TLS v1.2 requirement

The Payment Card Industry (PCI) has announced that Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) will be permanently removed from service.

SSL and TLS encrypt the information sent between web browsers and web servers. However, to date, “SSL and early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes.”

As a result, all entities that use SSL or an early version of TLS must migrate to TLS v1.2 to protect themselves from the current protocol vulnerabilities.

What does this all mean for PayPal merchants?

Merchants and partners use HTTPS to connect securely to PayPal’s servers, and the TLS protocol encrypts these communications. To ensure the security of its systems and adhere to industry best practices, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At the same time, PayPal will also require HTTP/1.1 for all connections.

What do you need to do?

  • Following this upgrade, we have updated PayPal Adaptive in our themes accordingly.
  • To ensure your site supports TLS v1.2, please contact your web hosting company to configure your server. You need to do this as soon as possible, since PayPal requires that your site be ready for this change by June 17, 2016.

A message to your hosting company

If you’re not sure what to say, simply copy this message and send it to the support team of your hosting service:

To comply with PCI policy, PayPal is updating its services to require TLS v1.2 for all HTTPS connections. The PayPal Adaptive payment gateway is currently used on my website, so please upgrade my site’s TLS to the latest version, 1.2, ASAP. Thank you!

PHP uses the system-supplied cURL library. The OpenSSL version used by the cURL library must be 1.0.1c or higher. You may also need to update your SSL/TLS libraries, see here for more details.

To check PHP, in a shell on your production system, run:

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch));'

  • On success, PayPal_Connection_OK is printed.
  • On failure, bool(false) will be printed.

You can get the specific error with curl_error($ch):

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch)); var_dump(curl_error($ch));'

Note: Please make sure that your command line test uses the same versions of PHP and the SSL/TLS libraries as your web server. If you use MAMP or XAMPP as your development setup, the PHP packaged with them currently comes with a lower version of OpenSSL, which cannot be updated easily.
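
The two checks above (OpenSSL 1.0.1c or higher, and a working connection to the test endpoint) can be combined in one script. This is an added example, not PayPal's or the theme author's code; the function names parse_openssl and openssl_at_least are made up for illustration, and it assumes a PHP build that defines CURL_SSLVERSION_TLSv1_2. Run it with the same PHP binary your web server uses.

```php
<?php
// Added example: checks the TLS library PHP's cURL extension is linked against.

// Parse "OpenSSL/1.0.1e"-style strings into [major, minor, fix, letters].
// Returns null for other backends (NSS, GnuTLS, ...), where the page's
// 1.0.1c threshold does not apply.
function parse_openssl($sslVersion)
{
    if (!preg_match('#^OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)#', $sslVersion, $m)) {
        return null;
    }
    return [(int)$m[1], (int)$m[2], (int)$m[3], $m[4]];
}

// True when $have >= $min. version_compare() is avoided: it treats letters as
// release-stage tags ("a" = alpha, "b" = beta, "p" = patch level), not as
// OpenSSL's sequential patch letters.
function openssl_at_least(array $have, array $min)
{
    for ($i = 0; $i < 3; $i++) {
        if ($have[$i] !== $min[$i]) {
            return $have[$i] > $min[$i];
        }
    }
    // Longer suffix is newer ("za" > "z"); equal lengths compare alphabetically.
    if (strlen($have[3]) !== strlen($min[3])) {
        return strlen($have[3]) > strlen($min[3]);
    }
    return strcmp($have[3], $min[3]) >= 0;
}

$ssl = curl_version()['ssl_version'];
$have = parse_openssl($ssl);
if ($have === null) {
    echo "TLS backend is $ssl, not OpenSSL; relying on the connection test only\n";
} else {
    $ok = openssl_at_least($have, parse_openssl('OpenSSL/1.0.1c'));
    echo "$ssl: " . ($ok ? 'meets' : 'is older than') . " the 1.0.1c minimum\n";
}

// Connection test from the page, restricted to TLS 1.2, with the body
// returned instead of echoed so it can be compared.
$ch = curl_init('https://tlstest.paypal.com/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
$body = curl_exec($ch);
echo is_string($body) && trim($body) === 'PayPal_Connection_OK'
    ? "TLS 1.2 connection OK\n" : 'Failed: ' . curl_error($ch) . "\n";
```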
