
RHEL/CentOS 6.7 - cURL needs explicit TLS > 1.0 option - PCI DSS deadlines

Running the latest RHEL/CentOS 6.7 packages, libcurl does not auto-negotiate higher than TLS 1.0 (e.g., TLS 1.2 or 1.1) by default. One workaround is to specify the use of TLS, such as:

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); (or forcing it to a specific version of TLS).

One major issue that is upcoming is PayPal will be requiring TLS 1.2 come June 17, 2016, possibly among other providers as well, due to PCI DSS deadlines. Currently there is no option for curl's SSLVERSION within Magento, therefore core has to be manually patched (or running a custom version of libcurl, which we prefer not to do).

It's believed that the patch for libcurl will be in RHEL 6.8, but there is an unknown ETA for that (or even a beta yet). In order to handle a 6.8 release after June 17th, or older versions of libcurl, are there any plans to update the core PayPal package to either enable TLS auto-negotiation or the ability to specify which TLS version?

We'll also need a solution for Authorize.Net due to the same TLS issue (and any other PCI DSS API endpoint). Although Auth.Net's latest update (as of Feb 2016) is that TLS 1.0 will be disabled early 2017.

Thanks
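The workaround described in the post, written out as a small stand-alone PHP script. This is an added example, not Magento core code and not code from the original poster. It pins the cURL handle to TLS 1.2 where the local libcurl is new enough to understand that option (7.34.0 introduced CURL_SSLVERSION_TLSv1_2), and otherwise falls back to the post's CURL_SSLVERSION_TLSv1 setting; the endpoint URL is a placeholder, and certificate verification is left on so that forcing the protocol version does not silently weaken the rest of the connection.

```php
<?php
// Added example: force a modern TLS version on a cURL handle.
// Not Magento code; the URL below is a placeholder, not a real endpoint.

// PHP builds older than 5.5 do not define CURL_SSLVERSION_TLSv1_2.
// libcurl's value for it is 6; defining it here keeps the script portable.
if (!defined('CURL_SSLVERSION_TLSv1_2')) {
    define('CURL_SSLVERSION_TLSv1_2', 6);
}

/**
 * Pick the strictest CURLOPT_SSLVERSION value the local libcurl honours.
 * libcurl >= 7.34.0 accepts TLSv1_2; older builds only know TLSv1, which
 * is the setting the post uses as its workaround on RHEL/CentOS 6.7.
 */
function chooseSslVersion()
{
    $info = curl_version();
    if (version_compare($info['version'], '7.34.0', '>=')) {
        return CURL_SSLVERSION_TLSv1_2;
    }
    return CURL_SSLVERSION_TLSv1;
}

/**
 * Build a cURL handle with the TLS version pinned and peer verification on.
 */
function buildTlsHandle($url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => chooseSslVersion(),
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,      // verify the hostname in the cert
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));
    return $ch;
}

$url = 'https://example.invalid/'; // placeholder endpoint (assumption)

$info = curl_version();
fwrite(STDERR, "libcurl {$info['version']} ({$info['ssl_version']}), "
    . "CURLOPT_SSLVERSION=" . chooseSslVersion() . "\n");

$ch   = buildTlsHandle($url);
$body = curl_exec($ch);
if ($body === false) {
    // CURLE_SSL_CONNECT_ERROR (errno 35) is the usual symptom when the
    // handshake cannot agree on a protocol version the server still accepts.
    fwrite(STDERR, 'cURL error ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n");
} else {
    fwrite(STDERR, 'HTTP ' . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n");
}
curl_close($ch);
```

Run it against a test endpoint that has already disabled TLS 1.0 (for example a provider's sandbox announced in the post) and watch the stderr line: a successful HTTP status with CURLOPT_SSLVERSION=6 confirms the local libcurl negotiated TLS 1.2, while errno 35 with the TLSv1 fallback is the signature of the RHEL 6.7 build that cannot go above 1.0.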

2 REPLIES

Re: RHEL/CentOS 6.7 - cURL needs explicit TLS > 1.0 option - PCI DSS deadlines

Bump