TLS 1.2 not working with 3.21.0 #290

Closed
robertkent87 opened this issue Sep 1, 2016 · 5 comments

@robertkent87

I have set up a new integration on a server that already has existing Stripe integrations that work fine. However, any attempt to make calls to Stripe returns the error

Stripe\Error\Authentication: Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later

The test script for PHP on https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integration-from-tls-1-0-to-tls-1-2#php gives the following error

TLS 1.2 is not supported. You will need to upgrade your integration.

However my hosting provider assures me that TLS 1.2 is enabled and working fine, they've even verified using PayPal's TLS test site.

Is this a false positive? Is there a setting or something I've missed?

Operating system: CentOS release 6.6 (Final)
PHP version: PHP 5.5.21 (cli) (built: Jan 24 2015 13:25:18)
stripe-php version: 3.21.0

@remi-stripe
Contributor

@robertkent87 The fact that your other integration works is usually unrelated. The reason is that we whitelisted any existing integration into being allowed to use TLS 1.0 until January 2017 before making the change. Your new integration gets the error because it's new and we want to make sure that new users are relying on TLS 1.2 only and nothing else.

The code below will allow you to confirm which protocol your PHP installation is using when negotiating transactions. It doesn't rely on our library to ensure whether the issue is with the server or with our library. Could you run it?

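// Ask howsmyssl.com which TLS version this PHP/cURL build negotiates.
$c = curl_init();
curl_setopt($c, CURLOPT_URL, "https://www.howsmyssl.com/a/check");
curl_setopt($c, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
$r = json_decode(curl_exec($c));
curl_close($c);
echo $r->tls_version . "\n";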

If it outputs TLS 1.2 then it means your server does negotiate TLS 1.2 and the problem is with our library. If you get any other results it means the issue is with the server and not the library and you can show this to your host provider to convince them that they need to run an upgrade.
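
An offline complement to the live check above, added here as an example and not part of the thread or of stripe-php: it reads `curl_version()` to show which TLS library libcurl itself is linked against, which is not necessarily the OpenSSL that PHP's own constants describe. The function name `tls12_capability`, the sample values, and the version thresholds (libcurl 7.34.0 for the TLS 1.2 selector, OpenSSL 1.0.1 for TLS 1.2 support) are assumptions of this example.

```php
<?php
// Added example, not stripe-php code. Classifies the TLS library that
// libcurl is linked against, from the array curl_version() returns.
function tls12_capability(array $cv)
{
    // Assumption: the CURL_SSLVERSION_TLSv1_2 selector exists from libcurl 7.34.0.
    $curlHasOption = version_compare($cv['version'], '7.34.0', '>=');
    $ssl = isset($cv['ssl_version']) ? $cv['ssl_version'] : '';

    if (preg_match('~^OpenSSL/(\d+)\.(\d+)\.(\d+)~', $ssl, $m)) {
        // Assumption: OpenSSL supports TLS 1.2 from 1.0.1. Compare numerically;
        // the letter suffix (for example the "e" in "1.0.1e") is ignored.
        $n = $m[1] * 10000 + $m[2] * 100 + $m[3];
        $backendTls12 = $n >= 10001 ? 'yes' : 'no';
    } else {
        // Other backends (NSS, GnuTLS, ...) are not judged here; use the live check.
        $backendTls12 = 'unknown';
    }

    return array(
        'backend'               => $ssl === '' ? 'none' : $ssl,
        'curl_has_tls12_option' => $curlHasOption,
        'backend_tls12'         => $backendTls12,
    );
}

// Constructed sample inputs: same shape as curl_version() output, values made up.
$samples = array(
    array('version' => '7.19.7', 'ssl_version' => 'NSS/3.16.2'),
    array('version' => '7.29.0', 'ssl_version' => 'OpenSSL/0.9.8e'),
    array('version' => '7.47.0', 'ssl_version' => 'OpenSSL/1.0.2g'),
);
if (function_exists('curl_version')) {
    $samples[] = curl_version(); // this host's real values
}

foreach ($samples as $cv) {
    $r = tls12_capability($cv);
    printf(
        "%-20s tls12-option=%-3s backend-tls12=%s\n",
        $r['backend'],
        $r['curl_has_tls12_option'] ? 'yes' : 'no',
        $r['backend_tls12']
    );
}
```

A `no` or `unknown` in either column means the server-side libraries, not the Stripe library, are the first thing to raise with the hosting provider.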

@brandur
Contributor

brandur commented Sep 1, 2016

Hi there,

So first of all, we've been seeing a few hard-to-debug problems on older versions of PHP/libcurl/OpenSSL. We'll try to help however we can here, but it's worth saying in advance: likely the easiest path by far here is going to be just to upgrade to a newer line of PHP.

Just out of curiosity, we have another problem that doesn't look too dissimilar that was reported recently. Would you mind applying the following patch to your stripe-php and seeing if it fixes the problem for you?

diff --git a/lib/HttpClient/CurlClient.php b/lib/HttpClient/CurlClient.php
index a8c8877..d42f9c0 100644
--- a/lib/HttpClient/CurlClient.php
+++ b/lib/HttpClient/CurlClient.php
@@ -151,37 +151,7 @@ class CurlClient implements ClientInterface
             $opts[CURLOPT_SSL_VERIFYPEER] = false;
         }

-        // @codingStandardsIgnoreStart
-        // PSR2 requires all constants be upper case. Sadly, the CURL_SSLVERSION
-        // constants to not abide by those rules.
-        //
-        // Explicitly set a TLS version for cURL to use now that we're starting
-        // to block 1.0 and 1.1 requests.
-        //
-        // If users are on OpenSSL >= 1.0.1, we know that they support TLS 1.2,
-        // so set that explicitly because on some older Linux distros, clients may
-        // default to TLS 1.0 even when they have TLS 1.2 available.
-        //
-        // For users on much older versions of OpenSSL, set a valid range of
-        // TLS 1.0 to 1.2 (CURL_SSLVERSION_TLSv1). Note that this may result in
-        // their requests being blocked unless they're specially flagged into
-        // being able to use an old TLS version.
-        //
-        // Note: The int on the right is pulled from the source of OpenSSL 1.0.1a.
-        if (OPENSSL_VERSION_NUMBER >= 0x1000100f) {
-            if (!defined('CURL_SSLVERSION_TLSv1_2')) {
-                // Note the value 6 comes from its position in the enum that
-                // defines it in cURL's source code.
-                define('CURL_SSLVERSION_TLSv1_2', 6); // constant not defined in PHP < 5.5
-            }
-            $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1_2;
-        } else {
-            if (!defined('CURL_SSLVERSION_TLSv1')) {
-                define('CURL_SSLVERSION_TLSv1', 1); // constant not defined in PHP < 5.5
-            }
-            $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1;
-        }
-        // @codingStandardsIgnoreEnd
+        $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1;

         curl_setopt_array($curl, $opts);
         $rbody = curl_exec($curl);
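
Review bot: the added line `$opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1;` uses the constant without the `defined('CURL_SSLVERSION_TLSv1')` guard that the removed `else` branch carried, and the removed comment states that the constant is not defined in PHP < 5.5, so on those versions the line references an undefined constant. Keep the guard in front of the assignment. The removed comments also describe `CURL_SSLVERSION_TLSv1` as a range of TLS 1.0 to 1.2 and warn that some older distros default to TLS 1.0, so requests sent with this patch may still be blocked; a short comment marking the change as a diagnostic rather than a replacement for the explicit TLS 1.2 setting would make that clear.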

@brandur
Contributor

brandur commented Sep 1, 2016

Oh and oops — I didn't refresh this page before responding, please try @remistr's script first :)

@robertkent87
Author

Thanks for the suggestions. Fortunately my hosting provider has made some updates and restarted Apache and it all seems to be working fine so it's not an issue with the library.

Thanks for the quick response.

@brandur
Contributor

brandur commented Sep 1, 2016

@robertkent87 Awesome to hear. Thanks for checking back in.
