Another message from PayPal in regards to TLS 1.2

My clients are receiving messages from PayPal about another upgrade they are making. I have searched and studied this but I can not figure out if I need to change anything in my eCart setups that use PayPal Advanced.

Here is part of their message...

"Our records indicate your current PayPal integration is utilizing a version that is less than TLS 1.2. With the deadline for this security upgrade currently set at June 30, 2018, you will need to act immediately to upgrade your PayPal integration(s) to utilize TLS 1.2 cryptographic protocol PRIOR to this date.

Failure to upgrade your integration by June 30, 2018 will lead to an inability to connect to PayPal for processing customer transactions. For further information on the TLS 1.2 upgrade, please bookmark the TLS 1.2 Upgrade Microsite page and visit frequently to ensure you are armed with the most current information..."

The link they provided is https://www.paypal-notice.com/en/TLS-1.2-and-HTTP1.1-Upgrade/

Is there something I need to change in my WA eCart files?

These sites are using the PayPal Advanced setup where the user doesn't leave the site when making a payment with a credit card. The sites do have an SSL installed and when viewing the certificate's details through the browser, it says they are using TLS 1.2. So I thought maybe it might be something in the WA code that I need to update. Some of these sites where setup a couple years ago.

Thanks for any help you can provide me.

TroyD

Do a site-wide search of your code for this:

CURLOPT_SSLVERSION

if you find that on any line of code, delete that line. By default it will use the latest version of TLS, but a line with that may specify an earlier version can could be causing the issue. By simply deleting the line(s) it should automatically use the latest and greatest available.

Thanks Ray,

No, I don't find CURLOPT_SSLVERSION in any of the WA files on the sites using PP Advanced. The closest is in the CallHTTP() function in the PP_PayAdv_PHP.php file, so I'm assuming it's not that.

I will see if I can get more information from them and report back.

Thanks,
TroyD

Add this code to a page:

<?php
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data = curl_exec($ch);
curl_close($ch);
die($data);
$json = json_decode($data);
echo $json->tls_version;
?>

it should tell you if your website is configured for TLS 1.2 properly.

Thanks again Ray,

I ran the code on a page in the site and posted the response in the PM area.
The end of the response is a little concerning but then again, I don't really know what it all means.

Thoughts?

Thanks
TroyD

Test paypal again. I think that should work now.

Thanks again Ray. I will do that and see what they say. I appreciate the help here.

TroyD

Ray,

I have been dealing with PayPal for months and I still can't get any useful help from them. When I talk to them, they tell me that 2 particular sites don't pass their tests. And when I ask why, they say "it doesn't say why it doesn't pass, just that is doesn't".

This week my client received letters in the mail which I will attach an image of here rather than trying to retype it.

These two sites are setup completely differently. One is a PayPal Advanced shopping cart with the endpoint being a PayPal Pro account. The other has one simple "Buy Now" button with the standard PayPal endpoint. And that one button is within a secure login so the only way PayPal could test that one is by the request of a payment and not by looking at the page the button is on.

Both sites have Comodo Essential SSLs and have passed all tests I know to run including the test code you provide above as well as the one you provided in the other thread http://www.webassist.com/forums/posts.php?id=41111 That test pops up "TLS 1.2" when I view the page. I also setup a sandbox for the "Buy Now" button site and I get a "Success" message from PayPal when I complete the transaction.

The one thing I have not yet tried, is mentioned in the letter under number 3 in the list of actions to take. I have not figured out how to do that. Going to tlstest.paypal.com only tells me that my browser is ok. I'm not sure how to test my actual server or these two websites.

I don't know what to try next. I am really concerned that other clients might have received these letters too and just haven't told anyone.

Can you take a look at this letter and tell me if you see anything?

Thanks so much,
TroyD

Do a full search on your site files for the text: CURLOPT_SSLVERSION

Let me know if you find it anywhere and where you find it if you do.

Thanks Ray,

I think thats the first thing you had me do up top here but i will check both sites again to be sure. Maybe i missed somethimg. Im out of my office at the moment but when i get back that will be the first thing i do. Thanks for the help.

TroyD