I am working on a project to integrate PayPal Express Checkout, and I'm using C# to implement the API calls, but after invoking the initial SetExpressCheckout call I got the below error.
The error seems pretty obvious, so I started digging into the SSL/TLS settings on the server and doing some googling, and it became apparent that PayPal has updated its services to require TLS 1.2 for all HTTPS connections. So I enabled TLS 1.2 and disabled TLS 1.0 in the registry (again, I used PowerShell 🙂 ) and rebooted the server.
```powershell
# Create keys if they do not exist (md reports a non-fatal error when a key is already there)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"

# Disable TLS 1.0 for client and server (-Force overwrites a value that already exists)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" -Force

# Create keys if they do not exist
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force
```
Registry (complete change including disabling SSLv2, SSLv3, TLS1.0 and other Ciphers)
After making all these changes I rebooted the server (typical Windows step), went for a tea, and after 15 mins I tried to RDP to the server but kept getting this message!!!
PANIC!!!
After about 10 retries I realised there is definitely something wrong as I couldn’t Remote Desktop to the server at all.
After some googling I found out that if the security layer is set to TLS 1.0 and you disable TLS 1.0, RDP services won't work. You can check this in Remote Desktop Host Configuration settings:
Luckily it's a virtual server, and thanks to my colleague Justin Marx, who managed to get into the server and made the changes through the VMware portal.
Right-click on the connection name RDP-Tcp and click Properties.
Microsoft released a hotfix to provide support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1 for Remote Desktop Services (RDS). You can download it from https://support.microsoft.com/en-us/kb/3080079.
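A pre-flight check for the lockout described above, as an added example that is not part of the original post: it reads the RDP-Tcp security layer from the registry and looks for the KB3080079 hotfix before TLS 1.0 is disabled. The function names and verdict strings are hypothetical; the `SecurityLayer` value under the `RDP-Tcp` key (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS 1.0) is the registry setting behind the dialog mentioned above, and the verdict wording for anything other than layer 2 is an assumption of this example.

```powershell
# Added example: run from an elevated PowerShell BEFORE disabling TLS 1.0 in SCHANNEL.
# Get-RegValue and Test-RdpTlsReadiness are hypothetical helper names.
function Get-RegValue($Path, $Name) {
    # Return the value, or $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-RdpTlsReadiness {
    $rdpTcp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
    $layerNames = @{ 0 = "RDP Security Layer"; 1 = "Negotiate"; 2 = "SSL (TLS 1.0)" }

    $layer = Get-RegValue $rdpTcp "SecurityLayer"
    $layerName = if ($layer -ne $null) { $layerNames[[int]$layer] } else { "not set" }

    # KB3080079 targets Windows 7 SP1 / Server 2008 R2 SP1, i.e. NT version 6.1
    $os = [Environment]::OSVersion.Version
    $hotfixApplies = ($os.Major -eq 6 -and $os.Minor -eq 1)
    # Get-HotFix matches on the ID only; a fix delivered under another ID is not seen
    $hotfixInstalled = [bool](Get-HotFix -Id "KB3080079" -ErrorAction SilentlyContinue)

    if (-not $hotfixApplies) {
        $verdict = "N/A: KB3080079 does not target this OS; verify RDP TLS 1.2 support separately"
    } elseif (-not $hotfixInstalled -and $layer -eq 2) {
        $verdict = "STOP: security layer is SSL (TLS 1.0) and KB3080079 is missing; disabling TLS 1.0 will break RDP"
    } elseif (-not $hotfixInstalled) {
        $verdict = "REVIEW: KB3080079 is missing; install it and test RDP before disabling TLS 1.0"
    } else {
        $verdict = "OK: KB3080079 is installed, so RDS can use TLS 1.1/1.2"
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 shipped with 2008 R2
    New-Object PSObject -Property @{
        SecurityLayer   = $layerName
        OSVersion       = $os.ToString()
        HotfixInstalled = $hotfixInstalled
        Verdict         = $verdict
    }
}

Test-RdpTlsReadiness | Format-List
```

Run it while console access (for example through the hypervisor) is still available, so a STOP or REVIEW verdict can be acted on before the reboot.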
Panic OVER! 🙂
(I will post some more articles about the PayPal Express Checkout API soon).