PayPal Endpoint certificate upgrade - SHA-256 encryption

Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Hi

 

Can you confirm whether sites which currently have IPN set to a non-encrypted (http://) URL will need to obtain certificates also? Or is this change only affecting sites using https:// IPN URLs?

 

Thanks

Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Thanks for this! With an updated browser and as an Etsy seller I am going to assume we are all updated. However lately I have been getting pressure by Etsy to use their own payment system and bring PayPal into their party rather than the other way around so maybe I should worry.

Other prob is I never created a business account with PayPal and that may trip me up after 6 smooth years of transactions. Also, sounds like customers may be blocked from buying if their browsers are old.

Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

I have a question I could not find an answer for anywhere, so I hope you will help me.

As we know, if a merchant uses IPN (Instant Payment Notification), two operations take place after each payment:

1- PayPal sends an IPN to the merchant site's listener script
2- The merchant site's listener script contacts (via POST) the PayPal site to verify the received IPN

Plenty of merchant sites use HTTPS for both tasks, and they will soon have to change their certificate to SHA-256... but what about merchants who interact with PayPal using plain HTTP?

I know that if a merchant uses only plain HTTP on his site, he does not need to change anything for task 1 (i.e. receiving the IPN). But what about task 2? Will PayPal still be able to accept the POST from the merchant site for IPN validation over plain HTTP?

Thank you a lot for your answer.
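
The verification leg described as task 2 above, as an added Ruby example (not code from this thread): the listener posts the raw IPN back over HTTPS to the www.paypal.com endpoint quoted later in the thread, prefixed with PayPal's cmd=_notify-validate command (not mentioned in the thread), and treats only an exact VERIFIED reply as success. On this leg the merchant is the TLS client, so it is the merchant's OpenSSL that must accept PayPal's SHA-256 certificate even when the listener URL itself is plain HTTP. The `http` argument is injectable so the logic can be exercised without network access; sample IPN fields used with it are constructed.

```ruby
require "net/http"
require "uri"
require "openssl"

# Live endpoint quoted later in this thread; the sandbox URL works the same way.
PAYPAL_WEBSCR = URI("https://www.paypal.com/cgi-bin/webscr")

# Task 2 of the flow: the raw IPN body goes back unchanged, prefixed with PayPal's
# cmd=_notify-validate command, and the answer is the bare word VERIFIED or INVALID.
def validation_body(raw_ipn_body)
  "cmd=_notify-validate&#{raw_ipn_body}"
end

# On this leg the merchant is the TLS client, so it is the merchant's OpenSSL that
# has to accept PayPal's SHA-256 certificate, whatever scheme the listener URL uses.
def https_client(uri = PAYPAL_WEBSCR)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # do not "fix" handshake errors with VERIFY_NONE
  http
end

# True only for an exact VERIFIED reply; INVALID, an HTML error page or a TLS failure
# (raised as an exception) all mean the order must not be fulfilled.
def verify_ipn(raw_ipn_body, http = https_client)
  response = http.post(PAYPAL_WEBSCR.path, validation_body(raw_ipn_body),
                       "Content-Type" => "application/x-www-form-urlencoded")
  response.body.to_s.strip == "VERIFIED"
end
```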

Member

PayPal service upgrades on 30-sept-2015

Hi,

I have received an email about the PayPal service upgrade, as below.
###################################################
PayPal service upgrades.

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!
Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.
Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.
Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.
Thanks for your patience as we continue to improve our services.
###################################################

So what do I need to change in my environment to support this? Our environment details are as below.

We are using a Ruby on Rails application, and below are the server-related details.
Ubuntu version - 12.04 LTS
OpenSSL version - 1.0.1
nginx version: nginx/1.4.1
Ruby version - ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]


For PayPal configuration, we are using the configurations below. We have also configured the payment integration as per the Railscasts security episode.
(1) For the merchant certificate we have used the following configuration.
Signature Algorithm: sha1WithRSAEncryption
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
(2) For PayPal payment we are using the URLs below in our website.
For production environment:- https://www.paypal.com/cgi-bin/webscr
For development environment:- https://www.sandbox.paypal.com/cgi-bin/webscr

(3) We are using the code below to encrypt/decrypt the values sent to PayPal.

 

# Sign the key=value payload with the merchant certificate and private key (PKCS#7, binary encoding).
signed = OpenSSL::PKCS7::sign(OpenSSL::X509::Certificate.new(merchant.certificate), OpenSSL::PKey::RSA.new(merchant.encryption_key, ''), values.map { |k, v| "#{k}=#{v}" }.join("\n"), [], OpenSSL::PKCS7::BINARY)

# Encrypt the signed blob to PayPal's certificate with 3DES; the newline-stripped PEM is what goes into the form field.
OpenSSL::PKCS7::encrypt([OpenSSL::X509::Certificate.new(PAYPAL_CERT_PEM)], signed.to_der, OpenSSL::Cipher::Cipher::new("DES3"), OpenSSL::PKCS7::BINARY).to_s.gsub("\n", "")

 

All field values are as below.

merchant.certificate => the merchant certificate generated with the sha1WithRSAEncryption signature algorithm through the openssl software.
merchant.encryption_key => the 1024-bit key used to generate the encryption key through the openssl software.
values => the Hash of values passed to PayPal; it contains info like merchant email, return URL, notify URL, product info, price, etc.
PAYPAL_CERT_PEM => the certificate given by the PayPal website after uploading the merchant certificate there.

 

So, my questions are as below. I want a permanent solution for this.

(1) Is any code change required in my application?
(2) Will I need to upgrade any software (OpenSSL, Ubuntu, nginx)?

 

Thanks in advance,
Ashok

 

Administrator

Re: PayPal service upgrades on 30-sept-2015


ashokpatel wrote:
...

So what do I need to change in my environment to support this? Our environment details are as below.

We are using a Ruby on Rails application, and below are the server-related details.
Ubuntu version - 12.04 LTS
OpenSSL version - 1.0.1
nginx version: nginx/1.4.1
Ruby version - ruby 1.9.3p448 (2013-06-27 revision 41675) [x86_64-linux]


(1) For merchant certificate we have used below configurations.
Signature Algorithm: sha1WithRSAEncryption

 ...

Here all fields values as below.

 

merchant.certificate => the merchant certificate generated with the sha1WithRSAEncryption signature algorithm through the openssl software.
...

 

So, my questions are as below. I want a permanent solution for this.

(1) Is any code change required in my application?
(2) Will I need to upgrade any software (OpenSSL, Ubuntu, nginx)?

 

Thanks in advance,
Ashok

 


 

Hi @ashokpatel,

 

As you are using an OpenSSL version greater than 0.9.8, your server should support SHA-2 and I don't expect that you would need to upgrade any of the software. It's always best to test to be sure. But the settings appear to still use SHA-1 for the certificate, so there may be some adjustments needed there.

 

I recommend testing the current configuration in the PayPal Sandbox and using the IPN Simulator. These have already been migrated over and should let you know if IPNs will continue to work after the upgrade. If the initial IPN POST to your listener is failing, you may need to reissue or renew to a SHA-2 compatible certificate for the merchant.

 

 


mttnet wrote:

I have made some tests on the IPN at this link:

 

https://developer.paypal.com/developer/ipnSimulator/

 

The result was: "IPN was sent and the handshake was verified."

 

Am I OK with my IPN for the SHA-256 update?


 

Hi @mttnet,

If your integration is currently working with the IPN Simulator then it should be ready for the upgrade.

 

- Frank

 

If you see a helpful post, please accept it as a solution or give the author kudos. Thanks!
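
An added Ruby example (not code from Ashok's post or from PayPal) that ties Ashok's sign-then-encrypt code to Frank's remark that the merchant certificate still uses SHA-1: it generates a self-signed certificate the way the openssl tool would, checks it for the weak parameters the post lists (sha1WithRSAEncryption, a 1024-bit key), runs the same OpenSSL::PKCS7 pipeline, and performs the decrypt-and-verify step that PayPal's side carries out. The certificate names, the 2048-bit/SHA-256 threshold and the form values used to exercise it are assumptions for illustration.

```ruby
require "openssl"

# Self-signed certificate, standing in for the merchant certificate the post
# generates with the openssl tool and, below, for PayPal's own certificate.
def make_self_signed_cert(cn, bits: 2048, digest: "SHA256")
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Frank's "adjustments" point: the post's certificate (sha1WithRSAEncryption,
# 1024-bit key) should be reissued. The threshold is an assumption of this example.
def weak_cert_params?(signature_algorithm, key_bits)
  signature_algorithm.downcase.include?("sha1") || key_bits < 2048
end

def cert_needs_reissue?(cert)
  weak_cert_params?(cert.signature_algorithm, cert.public_key.n.num_bits)
end

# Same sign-then-encrypt pipeline as the post (OpenSSL::PKCS7, DES3). Returns the
# PEM; the post additionally strips its newlines before embedding it in the form.
def encrypt_for_paypal(values, merchant_cert, merchant_key, paypal_cert)
  data   = values.map { |k, v| "#{k}=#{v}" }.join("\n")
  signed = OpenSSL::PKCS7.sign(merchant_cert, merchant_key, data, [], OpenSSL::PKCS7::BINARY)
  OpenSSL::PKCS7.encrypt([paypal_cert], signed.to_der,
                         OpenSSL::Cipher.new("DES3"), OpenSSL::PKCS7::BINARY).to_pem
end

# Receiving side as PayPal performs it: decrypt with its own key, then verify the
# inner signature against the merchant certificate on file (here the trust anchor).
# Returns the key=value payload, or nil when the signature does not verify.
def decrypt_and_verify(pem, paypal_cert, paypal_key, merchant_cert)
  inner  = OpenSSL::PKCS7.new(pem).decrypt(paypal_key, paypal_cert)
  signed = OpenSSL::PKCS7.new(inner)
  store  = OpenSSL::X509::Store.new
  store.add_cert(merchant_cert)
  signed.verify([merchant_cert], store) ? signed.data : nil
end
```
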
Member

Re: PayPal service upgrades on 30-sept-2015

Hi @PayPal_Frank

 

 

Thank you for the reply.

 

 

I have tested with sandbox environment and it is working fine.

 

Regards,

Ashok

New Community Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

I have made some tests on the IPN at this link:

 

https://developer.paypal.com/developer/ipnSimulator/

 

The result was: "IPN was sent and the handshake was verified."

 

Am I OK with my IPN for the SHA-256 update?

New Community Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

What if you have a SHA-2 SSL cert that was signed with a G2 root? I don't see the root cert aspect discussed. My GoDaddy SSL certificate is signed with a GoDaddy G2 root cert. Could you speak to the root cert aspect discussed in

 

 https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US

 

I am not clear if I have to get a new SSL cert which has a G5 root, or if what I have from GoDaddy is fine.  Please advise.

 

Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

So does anyone know if this will affect people running websites without SSL? I am using OpenCart 2 without SSL; all customers are redirected to PP to finish checkout.

 

BUT I believe OpenCart also uses PP IPN: it sends a message to my website that the order is complete so that OpenCart can still save the order in my OpenCart server's database.