Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later

TLS and SSL versions are controlled by your hosting company (since it requires SSL packages such as OpenSSL). You should reach out to them and ask if they can enable this option for you.

You can find more information in Stripe's blog post on this subject.

@torgosPizza

I'm having the same issue on a new stripe account. My site is TLS1.2 ready and fully PCI DSS. I have run the test specified on stripe KB for v3 of library and it is returning "TLS 1.2 supported, no action required." However when running the test with v1.18.0 I am getting "TLS 1.2 is not supported. You will need to upgrade your integration."

Unsure where to go from here? I am also running php 5.6(not sure if this is creating issue when using the older library)

Interesting, perhaps there's something wrong in version 1.18? That'd be my first guess, however we are using it in production and haven't had any trouble.

Let me do some digging - it would be worth making the module compatible with v2 and 3 of the API library, and it's possible that changes which were made in recent versions just need to be backported, or the module itself updated.

@torgosPizza

Thanks for looking into it! I tried rolling back to php5.4 as well with no success. I also tried an old stripe account and had the same issue.

I was getting this error (under UBERCART, sorry Commerce guys, stumbled across this post) with the 3.13 version of the library. When I rolled back to 2.2.0 version of the library the error went away. Some sort of incompatibility with older versions of Curl (7.24) I guess?

We just created a Drupal Commerce site and are using this Stripe module and receiving this error too.

@pdesai: Can you confirm you're using version 1.18 of the Stripe-PHP Library, and your server's installation of SSL meets the requirements for Stripe?

I'll try to do some more thorough testing ASAP.

Yes I'm using 1.18 and using updated server settings as per Stripe. Also tried using PHP 7 vs 5.4 and neither worked.

I have just tried on our server using PHP 7 and Library version 1.18 and was able to connect without any issue.

I truly believe this is a server configuration problem, as @plato1123 mentioned it could be related to older versions of cURL.

One thing I would recommend everyone experiencing this issue do, is visit the SSL test here: https://cryptoreport.geotrust.com/checker/ and enter your site's domain name. You'll want to make sure you support TLS 1.2, and if it's not enabled, contact your host.

If those protocols do show up as enabled then it could be something else, but at this time I'm still unable to reproduce the issue.

That being said, I have plans to shore up our Library compatibility so that we're compatible with v3.

Lastly: I also reached out to Stripe engineers to see if they have any other suggestions to try and figure out what else might cause you to see these errors, assuming your server is indeed meeting all of the proper requirements.

Thanks for jumping on this. I had updated cURL as Stripe suggested on their site before posting. Here is what was updated earlier:

Downloading Packages:
(1/4): curl-7.19.7-52.el6.x86_64.rpm | 197 kB 00:00
(2/4): libcurl-7.19.7-52.el6.x86_64.rpm | 169 kB 00:00
(3/4): openssl-1.0.1e-48.el6_8.3.x86_64.rpm | 1.5 MB 00:00
(4/4): openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm | 1.2 MB 00:00

We may have found our issue, our server is running Apache 2.2.15 and TLSv1.2 was supported until Apache 2.2.3. Going to move this site to CentOS 7 running Apache 2.4 and give it a shot.

Im on the following with the issue remaining-

curl- 7.29.0
libcurl- 7.29.0
openssl- 1.0.1e
apache-2.4

paste from cryptoreport @torgosPizza

Server configuration
Host name:
----
Server type:
nginx
IP address:
----
Port number:
443
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Protocols not enabled:
SSLv3
SSLv2

Secure Renegotiation:
Enabled
Downgrade attack prevention:
Enabled
Next Protocol Negotiation:
Enabled
Session resumption (caching):
Enabled
Session resumption (tickets):
Enabled
Strict Transport Security (HSTS):
Not Enabled
SSL/TLS compression:
Not Enabled
Heartbeat (extension):
Enabled
RC4:
Not Enabled
OCSP stapling:
Not Enabled

@brandercreative: That is interesting. I still haven't heard back from Stripe yet, but I'm hoping they can shed a bit of light on this. Remember that, at least according to their blog post linked above:

At the application layer, SHA-2 and TLS 1.2 behave identically to their older versions. You won’t need to change your code, but might need to upgrade your operating system or packages.

Were you also able to use the PHP test snippet from Stripe? Here it is below, modified for our usage (be sure and use your actual test key):

commerce_stripe_load_library();

Stripe::setApiKey("YOUR_TEST_KEY_HERE");
Stripe::$apiBase = "https://api-tls12.stripe.com";
try {
  Stripe_Charge::all();
  echo "TLS 1.2 supported, no action required.";
} catch (Stripe_ApiConnectionError $e) {
  echo "TLS 1.2 is not supported. You will need to upgrade your integration.";
}

If that fails, would it be possible for you contact your hosting support and ask them about any additional packages that may require updating?

Any additional information would be helpful since again, I'm unable to reproduce this in any capacity currently. Thanks for the help!

Here is an issue in the PHP Library for Stripe that might help, too. I don't believe the TLS version is being specified in the Library itself, but it is possible that your server is configured to use a specific version rather than "the highest one available." https://github.com/stripe/stripe-php/issues/301

Here is the PR where they changed this: https://github.com/stripe/stripe-php/pull/299

An issue around how to test cURL: https://github.com/stripe/stripe-php/issues/290

Information on using TLS 1.2 with the 1.x version of the Library (which should work as long as your packages are not interacting in a conflicting way): https://github.com/stripe/stripe-php/issues/288

Hopefully these will help in our quest :)

Marking as a support request. I'm confident this is a server config issue; please reopen if you find Stripe Library does play a part in it.

Few things - we disabled TLS v1.0 and 1.1 on our server and also disabled selinux (not sure if that was related).

Some links to read carefully to solve this problem:

https://stripe.com/blog/upgrading-tls
https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integrat...
https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integrat...
https://github.com/stripe/stripe-php/issues/275

From last link, I found a comment that says you need at least curl 7.34.0 which is the first one to support TLS > 1.0. See here:

https://curl.haxx.se/changes.html#7_34_0

Also, make sure to have a recent openssl version. Once you have updated CURL and openssl, do the test that @torgosPizza suggested on #14 to see if your system is fine to communicate via TLS 1.2.