PayPal Changes for SHA-256 Certificates

Tags: php, ssl, paypal

I've been getting emails from PayPal about the changes they're making about supporting SHA-256 certificates and warning me that I may have to update things on my website.

I use PayPal's IPN service, which I originally set up on my website (all custom PHP code that I wrote, no pre-built shopping carts) and that has been running quite happily since 2008.

My hosting is shared hosting as it's not a very large or busy website. The hosting platform is running PHP 5.2.17, Apache 2.2.3 (CentOS), and OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (I got all of this info from PHP's phpinfo() function).

Am I correct in thinking that any changes that need to be made will have to be made by my web host since I can't update any software on the server?

When I originally set everything up back in 2008 I remember downloading a certificate from PayPal and using OpenSSL on my Windows PC to create something (another certificate? I don't know) which I then uploaded to my website and use for encrypting my payment requests to PayPal. Do the SHA-256 changes that PayPal are bringing in affect this? Do I need to remake the certificate or something?

I did try using the IPN Simulator (after changing the end points that my IPN handler uses) but I can't get this to work as the IPN Simulator gives me a 502 Bad Gateway error and I've got no idea what that means or what the problem might be.

user3792628 asked Sep 13 '15 09:09

1 Answer

Even if your website is nowhere using HTTPS, you would still need to check the cert compatibility with this upgrade.

When your IPN script receives PayPal messages and POSTs them back to PayPal for verification, this server-to-server connection has to be secured, as the IPN endpoint of PayPal is HTTPS; that means the default keystore/truststore on your webserver should contain the SHA-2 compatible certs to establish the SSL handshake.

OpenSSL 0.9.8 by default supports SHA-2, but it is still worth checking your server compatibility by simply pointing your IPN script endpoint from www.paypal.com to www.sandbox.paypal.com (because the sandbox environment has done the SHA-2 upgrade already), and sending an IPN POST message to your listener (with the IPN simulator),

OR SSH to your server and run the command:

openssl s_client -connect www.sandbox.paypal.com:443 -showcerts -CApath /etc/ssl/certs/
pp_pduan answered Sep 21 '22 21:09
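The server-to-server postback the answer describes, written out as an added example (this is not code from the question, the answer, or PayPal). It keeps TLS peer verification switched on and uses an explicit CA bundle, so a trust store that cannot validate PayPal's SHA-256-signed chain shows up as a logged cURL/SSL error instead of a silently accepted message. The syntax stays within PHP 5.2 (define(), array(), no closures) to match the host described in the question. The CA bundle path, log path and USE_SANDBOX switch are placeholders assumed for this example; the /cgi-bin/webscr path and cmd=_notify-validate parameter are PayPal's documented IPN postback protocol.

```php
<?php
// Added example IPN listener: posts the received notification back to PayPal
// over HTTPS with certificate verification ON. Not the page's own code.
// Placeholders (assumptions): CA_BUNDLE, IPN_LOG, USE_SANDBOX.

define('USE_SANDBOX', true);                            // true: www.sandbox.paypal.com (already on SHA-2)
define('CA_BUNDLE',   '/etc/ssl/certs/ca-bundle.crt');  // placeholder: ask your host for the real path
define('IPN_LOG',     '/path/outside/webroot/ipn.log'); // placeholder: keep logs out of the web root

function ipn_postback_url() {
    $host = USE_SANDBOX ? 'www.sandbox.paypal.com' : 'www.paypal.com';
    return 'https://' . $host . '/cgi-bin/webscr';
}

// Sends the raw IPN body back to PayPal. Returns 'VERIFIED', 'INVALID',
// or an 'ERROR: ...' string. The TLS options are the point of the example:
// never set VERIFYPEER to false to "fix" a handshake failure; fix the trust store.
function ipn_verify($raw_post) {
    $ch = curl_init(ipn_postback_url());
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, 'cmd=_notify-validate&' . $raw_post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // validate PayPal's certificate chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // and check the certificate matches the host name
    curl_setopt($ch, CURLOPT_CAINFO, CA_BUNDLE);      // trust store that must contain the SHA-2 roots
    curl_setopt($ch, CURLOPT_FORBID_REUSE, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close', 'User-Agent: ipn-listener-example'));

    $response = curl_exec($ch);
    if ($response === false) {
        // A trust-store problem surfaces here, e.g. "SSL certificate problem:
        // unable to get local issuer certificate". Nothing has been verified.
        $err = 'ERROR: ' . curl_error($ch);
        curl_close($ch);
        return $err;
    }
    curl_close($ch);

    $body = trim($response);
    if ($body === 'VERIFIED' || $body === 'INVALID') {
        return $body;
    }
    return 'ERROR: unexpected response from PayPal';
}

$raw_post = file_get_contents('php://input');
$result   = ipn_verify($raw_post);
error_log(date('c') . ' ' . $result . "\n", 3, IPN_LOG);

if ($result === 'VERIFIED') {
    // Only now trust $_POST: check that txn_id has not been processed before and
    // that receiver_email, mc_gross and mc_currency match your own order record
    // before fulfilling anything.
} elseif ($result === 'INVALID') {
    // PayPal says this message is not one it sent (or it was altered): do not fulfil.
} else {
    // Transport or TLS failure: answer with a 5xx so PayPal retries the IPN
    // later, then check the trust store / OpenSSL build on the host.
    header('HTTP/1.1 500 Internal Server Error');
}
```

Run it with USE_SANDBOX set to true and send a test message from the IPN simulator: a log line reading VERIFIED means the host's OpenSSL and CA bundle already validate the SHA-256 chain; an ERROR line with an SSL certificate problem means the trust store needs updating, which on shared hosting is the provider's job, exactly the situation the question asks about.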