It definitely sounds like a step up from the usual "we don't support TLS1.2, why don't you get a dedicated server."
Paypal 2016 Merchant Security Upgrades
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
The following statement is to clarify how the coming rollout of TLS v1.2 will affect SellerDeck users, particularly in relation to the earlier questions and statements in this thread. Hopefully it answers most of the questions above.
The general enforcement of TLS v1.2 has been postponed to June 2018. However, PayPal currently still intend to enforce it for their services by 16th June 2016. This date may slip, but there is no guarantee that it will.
Consequently all SellerDeck PayPal users need to take action by that date.
1) All PayPal online checkout integrations will require the web server to support TLS v1.2. Specifically the Perl module Crypt::SSL (which bundles Net::SSL) needs to support TLS v1.2. You must ensure that your web host will provide this support by 16th June. SellerDeck Hosting will be upgraded in good time, and this is already in progress.
We're investigating the possibility of providing a script that could be used to test 3rd party servers, but can't guarantee that we will be able to do so.
2) In SellerDeck 2013 and earlier the checkout communicates with PayPal using IPN and a mixture of http and https, depending on whether or not the checkout is secured. PayPal have indicated that they may enforce the use of https on 30th September 2016. In this case these versions may require modification, and may require the use of https for the checkout. We are awaiting more information from PayPal, and will provide further updates as soon as we can.
3) In SellerDeck 2014 and onwards the PayPal Website Payments integration is able to communicate securely with PayPal using PDT instead of IPN, provided you have entered your Identity Token in the Configuration dialog. In this case SSL on the checkout is not required, but TLS v1.2 support still is. Otherwise these versions function the same as earlier ones and have the same requirement.
4) PayPal services on the desktop (added in SellerDeck 2016) all rely on the version of PHP that's embedded with the SellerDeck application. This is currently an older version that does not support TLS v1.2. If you use the PayPal desktop integration then the PHP used by your SellerDeck application must be upgraded to v5.6.10. This upgrade will be included in SellerDeck 2016 (v16.0.2) which will be available mid-May.
This upgrade may affect plugins and design customisations that use PHP. You should check with your web designer and / or plugin provider that their code is compatible with PHP v5.6.10.
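Added example, not part of the original post and not SellerDeck's test script: one way to check from a hosting account whether outbound HTTPS connections (the direction the checkout uses to reach PayPal) can negotiate TLS v1.2. It assumes Python 3.7+ is available on the host and that Python and Perl link against the same system OpenSSL; the function names and the default host name are placeholders.

```python
import re
import socket
import ssl
import sys

# TLS 1.1 and 1.2 first appeared in OpenSSL 1.0.1; older builds cannot offer them.
FIRST_OPENSSL_WITH_TLS12 = (1, 0, 1)

def openssl_has_tls12(banner):
    """True if an 'OpenSSL x.y.z' banner (e.g. from `openssl version`) has TLS 1.2."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return tuple(int(part) for part in m.groups()) >= FIRST_OPENSSL_WITH_TLS12

def tls12_only_context():
    """Client context that verifies certificates and offers TLS 1.2 and nothing else."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_tls12(host, port=443, timeout=10):
    """Try an outbound handshake pinned to TLS 1.2; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()  # "TLSv1.2" on success
    except (ssl.SSLError, OSError) as exc:
        # Covers protocol mismatch, certificate failure, refused or timed-out connects.
        return False, "%s: %s" % (type(exc).__name__, exc)

def report(host, port=443):
    """Combine the local library facts with a live handshake attempt."""
    ok, detail = probe_tls12(host, port)
    return {
        "local_library": ssl.OPENSSL_VERSION,
        "library_tls12": ssl.HAS_TLSv1_2,
        "handshake_ok": ok,
        "detail": detail,
    }

if __name__ == "__main__":
    # Pass the HTTPS endpoint to test; the default is a placeholder, not a real host.
    target = sys.argv[1] if len(sys.argv) > 1 else "tls12-endpoint.example"
    for key, value in report(target).items():
        print("%-14s %s" % (key + ":", value))
```

A failed handshake here does not say which side lacks TLS v1.2, so run it against an endpoint known to accept TLS v1.2 before drawing conclusions about the host.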
-
I've pasted my Identity Token into the correct place just as it came off the PayPal website. I assume this is correct.
I'm slightly confused about what happens next.
Is the next step up to my host or Sellerdeck?
Scottish Gifts 4U - quality gifts from Scotland
-
Thanks Bruce, your post helps a lot.
We're investigating the possibility of providing a script that could be used to test 3rd party servers, but can't guarantee that we will be able to do so.
Mike
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
I just contacted Host-It on live chat.
It seems all their servers are TLS-1.2 compliant and they simply need to change the particular certificate of the website.
So next step is to raise a ticket and see what happens.
Scottish Gifts 4U - quality gifts from Scotland
-
Sounds like it's time I give 1and1 another call.
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------
-
Just had this from 1and1, so support for the new protocol is being deployed it would seem:
On 24 May 2016 we will update the operating system of our Linux Hosting servers, including the server your website is hosted on. This update will optimise resource utilisation, improve system security, and add support for TLS 1.2.
Please note that there will be new versions of scripting languages and new database libraries. If you use one of the following scripting languages or libraries for your website, please ensure that your scripts are compatible with the following versions that will be installed:
- Perl 5.20
- Python 2.70 and 3.4
- Ruby 2.1
- Berkeley DB 5.3
After the operating system update, we will only support 64-bit applications. Please note that with the update, we will no longer provide a 32-bit compatibility on our Linux Hosting servers.
Please prepare all necessary adjustments by 24 May 2016, to ensure that your website will remain functional even after the operating system update.
Additional details regarding the update will come later in a second e-mail.
Release notes for the operating system update can be found here:
https://www.debian.org/releases/stable/releasenotes
-
I just received this via email from 1and1 today which seems quite conclusive:
Dear Mr. Hughes,
On 24 May 2016 we will update the operating system of our Linux Hosting servers, including the server your website is hosted on. This update will optimise resource utilisation, improve system security, and add support for TLS 1.2.
Mike
Ooh. Karen. You changed your post while I was posting mine. I guess the email has been widely sent.
-----------------------------------------
First Tackle - Fly Fishing and Game Angling
-----------------------------------------