HowardR Posted March 20, 2017 Share Posted March 20, 2017 (edited) I just got a notice from PayPal that, starting in June 2017, versions older than TLS 1.2 and HTTP/1.1 will not be able to communicate with Payflow. Are we covered in Version 2.3.4? How about my stores that still run 2.3.3 - will I need to upgrade to 2.3.4 before June? https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US Edited March 20, 2017 by HowardR Quote Link to comment Share on other sites More sharing options...
♥mattjt83 Posted March 20, 2017 Share Posted March 20, 2017 I believe if you are using the PayPal App and are up to date with it you should be fine. Quote Matt Link to comment Share on other sites More sharing options...
Harald Ponce de Leon Posted March 20, 2017 Share Posted March 20, 2017 If you can connect to the sandbox server now then you will be able to continue to connect to the live server with TLS v1.2. The sandbox server already requires TLS v1.2 connections. If you cannot connect to the sandbox server, it is recommended to upgrade to the latest PayPal App version which has a configuration parameter to test and force TLS v1.2 connections. More information about the TLS v1.2 setting in the PayPal App can be read at: https://library.oscommerce.com/Package&en&paypal&oscom23&ssl_version Quote , osCommerce Link to comment Share on other sites More sharing options...
♥John W Posted March 20, 2017 Share Posted March 20, 2017 The server OS sets the level of encryption possible and you can test your ssl at https://www.ssllabs.com/ Quote I'm not really a dog. Link to comment Share on other sites More sharing options...
HowardR Posted April 2, 2017 Author Share Posted April 2, 2017 (edited) I think I finally understand the TLS 1.2 issue. This is a very serious issue. There are a lot of OSCommerce owners that will wake up to a nasty surprise on May 1. Those of you who are not new to this, please let me know if I am wrong in any of my statements below: 1. This only affects PayFlow, if you have PayPal Express Checkout also installed in your store, that should keep working. So you won't be able to accept Credit Cards, but you will be able to still accept PayPal payments. 2. PayPal threatened to require TLS 1.2 on May 1, 2016. but they relented. Now they say that they are going to require it on May 1, 2017. I think that they are going to follow through this time. 3. If you have an older PayPal PayFlow module installed, it will stop working on May 1. If you have version 3.1 of the PayFlow module installed on May 1, you are OK. 4. There are two versions of 3.1 on addons created by Harald Ponce de Leon. Both work. The best one is the newest: http://addons.oscommerce.com/info/9184 -- March 1, 2017 -- designed for upcoming OSCommerce 2.3.5 but works with tweaking for earlier versions http://addons.oscommerce.com/info/5660 - June 9, 2014 -- designed for the standard (not responsive) version of OSCommerce 2.3.4 5. These versions require TLS 1.2 (the latest security standard) which does not run on OpenSSL 0.9.8, which just happens to be the version of Open SSL that is installed on most servers these days, due to security problems that were encountered with early versions of OpenSSL 1.0.1 and 1.0.2. You can test which version of TLS 1.2 that you have by using the following php code in a simple php file on your system: <?php function get_tls_version($sslversion = null) { $c = curl_init(); curl_setopt($c, CURLOPT_URL, "https://www.howsmyssl.com/a/check"); curl_setopt($c, CURLOPT_RETURNTRANSFER, true); if ($sslversion !== null) { curl_setopt($c, CURLOPT_SSLVERSION, $sslversion); } $rbody = curl_exec($c); if ($rbody === false) { $errno = curl_errno($c); $msg = curl_error($c); curl_close($c); return "Error! errno = " . $errno . ", msg = " . $msg; } else { $r = json_decode($rbody); curl_close($c); return $r->tls_version; } } echo "<pre>\n"; echo "OS: " . PHP_OS . "\n"; echo "uname: " . php_uname() . "\n"; echo "PHP version: " . phpversion() . "\n"; $curl_version = curl_version(); echo "curl version: " . $curl_version["version"] . "\n"; echo "SSL version: " . $curl_version["ssl_version"] . "\n"; echo "SSL version number: " . $curl_version["ssl_version_number"] . "\n"; echo "OPENSSL_VERSION_NUMBER: " . dechex(OPENSSL_VERSION_NUMBER) . "\n"; echo "TLS test (default): " . get_tls_version() . "\n"; echo "TLS test (TLS_v1): " . get_tls_version(1) . "\n"; echo "TLS test (TLS_v1_2): " . get_tls_version(6) . "\n"; echo "</pre>\n"; ?> So, if you have a store that uses PayFlow and you are using an older PayPal module, you could find yourself in deep doodoo on May 1. You better start making the transition today. Edited April 2, 2017 by HowardR frankl 1 Quote Link to comment Share on other sites More sharing options...
HowardR Posted April 9, 2017 Author Share Posted April 9, 2017 Actually, the deadline is the *end* of May, not the beginning. Also, the June 9, 2014, add-on has the PayFlow modules while the March 17, 2017 version has other PayPal payment modules as well as some admin improvements that work with the PayFlow modules. Quote Link to comment Share on other sites More sharing options...
HowardR Posted April 12, 2017 Author Share Posted April 12, 2017 Now PayPal says that we have until the end of June before the change goes into affect. Quote Link to comment Share on other sites More sharing options...
sapguy Posted June 30, 2017 Share Posted June 30, 2017 Looks like it is pushed out again. https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1914 "UPDATEWhile we are allowing for these security updates to be made after June 30, 2017, we continue to recommend that you prioritize the changes and updated protocols specified by the PCI Council so you are best positioned to protect your customers from security and fraud-related issues." https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls "The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher)." ezfindit 1 Quote Link to comment Share on other sites More sharing options...
ezfindit Posted June 30, 2017 Share Posted June 30, 2017 Good news! Quote Chris Link to comment Share on other sites More sharing options...
Jack_mcs Posted July 1, 2017 Share Posted July 1, 2017 To be clear, that deadline is not what the actual gateways are following. Paypal switched today, authorize.net will switch in September and a others are switching at various other times. You need to make sure your host has TLS 1.2 installed and set to the preferred protocol. Quote Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
vampirehunter Posted July 8, 2017 Share Posted July 8, 2017 i have the paypal app installed on a edge/BS oscommerce im using paypal standard in the app I have configured my API using my paypal API username details and have a pdt token set. I dont have any information in the private key, public certificate or openssl fields in configure on the app. ive been able to accept payments. do i need to do anything in regards to this announcement? Quote Link to comment Share on other sites More sharing options...
vampirehunter Posted July 8, 2017 Share Posted July 8, 2017 On 02/04/2017 at 3:35 PM, HowardR said: I think I finally understand the TLS 1.2 issue. This is a very serious issue. There are a lot of OSCommerce owners that will wake up to a nasty surprise on May 1. Those of you who are not new to this, please let me know if I am wrong in any of my statements below: 1. This only affects PayFlow, if you have PayPal Express Checkout also installed in your store, that should keep working. So you won't be able to accept Credit Cards, but you will be able to still accept PayPal payments. 2. PayPal threatened to require TLS 1.2 on May 1, 2016. but they relented. Now they say that they are going to require it on May 1, 2017. I think that they are going to follow through this time. 3. If you have an older PayPal PayFlow module installed, it will stop working on May 1. If you have version 3.1 of the PayFlow module installed on May 1, you are OK. 4. There are two versions of 3.1 on addons created by Harald Ponce de Leon. Both work. The best one is the newest: http://addons.oscommerce.com/info/9184 -- March 1, 2017 -- designed for upcoming OSCommerce 2.3.5 but works with tweaking for earlier versions http://addons.oscommerce.com/info/5660 - June 9, 2014 -- designed for the standard (not responsive) version of OSCommerce 2.3.4 5. These versions require TLS 1.2 (the latest security standard) which does not run on OpenSSL 0.9.8, which just happens to be the version of Open SSL that is installed on most servers these days, due to security problems that were encountered with early versions of OpenSSL 1.0.1 and 1.0.2. You can test which version of TLS 1.2 that you have by using the following php code in a simple php file on your system: <?php function get_tls_version($sslversion = null) { $c = curl_init(); curl_setopt($c, CURLOPT_URL, "https://www.howsmyssl.com/a/check"); curl_setopt($c, CURLOPT_RETURNTRANSFER, true); if ($sslversion !== null) { curl_setopt($c, CURLOPT_SSLVERSION, $sslversion); } $rbody = curl_exec($c); if ($rbody === false) { $errno = curl_errno($c); $msg = curl_error($c); curl_close($c); return "Error! errno = " . $errno . ", msg = " . $msg; } else { $r = json_decode($rbody); curl_close($c); return $r->tls_version; } } echo "<pre>\n"; echo "OS: " . PHP_OS . "\n"; echo "uname: " . php_uname() . "\n"; echo "PHP version: " . phpversion() . "\n"; $curl_version = curl_version(); echo "curl version: " . $curl_version["version"] . "\n"; echo "SSL version: " . $curl_version["ssl_version"] . "\n"; echo "SSL version number: " . $curl_version["ssl_version_number"] . "\n"; echo "OPENSSL_VERSION_NUMBER: " . dechex(OPENSSL_VERSION_NUMBER) . "\n"; echo "TLS test (default): " . get_tls_version() . "\n"; echo "TLS test (TLS_v1): " . get_tls_version(1) . "\n"; echo "TLS test (TLS_v1_2): " . get_tls_version(6) . "\n"; echo "</pre>\n"; ?> So, if you have a store that uses PayFlow and you are using an older PayPal module, you could find yourself in deep doodoo on May 1. You better start making the transition today. i ran the script and got this on my hosting PHP version: 5.4.45 curl version: 7.36.0 SSL version: OpenSSL/1.0.1e SSL version number: 0 OPENSSL_VERSION_NUMBER: 1000105f TLS test (default): TLS 1.2 TLS test (TLS_v1): TLS 1.2 TLS test (TLS_v1_2): TLS 1.2 Quote Link to comment Share on other sites More sharing options...
Jack_mcs Posted July 8, 2017 Share Posted July 8, 2017 You should be all set. :) Quote Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.