Braintree PHP SDK Starting June 25th needs to be 6.21.0 or above #39590

Open
thss-admin opened this issue Jan 30, 2025 · 8 comments
Labels
Reported on 2.4.x Indicates original Magento version for the Issue report.

Comments

@thss-admin

Hello

We recently received an email from PayPal Braintree mentioning that we must update the version of the SDK to the minimum version of 6.21.0, released on Oct 31, 2024.

This is the official email from Braintree:

Our records show that as of 1/29/2025, you were using a legacy SDK version on a production or Sandbox application that is not compatible with an upcoming update to our root SSL certificate provider for production and Sandbox API traffic on 1/30/2025.

If you do not update to a compatible SDK and push changes to customer devices by June 30, 2025, you will not be able to process requests through your PayPal Braintree production and Sandbox accounts until you make the necessary update.

What action is required?

To avoid interruption to your processing, please update your SDK version to the appropriate minimum version as soon as possible:

Client-Side SDKs:
iOS 6.17.0
iOS 5.26.0
Android 4.45.0
Android 5.0.0
*Web/JS SDK does not require updating to a minimum version

Server-Side SDKs:
Ruby 4.23.0
Java 3.37.0
Python 4.31.0
PHP 6.21.0

Where can I find more information?

For information on how to update your SDK version, see our [developer docs](https://developer.paypal.com/braintree/docs/reference/general/best-practices/ruby#server-sdk-versions).

If you are using a third-party shopping cart for your integration, we recommend reaching out to your shopping cart provider to ensure that they are using up-to-date Braintree SDKs so your processing is not interrupted.

If you have updated your production and Sandbox integration since 1/29/2025, please disregard this email.

For any additional questions, contact us or reach out to your Customer Success Manager, if applicable.

Thanks,

Basically our question is to verify if Magento plans to fix this as a security update in the sooner patches for 2.4.4, 2.4.5, 2.4.6 and 2.4.7 or if it will be released as a separate patch we could apply.

This will affect almost 60 sites we own and we need to get prepared before June to be sending all of those updates.

Now another solution would be to update the dependency itself to 6.21.0 by using

php composer.phar update braintree/braintree_php:6.21.0

We would like to receive your feedback about this, since it will break a lot of sites, not only ours but worldwide, that use PayPal as their payment processor.

Regards


m2-assistant bot commented Jan 30, 2025

Hi @thss-admin. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.


Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

@github-project-automation github-project-automation bot moved this to Ready for Confirmation in Issue Confirmation and Triage Board Jan 31, 2025
@engcom-Bravo engcom-Bravo added the Reported on 2.4.x Indicates original Magento version for the Issue report. label Jan 31, 2025
@thss-admin
Author

This is an official email from PayPal and verifying the versions, in the 2.4.6 version we have the 6.11.1 Braintree SDK.

I don't know if I need to show steps to reproduce this, but it will be just triggering:

php composer.phar show braintree/braintree_php

Will show the version you all have.


I just did a local installation of Magento 2.4.7-p3 and after triggering the command mentioned above, it shows that the natively integrated Braintree PHP SDK is: 6.13.0

So even in the latest stable version of Magento, we are outdated, and this will break many installations that use PayPal/Braintree as their payment processor.

Regards
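
The version check from the comment above, extended to many sites at once, as an added example that is not part of the original thread: it reads each site's composer.lock instead of invoking Composer and flags any locked braintree/braintree_php below 6.21.0. The function names and the convention of passing site roots as arguments are assumptions, and it relies on Composer's pretty-printed lock file layout.

```shell
# Added example: audit site roots for the locked braintree/braintree_php version.
# Function names are hypothetical; site roots are passed as arguments.
MIN_VERSION="6.21.0"   # PHP minimum quoted in the Braintree email

# Print the locked SDK version from a composer.lock file. Assumes Composer's
# pretty-printed layout, where "version" directly follows "name".
locked_braintree_version() {
    awk '
        /"name": *"braintree\/braintree_php"/ { found = 1; next }
        found && /"version":/ {
            split($0, q, "\""); v = q[4]; sub(/^v/, "", v); print v; exit
        }
        found && /^ *}/ { exit }
    ' "$1"
}

# Succeed when $1 >= $2, comparing dot-separated fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "<status> <version> <root>" for one site; non-zero if action needed.
audit_site() {
    lock="$1/composer.lock"
    [ -f "$lock" ] || { echo "NO_LOCK - $1"; return 2; }
    ver=$(locked_braintree_version "$lock")
    [ -n "$ver" ] || { echo "NOT_INSTALLED - $1"; return 0; }
    if version_ge "$ver" "$MIN_VERSION"; then
        echo "OK $ver $1"
    else
        echo "OUTDATED $ver $1"; return 1
    fi
}

# Audit every root given on the command line; status 1 if any site is behind.
audit_all() {
    rc=0
    for site in "$@"; do audit_site "$site" || rc=1; done
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```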

@streamaster

Ok just another clear as mud email from Braintree on this issue, it seems to me that it refers only to domains owned by Braintree needing to update their Braintree SSL certificates. It would seem to me to question why we even received the first email unless I am reading it wrong:

Clarification: Update your production and Sandbox Braintree SDK version

Hi,

We apologize for any confusion caused by our previous email sent yesterday titled “ACTION REQUIRED: Update your production and Sandbox Braintree SDK version” regarding the update of your SSL certificates.

Please note that SSL Certificates need to be updated by June 30, 2025 not January 30, 2025.

Please note that JavaScript and .NET SDKs do not require updates to their SSL certificates. You can continue using these SDKs without taking any action. If you're still unsure about which server-side SDK version you're using, please refer to our documentation by clicking this link.

If you have already upgraded your SSL certificate and pushed the changes, please ignore this email and continue with your current setup.

We apologize for any inconvenience caused and appreciate your attention to this matter. For any additional questions, contact us or reach out to your Customer Success Manager, if applicable.

Thanks,

The Braintree Team

@thss-admin
Author

thss-admin commented Feb 3, 2025

No Streamaster,

It refers to the SSL cert that is in the braintree library in:

vendor/braintree/braintree_php/lib/ssl/api_braintreegateway_com.ca.crt

This CRT file is too old and needs to be updated, but it's suggested to not update files in vendor/ because in future updates or any composer update -W, it could override this content.

Either we update the library directly with the command I shared (Praying that it works properly) or we create a patch for overriding the content of that CRT.

This is not domain related, but the certificate used when doing requests to Braintree via CURL in the braintree module.


And confirming something about your message, they just sent another mail referring to a date error they sent, mentioning the certificates will stop working on January 30, but the real date was June 30.

Regards

@maderlock

Adobe have confirmed that the Braintree module will be updated to the required SDK version well in advance of the June deadline. I was asking them about 2.4.6 specifically, but word from Gene Commerce is that they will have documentation covering all possible scenarios in the next few days, so that's encouraging.

@thss-admin
Author

@maderlock could you share where Adobe confirmed this?

I need to report this to all of our clients, so that link where this is mentioned will be very beneficial.

Thank you

@maderlock

@thss-admin This was in a support ticket with Adobe for a Commerce client, so there is no link I am afraid.

@qrz-io
Contributor

qrz-io commented Feb 5, 2025

Hey everyone! I work with GENE, the agency responsible for the Braintree extension that ships with Magento. To address all concerns about the expiring certificate, we've written this post explaining what everyone should do. In summary:

  • Adobe will release a patch update on the 8th of April, which will include the upgrade to the SDK
  • If you can't get on that version in time (before June 30), we've provided a patch that can ensure you don't see disruption of service
  • We've added some notes for merchants that are not on supported versions of Magento as well

All the information here: https://www.gene.co.uk/braintree-sdk-ssl-certificate-update/
The patch and accompanying notes can be found in our GitHub page: https://github.com/genecommerce/braintree_php_sdk_update_ssl_certificate

Any questions, please let us know!
