Technical Bulletin

The Magento software and component repository, repo.magento.com, recently started requiring Transport Layer Security (TLS) 1.1 or later.

The PCI Security Standards Council} removed SSL/TLS 1.0 as an example of strong cryptography from the PCI Data Security Standard (PCI DSS) version 3.1, stating that it can no longer be used as a security control after June 30, 2016.

For details, see Date Change for Migrating from SSL and Early TLS.

Symptoms

If you have an earlier version of TLS, you’ll see the errors discussed in this section.

Downloading a Magento metapackage

The following error displays if you attempt to run composer create-project to get a Magento metapackage:

[Composer\Downloader\TransportException]                                           
The "https://repo.magento.com/packages.json" file could not be downloaded: Failed to enable crypto                                                                  
failed to open stream: operation failed  

Using the Web Setup Wizard

Actions like saving your authentication credentials or synchronizing with Magento Marketplace fail with the following error:

SSL connect error

Solution

The solution to this issue depends on how your operating system packages TLS. See one of the following sections for more information:

Ubuntu

Make sure you’re using libcurl. libcurl versions 7.34 or later; these versions use TLS 1.2 by default.

To determine your libcurl version, enter the following command:

curl --version

CentOS

The source of the issue is that the libcurl library packaged with CentOS 6.6 and earlier use TLS 1.1 or earlier by default.

To determine the version of CentOS your server runs, enter the following command:

cat /etc/*release*

If you’re already running CentOS 6.8 or later, no action is necessary. According to the CentOS 6.8 changelog, “various applications now support TLS 1.2, i.e. OpenLDAP, yum, stunnel, vsftpd, git, postfix and others. Also TLS 1.2 has been enabled by default in various packages”.

(CentOS 7 has a newer version of libcurl that also defaults to TLS 1.2.)

Mac OS

Recent updates to the OS X liip package should resolve the issue.