PayPal’s TLS 1.2 and HTTP/1.1 Upgrade and How it Could Impact Your Membership Site

PayPal has announced several security updates set to roll out in 2016 which will impact sites using PayPal gateways. This post covers the TLS 1.2 and HTTP/1.1 upgrade scheduled for June 17, 2016. If all actors involved (your host, WordPress, Paid Memberships Pro, and PayPal) update before June (we plan to), you should experience no disruption in your service. However, if you are using the PayPal sandbox environment now or otherwise want to make sure your host and website are ready, please review the content below.

We’ve outlined the steps to take now to ensure compatibility and avoid a disruption of service.


Note: The contents of this post are highly technical and should be reviewed by your web hosting company and an experienced web developer.

About the TLS 1.2 and HTTP/1.1 Upgrade

PayPal is upgrading the protocols used to secure all external connections made to their system. This includes every connection your site makes with PayPal (onsite or offsite Membership Checkout and via IPN). TLS 1.2 and HTTP/1.1 will become mandatory for communication with PayPal on June 17, 2016.

The latest versions of Paid Memberships Pro have already been updated to use HTTP 1.1 in its API calls to PayPal. However, your server still needs to be updated to use TLS 1.2 for SSL communication.

If your server does not support TLS 1.2 and HTTP/1.1, payments processed via PayPal gateways (PayPal Express, PayPal Standard, and PayPal Website Payments Pro) will fail. You may notice the following error message after clicking to checkout at PayPal:

methodName_ failed: SSL connect error

In addition to this PayPal security update, WordPress also needs to be updated to specify the SSLVERSION for cURL to support PayPal Express moving to TLS 1.2.


Verify Support for TLS 1.2 and HTTP/1.1 With Your Webhost

To avoid disruption in service, you must first verify if your web server supports these security protocols. Contact your web host and find out if your server supports TLS 1.2 and HTTP/1.1. If the answer is no, you will need to work with your web host to enable support. In general, the host only needs to “upgrade OpenSSL to the latest stable version”.


Specify the SSLVERSION for cURL in your WordPress Site

After verifying that your server supports TLS 1.2 and HTTP/1.1, you will also need to make an update to your WordPress site to set an SSLVERSION for cURL (a tool on your server that transfers data from or to a server, using one of the supported protocols). For your site to continue to be able to communicate with PayPal, you need to set your version of cURL to explicitly use the TLS 1.2 protocol. Setting this version prior to PayPal’s TLS 1.2 rollout should not impact current communications with PayPal.

Here’s a code gist for setting the SSLVERSION for cURL that we will continue to develop and improve over time. Copy this code into your active theme’s functions.php file or a custom plugin.

Note: This or some version of this code will be moved in Paid Memberships Pro core or WordPress core prior to the security update in June. The above code gist is only needed if you need to use PMPro with PayPal in sandbox mode in the meantime or if you want to be sure your site will be ready before the updates roll out in the coming months.

Test Checkout via the PayPal Sandbox

The PayPal Sandbox endpoints have already been configured with the latest security standards to which the Production endpoints will be moving.

You can set your Payment Gateway in Paid Memberships Pro to the PayPal Testing/Sandbox Mode to verify support prior to the security release on July 17. See this post on PayPal Sandbox with Paid Memberships Pro »