Hi Robert!
We have been working with Stripe on the best way to handle this for a few months now.
Here’s a quote from the Stripe developer:
Trying to set the appropriate CURLOPT_SSLVERSION option based on OPENSSL_VERSION_NUMBER has caused issues for some of our users. After looking at a lot of different systems and configurations, we’ve decided that the best course of action is to follow the advice from PHP’s documentation:
Your best bet is to not set this and let it use the default.
and provide a way for our users to manually set CURLOPT_SSLVERSION themselves if they need to.
For more information, see the PR here: stripe/stripe-php#299.
I hope this helps!
Please let us know if you have any further questions.
Cheers!
Danny – WooCommerce Support
Hi Danny,
Thanks for your reply.
So, you will be providing a way in the plugin, before January, to expose the ability to force TLS1.2 as per this part of the stripe-php readme:
https://github.com/stripe/stripe-php#ssl–tls-compatibility-issues
Is that what I understand correctly? Some checkbox or setting in the WP Admin preferences for the plugin that will let us do this?
Otherwise, we would have to modify the plugin code ourselves to force this change (and maintain it as a patch to apply with each successive update). Not ideal for us or any of the countless other CentOS/RHEL users in this situation.
Thanks for your help.
Best,
Robert
Hi Danny,
I also note here:
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.8#line-76
that “TLS 1.2 has been enabled by default in various packages” — whether the standard cURL/OpenSSL package is among them I am not sure yet. I will do some testing.
Best,
Robert
Hi Danny,
My tests on CentOS 6.8 so far reveal that cURL with OpenSSL is using TLS1.2 by default without having to explicitly set it.
Best,
Robert
Hi Robert!
If my understanding is correct, you have to make sure your server is running TLS 1.2 – and the extension will work fine.
If you don’t meet the TLS 1.2 requirement, the extension won’t work.
Please let us know if you have any further questions.
Hi Daniel,
Responding here in case it helps someone else during a search for more information.
To say that if “your server is running TLS 1.2 – and the extension will work fine” is a great oversimplification of the problem.
Centos 6.8 was running TLS 1.2, but cURL was not using TLS 1.2 as the default. As of the latest point-release update, it is defaulting to TLS 1.2. So, there is no further action required. Previously, to get TLS 1.2 to work, some version of the code change I posted at the top of this message was required.
Hopefully this helps anyone else on a system using back-ports to ensure security and lock versions of software (RHEL, CentOS) in case they have TLS 1.2 installed but not being used as the cURL default.
I will close this for now, since our own issue is resolved.
Best,
Robert
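Added example, not code from this thread, from WooCommerce or from stripe-php: it shows the two things discussed above side by side, the "leave CURLOPT_SSLVERSION unset unless the operator opts in" approach the Stripe developer describes, and a quick check of which TLS version libcurl actually negotiates with a given set of options, which is what Robert tested on CentOS 6.8. It assumes stripe-php is installed via Composer and that its `\Stripe\HttpClient\CurlClient` constructor and `\Stripe\ApiRequestor::setHttpClient()` behave as its README's TLS section describes; the `FORCE_TLS12` environment variable stands in for a hypothetical plugin setting, and the verbose-log parsing is a heuristic whose wording depends on the curl TLS backend.

```php
<?php
// Added example; not from the thread, WooCommerce or stripe-php.
require 'vendor/autoload.php'; // assumes stripe-php installed via Composer

/**
 * Build the curl options an operator has explicitly chosen to force.
 * Leaving CURLOPT_SSLVERSION unset keeps libcurl's own default, which is
 * the behaviour the Stripe developer quoted in the thread recommends.
 */
function stripe_forced_curl_options($force_tls12)
{
    if (!$force_tls12) {
        return array();            // default: let libcurl negotiate
    }
    // PHP >= 5.5 defines CURL_SSLVERSION_TLSv1_2; libcurl's enum value is 6.
    $tls12 = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;
    return array(CURLOPT_SSLVERSION => $tls12);
}

/**
 * Report which TLS version libcurl negotiated for a HEAD request to $url.
 * Parses the "* SSL connection using ..." line from curl's verbose log.
 * The wording depends on the TLS backend (OpenSSL prints "TLSv1.2 / <cipher>",
 * older NSS builds print only the cipher-suite name), so a null result means
 * "could not tell", not "TLS 1.2 unsupported".
 */
function curl_negotiated_tls($url, array $extra_opts = array())
{
    $log = fopen('php://temp', 'w+');
    $ch  = curl_init($url);
    // Array union: keys in $extra_opts take precedence over the defaults.
    curl_setopt_array($ch, $extra_opts + array(
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate verification on
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
        CURLOPT_TIMEOUT        => 15,
    ));
    curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    rewind($log);
    $text = stream_get_contents($log);
    fclose($log);

    if ($err !== '') {
        return array('tls' => null, 'error' => $err);
    }
    $tls = preg_match('/SSL connection using ([A-Za-z0-9_.]+)/', $text, $m) ? $m[1] : null;
    return array('tls' => $tls, 'error' => null);
}

// ---- usage ----
$force = getenv('FORCE_TLS12') === '1';     // hypothetical plugin setting
$opts  = stripe_forced_curl_options($force);

// Hand the chosen options to stripe-php's HTTP client, as its README describes.
$client = new \Stripe\HttpClient\CurlClient($opts);
\Stripe\ApiRequestor::setHttpClient($client);

// Check what the same options negotiate against Stripe's API host.
$result = curl_negotiated_tls('https://api.stripe.com/', $opts);
if ($result['tls'] !== null) {
    echo 'negotiated: ', $result['tls'], PHP_EOL;
} else {
    echo 'no TLS version parsed', $result['error'] ? ': ' . $result['error'] : '', PHP_EOL;
}
```

Run it once with `FORCE_TLS12` unset to see what the system's libcurl picks on its own (Robert's finding was TLSv1.2 on an updated CentOS 6.8), and once with `FORCE_TLS12=1` to confirm the override path works; a connection error in the forced run, rather than a negotiated version, is the symptom of a libcurl or OpenSSL build that cannot do TLS 1.2 at all, which no plugin setting can fix.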