Documentation & tools for the upcoming TLSv1.2 required update
Java C# PHP Perl
Switch branches/tags
Nothing to show
Clone or download

README.md

TLSv1.2 Requirement

The Payment Card Industry Security Standards Council (PCI SSC) mandates that all credit card processors must retire early versions of TLS from service by the PCI deadline.

As part of this requirement, PayPal and Braintree are making this upgrade alongside the rest of the payments industry. PayPal and Braintree are updating its services to require TLS 1.2 for all HTTPS connections. PayPal and Braintree will also require HTTP/1.1 for all connections.

For more official, relevant information, see the 2017-2018 Merchant Security Roadmap Microsite:

See also Updating Your Production Environment to Support TLSv1.2 on the Braintree blog.

What does this mean for PayPal and Braintree merchants?

Merchants must verify that their systems can use the TLSv1.2 protocol with a SHA-256 certificate. As a merchant, you must make sure that you are up-to-date with security updates, including current versions of operating systems, encryption libraries, and runtime environments.

To get started, use the following notes to verify the TLSv1.2 readiness in your environments:


Prerequisites

  • These checks assume that you have installed all PayPal REST- and Braintree SDK-required libraries.
  • For these checks to be valid, run them on a production system or one that exactly matches the production configuration.

Java

Java requirements

Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.

Java version TLSv1.2 support Requirements
5 and earlier No support

Upgrade to Java 6 or later.

Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.
6 Available
7 Available
  • You must explicitly enable TLSv1.2.
  • You might require a PayPal SDK update or code change.
    8 Default
    • No code change is required.
    • Make sure that you're using the latest PayPal SDK.

    To verify your Java and TLS versions

    1. Set the TLS version through the SSLContext class.

    2. Verify that Java runtime 6 or later is installed:

      java -version
      

      If you have Java version 5 or earlier, upgrade it.

      Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.

    3. Download the TlsCheck.java and TlsCheck.jar files.

    4. In a shell on your production system, run:

      > java -jar TlsCheck.jar
      
      • On success:

        Successfully connected to TLS 1.2 endpoint.
        
      • On failure:

        Failed to connect to TLS 1.2 endpoint.
        

    Supported SDKs


    .NET

    .NET requirements

    To enable TLSv1.2, you must install the .NET framework 4.5 or later.

    To verify your .NET and TLS versions

    1. Set the TLS version through ServicePointManager.SecurityProtocol enumeration.

    2. To verify that you have .NET framework 4.5 or later, run NetFrameworkVersions on the console of your production system. If you do not have .NET 4.5 or later, upgrade it.

    3. In a shell on your production system, run TlsCheck:

      > TlsCheck.exe
      
      • On success:

        PayPal_Connection_OK
        

    Supported SDKs


    PHP

    PHP requirements

    Guidelines

    Find OpenSSL in these locations:

    1. OpenSSL installed in your operating system's openssl version.
    2. OpenSSL extension installed in your PHP. Find this in your php.ini.
    3. OpenSSL used by PHP_CURL.curl_version().

    These OpenSSL extensions can be different, and you update each one separately.

    PayPal and other PHP SDKs use the same OpenSSL extension that PHP_CURL uses to make HTTP connections. The PHP_CURL OpenSSL extension must support TLSv1.2.

    The php_curl library uses its own version of the OpenSSL library, which is not the same version that PHP uses, which is the openssl.so file in php.ini.

    To verify your PHP and TLS versions

    1. To find the openssl_version information for cURL, run:

      php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'
      

      The returned php_curl version might be different from the openssl version because they are different components.

    2. When you update your OpenSSL libraries, you must update the php_curl OpenSSL version and not the OS OpenSSL version.

    3. Download cacert.pem and TlsCheck.php.

    4. In a shell on your production system, run:

      php -f TlsCheck.php
      
      • On success:

        PayPal_Connection_OK
        
      • On failure:

        curl_error information
        

    Notes:

    • Make sure that your command line test uses the same versions of PHP and SSL/TLS libraries that your web server uses.
    • If you use MAMP or XAMPP as your development set up, the PHP that is packaged with them uses an earlier version of OpenSSL, which you cannot easily update. For more information about this issue and a temporary workaround, see Unknown SSL protocol error.


    Python

    Python requirements

    • Python uses the system-supplied OpenSSL.
    • TLSv1.2 requires OpenSSL 1.0.1c or later.

    To verify your Python and TLS versions

    1. In a shell on your production system, run the command for your environment:

      • For Python 2.x:

        $ python -c "import urllib2; print(urllib2.urlopen('https://tlstest.paypal.com/').read())"
        
      • For Python 3.x:

        $ python -c "import urllib.request; print(urllib.request.urlopen('https://tlstest.paypal.com/').read())"
        
        • On success:

          PayPal_Connection_OK
          
        • On failure, an URLError is raised:

          urllib2.URLError: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>
          urllib2.URLError: <urlopen error [Errno 54] Connection reset by peer>
          

    Ruby

    Ruby requirements

    • Ruby 2.0.0 or later and OpenSSL 1.0.1c or later are required:

      • Ruby 2.0.0 or later is required to use TLSv1.2 from the system-supplied OpenSSL.
      • TLSv1.2 requires OpenSSL 1.0.1c or later.
    • To update your dependencies, you might need to run bundle update.

    PayPal legacy Ruby SDK update

    For the PayPal legacy Ruby SDK packaged as PP_Ruby_NVP_SDK.zip, download this PP_Ruby_NVP_SDK.zip.

    To verify your Ruby and TLS versions

    1. In a shell on your production system, run:

      $ ruby -r'net/http' -e 'puts Net::HTTP.get(URI("https://tlstest.paypal.com/"))'
      
      • On success:

        PayPal_Connection_OK
        
      • On failure, a OpenSSL::SSL::SSLError or EOFError is thrown.


    Node

    Node requirements

    • Node.js uses the system supplied OpenSSL.
    • TLSv1.2 requires OpenSSL 1.0.1c or later.

    To verify your Node and TLS versions

    1. In a shell on your production system, run:

      $ node -e "var https = require('https'); https.get('https://tlstest.paypal.com/', function(res){ console.log(res.statusCode) });"
      
      • On success:

        200
        
      • On failure, a network error occurs.


    Native Mobile Apps

    Android

    Android requirements

    TLSv1.2 is the default for client connections in API 20 (Android 4.4W or KITKAT - wearable extensions).

    All Android app developers must make sure that their code and PayPal or Braintree SDKs provide explicit support for TLSv1.2. To verify correct implementation, test apps on API 16 through 19 devices (Android 4.1 through 4.4 platforms).

    After the TLSv1.2 upgrade, native app support for user devices earlier than API 16 (Android 4.1 or JELLY_BEAN) are not available. Fortunately, as of April 16, 2018, Google reports 0.7% of devices accessing the Play store are API 15 or earlier.

    Users of the PayPal or Braintree Android SDKs must update to the latest version. To illustrate how to support TLSv1.2 outside of the SDK, we have provided an example Android app.

    Supported SDKs

    iOS

    TLSv1.2 support was introduced in iOS 5. The PayPal iOS SDK and the Braintree iOS SDK both require iOS 7 or later. Apps built since 2013 will likely not need any updates.

    Windows

    Neither PayPal nor Braintree support any Windows SDKs. For a web browser integration, we recommend Braintree's JavaScript SDK.