Tinsle
Advanced Member
United Kingdom
342 Posts |
Posted - 06/28/2018 : 08:29:12
Thanks
We have not made any server changes yet. Our webhost has advised that removing the older TLS versions will not resolve the issue as there is a cURL handshake error that might be the cause.
We have contacted PayPal merchant support for more assistance on this matter first; for now no payments are being accepted through PayPal Express or hosted.
|
Tinsle
Advanced Member
United Kingdom
342 Posts |
Posted - 07/01/2018 : 02:13:41
Hi Andy,
We have disabled TLS 1.0 and TLS 1.1; however, the issue is still present.
Our web host has advised that there seems to be a handshake problem with the ppconfirm.php file.
If you add something to our cart and click on the PayPal button, it does not even divert to PayPal; it just displays an error message "PayPal Payment Pro error: SSL connect error".
The same error message "SSL connect error" appears when finalising payment through the hosted checkout cart.php page.
Please advise?
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/01/2018 : 02:50:57
Did you specifically ask your host to check if the cURL installation on your server is configured to use TLS1.2? You can refer your host to a method here to check: https://stackoverflow.com/questions/27904854/verify-if-curl-is-using-tls
Andy
|
Tinsle
Advanced Member
United Kingdom
342 Posts |
Posted - 07/01/2018 : 03:38:47
cURL version 7.19 is being used on the server. There does not seem to be an official later release for this?
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/01/2018 : 04:09:17
|
Tinsle
Advanced Member
United Kingdom
342 Posts |
Posted - 07/01/2018 : 07:27:14
Hello Andy,
If you type in our website address then /curl.php you will see that it shows a message that it is running TLS 1.0 however none of the config files are running an earlier version unless something is specifically forcing the server to run TLS 1.0 as opposed to TLS 1.2.
We are completely at a standstill on this. I'm surprised nobody else has mentioned the same problem as us yet.
|
Tinsle
Advanced Member
United Kingdom
342 Posts |
Posted - 07/02/2018 : 08:51:27
Hello Andy,
Our web host managed to locate the problem with the incfunctions.php file that did not specify a strict TLS version to be used. Even though we disabled TLS 1.0 and 1.1, the script in the incfunctions.php file allows it to communicate using TLSv1.0. So we have instead forced the handshake between our server and PayPal to communicate using TLSv1.2.
CentOS 6 (our Operating System) only supports up to cURL version 2.17, which without upgrading the whole OS (to CentOS 7) and rebuilding parts of the server meant we couldn't update the cURL component to the latest version. Also, there was no guarantee that upgrading the OS to CentOS 7 would have worked, as we had already disabled TLSv1 (and TLSv1.1) on the server and removed any related ciphers, yet somehow during the handshake the default cURL version used to communicate with PayPal was using TLSv1.0.
This is the code we added to force TLSv1.2 on incfunctions.php includes file:
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
(6 at the end refers to TLSv1.2)
Might be worth looking into the coding again on the incfunctions.php page to ensure it is more stringent for the upgrades PayPal have made from June 26th 2018 and ensure nobody else faces the same problems that we have.
Regards
Kev
|
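An added example, not part of the thread and not ECT code: a PHP probe for the outbound connection discussed above, pinning TLS 1.2 the same way as the `curl_setopt` line in the preceding post while keeping certificate verification on. The function name `probe_tls12` is hypothetical; the URL is one of the PayPal endpoints quoted in this thread.

```php
<?php
// Added example (not ECT code): probe an outbound HTTPS endpoint with the
// TLS version pinned to 1.2 and report what libcurl did.

// Older PHP builds lack the named constant; 6 is the value quoted in the post.
if (!defined('CURL_SSLVERSION_TLSv1_2')) {
    define('CURL_SSLVERSION_TLSv1_2', 6);
}

function probe_tls12($url)
{
    $info = curl_version();
    $result = array(
        'libcurl'     => $info['version'],      // e.g. the 7.19 build mentioned above
        'ssl_backend' => $info['ssl_version'],  // OpenSSL / NSS build string
        'pinned'      => false,
        'connected'   => false,
        'error'       => '',
        'handshake'   => '',
    );

    $log = fopen('php://temp', 'w+');           // receives libcurl's verbose trace
    $ch  = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_NOBODY, true);     // the handshake is all we need
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // never disable to "fix" SSL errors
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_STDERR, $log);
    // false here means libcurl rejected the value outright.
    $result['pinned'] = curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

    $ok = curl_exec($ch);
    $result['connected'] = ($ok !== false);
    if ($ok === false) {
        $result['error'] = curl_errno($ch) . ': ' . curl_error($ch);
    }
    curl_close($ch);

    rewind($log);
    $result['handshake'] = stream_get_contents($log);
    fclose($log);
    return $result;
}

print_r(probe_tls12('https://api-aa-3t.paypal.com/2.0/'));
```

If `pinned` is true and `connected` is false, the `error` and `handshake` fields show whether the server's cURL/SSL library could not complete a TLS 1.2 handshake, which is a server-side library issue rather than a web-server protocol setting.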
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/04/2018 : 10:49:48
Hi Andy, I set up a test site and upgraded to the latest version. I also worked with our hosting service and they checked the servers and there are no issues getting to PayPal gateways (nothing shows anything wrong in the log files or the firewall either).
I'm DESPERATE as all of my customers' PayPal accounts are now restricted and they can not get funds in or out $$$$$
Yet we still can not connect to the gateways for PayPal and process transactions.
Checkout with PayPal Express: PayPal Express (4) error: Error, couldn't connect to https://api-aa-3t.paypal.com/2.0/ (-2147012721). A security error occurred
Checkout with Credit Card: Error, couldn't connect to https://api-aa-3t.paypal.com/2.0/ (-2147012721). A security error occurred
Also, neither of these URLs works either, the pages just never respond:
https://ipnpb.sandbox.paypal.com/cgi-bin/webscr
https://ipnpb.paypal.com/cgi-bin/webscr
NOTE: I am emailing you some additional information but everything points to the ECT code causing the issue.
HELP!
Edited by - asanborn on 07/04/2018 10:52:47
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/05/2018 : 00:30:08
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/05/2018 : 05:51:51
2008 sp2 enterprise server
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/05/2018 : 11:07:04
Andy any news yet! I have customers down AND PayPal has their accounts on hold. This means no money in or out!
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/05/2018 : 11:49:45
Sorry, I missed your reply earlier. After checking it seems the version, although old, is ok if the tls1.2 update was applied after April this year. I would check that with your host. You sent me a URL of one updated site and it failed our ppconfirm tls check - any other sites will need their own updater though. You say that you believe it's a coding problem; that is unlikely to be honest and often a comment used by some hosts to deflect blame. Who are you hosting with by the way?
Andy
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/05/2018 : 11:57:20
I will send the hostname directly to you but I still have to open the question of if you know of anyone that could take a look at our server?
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/06/2018 : 01:04:32
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/06/2018 : 07:43:23
PayPal have replied and are looking into it. This is part of their reply:
"TLS 1.2 is not ruled out yet as the SSL Labs only checks incoming connections, but the security error would be for an outbound connection. We can check some information on our side to see if it is TLS 1.2 related."
Andy
|
Andy
ECT Moderator
95440 Posts |
Posted - 07/06/2018 : 08:16:09
This is their latest reply:
"This does appear to be TLS 1.2 related. Please contact the customer and have them file a ticket through https://www.paypal-techsupport.com. They can file it as a Priority 1 ticket since they are not receiving payments."
Andy
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/07/2018 : 12:32:58
Andy, all our ticket to PayPal Tech support was a reply with links to common PayPal graphics on PCI technical pages for compliance and tell us to hire an Approved Integrator ... and have a great weekend! grhhh
PayPal does not want to provide any assistance! What a waste of time.
We can not prove it is code or the server but ...
We have:
A. our server as TLS 1.2 and we even turned off TLS 1.1
B. upgraded our sites to 6.9.3 ASP
C. the carts do connect to USPS and get a valid quote
D. Hosting providers assure us that TLS 1.2 is working.
E. Our customers are PayPalPro Accounts
F. This means they are using:
The "Classic" Production environment will allow the use of the POST on 6/30/18 method only for classic NVP/SOAP API requests to:
api.paypal.com
api-aa.paypal.com
api-3t.paypal.com
api-aa-3t.paypal.com
But we can not connect to PayPal to process the transaction! There is nothing in the Firewall or in the Server Log Files
Checkout via either checkout method fails:
PayPal Express (4) error: Error, couldn't connect to https://api.paypal.com/2.0/ (-2147012852).
Credit Card: Error, couldn't connect to https://api-aa-3t.paypal.com/2.0/ (-2147012721). A security error occurred
Literally, we have been around the world and back again for 7 days now and feel like we have made no headway!
All of the sites seem to work otherwise.
We really could use some Fresh input on what else could be tested or tried.
HELP!
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/07/2018 : 13:18:09
OK ANSWER: This works for PHP and ASP.
We wasted 7 days and have a lot of ticked off clients and here is the answer.
This is a combination of issues. ECT Code does not specifically state the version of TLS in one of the files or include. So code will grab a version of TLS and run with it. PayPal's instructions were they only support TLS 1.2 everywhere. We were advised to turn off versions that were not 1.2
Clue, SQL server quit working on the server as a result of turning off 1.0 (saw another ticket referencing this issue), this also broke our server control panel adding salt to the wound during the missing to get websites back up.
SOLUTION: We turned on ALL versions, 1.0, 1.1 and 1.2 of TLS and now PayPal API gateways are happy.
So all sites we upgraded to 9.6.3 ECT versions were unnecessary along with all the bug fixes and tweaks needed to get the sites to work. Note: Popup cart quit working when we upgraded. So we are turning off the popup to deal with it another day.
|
insight
ECT Moderator
USA
4479 Posts |
Posted - 07/09/2018 : 09:35:34
Small note to add to this: there's quite a lot of misinformation in this thread, and while it's good that the OP seems to have got things working for themselves, the proposed "solution" consists of bad advice that should not be followed by others. It isn't necessary and weakens the security of your site, in addition to being out of compliance with PCI/DSS. TLS v1.2 only is the recommended way to proceed and has been battle tested by us on both Windows and Linux with no ill effects. It works fine.
Peter
|
asanborn
Ecommerce Template Guru
USA
1404 Posts
|
Posted - 07/09/2018 : 13:43:37
We had "only" 1.2 version running and PayPal told us we were non-compliant.
In addition, our SQL server, which runs our server control panel, quit working when only 1.2 was turned on. Note: There is another thread in ECT who had their SQL stop working as well.
ONLY when we had 1.1 and 1.0 reactivated did PayPal approve our sites as compliant. Go Figure!
Please advise.
|
|