UPS TLS 1.2 Upgrade SSL Connection Issues

On January 19th UPS sent out a tech alert email stating that they were going to reject all requests to their API that were not TLS 1.2 compatible.

UPS is in the process of upgrading communication security protocols for all web-based applications, including UPS Developer Kit Application Programming Interfaces (APIs), which are used to integrate UPS functionality into your website and applications.

Effective January 26, 2016, the UPS test environment will require the TLS 1.2 security protocol, and will be available for your system testing.

Effective May 31, 2016, UPS will require the TLS 1.2 security protocol in production. After that date, any communication requests submitted to UPS using older protocols (TLS 1.1 or earlier) will fail.

NOTE: From January 19 through May 31, 2016, you may see intermittent failures for any non-compliant transactions.

Do I need to do anything?

RocketShipIt uses your operating system’s version of the PHP curl extension to send HTTP requests, so RocketShipIt itself doesn’t control which versions of TLS your system supports. There is no reason to upgrade RocketShipIt; however, your operating system environment may need to be updated.

The quickest way to determine if your environment supports TLS 1.2 is to run this script from the server hosting RocketShipIt and view the file result.txt that it creates:

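<?php

// Fetch the SSL Labs client test page using this server's PHP curl extension.
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => 'https://www.ssllabs.com/ssltest/viewMyClient.html',
));
$resp = curl_exec($curl);
if ($resp === false) {
    // Record the curl error rather than writing an empty file.
    $resp = 'curl error: ' . curl_error($curl);
}
curl_close($curl);
// result.txt will list the protocols this client offered.
file_put_contents('result.txt', $resp);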

If the check is successful, result.txt will contain something like this:

<tr class="tableRow">
    <td class="tableLeft" id="protocol_tls1_2_label">TLS 1.2</td>
    <td class="tableRight" id="protocol_tls1_2">Yes*</td>
</tr>

Alternatively, you can confirm that your curl extension is > 7.34 and was compiled with OpenSSL > 1.0.1 or NSS > 3.15 by checking the output of phpinfo().
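The same version check can be scripted with curl_version() instead of being read off phpinfo(). This is an added example, not RocketShipIt code: the function name and the sample version strings are constructed, and the versions named above are treated as inclusive minimums, which is an assumption.

```php
<?php
// Added example, not RocketShipIt code; tls12_build_problems() is a hypothetical name.
// Minimums are the versions named in the text, treated as inclusive (assumption).

// Returns a list of problems; an empty list means the build meets the minimums.
function tls12_build_problems(array $v)
{
    $problems = array();
    if (version_compare($v['version'], '7.34.0', '<')) {
        $problems[] = "curl {$v['version']} is older than 7.34";
    }
    // ssl_version looks like "OpenSSL/1.0.1e" or "NSS/3.15.4". Keep the digits
    // only: version_compare() ranks a letter suffix below the bare number.
    $minimums = array('OpenSSL' => '1.0.1', 'NSS' => '3.15');
    if (!preg_match('#^([A-Za-z]+)/(\d+(?:\.\d+)*)#', $v['ssl_version'], $m)
        || !isset($minimums[$m[1]])) {
        $problems[] = "backend '{$v['ssl_version']}' is not OpenSSL or NSS; check it by hand";
    } elseif (version_compare($m[2], $minimums[$m[1]], '<')) {
        $problems[] = "{$m[1]} {$m[2]} is older than {$minimums[$m[1]]}";
    }
    return $problems;
}

// Two constructed samples (an old build and a newer one), then this host's own curl.
$builds = array(
    array('version' => '7.19.7', 'ssl_version' => 'NSS/3.14.0.0'),
    array('version' => '7.47.0', 'ssl_version' => 'OpenSSL/1.0.2g'),
    curl_version(),
);
foreach ($builds as $v) {
    $p = tls12_build_problems($v);
    echo "curl {$v['version']} ({$v['ssl_version']}): ",
        $p ? implode('; ', $p) : 'meets the TLS 1.2 minimums', "\n";
}
```

Run it with the same PHP binary and SAPI that serves RocketShipIt, since the command-line PHP may be linked against a different curl build than the web server's.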

You may be affected by this if you see this error:

error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Upgrading CentOS

FOR CENTOS 6

$ rpm -Uvh http://nervion.us.es/city-fan/yum-repo/rhel6/x86_64/city-fan.org-release-1-13.rhel6.noarch.rpm

FOR CENTOS 7

$ rpm -Uvh http://nervion.us.es/city-fan/yum-repo/rhel7/x86_64/city-fan.org-release-1-13.rhel7.noarch.rpm

Then run

$ yum update