Updated the WePay SDK for PHP to force TLS 1.2 connections.

skyzyx · skyzyx · commit df061efc3fbb · 2015-08-14T14:21:33.000-07:00
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-WePay PHP SDK
+WePay SDK for PHP
 =============
 
 WePay's API allows you to easily add payments into your application.
@@ -106,7 +106,32 @@ try {
 }
 ```
 
-And that's it!  For more detail on what API calls are available, their parameters and responses, and what permissions they require, please see [our documentation](https://www.wepay.com/developer/reference). For some more detailed examples, look in the `demoapp` directory and check the README. Dropping the entire directory in a web-accessible location and adding your API keys should allow you to be up and running in just a few seconds.
+For more details on which API calls are available, their parameters and responses, and which permissions they require,
+please see [our documentation](https://www.wepay.com/developer/reference). For some more detailed examples, look in the 
+`demoapp` directory and check the README. Dropping the entire directory in a web-accessible location and adding your 
+API keys should allow you to be up and running in just a few seconds.
+
+Security
+--------
+
+### Connections require TLS 1.2 ###
+
+According to updated PCI requirements, SSL (v2, v3) and early TLS (1.0, 1.1) are no longer considered “strong 
+cryptography” and cannot be used as a security control after 2016-06-30. Because of this, WePay will be updating its API 
+endpoints to only allow TLS 1.2 connections over the coming months.
+
+WePay SDK for PHP version 0.3.0 is _possibly_ backwards-incompatible depending on how new or old your PHP stack is, 
+hence the [Semantic Versioning](http://semver.org) bump.
+
+Using the [PHP cURL extension](https://secure.php.net/manual/en/intro.curl.php), PHP will make outbound requests via the 
+system’s cURL installation. For licensing reasons, the PHP cURL extension uses NSS instead of OpenSSL.
+
+* [PHP (Zend Engine) 5.5.19+ or 5.6.3+ is required](https://secure.php.net/manual/en/curl.constants.php).
+* The PHP cURL extension requires cURL `7.34.0` (or newer) on the underlying system.
+* The PHP cURL extension must be compiled with NSS `3.15.1` (or newer).
+* HHVM 3.0 (or newer) and/or Hacklang (any version) has [the same cURL and cURL extension requirements as for 
+  PHP](https://twitter.com/SaraMG/status/631654826426798081).
+
 
 ### SSL Certificate ###
 
diff --git a/wepay.php b/wepay.php
@@ -26,7 +26,7 @@ class WePay
     /**
      * Version number - sent in user agent string
      */
-    const VERSION = '0.2.6';
+    const VERSION = '0.3.0';
 
     /**
      * Scope fields
@@ -102,10 +102,13 @@ public static function getAllScopes()
      * Generate URI used during oAuth authorization
      * Redirect your user to this URI where they can grant your application
      * permission to make API calls
+     *
      * @link https://www.wepay.com/developer/reference/oauth2
-     * @param  array  $scope        List of scope fields for which your application wants access
-     * @param  string $redirect_uri Where user goes after logging in at WePay (domain must match application settings)
-     * @param  array  $options      optional  user_name,user_email which will be pre-filled on login form, state to be returned in querystring of redirect_uri
+     *
+     * @param  array  $scope        List of scope fields for which your application wants access.
+     * @param  string $redirect_uri Where user goes after logging in at WePay (domain must match application settings).
+     * @param  array  $options      `user_name,user_email` which will be pre-filled on login form, state to be returned
+     *                              in query string of redirect_uri. The default value is an empty array.
      * @return string URI to which you must redirect your user to grant access to your application
      */
     public static function getAuthorizationUri(array $scope, $redirect_uri, array $options = array())
@@ -267,6 +270,11 @@ private static function make_request($endpoint, $values, $headers = array())
         curl_setopt(self::$ch, CURLOPT_TIMEOUT, 30); // 30-second timeout, adjust to taste
         curl_setopt(self::$ch, CURLOPT_POST, !empty($values)); // WePay's API is not strictly RESTful, so all requests are sent as POST unless there are no request values
 
+        // Force TLS 1.2 connections
+        curl_setopt(self::$ch, CURLOPT_SSL_VERIFYPEER, true);
+        curl_setopt(self::$ch, CURLOPT_SSL_VERIFYHOST, 2);
+        curl_setopt(self::$ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+
         $uri = self::getDomain() . $endpoint;
         curl_setopt(self::$ch, CURLOPT_URL, $uri);
 
@@ -282,8 +290,10 @@ private static function make_request($endpoint, $values, $headers = array())
             }
             throw new Exception('cURL error while making API call to WePay: cURL Errno - ' . $errno . ', ' . curl_error(self::$ch), $errno);
         }
+
         $result = json_decode($raw);
         $httpCode = curl_getinfo(self::$ch, CURLINFO_HTTP_CODE);
+
         if ($httpCode >= 400) {
             if (!isset($result->error_code)) {
                 throw new WePayServerException("WePay returned an error response with no error_code, please alert api@wepay.com. Original message: $result->error_description", $httpCode, $result, 0);
