XF 1.5 user upgrades - TLS 1.2 message

[SnoSheriff]

I just noticed the following message in my user upgrades section

Starting June 18, 2016, PayPal will require all requests to use TLS 1.2 and your server does not have the required SSL libraries to support this. Without TLS 1.2 support, user upgrades will not be processed correctly. Please contact your host or system administrator for guidance.

What do I need to request from my server provider?

 

[Fred.]

You need to update SSL libraries on your server so they support TLS 1.2
Check Mike his post.
https://xenforo.com/community/threads/paypal-going-tls-1-2-only-in-june-2016.112050/#post-1040113

 

[SnoSheriff]

My server operators asked the following:

We can be strict with the protocols used. Meaning we have to disable SSLv2 and SSLv3 completely. Can we do that?

Obviously I don't want to break anything. What is the right thing to do and say?

 

[Mike]

They seem to be taking that as you only want your site to be accessible via TLS 1.2. That's not what the error is saying -- it's that PHP doesn't support making requests with TLS 1.2. Changing this may require updating OpenSSL, updating cURL, changing cURL to use a different SSL library, or (worst case) an OS change/server change. Unfortunately, this can be difficult to support without pretty fundamental changes.

 

[SnoSheriff]

I sent the message straight from XF console (listed in my original post above) but it's not clear to me and server operators what to do.

I'm a noob in this area. Please clarify what exactly should I be asking for? What is my request/requirement for the operators?

Thank you.

 

[Mike]

You need the necessary server libraries to support making outgoing requests using TLS 1.2 and these libraries need to be exposed to PHP (either via PHP itself or PHP's cURL extension).

 

[SnoSheriff]

My server ops still are not entirely clear on what needs to be done. They asked for my XF admin access so they can trace the 'error' message. Is that a good idea?

Is this the Paypal requirement page that this change will address? Is this something that my server ops may understand? I'd rather point them to the requirements stating what needs to be done on the server...

• https://devblog.paypal.com/upcoming-security-changes-notice/
  
• https://www.paypal-knowledge.com/in...t&widgetview=true&id=FAQ1914&viewlocale=en_US

 

[Mike]

Those are the correct pages. The flow chart on the second link is getting to "Does your system already support TLS 1.2 and HTTP/1.1?" and we're detecting that the answer is no (for TLS 1.2). There's also some PHP-specific discussion here: https://github.com/paypal/TLS-update

 

[teletubbi]

that a good idea?

Not at all.

My server ops still are not entirely clear on what needs to be done

To be honest.
They are selling server space for money.
Than it is their job to get this working.
Or to hire someone who can do this.

For example.
You buy a new car. You would expect, if the car is broken, that the car manufacturer is able to fix it. And not that you have to figure out how to do it and tell them.

 

[SnoSheriff]

Still working on this... How do I test to see if the server is configured correctly? What needs to be checked and what are the expected results? Thank you.

 

[Mike]

The user upgrades section dynamically detects whether PHP supports sending TLS 1.2 requests. If you don't see that message, your server supports it.

 

[SnoSheriff]

Ok, I no longer see a message in the "admin.php?user-upgrades/" section. However I see 14 error logs between 1:35AM-1:46AM (today):

Zend_Http_Client_Exception: Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol version - library/Zend/Http/Client/Adapter/Curl.php:423

What does this mean and what should I do?

As a side note, I received user upgrade Paypal at 2:18AM so I'm guessing that it's all working and maybe this error was logged during the TLS upgrade timeframe?

 

[Mike]

1.5.7 has changes to better support servers that don't support TLS 1.2 before PayPal brings these changes in. It sounds like that may have been affecting you, though if you now support TLS 1.2 and an upgrade was processed successfully, then you probably don't need these changes.

It's worth checking your PayPal logs to confirm that whoever bought the upgrade where this error occurred has been upgraded successfully. PayPal will retry failed IPN calls (which this is triggering) over the course of about 5 days, so I'm guessing it has gone through, but it's worth confirming.

 

[Rigo]

I just wish I knew someone who knew how to make all these changes and fix this for me.