Everything has been working fine for years. As of August 2018, my eccommerce site has an error when processing the payments upon submission. I get "Error, couldn't connect to https://api-aa-3t.paypal.com/2.0/ (-2147012739). An error occurred in the secure channel support."

My server is TLS 1.2 compliant, and I have a valid G5 2048 bit SSL certificate. Other sites that I host using PayPal Websites Payment Pro work fine using other eccomerce solutions. This is just happening to my eccomerce templates. I ran the updater with the latest version, but did not change the outcome. I looked at the older versions of the eccomercetemplates code to compare the PayPal scripts in cart.asp. Nothing looks to have been updated for years as far as PayPal code.

PayPal support seems to think it's a TLS ussue with a legacy method of passing the payment info in the code of the eccomerce template. Has anything been updated/patched to address this issue to be in compliance with PayPal's developer specs for the new TLS 1.2 standards as listed here https://www.paypal-notice.com/en/ ?

All SSL and TLS tests pass:
https://tlstest.paypal.com/ reveals "PayPal_Connection_OK"
https://www.htbridge.com/ssl/?id=LI0AlTYN TLS/SSL test passes with flying colors.

Please help.

Hi

As far as I'm aware there was nothing we had to change on our side but we did set up a test here for TLS1.2 when UPS required it. Can you have a look at the post here and see what you get back

https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=107642

From the test results link I see this

The server has TLS 1.0 enabled. Since the 30th of June 2018 it is non-compliant with PCI DSS 3.2.1.

and I don't think there is now any reason to have TLS1.0 enabled.

Andy

Please feel free to review / rate our software

Hi Andy:

Thank you for the reply. I read through the link that you sent me. Yes, we have TLS 1.0, 1.1 & 1.2 enabled. However, other ecommerce websites (VP.ASP) and using the same type of PayPal payment provider, and using TLS 1.2 just fine without issue. I don't see an requirement to disable TLS 1.0, for as long as TLS 1.2 is enabled. I think what this comes down to is, how do we make ecommerce templates to specifically utilize the TLS 1.2 protocol when it passes the payment information?

Thanks.

My understanding is that for security and compliance only a minimum of TLS1.2 should be supported by the host.

Andy

Please feel free to review / rate our software

Hi Andy:

All versions of TLS have been disabled on the server except TLS 1.2 as you can see here: https://www.ssllabs.com/ssltest/ and enter for www.reducemyenergy.com or www.accountantsmarketing.com to test.

However, the -2147012739 error message at checkout still occurs. I also followed all suggestions and edited policy settings as indicated in the link you shared earlier as it relates to the UPS TLS issue.

Any other ideas? Thanks.

Let me have a closer look and do some checking and I'll get back to you.

Andy

Please feel free to review / rate our software

Yesterday when I ran our test at your page https://www.yourstoreurl.com/vsadmin/ppconfirm.asp?ppdebug=tls I received a blocked by Norton message, today it is coming up correctly as

Testing URL: https://ipnpb.sandbox.paypal.com/cgi-bin/webscr
Result : INVALID
This is a good/correct result as it shows that communication with the PayPal server was successful and the transaction was of course rejected as invalid.

So that suggests the TLS1.2 check is good now (I'm pretty sure it was blocked yesterday) - has it made any difference to PayPal orders?

Andy

Please feel free to review / rate our software

Hi Andy:

We don't have Norton, so I don't know how you could have received that kind of message yesterday. Our site currently has the same error when processing cards. I have been in touch with PayPal merchant support, and they are not even receiving the payment attempt on their end. It is as if something should be specified in the code to force TLS 1.2 in the eccomerce templates code.....maybe the legacy scripting is no longer accepted by PayPal. That is just what it seems at this point. Any other ideas?

Thank you.

I thought I would point out here, that it must be a server setting because many many ect users use paypal without having this issue. I haven't seen any servelink users (that's who we use) reporting this issue.
Considering that, I expect it's a server setting.
If TLS1.0 and TLS1.1 are no good anymore, why would the server even allow it?
I think rather than add some unnecessary code to the software to force 1.2, your server should disallow 1.0 and 1.1. Of course I do not speak for ECT, so this is my thoughts only, and I may be off base, it's just an observation.

Having the TLS 1.2 protocol wan't enough. Despite passing all TLS/SSL tests and the PayPal test link, I knew there was something going on where ecommerce sites was not using TLS 1.2. After many hours and days, I found this this Microsoft EasyFix link below and it fixed the issue. The fix forces the Windows O/S to use the TLS 1.2 protocol by default, no matter what.

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Thanks for your help. I hope others find this helpful!

Glad you were able to sort that out and thanks for letting us know how you achieved it.

Andy

Please feel free to review / rate our software