TLSv1.2 Requirement

The Payment Card Industry Security Standards Council (PCI SSC) mandates that all credit card processors must retire early versions of TLS from service by the PCI deadline.

As part of this requirement, PayPal and Braintree are making this upgrade alongside the rest of the payments industry. PayPal and Braintree are updating its services to require TLS 1.2 for all HTTPS connections. PayPal and Braintree will also require HTTP/1.1 for all connections.

For more official, relevant information, see the 2017-2018 Merchant Security Roadmap Microsite:

• TLS 1.2 and HTTP/1.1 Upgrade Microsite
• SSL Certificate Upgrade Microsite

See also Updating Your Production Environment to Support TLSv1.2 on the Braintree blog.

What does this mean for PayPal and Braintree merchants?

Merchants must verify that their systems can use the TLSv1.2 protocol with a SHA-256 certificate. As a merchant, you must make sure that you are up-to-date with security updates, including current versions of operating systems, encryption libraries, and runtime environments.

To get started, use the following notes to verify the TLSv1.2 readiness in your environments:

• Prerequisites
• Java
• .NET
• PHP
• Python
• Ruby
• Node
• Native Mobile Apps

---

Prerequisites

• These checks assume that you have installed all PayPal REST- and Braintree SDK-required libraries.
• For these checks to be valid, run them on a production system or one that exactly matches the production configuration.

---

Java

• Java requirements
• To verify your Java and TLS versions
• Supported SDKs

Java requirements

Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.

Java version	TLSv1.2 support	Requirements
5 and earlier	No support	Upgrade to Java 6 or later. Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.
6	Available	You must explicitly enable TLSv1.2. At least Oracle Java version 6u115 b32 or IBM V6 service refresh 10. You might require a PayPal SDK update or code change.
7	Available	You must explicitly enable TLSv1.2. You might require a PayPal SDK update or code change.
8	Default	No code change is required. Make sure that you're using the latest PayPal SDK.

To verify your Java and TLS versions

1. Set the TLS version through the SSLContext class.

2. Verify that Java runtime 6 or later is installed:

   java -version
   

   If you have Java version 5 or earlier, upgrade it.

   Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.

3. Download the TlsCheck.java and TlsCheck.jar files.

4. In a shell on your production system, run:

   > java -jar TlsCheck.jar
   

   • On success:

     Successfully connected to TLS 1.2 endpoint.
     

   • On failure:

     Failed to connect to TLS 1.2 endpoint.
     

Supported SDKs

• PayPal
• Braintree

---

.NET

• .NET requirements
• To verify your .NET and TLS versions
• Supported SDKs

.NET requirements

To enable TLSv1.2, you must install the .NET framework 4.5 or later.

To verify your .NET and TLS versions

1. Set the TLS version through ServicePointManager.SecurityProtocol enumeration.

2. To verify that you have .NET framework 4.5 or later, run NetFrameworkVersions on the console of your production system. If you do not have .NET 4.5 or later, upgrade it.

3. In a shell on your production system, run TlsCheck:

   > TlsCheck.exe
   

   • On success:

     PayPal_Connection_OK
     

Supported SDKs

• PayPal
• Braintree

---

PHP

• PHP requirements
• Guidelines
• To verify your PHP and TLS versions

PHP requirements

• PHP uses the system-supplied cURL library, which requires OpenSSL 1.0.1c or later.
• You might need to update your SSL/TLS libraries.

Guidelines

Find OpenSSL in these locations:

1. OpenSSL installed in your operating system's openssl version.
2. OpenSSL extension installed in your PHP. Find this in your php.ini.
3. OpenSSL used by PHP_CURL.curl_version().

These OpenSSL extensions can be different, and you update each one separately.

PayPal and other PHP SDKs use the same OpenSSL extension that PHP_CURL uses to make HTTP connections. The PHP_CURL OpenSSL extension must support TLSv1.2.

The php_curl library uses its own version of the OpenSSL library, which is not the same version that PHP uses, which is the openssl.so file in php.ini.

To verify your PHP and TLS versions

1. To find the openssl_version information for cURL, run:

   php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'
   

   The returned php_curl version might be different from the openssl version because they are different components.

2. When you update your OpenSSL libraries, you must update the php_curl OpenSSL version and not the OS OpenSSL version.

3. Download cacert.pem and TlsCheck.php.

4. In a shell on your production system, run:

   php -f TlsCheck.php
   

   • On success:

     PayPal_Connection_OK
     

   • On failure:

     curl_error information
     

Notes:

• Make sure that your command line test uses the same versions of PHP and SSL/TLS libraries that your web server uses.
• If you use MAMP or XAMPP as your development set up, the PHP that is packaged with them uses an earlier version of OpenSSL, which you cannot easily update. For more information about this issue and a temporary workaround, see Unknown SSL protocol error.

---

Python

• Python requirements
• To verify your Python and TLS versions

Python requirements

• Python uses the system-supplied OpenSSL.
• TLSv1.2 requires OpenSSL 1.0.1c or later.

To verify your Python and TLS versions

1. In a shell on your production system, run the command for your environment:

   • For Python 2.x:

     $ python -c "import urllib2; print(urllib2.urlopen('https://tlstest.paypal.com/').read())"
     

   • For Python 3.x:

     $ python -c "import urllib.request; print(urllib.request.urlopen('https://tlstest.paypal.com/').read())"
     

     • On success:

       PayPal_Connection_OK
       

     • On failure, an URLError is raised:

       urllib2.URLError: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)>
       urllib2.URLError: <urlopen error [Errno 54] Connection reset by peer>
       

---

Ruby

• Ruby requirements
• PayPal legacy Ruby SDK update
• To verify your Ruby and TLS versions

Ruby requirements

• Ruby 2.0.0 or later and OpenSSL 1.0.1c or later are required:

  • Ruby 2.0.0 or later is required to use TLSv1.2 from the system-supplied OpenSSL.
  • TLSv1.2 requires OpenSSL 1.0.1c or later.

• To update your dependencies, you might need to run bundle update.

PayPal legacy Ruby SDK update

For the PayPal legacy Ruby SDK packaged as PP_Ruby_NVP_SDK.zip, download this PP_Ruby_NVP_SDK.zip.

To verify your Ruby and TLS versions

1. In a shell on your production system, run:

   $ ruby -r'net/http' -e 'puts Net::HTTP.get(URI("https://tlstest.paypal.com/"))'
   

   • On success:

     PayPal_Connection_OK
     

   • On failure, a OpenSSL::SSL::SSLError or EOFError is thrown.

---

Node

• Node requirements
• To verify your Node and TLS versions

Node requirements

• Node.js uses the system supplied OpenSSL.
• TLSv1.2 requires OpenSSL 1.0.1c or later.

To verify your Node and TLS versions

1. In a shell on your production system, run:

   $ node -e "var https = require('https'); https.get('https://tlstest.paypal.com/', function(res){ console.log(res.statusCode) });"
   

   • On success:

     200
     

   • On failure, a network error occurs.

---

Native Mobile Apps

• Android
• iOS
• Windows

Android

• Android requirements
• Supported SDKs

Android requirements

TLSv1.2 is the default for client connections in API 20 (Android 4.4W or KITKAT - wearable extensions).

All Android app developers must make sure that their code and PayPal or Braintree SDKs provide explicit support for TLSv1.2. To verify correct implementation, test apps on API 16 through 19 devices (Android 4.1 through 4.4 platforms).

After the TLSv1.2 upgrade, native app support for user devices earlier than API 16 (Android 4.1 or JELLY_BEAN) are not available. Fortunately, as of April 16, 2018, Google reports 0.7% of devices accessing the Play store are API 15 or earlier.

Users of the PayPal or Braintree Android SDKs must update to the latest version. To illustrate how to support TLSv1.2 outside of the SDK, we have provided an example Android app.

Supported SDKs

• PayPal
• Braintree

iOS

TLSv1.2 support was introduced in iOS 5. The PayPal iOS SDK and the Braintree iOS SDK both require iOS 7 or later. Apps built since 2013 will likely not need any updates.

Windows

Neither PayPal nor Braintree support any Windows SDKs. For a web browser integration, we recommend Braintree's JavaScript SDK.