wepay / PHP-SDK

WePay APIv2 SDK for PHP
https://www.wepay.com/developer
Apache License 2.0

Use of undefined constant CURL_SSLVERSION_TLSv1_2 #26

Closed rmullaney77 closed 7 years ago

rmullaney77 commented 7 years ago

Very easy fix for PHP versions prior to CURL_SSLVERSION_TLSv1_2 constant being available...

somewhere before...

curl_setopt(self::$ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

executes, add...

if ( ! defined('CURL_SSLVERSION_TLSv1_2')) {
    define('CURL_SSLVERSION_TLSv1_2', 6);
}

matthewclower commented 7 years ago

@rmullaney77,

Per PCI-DSS we require all new implementations use at least TLS 1.2 and though we appreciate your suggestion we are unable to make this change.

By defining the constant manually the interpreter is able to proceed without error but the connection that results is not TLS 1.2 unless the extension also supports it. Defining the constant if it does not exist is not sufficient and connections not using at least TLS 1.2 will be rejected once support for TLS versions below 1.2 has been fully deprecated by WePay.

TLS 1.2 is available via the PHP cURL extension as of version 7.34.0 of cURL and you can check your support like this:

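<?php
// Report the PHP and libcurl versions in use.
echo ' PHP version: ' . phpversion() . PHP_EOL;
echo 'cURL version: ' . curl_version()['version'] . PHP_EOL;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.howsmyssl.com/a/check");
// 6 is the value of CURL_SSLVERSION_TLSv1_2; the literal also works where the constant is undefined.
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
// curl_exec() returns false on failure, for example when the handshake cannot complete.
if ($response === false) {
    exit('cURL error: ' . curl_error($ch) . PHP_EOL);
}
curl_close($ch);

// howsmyssl.com reports the negotiated protocol version in its JSON response.
echo ' TLS version: ' . json_decode($response)->tls_version . PHP_EOL;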

NOTE that it is now possible to open connections using TLS 1.2 in earlier versions of PHP:

$php54 curl_test.php 
 PHP version: 5.4.45
cURL version: 7.50.3
 TLS version: TLS 1.2
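
An offline complement to the live check above, added here as an example and not part of the thread or the WePay SDK: it judges TLS 1.2 capability from what `curl_version()` reports rather than from whether the constant is defined. The function name `tls12_preflight`, its messages and the sample version strings are assumptions made for the example; the OpenSSL 1.0.1 threshold is the release in which OpenSSL gained TLS 1.2, and other TLS backends are reported without being judged.

```php
<?php
// Added example: decide TLS 1.2 capability from the libcurl build, not from
// the presence of CURL_SSLVERSION_TLSv1_2 (hypothetical helper, not SDK code).
function tls12_preflight(array $info)
{
    $problems = array();

    // libcurl can select TLS 1.2 from 7.34.0 onward (figure given in the thread).
    if (version_compare($info['version'], '7.34.0', '<')) {
        $problems[] = "libcurl {$info['version']} is older than 7.34.0";
    }

    // libcurl hands the handshake to a TLS backend. OpenSSL supports TLS 1.2
    // from 1.0.1 onward; other backends (NSS, GnuTLS, ...) are not judged here.
    $backend = isset($info['ssl_version']) ? $info['ssl_version'] : '';
    if ($backend === '') {
        $problems[] = 'libcurl reports no TLS backend';
    } elseif (preg_match('#^OpenSSL/(\d+\.\d+\.\d+)#', $backend, $m)
        && version_compare($m[1], '1.0.1', '<')) {
        $problems[] = "TLS backend $backend is older than OpenSSL 1.0.1";
    }

    return $problems;
}

// Constructed inputs. 'old' is a stack where defining the constant by hand
// would silence the notice without adding TLS 1.2. 'php54' mirrors the cURL
// version in the output above; its OpenSSL string is made up for the example.
$samples = array(
    'old'   => array('version' => '7.19.7', 'ssl_version' => 'OpenSSL/0.9.8k'),
    'php54' => array('version' => '7.50.3', 'ssl_version' => 'OpenSSL/1.0.2j'),
);
if (function_exists('curl_version')) {
    $samples['this host'] = curl_version();
}

foreach ($samples as $name => $info) {
    $problems = tls12_preflight($info);
    $constant = defined('CURL_SSLVERSION_TLSv1_2') ? 'defined' : 'undefined';
    echo $name . ': '
        . ($problems ? implode('; ', $problems) : 'libcurl build can negotiate TLS 1.2')
        . " (constant $constant on this PHP)" . PHP_EOL;
}
```

A clean result here only says the build is capable; the negotiated version still has to be confirmed against a server, as the script in the comment above does.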