Does enabling CloudFlare on my site affect PayPal's TLS 1.2 requirement?

In a word, no. CloudFlare has no bearing on this requirement.

You may have read one of the following articles from PayPal:

https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US
or
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

These articles state that as of June 17, 2016, PayPal will:

  • Upgrade the TLS certificate(s) used on PayPal's servers to be signed with SHA-2.
  • Disallow connections that require the VeriSign G2 Root Certificate for trust validation.
  • Enforce that HTTP connections made to PayPal use HTTP/1.1 or newer. HTTP/1.0 will be disallowed.
  • Enforce that HTTPS connections made to PayPal's servers are made using TLS 1.2 only.

In practice, this means that your origin server and/or your visitors' clients (i.e., web browsers) must support the above requirements. CloudFlare doesn't proxy connections made directly to paypal.com, so enabling CloudFlare on your website doesn't affect how these connections are made.

If you are unsure whether your server or browser supports these standards, visit https://tlstest.paypal.com/ from the client that makes the connection to PayPal to see whether the connection succeeds. A response of "PayPal_Connection_OK" indicates that your client already supports these standards.
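
When the client is an origin server rather than a browser, the same check can be scripted and run from that host. The following is an added example, not code from PayPal or CloudFlare; the function names are illustrative, and it assumes the test endpoint returns the success string in the response body as described above.

```python
import ssl
import urllib.error
import urllib.request

TEST_URL = "https://tlstest.paypal.com/"  # test endpoint named in this article
EXPECTED = "PayPal_Connection_OK"         # success response named in this article


def tls12_only_context():
    """Client context that verifies the certificate chain and refuses
    to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def local_tls_report():
    """What this runtime's TLS library offers, without touching the network."""
    return {"openssl": ssl.OPENSSL_VERSION, "has_tls12": ssl.HAS_TLSv1_2}


def fetch_body(url=TEST_URL, timeout=10):
    """GET the test page over HTTPS; urllib sends the request as HTTP/1.1."""
    with urllib.request.urlopen(url, timeout=timeout,
                                context=tls12_only_context()) as resp:
        return resp.read().decode("utf-8", "replace")


def check_connection(fetch=fetch_body):
    """Return (ok, detail). `fetch` is injectable so the logic can be
    exercised offline with a constructed response."""
    if not ssl.HAS_TLSv1_2:
        return False, "local TLS library lacks TLS 1.2"
    try:
        body = fetch()
    except OSError as exc:
        # urllib wraps handshake errors: URLError.reason holds the ssl.SSLError.
        cause = exc.reason if isinstance(exc, urllib.error.URLError) else exc
        kind = "TLS failure" if isinstance(cause, ssl.SSLError) else "connection failure"
        return False, f"{kind}: {cause}"
    if EXPECTED in body:
        return True, "ok"
    return False, "unexpected response body"


if __name__ == "__main__":
    print(local_tls_report())
    print(check_connection())
```

Run it with the same interpreter and user account that your payment integration uses, since a different runtime on the same machine may link against a different TLS library.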

A chart of what standards popular browsers support is available here: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

For reference, CloudFlare supports SHA-2 and TLS 1.2 for connections from visitors to our edge as well as from our edge to your website's origin.
