TLSv1.2 Requirement
The Payment Card Industry Security Standards Council (PCI SSC) mandates that all credit card processors must retire early versions of TLS from service by the PCI deadline.
As part of this requirement, PayPal and Braintree are making this upgrade alongside the rest of the payments industry. PayPal and Braintree are updating its services to require TLS 1.2 for all HTTPS connections. PayPal and Braintree will also require HTTP/1.1 for all connections.
For more official, relevant information, see the 2017-2018 Merchant Security Roadmap Microsite:
See also Updating Your Production Environment to Support TLSv1.2 on the Braintree blog.
What does this mean for PayPal and Braintree merchants?
Merchants must verify that their systems can use the TLSv1.2 protocol with a SHA-256 certificate. As a merchant, you must make sure that you are up-to-date with security updates, including current versions of operating systems, encryption libraries, and runtime environments.
To get started, use the following notes to verify the TLSv1.2 readiness in your environments:
Prerequisites
- These checks assume that you have installed all PayPal REST- and Braintree SDK-required libraries.
- For these checks to be valid, run them on a production system or one that exactly matches the production configuration.
Java
Java requirements
Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.
| Java version | TLSv1.2 support | Requirements |
|---|---|---|
| 5 and earlier | No support | Upgrade to Java 6 or later. Note: Java 8 is preferred because TLSv1.2 is the default in this Java version. |
| 6 | Available |
|
| 7 | Available |
|
| 8 | Default |
|
To verify your Java and TLS versions
-
Set the TLS version through the
SSLContextclass. -
Verify that Java runtime 6 or later is installed:
java -versionIf you have Java version 5 or earlier, upgrade it.
Note: Java 8 is preferred because TLSv1.2 is the default in this Java version.
-
Download the TlsCheck.java and TlsCheck.jar files.
-
In a shell on your production system, run:
> java -jar TlsCheck.jar-
On success:
Successfully connected to TLS 1.2 endpoint. -
On failure:
Failed to connect to TLS 1.2 endpoint.
-
Supported SDKs
.NET
.NET requirements
To enable TLSv1.2, you must install the .NET framework 4.5 or later.
To verify your .NET and TLS versions
-
Set the TLS version through
ServicePointManager.SecurityProtocolenumeration. -
To verify that you have .NET framework 4.5 or later, run NetFrameworkVersions on the console of your production system. If you do not have .NET 4.5 or later, upgrade it.
-
In a shell on your production system, run TlsCheck:
> TlsCheck.exe-
On success:
PayPal_Connection_OK
-
Supported SDKs
PHP
PHP requirements
- PHP uses the system-supplied cURL library, which requires OpenSSL 1.0.1c or later.
- You might need to update your SSL/TLS libraries.
Guidelines
Find OpenSSL in these locations:
- OpenSSL installed in your operating system's
openssl version. - OpenSSL extension installed in your PHP. Find this in your
php.ini. - OpenSSL used by PHP_CURL.
curl_version().
These OpenSSL extensions can be different, and you update each one separately.
PayPal and other PHP SDKs use the same OpenSSL extension that PHP_CURL uses to make HTTP connections. The PHP_CURL OpenSSL extension must support TLSv1.2.
The php_curl library uses its own version of the OpenSSL library, which is not the same version that PHP uses, which is the openssl.so file in php.ini.
To verify your PHP and TLS versions
-
To find the
openssl_versioninformation for cURL, run:php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'The returned
php_curlversion might be different from theopenssl versionbecause they are different components. -
When you update your OpenSSL libraries, you must update the
php_curlOpenSSL version and not the OS OpenSSL version. -
Download cacert.pem and TlsCheck.php.
-
In a shell on your production system, run:
php -f TlsCheck.php-
On success:
PayPal_Connection_OK -
On failure:
curl_error information
-
Notes:
- Make sure that your command line test uses the same versions of PHP and SSL/TLS libraries that your web server uses.
- If you use MAMP or XAMPP as your development set up, the PHP that is packaged with them uses an earlier version of OpenSSL, which you cannot easily update. For more information about this issue and a temporary workaround, see Unknown SSL protocol error.
Python
Python requirements
- Python uses the system-supplied OpenSSL.
- TLSv1.2 requires OpenSSL 1.0.1c or later.
To verify your Python and TLS versions
-
In a shell on your production system, run the command for your environment:
-
For Python 2.x:
$ python -c "import urllib2; print(urllib2.urlopen('https://tlstest.paypal.com/').read())" -
For Python 3.x:
$ python -c "import urllib.request; print(urllib.request.urlopen('https://tlstest.paypal.com/').read())"-
On success:
PayPal_Connection_OK -
On failure, an
URLErroris raised:urllib2.URLError: <urlopen error EOF occurred in violation of protocol (_ssl.c:590)> urllib2.URLError: <urlopen error [Errno 54] Connection reset by peer>
-
-
Ruby
Ruby requirements
-
Ruby 2.0.0 or later and OpenSSL 1.0.1c or later are required:
- Ruby 2.0.0 or later is required to use TLSv1.2 from the system-supplied OpenSSL.
- TLSv1.2 requires OpenSSL 1.0.1c or later.
-
To update your dependencies, you might need to run
bundle update.
PayPal legacy Ruby SDK update
For the PayPal legacy Ruby SDK packaged as PP_Ruby_NVP_SDK.zip, download this PP_Ruby_NVP_SDK.zip.
To verify your Ruby and TLS versions
-
In a shell on your production system, run:
$ ruby -r'net/http' -e 'puts Net::HTTP.get(URI("https://tlstest.paypal.com/"))'-
On success:
PayPal_Connection_OK -
On failure, a
OpenSSL::SSL::SSLErrororEOFErroris thrown.
-
Node
Node requirements
- Node.js uses the system supplied OpenSSL.
- TLSv1.2 requires OpenSSL 1.0.1c or later.
To verify your Node and TLS versions
-
In a shell on your production system, run:
$ node -e "var https = require('https'); https.get('https://tlstest.paypal.com/', function(res){ console.log(res.statusCode) });"-
On success:
200 -
On failure, a network error occurs.
-
Native Mobile Apps
Android
Android requirements
TLSv1.2 is the default for client connections in API 20 (Android 4.4W or KITKAT - wearable extensions).
All Android app developers must make sure that their code and PayPal or Braintree SDKs provide explicit support for TLSv1.2. To verify correct implementation, test apps on API 16 through 19 devices (Android 4.1 through 4.4 platforms).
After the TLSv1.2 upgrade, native app support for user devices earlier than API 16 (Android 4.1 or JELLY_BEAN) are not available. Fortunately, as of April 16, 2018, Google reports 0.7% of devices accessing the Play store are API 15 or earlier.
Users of the PayPal or Braintree Android SDKs must update to the latest version. To illustrate how to support TLSv1.2 outside of the SDK, we have provided an example Android app.
Supported SDKs
iOS
TLSv1.2 support was introduced in iOS 5. The PayPal iOS SDK and the Braintree iOS SDK both require iOS 7 or later. Apps built since 2013 will likely not need any updates.
Windows
Neither PayPal nor Braintree support any Windows SDKs. For a web browser integration, we recommend Braintree's JavaScript SDK.