TLS 1.2 requirement for PayPal
PayPal recently announced they will require Transport Layer Security (TLS) version 1.2 to process payments in a live environment. (PayPal already requires TLS 1.2 in the sandbox.)
- Details (PayPal security bulletin)
- PayPal live payments switching in June 2016 (PayPal technical blog)
According to PayPal, symptoms of the issue include the following messages in your error log:
Unknown SSL protocol error in connection to api-3t.sandbox.paypal.com:-9824

140062736746144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
... (more messages) ...
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol: SSLv3
... (more messages) ...
The source of the issue is your version of libcurl: versions earlier than 7.34 use TLS 1.1 or earlier by default.
To determine the version of libcurl you're running, enter the following command on the server that processes PayPal transactions:
curl --version
If the version is earlier than 7.34, continue with the next section. If you’re already running version 7.34 or later, no action is necessary.
The source of the issue is that the libcurl library packaged with CentOS 6.6 and earlier uses TLS 1.1 or earlier by default.
To determine the version of CentOS your server runs, enter the following command:
cat /etc/*release*
If you’re already running CentOS 6.8 or later, no action is necessary. According to the CentOS 6.8 changelog, “various applications now support TLS 1.2, i.e. OpenLDAP, yum, stunnel, vsftpd, git, postfix and others. Also TLS 1.2 has been enabled by default in various packages”.
(CentOS 7 has a newer version of libcurl that also defaults to TLS 1.2.)
You have the following options:
- (Recommended) Upgrade your Magento server to CentOS 6.8 or later. Its recommended repositories support current versions of TLS with libcurl. Using CentOS 6.8 or later is the most secure way to continue operating your store and accepting PayPal. CentOS 6.8 has a libcurl version that defaults to TLS 1.2.
- (Less secure, not recommended) Upgrade to libcurl 7.34 or later on CentOS 6 using a non-recommended third-party repository. One possible solution is to use the information on serverfault. Installing software from non-recommended repositories can change other system packages and can result in issues. We strongly recommend you upgrade libcurl in a development environment and thoroughly test all payment processors you use, as well as any other critical software, before putting this into production.
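The two checks above (libcurl version, then CentOS release) automated as an added shell script that is not part of the original page; the sample `curl --version` and release strings are constructed, and the thresholds 7.34 and 6.8 are the ones the page gives.

```shell
#!/bin/sh
# Added example (not from the original page): automate the two checks described
# above, libcurl >= 7.34 and CentOS >= 6.8, and print the page's recommendation.

# Pull "major.minor.patch" from `curl --version` output, reading the libcurl/ token
# because the curl binary and the library it links can differ in version.
libcurl_version_from_output() {
    printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}
# Pull "major.minor" from /etc/*release* text such as "CentOS release 6.6 (Final)"
# or "CentOS Linux release 7.2.1511 (Core)"; prints nothing on non-CentOS systems.
centos_version_from_release() {
    printf '%s\n' "$1" | sed -n 's|^CentOS.* release \([0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' | head -n 1
}
# version_at_least X.Y[.Z] MAJOR MINOR: succeeds when X.Y is at least MAJOR.MINOR.
version_at_least() {
    major=$(printf '%s\n' "$1" | cut -d. -f1);    major=${major:-0}
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2); minor=${minor:-0}
    if [ "$major" -gt "$2" ]; then return 0; fi
    if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
    return 1
}
# 7.34 is the first libcurl that negotiates TLS 1.2 by default (the page's threshold).
libcurl_is_tls12_default() { version_at_least "$1" 7 34; }
# CentOS 6.8 is the first CentOS 6 release whose packaged libcurl defaults to TLS 1.2.
centos_is_tls12_ready()    { version_at_least "$1" 6 8; }

# Constructed sample inputs modelled on a CentOS 6.6 host (illustrative values).
SAMPLE_CURL='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 zlib/1.2.3'
SAMPLE_RELEASE='CentOS release 6.6 (Final)'

# Print the page's verdict for a given `curl --version` output and release text.
report() {
    lc=$(libcurl_version_from_output "$1"); os=$(centos_version_from_release "$2")
    if libcurl_is_tls12_default "$lc"; then
        echo "libcurl $lc: TLS 1.2 is negotiated by default, no action needed"
    elif [ -n "$os" ] && ! centos_is_tls12_ready "$os"; then
        echo "libcurl $lc on CentOS $os: upgrade the server to CentOS 6.8 or later"
    else
        echo "libcurl $lc: older than 7.34, upgrade libcurl and retest every payment processor"
    fi
}

# On a real server read the live values; anywhere else fall back to the samples.
if command -v curl >/dev/null 2>&1 && [ -r /etc/redhat-release ]; then
    report "$(curl --version)" "$(cat /etc/redhat-release)"
else
    report "$SAMPLE_CURL" "$SAMPLE_RELEASE"
fi
```

Run it on the server that processes PayPal transactions to get the verdict for the installed libcurl; on any other host it reports on the constructed CentOS 6.6 sample.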