Stripe won't work with lower than TLS 1.2, starting tomorrow (stripe.com)
62 points by danschumann 7 months ago | 13 comments

(I work at Stripe.)

You might wonder "Hmm, is my Stripe integration affected?" (I sure did!) and the answer is "Almost certainly not." (We've been watching the number of users with outdated versions of TLS on a dashboard for the last several months and actively working on getting people migrated.)

If your integration was affected, it is likely you've gotten a few emails from us and also a notification in your Stripe dashboard. If you don't see a prominent banner when you log in (with additional detail in your Developer tab of the dashboard), you're probably good.

If you have any questions, email support@stripe.com; we're happy to help.

Nice to hear Stripe being proactive before what are essentially functionality-breaking changes. Kudos to you guys for having a page with instructions on testing it ourselves on production servers with small snippets of pre-written code.

Thanks! We know that the infrastructure we build sits in really important parts of our customers' businesses and do our best to avoid both breaking changes and, especially, surprise breaking changes.

(A related topic: we go to fairly substantial efforts to support outdated API versions while still letting us build new features. Amber Feng had a great presentation on it back in the day: https://www.heavybit.com/library/video/move-fast-dont-break-... )

If working on these sorts of problems at scale sounds interesting or if you like the idea of working on a team which really sweats the downstream impact of engineering changes, we're hiring and always happy to chat.

We were tasked with upgrading a Stripe integration for a client with really old PHP. On Friday, none of their transactions worked. We called Stripe and they said, "Oh, we decided to upgrade some people early"... uhh.. yea. Eventually they rolled us back, and we finished the upgrade on Monday, but it was still really troubling.

I'm sorry that happened. For clarity, was it related to this specifically? I'd like to look into what went wrong there.

Yes. We were aware that this was happening on June 13th (today). We were moving through the steps to upgrade (finished on Monday). On Friday, client came to us saying "None of our transactions work!" Contacted Stripe, they said they decided to go ahead and get started with some upgrades. We complained (because we weren't done upgrading yet), and I know the person in direct contact wasn't very happy with the responses. They did reverse though, and TLS 1.0 was working for us again. It wasn't me who was in contact directly w/ Stripe, so I can get you more of the exact emails and what was said, but I know he was second-guessing Stripe at that point, as was I.

I'll try to remember to get you the exact emails tomorrow, and the account name, etc. What do you need to look into it?

I've always heard good things about Stripe, but like I said, this was kinda worrying, because everything we read said June 13th.

You can feel free to forward anything you have to my HN name at stripe.com; we'll look things up from there.

I feel like this is an incorrect, inflammatory title. New integrations will cease to work with TLS < 1.2. Existing integrations are fine.

This is a requirement for PCI. So I'm sure all integrations will cease to work with older TLS.

Not necessarily, as PCI requires a minimum of TLS 1.1, with 1.2 being the recommended version. [0]


No, they are definitely shutting off all TLS less than 1.2; it's required to keep PCI certification.

PCI requirements are TLS 1.1 minimum. Stripe's change is of course due to PCI certification and 1.2 is strongly encouraged, but 1.2 is not the de facto version required. They could have just disabled 1.0 and kept 1.1. Just wanted to correct the info. (Also happy that they didn't take the minimum and took the extra effort to implement 1.2)

Source: https://blog.pcisecuritystandards.org/are-you-ready-for-30-j...

Are you sure about that? It would appear that the library will raise an APIConnectionError, which may in turn do so based on the return code from Stripe's API.
