Stripe

Support

How do I upgrade my Stripe integration from TLS 1.0 to TLS 1.2?

To keep your communication with Stripe secure, we will drop support for TLS 1.0 and 1.1 for new integrations on July 1 2016, in response to security concerns around these protocols. You can learn more about these concerns and our reasons for dropping support in our blog post.

We’ve provided test code snippets and upgrade instructions for each Stripe library below.

If you’re using Stripe from a server you don’t control, for example from a shared hosting provider, you should reach out to them and ask them to perform any relevant upgrades on your behalf.

The examples below use an endpoint address called https://api-tls12.stripe.com. Please note that although this endpoint is suitable for testing a TLS connection, it’s not a real API endpoint, and will only return sample information. You shouldn’t use it in your production code.

Ruby

You can determine whether or not your Ruby integration is affected by running the following code snippet in your production environment.

require "stripe"
Stripe.api_key = "sk_test_BQokikJOvBiI2HlWgH4olfQ2"
Stripe.api_base = "https://api-tls12.stripe.com"

begin
  Stripe::Charge.all()
  puts "TLS 1.2 supported, no action required."
rescue OpenSSL::SSL::SSLError, Stripe::APIConnectionError
  puts "TLS 1.2 is not supported. You will need to upgrade your integration."
end

If you receive the message “TLS 1.2 is supported”, will not need to change anything. Otherwise, you will need to upgrade your OpenSSL version.

Additionally, if you are using OS X, and which ruby contains .rbenv, after upgrading your OpenSSL version you may need to re-install any copies of Ruby you have. You can do this by manually uninstalling, then re-installing your Ruby version, as below. Note that doing so will remove your existing gems, and you will need to use the output of gem list to reinstall them.

gem list > /tmp/gem.list
export RUBY_VERSION=`rbenv version` | cut -d' ' -f1
rbenv uninstall $RUBY_VERSION
rbenv install $RUBY_VERSION
echo "Remember to reinstall your gems - you can find a list in /tmp/gem.list"

Python

You can determine whether or not your Python integration is affected by running the following code snippet in your production environment.

import stripe
stripe.api_key = "sk_test_BQokikJOvBiI2HlWgH4olfQ2"
stripe.api_base = "https://api-tls12.stripe.com"

if stripe.VERSION in ("1.13.0", "1.14.0", "1.14.1", "1.15.1", "1.16.0", "1.17.0", "1.18.0", "1.19.0"):
  print "Bindings update required."

try:
  stripe.Charge.all()
  print "TLS 1.2 supported, no action required."
except stripe.error.APIConnectionError:
  print "TLS 1.2 is not supported. You will need to upgrade your integration."

If you receive the message “TLS 1.2 is supported”, you will not need to change anything.

If you receive the message “Bindings update required.”, you will need to update your stripe-python version to at least 1.19.1. You can do this by running pip install --upgrade stripe==1.19.1. You will also need to follow the remaining Python instructions.

  • If you are using Linux, and running cat /etc/*-release indicates that you are on CentOS 6, you will need to run the following commands
sudo yum install gcc python python-devel libffi-devel openssl-devel
sudo curl https://bootstrap.pypa.io/get-pip.py | python
sudo pip install pyOpenSSL backports.ssl requests
  • If you are using OS X with system Python (i.e. running which python gives /usr/bin/python), we suggest you instead use Homebrew to manage your Python installation. You can then use brew install python to install a new copy of Python. You will need to re-install any modules you are currently using, for example by running pip install stripe.

  • If you are using any other system, or are already using brew on OS X, you will need to upgrade your OpenSSL version.

PHP

You can determine whether or not your PHP integration is affected by running one of the following code snippets in your production environment.

If php --version is 5.3 or later, run the following snippet.

<?php
// Include stripe-php as you usually do, either with composer as shown,
// or with a direct require, as commented out.
require_once("vendor/autoload.php");
// require_once("/path/to/stripe-php/init.php");

\Stripe\Stripe::setApiKey("sk_test_BQokikJOvBiI2HlWgH4olfQ2");
\Stripe\Stripe::$apiBase = "https://api-tls12.stripe.com";
try {
  \Stripe\Charge::all();
  echo "TLS 1.2 supported, no action required.";
} catch (\Stripe\Error\ApiConnection $e) {
  echo "TLS 1.2 is not supported. You will need to upgrade your integration.";
}
?>

Otherwise, if php --version is 5.2 or earlier, run this snippet.

<?php
require_once("/path/to/stripe-php/lib/Stripe.php");

Stripe::setApiKey("sk_test_BQokikJOvBiI2HlWgH4olfQ2");
Stripe::$apiBase = "https://api-tls12.stripe.com";
try {
  Stripe_Charge::all();
  echo "TLS 1.2 supported, no action required.";
} catch (Stripe_ApiConnectionError $e) {
  echo "TLS 1.2 is not supported. You will need to upgrade your integration.";
}
?>

If you receive the message “TLS 1.2 is supported”, no changes need to be made. If not, check which version of our PHP library you are using. If it’s below 3.19.0, update it and try again. Otherwise, continue with these additional steps.

Linux

Run cat /etc/*-release to determine your distribution.

  • If you are using Red Hat Enterprise Linux, you will need to upgrade to at least RedHat Enterprise Linux 6.8 or RedHat Enterprise Linux 7.

  • If you are using CentOS, you will need to at least CentOS 6.8, when it is released, or CentOS 7. This upgrade is risky, so we recommend rebuilding your server instead.

If you are using any other system, you will need to upgrade your OpenSSL version.

OS X

  • If you are using Mac OS X 10.8 (Mountain Lion) or below, you will need to upgrade your OS X version. You can do this from the Mac App Store.

  • If you have MAMP installed, you will need to run your application with system php. This is because MAMP bundles its own copy of OpenSSL, which cannot be upgraded. This issue is expected to be fixed in MAMP 4, but as an interim workaround, you can use system php by calling /usr/bin/php to run your application.

If you are using any other system, you will need to upgrade your OpenSSL version.

Java

You can determine whether your Java integration is affected from the Java version you are running, and the stripe-java version you are using.

You can find your Java version by running java -version at the command line, and your stripe-java version by looking for the version number in your jar file’s name, for example stripe-java-1.40.0.jar or by finding the version of the Stripe dependency in your POM file.

If you are running Java

  • version 1.6, you will need to upgrade to at least Java version 1.7, and stripe-java version 1.36.0.
  • version 1.7, and you have a stripe-java version earlier than 1.36.0, you will need to upgrade to at least stripe-java version 1.36.0.
  • version 1.8, you will not need to change anything.

You can upgrade your stripe-java version by downloading a new jar, or by upgrading the version number in your POM, and rebuilding your project.

You can upgrade your Java version by downloading a new copy, or installing a newer version of OpenJDK.

Node

You can determine whether or not your Node integration is affected by running the following code snippet in your production environment.

var https = require("https");
var req = https.request({
  host: "api-tls12.stripe.com",
  port: "443",
  path: "/v1/charges",
  method: "GET",
  headers: {
    "Authorization": "Bearer sk_test_BQokikJOvBiI2HlWgH4olfQ2",
    "Accept": "application/json",
    "Content-Type": "application/x-www-form-urlencoded",
  }
}, function (res) {
  res.on("data", function (data) {
    console.log("TLS 1.2 supported, no action required.");
  });
});
req.end();
req.on("error", function(err) {
  if (err.code == "ECONNRESET") {
    console.log("TLS 1.2 not supported! You will need to upgrade");
  } else {
    console.log("Unknown error talking to Stripe, please try again later.");
  }
});

If you receive the message “TLS 1.2 is supported”, you will not need to change anything. Otherwise, you will need to upgrade your OpenSSL version.

Go

All versions of Go already support TLS 1.2, so you will not need to make any changes.

Mobile

This change will only affect requests made using secret keys, not those made using publishable keys. This means it will not impact Stripe applications running on Android or iOS.

.NET

You can determine whether your .NET integration is affected from the NuGet packages you have installed. You can find this out by running Get-Package in the the Package Manager Console.

If you are using Stripe.net to communicate with Stripe, and you have version 5.1.1 or lower installed, you will need to update this package. You can do this by running Update-Package Stripe.net.

If you are using RestSharp to communicate with Stripe, you will need to add the following line above the first request you make to Stripe, to opt into TLS 1.2 support, ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;. You can test your configuration by ensuring that a request to https://api-tls12.stripe.com/v1/charges does not raise an exception.

Connect applications

If your Stripe integration is entirely controlled by a Connect application, they will be taking these updates on your behalf. You will not need to do anything to upgrade your integration.

Third party plugins

If you use Stripe through a third party plugin, you will need to reach out to your plugin provider to determine whether or not you are affected, and how to upgrade if so.

Was this answer helpful? Yes / No