Published
2017-04-27 20:42
As you may be aware, new PCI DSS requirements state that all payment systems must disable early TLS by 2018.
As part of this requirement, PayPal, Auth.Net and Braintree are updating their services to require TLS 1.2 for all HTTPS connections, along with requiring HTTP/1.1 for all connections. You need to make sure your CiviCRM installation is ready for this change, which you can confirm with the following checks.
Deadlines
Plans to disable TLS 1.0 and TLS 1.1 on the following dates:
PayPal: June 30, 2017
Braintree: June 30, 2017
Authorize.Net Sandbox: April 30, 2017
Authorize.Net Production: September 18, 2017
What does this mean?
You must verify that your systems can use the TLSv1.2 protocol with a SHA-256 certificate. You must make sure that you are up-to-date with security updates, including current versions of operating systems, encryption libraries, and runtime environments.
To get started, use the following notes to verify the TLSv1.2 readiness in your environments:
PHP requirements
- PHP uses the system-supplied cURL library, which requires OpenSSL 1.0.1c or later.
- You might need to update your SSL/TLS libraries.
Guidelines
Find OpenSSL in these locations:
- OpenSSL installed in your operating system; check it with openssl version.
- OpenSSL extension installed in your PHP. Find this in your php.ini.
- OpenSSL linked into PHP's cURL extension (PHP_CURL); check it with curl_version().
These three OpenSSL copies can be different versions, and you update each one separately.
PayPal and other PHP SDKs use the same OpenSSL that PHP_CURL uses to make HTTP connections. The OpenSSL linked into PHP_CURL must support TLSv1.2.
The php_curl library links against its own copy of the OpenSSL library, which is not necessarily the same version that PHP's openssl extension (the openssl.so listed in php.ini) uses.
To verify your PHP and TLS versions
- To find the OpenSSL version information for cURL, run:
  php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'
  The ssl_version that curl_version() reports might differ from what openssl version reports, because they are different components.
- When you update your OpenSSL libraries, you must update the php_curl OpenSSL version and not the OS OpenSSL version.
- Download cacert.pem and TlsCheck.php.
- In a shell on your production system, run:
  php -f TlsCheck.php
  On success: PayPal_Connection_OK
  On failure: curl_error information
Notes:
- Make sure that your command line test uses the same versions of PHP and SSL/TLS libraries that your web server uses.
- If you use MAMP or XAMPP as your development setup, the PHP that is packaged with them uses an earlier version of OpenSSL, which you cannot easily update. For more information about this issue and a temporary workaround, see Unknown SSL protocol error.
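As an added example (not the TlsCheck.php the post links to, and not PayPal's code), here is a PHP script that reports which OpenSSL php_curl links against, checks it against the 1.0.1c minimum, and then makes a TLS 1.2-only, HTTP/1.1 connection with peer verification left on. The endpoint and the cacert.pem path are assumptions; run it with the same php binary your web server uses.

```php
<?php
// Added readiness check for the PHP/cURL stack; it is not the TlsCheck.php
// script the post links to. Run it with the same php binary the web server
// uses. The endpoint is an assumption: PayPal's own check script targeted
// https://tlstest.paypal.com/, and any TLS-1.2-only HTTPS host you trust works.
$endpoint = 'https://tlstest.paypal.com/';
$caBundle = __DIR__ . '/cacert.pem';  // assumed location of the downloaded bundle
// Compare "1.0.1c"-style OpenSSL versions. version_compare() is unsafe here:
// it treats the "b" in 1.0.1b as "beta", so letter suffixes are compared by hand.
function opensslAtLeast($have, $want) {
    $re = '/(\d+)\.(\d+)\.(\d+)([a-z]?)/';
    if (!preg_match($re, $have, $a) || !preg_match($re, $want, $b)) return false;
    for ($i = 1; $i <= 3; $i++) {
        if ((int)$a[$i] !== (int)$b[$i]) return (int)$a[$i] > (int)$b[$i];
    }
    return strcmp($a[4], $b[4]) >= 0;
}
// 1. The three OpenSSL copies the post describes are distinct; the one that
//    matters for payment gateways is the one php_curl links against.
$cv = curl_version();
printf("php_curl %s, TLS library: %s\n", $cv['version'], $cv['ssl_version']);
printf("PHP openssl extension: %s\n",
    defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'not loaded');
if (strpos($cv['ssl_version'], 'OpenSSL') === 0
        && !opensslAtLeast($cv['ssl_version'], '1.0.1c')) {
    fwrite(STDERR, "FAIL: php_curl's OpenSSL predates 1.0.1c; no TLSv1.2\n");
    exit(1);
}
// CURL_SSLVERSION_TLSv1_2 was added in PHP 5.5.19 / 5.6.3; the raw libcurl value is 6.
$tls12 = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;
// 2. Make a real TLS 1.2 + HTTP/1.1 connection, as the gateways will require.
$ch = curl_init($endpoint);
$opts = [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
    CURLOPT_SSLVERSION     => $tls12,
    CURLOPT_SSL_VERIFYPEER => true,   // do not disable verification to "fix" a failure
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_TIMEOUT        => 15,
];
if (is_readable($caBundle)) $opts[CURLOPT_CAINFO] = $caBundle;
curl_setopt_array($ch, $opts);
$body = curl_exec($ch);
if ($body === false) {
    fwrite(STDERR, "FAIL: " . curl_error($ch) . "\n");  // e.g. "Unknown SSL protocol error"
    exit(1);
}
printf("OK: HTTP %d over %s\n", curl_getinfo($ch, CURLINFO_HTTP_CODE), $cv['ssl_version']);
```

A failure here with an OpenSSL older than 1.0.1c in the first line of output means the fix is a newer php_curl build, not a change to the script.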