Announcement

Collapse
No announcement yet.

Payflow integration upgrade information email

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Payflow integration upgrade information email

    I have had a number of store owners forward me an email from PayPal:

    Security and safety are top priorities for PayPal, but being a good partner to you is equally important. We announced last year our plans to strengthen our Payflow integration as part of a broader infrastructure security initiative. We’re now sharing more details with you.

    Payflow TLS 1.2 endpoint upgrade

    Payflow production endpoints are scheduled to be upgraded to TLS 1.2 starting after June 30, 2017. When that happens, we’ll no longer support TLS versions 1.0 and 1.1.

    In preparation for the upgrade, you’ll be able to test your integration in the Payflow Pilot environment after February 15, 2017. We strongly encourage you to adjust your configuration and test your integration prior to the Payflow Production upgrade currently scheduled starting after June 30, 2017.

    For more information on the Payflow TLS 1.2 upgrade, you can refer to our TLS 1.2 and HTTP/1.1 Upgrade Microsite.
    What needs to be done for these stores using Payflow?
    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    #2
    Make sure your engine and OpenSSL are up to date, that's it. If they're hosted with us, they shouldn't need to do anything unless they've specifically asked us to maintain an old engine for them.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com

    Comment


      #3
      Further info; stores need to be on an engine version of at least 5.22, AND using an OpenSSL version in the 1.x series. People hosting with other providers, or self-hosting, would want to double check both of those. The engine version can be seen in the store admin but the OpenSSL version would require someone checking on the server side. Servers running CentOS 6+ would be fine from an OpenSSL standpoint.
      David Hubbard
      CIO
      Miva
      [email protected]
      http://www.miva.com

      Comment


        #4
        Originally posted by ILoveHostasaurus View Post
        Further info; stores need to be on an engine version of at least 5.22
        I am curious about what lead you to this conclusion? I am running 5.20 on a self-hosted CentOS 6 server with the latest OpenSSL. Did someone tell you 5.22 or later specifically?

        Comment


          #5
          5.22 is the first version to explicitly attempt TLS first. Prior to that, it was left up to the OpenSSL library to choose, which on some platforms would default to SSLv3 and fail rather than SSLv3 first and TLS second or TLS first.
          David Hubbard
          CIO
          Miva
          [email protected]
          http://www.miva.com

          Comment


            #6
            Thanks! That is helpful! So my server supports TLS 1.2 and I can see in my browser that at least when I'm browsing secure pages on my site, it is using TLS 1.2. In addition I can disable SSLv2 an SSLv3 in my Apache configuration. Now perhaps that is completely irrelevant to the communication that happens between Miva and Payflow. So my question is along the lines of, how could I capture the request sent to Payflow and see that it is using TLS 1.2.

            I did note that Paypal has a test URL's like tlstest.paypal.com. I tried substituting this in the "host" field in the Miva admin paypal settings. The transactions I tried were successful, but I don't completely trust this result. I want to see under the hood.

            Comment


              #7
              Correct, the TLS between a visitor and your server will have no bearing on the connection from Miva Empresa to a payment gateway.

              If it worked talking to tlstest.paypal.com then you should be fine. I just verified that that server refuses SSLv3 connections:

              Code:
              # openssl s_client -ssl3 -connect tlstest.paypal.com:443
              CONNECTED(00000003)
              write:errno=104
              ---
              no peer certificate available
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 0 bytes and written 0 bytes
              ---
              New, (NONE), Cipher is (NONE)
              Secure Renegotiation IS NOT supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
                  Protocol  : SSLv3
                  Cipher    : 0000
                  Session-ID:
                  Session-ID-ctx:
                  Master-Key:
                  Key-Arg   : None
                  Krb5 Principal: None
                  PSK identity: None
                  PSK identity hint: None
                  Start Time: 1493774082
                  Timeout   : 7200 (sec)
                  Verify return code: 0 (ok)
              ---
              David Hubbard
              CIO
              Miva
              [email protected]
              http://www.miva.com

              Comment

              Working...
              X