
We got an email from Braintree saying that they have upgraded the certificate. Details: We want to make sure you're aware that Braintree will stop accepting connections encrypted using TLS 1.0 beginning January 31, 2017. Following the PCI DSS 3.1 requirements, all requests must use TLS 1.2+. Learn how to ensure you're using TLS 1.2.

As of December 13th, Sandbox no longer supports TLS versions older than 1.2. We expect significant impact to Java environments, including Android. Other environments, including .NET, PHP, Ruby, Python and Node.js, may also be affected. For complete details.

Our application works fine in the testing environment, which means all the sandbox URLs work fine, but it does not work on localhost.

Detailed exception on localhost:

com.acti.braintreegateway.exceptions.UnexpectedException: Could not verify SSL certificate for URL: https://api.sandbox.braintreegateway.com:443/merchants/qt7d7qk52zpssmqb/customers

We use Google App Engine Java and Gradle for building the app.

Pravanjan
  • Can you provide more details about your local environment? What version of JDK are you running? You may find these resources relevant: [Issue 12705: Could not verify SSL certificate (TLSv1.2)](https://code.google.com/p/googleappengine/issues/detail?id=12705&q=Could%20not%20verify%20SSL%20certificate%20for%20URL&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log) and [Force TLS > 1.0 on AppEngine local development server in Java](http://stackoverflow.com/questions/35878293/force-tls-1-0-on-appengine-local-development-server-in-java/36119342) – Shea Jan 16 '17 at 15:39
  • @Shea I have JDK 7 installed. I did follow the link and updated dev_appserver.sh with `exec "${RUN_JAVA}" "${SCRIPT_NAME}" -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true -ea -cp "${JAR_FILE}" com.google.appengine.tools.KickStart com.google.appengine.tools.development.DevAppServerMain "$@"` but it throws the same exception. – Pravanjan Jan 18 '17 at 15:10
  • Have you [run through these steps on localhost](https://github.com/paypal/TLS-update#to-verify-your-java-and-tls-versions) to ensure your client can connect via TLS 1.2? Also, what version of the Braintree Java SDK are you using? – Shea Jan 19 '17 at 19:21
  • https://github.com/paypal/TLS-update#to-verify-your-java-and-tls-versions – Pravanjan Jan 23 '17 at 07:56
  • I am not sure how to do the first step mentioned in the link: Set the TLS version through the SSLContext class. I did verify the last two steps; it shows: Failed to connect to TLS 1.2 endpoint. My Braintree SDK version is 2.70.0 – Pravanjan Jan 23 '17 at 08:14
  • To set the TLS version through the SSLContext class, you can do it by adding to your code something similar to this: `SSLContext sslContext = SSLContext.getInstance("TLSv1.2");` `sslContext.init(null, null, null);` As described on this [thread](http://stackoverflow.com/questions/29841610/will-sslcontext-getinstancetls-supports-tls-v1-1-and-tls-v1-2-also) about using TLS 1.2. More information can be found on the Java documentation [page](https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html#getInstance(java.lang.String)). – Alex Jan 25 '17 at 17:24
  • Here's another example of using the SSLContext to set an HTTPS protocol: [thread](http://stackoverflow.com/questions/30121510/java-httpsurlconnection-and-tls-1-2). Upon completing this step, is your client able to connect through TLS 1.2? – Alex Jan 25 '17 at 17:27
  • @Alex I am having the same problem and can tell you that Braintree controls the connection and SSL socket factory application. Pravanjan will have no access to the relevant code to undertake any of these suggestions. Ideally, what he (and I) need is some way to globally tell App Engine to make it work. Individual connection configuration options won't be possible. – ndtreviv May 15 '17 at 09:47
  • @Pravanjan see the answer here: http://stackoverflow.com/questions/43919057/force-tls-1-2-on-appengine-dev-server-sdk/44072363#44072363 – ndtreviv May 19 '17 at 14:17
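The comments above describe two things without showing them together: how to check which TLS versions a JVM enables by default (the "verify your Java and TLS versions" step), and how to build a `TLSv1.2` SSLContext and make it the process-wide default rather than a per-connection setting. The following is an added example written for this page, not code from Braintree, the App Engine SDK or the original poster. It assumes a plain JVM: it prints the default and supported protocol lists, installs a TLSv1.2-enabled context as the JVM default (via `SSLContext.setDefault` and `HttpsURLConnection.setDefaultSSLSocketFactory`, both standard JSSE calls), and, if a hostname is passed on the command line, performs a handshake with the old and new contexts and reports the protocol actually negotiated. The class name `TlsCheck` and the method names are my own.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

/**
 * Added example (not Braintree's or App Engine's code).
 * Usage: java TlsCheck                                   (offline: protocol lists only)
 *        java TlsCheck api.sandbox.braintreegateway.com   (also handshakes with the host)
 */
public class TlsCheck {

    /** Protocols a client socket created from this context will offer in ClientHello. */
    static String[] enabledProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /** Protocols the JSSE provider can speak at all (a superset of the enabled list). */
    static String[] supportedProtocols(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    /**
     * Build a context whose sockets enable TLSv1.2 and install it JVM-wide.
     * On Java 7 the default "TLS" context enables TLSv1 (and SSLv3 on older
     * updates) but not TLSv1.1/1.2; the "TLSv1.2" context enables TLSv1 through
     * TLSv1.2. Java 8 already enables TLSv1.2 in its default context.
     */
    static SSLContext installTls12Default() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, default trust store, default SecureRandom
        SSLContext.setDefault(ctx); // SSLSocketFactory.getDefault() now derives from this context
        // HttpsURLConnection caches its factory on first use; set it explicitly so
        // connections opened later by library code use the new context as well.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        return ctx;
    }

    /** Handshake with host:443 using the given context; return the negotiated protocol. */
    static String negotiatedProtocol(SSLContext ctx, String host) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, 443);
        try {
            socket.startHandshake(); // SSLHandshakeException if the server rejects every offered version
            return socket.getSession().getProtocol();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext before = SSLContext.getDefault();
        System.out.println("JVM:                 " + System.getProperty("java.version"));
        System.out.println("default enabled:     " + Arrays.toString(enabledProtocols(before)));
        System.out.println("default supported:   " + Arrays.toString(supportedProtocols(before)));

        SSLContext after = installTls12Default();
        System.out.println("TLSv1.2 ctx enabled: " + Arrays.toString(enabledProtocols(after)));

        if (args.length > 0) {
            String host = args[0];
            try {
                System.out.println(host + " with old default ctx: " + negotiatedProtocol(before, host));
            } catch (Exception e) {
                System.out.println(host + " with old default ctx FAILED: " + e);
            }
            System.out.println(host + " with TLSv1.2 ctx:     " + negotiatedProtocol(after, host));
        }
    }
}
```

If the default list printed for your JVM does not contain `TLSv1.2`, that JVM is the one a TLS-1.2-only endpoint will refuse. Two caveats that follow from the thread: the `deployment.security.TLSv1.*` properties tried in the comments belong to the Java browser plug-in and Web Start, so they do not influence a server-side JVM (the JSSE property that does restrict `HttpsURLConnection` is `https.protocols`, e.g. `-Dhttps.protocols=TLSv1.2`); and, as ndtreviv notes, a library that constructs its own `SSLSocketFactory` per connection bypasses both the JVM default context set here and the `HttpsURLConnection` default, which is why moving the local run to a JVM whose default already enables TLSv1.2 ends up being the only change that reaches every connection.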

1 Answer


We had this same problem (question here: Force TLS 1.2 on appengine dev server SDK) which we resolved by running the local version of the app on Java 8 SDK.

Java 8 uses TLSv1.2 by default. None of the JVM argument hacks worked for us, and we wanted to dynamically download the appengine SDK using appengineDownloadSdk so that we wouldn't have to maintain versions on our CI server, so the dev_server.sh hack didn't work either.

In the end, using the Java 8 SDK worked just fine, even though it feels wrong developing and testing on a JRE other than the one the app runs on in production.

ndtreviv