PayPal Security Overview
As of 06/26/2018, PayPal has officially begun updating their server security to only accepts traffic requests using a specific HTTP protocol, TLS 1.2 / HTTP 1.1. Even though PayPal has been warning people about this for years now, and they have provided a security roadmap for merchants to follow well in advance as well as security best practices, many will not be prepared.
This will certainly cause lots of confusion as people begin to find that their websites are no longer processing PayPal payments successfully, and they’re getting strange errors full of technical jargon that is difficult to understand. In this article I will try to explain a bit about what to expect with this change, and how to solve the problem if you’re running into it.
PayPal Security TLS Errors
How exactly will you know if you’re having a problem with this? Well if you’re reading this article, you probably already figured it out. First, browsers have been warning people over the passed few months about PayPal’s upcoming changes with this cryptic, somewhat confusing message that gets displayed in the console:
(index):1 The SSL certificate used to load resources from https://www.paypal.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
This is just a warning that the certificates PayPal is using will be expiring and will no longer accept HTTP requests. As long as your server is configured properly (and your web browser is up-to-date) you shouldn’t have any problems. If your server is not configured correctly, you may run into errors like this when trying to access PayPal services:
cURL Error code 35 “Unknown SSL protocol.
Unsupported SSL protocol.
SSLv3 alert handshake failure.
TLSv1 alert protocol version.
These errors can come up when your site attempts to connect to a remote service (such as PayPal) via secure connection that is not accepting the protocol used to send the request. In most cases, simply updating your server software and/or web browser will resolve your issues.
Okay, So How Do I Fix This?
If you are having this problem that means you are probably missing out on payments / orders that you would typically be getting, and you are probably freaking out a bit right now. As such, let’s get to the point: how do I fix this problem?
In almost all cases, the problem is with the software installed on the web server running your website. If you are on a shared server, for example, there’s a good chance it has not been updated in quite some time. This can lead to outdated software, and this will cause this problem.
Long story short, you need to make sure your server environment is configured to send all HTTP requests using the HTTP 1.1 and TLS 1.2 protocol. If you are running on Linux with PHP then the following steps should resolve your problem.
- Check that you are running OpenSSL 1.0.1 or higher on your server.
- Check that you are running PHP 5.5.19 at an absolute minimum. This is the ideal solution and will cause the TLS 1.2 protocol to be used by default.
If you are unable to install PHP 5.5.19 or higher because of a shared hosting environment, then you can add the following cURL option to your code to force the TLS 1.2 protocol to be used.
curl_setopt ($endpointurl, CURLOPT_SSLVERSION, 6); //Integer NOT string TLS v1.2
If updating your server software did not resolve the problem, make sure to check your web browser version and get the latest version of it installed. If you are running an outdated browser this could be your only problem.
PayPal for WooCommerce
Are you using our PayPal for WooCommerce plugin? The fix is simple! From your WordPress admin panel go to Settings -> PayPal for WooCommerce -> General -> Global, and check the box to Enable Force TLS 1.2.
Need Additional Help?
Schedule a live meeting with Drew Angell, PayPal Certified Developer, and get all of your questions or concerns answered.