TLS v1.2 requirement

On the 9th of March, 2016 we turned off support for HTTPS negotiation over earlier versions of TLS, specifically versions 1.0 and 1.1. Inevitably, we broke support for implementations running on early versions of OpenSSL and JRE.

Why did we do this?

Payment processors and e-commerce players that transmit cardholder data anywhere in the world are expected to comply with rules set by the PCI Security Standards Council. In April 2015 it was decided that SSLv3 and TLSv1.0 are no longer acceptable encryption protocols on the web and should be discontinued. This is largely due to the vulnerabilities discovered in the preceding years, including some with fancy names such as BEAST, BREACH, CRIME, DROWN, Heartbleed and POODLE.

The sunset date for TLSv1.0 and SSLv3 was set to June 30, 2016 (although this has since been extended to 2018). A number of businesses have already begun notifying consumers of their APIs of this change; PayPal's self-imposed sunset is on the 17th of June, 2016.

New implementations, however, are expected to disable support for these protocols from the outset to achieve compliance, and so are not covered by the existing-dependencies clause.

What does this mean for you?

Most browsers have supported TLSv1.2 for years now, so most of your customers shouldn't have a problem making payments through Paystack. The notable exception is the native browser on Android 4.2 and below. Unfortunately, the only fix there is to encourage those users to use Chrome or Firefox with your website. We know - it's like IE6 all over again.

On the server side, updating your language's security dependencies is usually enough. This means running OpenSSL 1.0.1 or later, .NET 4.5 or later, or Java 8. If your language doesn't depend on any of these, check its documentation for TLSv1.2 support.

You can test support by pointing your code at https://api.paystack.co. You should get a 200 OK status code.
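As an added example (not Paystack's own code), a Python check that first confirms the local OpenSSL build meets the 1.0.1 threshold above, then connects with a client context that refuses to fall back below TLS 1.2, so a handshake failure points at your stack rather than at the API. The function names are my own; only the host comes from this page.

```python
import ssl
import http.client

PAYSTACK_HOST = "api.paystack.co"  # host from the page; any HTTPS endpoint works for the probe


def local_stack_supports_tls12():
    """True if the Python/OpenSSL build on this machine can speak TLS 1.2.

    OpenSSL 1.0.1 is the first release with TLS 1.2, which is the threshold
    given in the text above.
    """
    return bool(ssl.HAS_TLSv1_2 and ssl.OPENSSL_VERSION_INFO >= (1, 0, 1))


def make_tls12_only_context():
    """Client context that will not negotiate anything below TLS 1.2.

    With this floor, a failed handshake cannot be masked by a silent
    fallback to TLS 1.0/1.1, which is exactly what the API now rejects.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host=PAYSTACK_HOST, timeout=10):
    """Open one TLS 1.2+ connection and GET /, returning (negotiated_version, status).

    Requires network access; raises ssl.SSLError if the handshake fails.
    """
    conn = http.client.HTTPSConnection(host, 443, context=make_tls12_only_context(), timeout=timeout)
    try:
        conn.connect()
        negotiated = conn.sock.version()  # read before the response may close the socket
        conn.request("GET", "/")
        status = conn.getresponse().status
        return negotiated, status
    finally:
        conn.close()


if __name__ == "__main__":
    if not local_stack_supports_tls12():
        raise SystemExit(f"{ssl.OPENSSL_VERSION} cannot negotiate TLS 1.2; upgrade OpenSSL/Python")
    try:
        version, status = probe()
    except ssl.SSLError as exc:
        raise SystemExit(f"TLS handshake failed: {exc}")
    print(f"negotiated {version}, HTTP status {status}")
```

Run it on the machine that will talk to the API; a negotiated version of TLSv1.2 or newer means the stack meets the requirement regardless of which HTTP status the root path returns.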

We understand that a good number of developers who would like to use Paystack in production do not control the version of OpenSSL installed on their shared hosting and would rather not set up their own VMs. We are doing our part by educating hosting providers about the importance of keeping their security stack up to date. Gigalayer is a fine alternative if your current provider isn't responsive to a friendly support request.

We would be happy to help ensure compatibility in any way we can, and have already updated our official libraries to help you focus on your product.