PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2018. You will need to check that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates by 30 June 2018.
Merchants and partners use HTTPS to connect with PayPal servers securely. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To ensure our systems' security and adhere to industry best practices, we are updating our services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections. To help us avoid any disruption to your service, you'll need to check that your systems are ready for this change by 30 June 2018. To help you understand the areas of your integration that still require work, we'll conduct brief rounds of testing throughout June to demonstrate the upgraded security experience.
To avoid having to make versioning changes reactively in the future, we recommend that you code your system to always negotiate using the highest possible version.
The PayPal Sandbox and Payflow Pilot endpoints have been configured with the latest security standards, which the Production endpoints will be moving to. You can use these endpoints to verify that your code supports the required standards prior to the Production endpoints being updated.
These endpoints only allow TLS 1.2 and HTTP/1.1 connections:
The Production endpoints will only allow TLS 1.2 and HTTP/1.1 connections:
PayPal has created a new endpoint – https://tlstest.paypal.com – to help you check that your systems can support the latest security standards. This endpoint supports all of the security standards that the PayPal endpoints are moving to.
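The following Python sketch is an added example, not PayPal's code: it builds a client context with a TLS 1.2 floor and no pinned ceiling, as recommended above, and probes the test endpoint named in this notice. The function names, and the reading that a newer TLS version also passes, are this example's assumptions.

```python
import http.client
import ssl

TEST_HOST = "tlstest.paypal.com"  # test endpoint named in this notice


def build_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 floor, no ceiling, certificate checks on."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # do not pin a version
    return ctx


def runtime_report() -> dict:
    """What the local Python/OpenSSL build supports (no network needed)."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls1_2_supported": ssl.HAS_TLSv1_2,
        "tls1_3_supported": ssl.HAS_TLSv1_3,
    }


def meets_requirements(tls_version: str, http_version: int) -> bool:
    """tls_version as SSLSocket.version() returns it; http_version as
    http.client reports it (10 = HTTP/1.0, 11 = HTTP/1.1).
    Assumption of this example: TLS 1.2 or newer counts as a pass."""
    return tls_version in ("TLSv1.2", "TLSv1.3") and http_version == 11


def probe(host: str = TEST_HOST, timeout: float = 10.0) -> dict:
    """Connect once and report the negotiated TLS and HTTP versions."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=build_context())
    try:
        conn.connect()                     # handshake happens here
        tls_version = conn.sock.version()  # read before the socket is released
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return {"ok": meets_requirements(tls_version, resp.version),
                "tls": tls_version, "http": resp.version, "status": resp.status}
    except (ssl.SSLError, OSError) as exc:  # handshake or network failure
        return {"ok": False, "error": str(exc)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(runtime_report())
    print(probe())
```

Run it from the same host and runtime that makes your PayPal calls, since TLS support depends on the OpenSSL build that runtime is linked against.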
We’ve put together language-specific testing notes for common environments. We expect significant impact to Java environments, including Android. Other environments, including .NET, PHP, Ruby, Python and Node.js, may also be affected.
For full details, read our Language-Specific Testing Notes.