PayPal TLS 1.2


https://forum.kartris.com/Topic6414.aspx

By Neil - Thu 25 Feb 2016
Hello,

Does anyone know if the change to PayPal supporting TLS 1.2 only will have any impact on CactuShop sites? I have a site running CactuShop Version 5.149 with PayPal and would like to know if anything will need to be done.

Thanks

By Paul - Thu 25 Feb 2016
We're not patching CactuShop these days; it's so old, and there is hardly anyone with ongoing support cover for it, so we don't really have the resources to continue work on it.

I am not entirely sure if a patch will be possible; with .NET they've only added TLS support to .NET 4.5, and Microsoft now only supports 4.5.2 and above with security fixes. I had a quick Google but didn't find anything definitive.

One hack which is perhaps possible is to skip the security postback in the PayPal code. That's the part that requires the secure connection (basically PayPal makes the callback to your site, then requires as a security check that you post back the values they send and get a 'validated' response in order to proceed). If you skip that step and just assume callbacks are genuine, it will work, though there is the possibility callbacks could be faked.

By Paul - Thu 5 May 2016
Further to this, we did work on PayPal ASP code on another site we handle (not CactuShop) and got it working by removing the XML verification post to PayPal, which relies on SSL/TLS. The server itself was Windows 2008, which does not support TLS 1.2, so it definitely would not have been possible on that (need at least 2008 R2 for TLS 1.2).

By metalmania - Wed 8 Jun 2016
Looks like PayPal have updated their notices and are no longer targeting 6/17/16 as the deadline for migration to TLS 1.2 and have moved this out to June 2017.
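
The thread describes the verification postback that the suggested workaround skips. As an added example (not part of the thread, and not CactuShop or Kartris code), this C# sketch keeps that check by opting in to TLS 1.2 on .NET Framework 4.5 or later and failing closed on anything but a verified reply. The `IpnVerifier` class name is hypothetical, and the endpoint URL and the `VERIFIED` reply string are assumptions taken from PayPal's IPN documentation rather than from this page.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

public static class IpnVerifier
{
    // Assumption: PayPal's IPN postback endpoint; check it against PayPal's current documentation.
    public const string Endpoint = "https://ipnpb.paypal.com/cgi-bin/webscr";

    // The postback is the callback body exactly as received, prefixed with cmd=_notify-validate.
    public static byte[] BuildPostback(byte[] rawIpnBody)
    {
        byte[] prefix = Encoding.ASCII.GetBytes("cmd=_notify-validate&");
        byte[] payload = new byte[prefix.Length + rawIpnBody.Length];
        Buffer.BlockCopy(prefix, 0, payload, 0, prefix.Length);
        Buffer.BlockCopy(rawIpnBody, 0, payload, prefix.Length, rawIpnBody.Length);
        return payload;
    }

    // Fail closed: only the exact reply VERIFIED is accepted.
    public static bool IsVerified(string reply)
    {
        return reply != null && reply.Trim() == "VERIFIED";
    }

    public static bool Verify(byte[] rawIpnBody)
    {
        // .NET 4.5 supports TLS 1.2 but does not enable it by default; this setting is process-wide.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        byte[] payload = BuildPostback(rawIpnBody);
        var request = (HttpWebRequest)WebRequest.Create(Endpoint);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        try
        {
            using (Stream body = request.GetRequestStream())
                body.Write(payload, 0, payload.Length);
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream(), Encoding.ASCII))
                return IsVerified(reader.ReadToEnd());
        }
        catch (WebException)
        {
            return false; // handshake or HTTP failure: treat the callback as unverified
        }
    }
}
```

Pass `Verify` the raw request bytes of the callback and mark the order as paid only when it returns true.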