December 3, 2017 at 12:37 pm #9667
I have SSL in place – the host has updated to the latest cURL from the vendor Version 29.0-42
I’m not sure how to resolve the warning below
WARNING: Your server appears to have incompatibilities with PayPal’s requirements
cURL: 7.29.0, SSL: NSS/3.28.4
cURL version too low:
PayPal requires TLSv1.2, which requires cURL 7.34.0 or greater. Your server appears to be running an older version (7.29.0).
It’s correct that they are running 29.0-42 and they are telling me that’s the latest version.
Any ideas on this one?
Thank you in advance for your help
DebDecember 4, 2017 at 12:23 am #9672
cURL is currently at 7.57. See: https://curl.haxx.se/docs/releases.html
cURL 3.41 was released in December 2013. cURL 7.29 was released in February of that year. The requirement for 3.41 is not mine. PayPal requires TLS 1.2 and TLS 1.2 requires a cURL version that supports it.
P.S. I decided to do some math. There have been 1,692 bug fixes to cURL since the version your vendor says is up to date.December 8, 2017 at 5:27 pm #9699
Without commenting on whether it’s a good idea to be using older versions, I should point out that the error message is sometimes incorrect. Versions of cURL older than 7.34.0 can certainly support TLS 1.2.
For example, here’s the version supplied with Debian Wheezy:PHP12$ curl -Vcurl 7.26.0 (i486-pc-linux-gnu) libcurl/7.26.0 OpenSSL/1.0.1t zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
That version of cURL prompts this error message within Seamless Donations:PHP12cURL version too low:PayPal requires TLSv1.2, which requires cURL 7.34.0 or greater. Your server appears to be running an older version (7.26.0).
However, that cURL supports TLS 1.2 properly:PHP123456789$ curl https://tlstest.paypal.comPayPal_Connection_OK$ curl https://www.howsmyssl.com/...<p><span class="label okay">Good</span> Your client is usingTLS 1.2, the most modern version of the encryptionprotocol. It gives you access to the fastest, most secureencryption possible on the web.</p>
So the error message can be misleading. I’ve seen this same problem in another plugin; I suspect the confusion may have arisen because the cURL 7.34.0 binary was the first to offer the “–tlsv1.2” flag. However, that’s just the first version of cURL to offer the flag to force TLS 1.2; it’s not the first version of cURL to support TLS 1.2.
A reliable check of whether cURL (and everything else in the development stack) will work is to try a connection to <https://tlstest.paypal.com>. This is the method PayPal recommends here: <https://www.paypal.com/webapps/mpp/tls-http-upgrade>. If it works, you know that the current PHP/cURL stack works correctly without needing to compare version numbers, etc.
You must be logged in to reply to this topic.