TLS 1.2 and HTTP/1.1 Upgrade

PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2018.

You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make the appropriate updates.

The information below is highly technical and should be reviewed by one of the following:

Your web hosting company

Your ecommerce software provider

Your in-house web programmer/system administrator

In a Nutshell...

Merchants and partners use HTTPS to securely connect with PayPal servers. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To ensure the security of our systems and adhere to industry best practices, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections.

This change is complete as of June 28, 2018.

What do I need to do?

Single Logo

Note:

To avoid having to make versioning changes reactively in the future, we recommend that you code your system to always negotiate using the highest possible version.

If you’re using a downloaded shopping cart to connect to PayPal, please contact your web host or developer to take the appropriate next steps.

Technical Details

Sandbox and Payflow Pilot Endpoints – Ready Now

The PayPal Sandbox and Payflow Pilot endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the Production endpoints getting updated.

These endpoints only allow TLS 1.2 and HTTP/1.1 connections:

  • api.sandbox.paypal.com
  • api-3t.sandbox.paypal.com
  • api-aa.sandbox.paypal.com
  • api-aa-3t.sandbox.paypal.com
  • svcs.sandbox.paypal.com
  • pointofsale.sandbox.paypal.com
  • ipnpb.sandbox.paypal.com
  • www.sandbox.paypal.com
  • pilot-payflowpro.paypal.com
  • pilot-payflowlink.paypal.com

Production Endpoints - Ready Now

The Production endpoints will only allow TLS 1.2 and HTTP/1.1 connections:

  • api.paypal.com
  • api-3t.paypal.com
  • api-aa.paypal.com
  • api-aa-3t.paypal.com
  • svcs.paypal.com
  • pointofsale.paypal.com
  • ipnpb.paypal.com
  • www.paypal.com
  • payflowpro.paypal.com
  • payflowlink.paypal.com
  • xml-reg.paypal.com
  • payments-reports.paypal.com
  • cr.cybercash.com
  • securepayments.paypal.com
  • manager.paypal.com

Verify your systems at https://tlstest.paypal.com

PayPal has created a new endpoint – https://tlstest.paypal.com – to help you verify that your servers meet the latest encryption standards. This endpoint supports all of the encryption standards to which the PayPal endpoints are moving. Connect your servers to https://tlstest.paypal.com

  • On success: If the test environment responds with “PayPal_Connection_OK,” your servers are TLS 1.2-compliant and you’ve completed the updates correctly. Please note that you must test using your server, not your web browser. Also, please be sure to test all methods that you are currently using to connect to PayPal’s endpoints.

  • On failure: One of the following errors will occur depending on what your system does not support:

    • HTTP/1.1 - tlstest.paypal.com will return an HTTP 400 response with the following text in the body: “ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1”

    • TLS 1.2 - tlstest.paypal.com will return will return an HTTP 400 response with the following text in the body: “ERROR! Connection is using TLS version lesser than 1.2. Please use TLS1.2”

For Additional Help

We have put together language-specific testing notes for common environments. We expect significant impact to Java environments, including Android. Other environments, including .NET, PHP, Ruby, Python and Node.js, may also be affected.

For complete details see: Language-Specific Testing Notes