PayPal Requires TLS 1.2

As of June 2016, PayPal® requires you to use version 1.2 of the Transport
Layer Security protocol (TLS 1.2)
when communicating with their service. If you leverage PayPal
to process payments, you might have to take action if your operating system (OS)
does not support TLS 1.2.

This article provides guidance for addressing this issue for some
common Rackspace operating systems.

Table of contents

Red Hat® Enterprise Linux® (RHEL) and CentOS®

Ubuntu® operating system

Debian®

Windows® Server®

Find the OS that your server is running

If you do not know which OS your server is running,
use the following steps to find out:

  1. Log in to the Cloud Control Panel.

  2. In the top navigation bar, click Select a Product > Rackspace Cloud.

  3. Select Servers > Cloud Servers.

  4. Click the name of the server that you want to check.

    The Server Details page appears.

  5. The OS appears in the System Image field.

RHEL and CentOS 7

If you are running RHEL and CentOS 7, you do not need to take action because
the OS comes with TLS 1.2 configured by default.

RHEL and CentOS 6

RHEL 6.8 enables TLS 1.2 use by default. In both RHEL and CentOS, customers
who rely on Rackspace for automatic patching automatically update in their
normal patching cycle.

RHEL and CentOS 5

RHEL and CentOS 5 do not support TLS 1.2. As a result, your websites and
applications can no longer take payments by using the PayPal
service because the server can no longer talk to the PayPal endpoint.
(Other payment gateway providers might not be affected.)

You can resolve this issue in one of the following ways:

  • Migrate to RHEL 6 or 7, CentOS 6 or 7, or Ubuntu 14.04 Long Term Support
    (LTS). We encourage you to engage with your account manager or Rackspace
    Support before you take this step to ensure that you understand how it
    might affect your configuration and if your hardware supports the OS.

  • Perform a custom compile of packages to provide TLS 1.2. Rackspace does not
    perform this work and does not recommend this option. If you use this
    approach, Rackspace is not able to provide support for the OS. If this step
    is performed incorrectly, it might also create security vulnerabilities
    because these packages are not continuously patched.

Ubuntu 14.04 LTS

If you are running Ubuntu 14.04 LTS, you do not need to take action because
the OS comes with TLS 1.2 configured by default.

Ubuntu 12.04 LTS

If you are running Ubuntu 12.04 LTS, you do not need to take action because the
OS comes with TLS 1.2 configured by default.

Debian 8

If you are running Debian 8, you do not need to take action because the OS
comes with TLS 1.2 configured by default.

Debian 7

If you are running Debian 7, you do not need to take action because the OS comes with
TLS 1.2 configured by default.

Windows Server 2012

If you are running Windows Server 2012, you do not need to take action because
the OS comes with TLS 1.2 configured by default.

Windows Server 2008 R2

Windows Server 2008 R2 supports TLS 1.2, but you need to modify some settings
on the server to ensure that you are leveraging that protocol. To make the
changes, open PowerShell® and run the following commands:

#make TSL 1.2 protocol reg keys
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications

new-itemproperty -path     "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

Next, you need to restart the server to ensure that the changes take effect.

Note: Servers that are running Windows Server 2008 R2 but are using the
.NET framework to enable TLS must update to .NET 4.5. Before you perform
this step, we recommend that you determine how it might impact your
application and rework any portions of it that are not compatible with the
upgrade.

Windows Server 2003 and 2008

Windows Server 2003 and 2008 do not support TLS 1.2. As a result,
websites and applications that run on these systems are no longer able to take
payments because the server is no longer able to talk to the PayPal endpoint.

The only way to ensure continuity of the service is to migrate to Windows
Server 2008 R2 or 2012. We encourage you to engage with Rackspace Support
before you take this step to ensure you understand how it might affect your
configuration and if your hardware supports the OS.

Note: Servers that are running Windows Server 2008 but are using the .NET
framework to enable TLS must update to .NET 4.5. However, before you perform
this step, we recommend that you determine how it might impact your
application and rework any portions of it that are not compatible with the
upgrade.