
I've been getting emails from PayPal about the changes they're making about supporting SHA-256 certificates and warning me that I may have to update things on my website.

I use PayPal's IPN service, which I originally set up on my website (all custom PHP code that I wrote, no pre-built shopping carts) and that has been running quite happily since 2008.

My hosting is shared hosting as it's not a very large or busy website. The hosting platform is running PHP 5.2.17, Apache 2.2.3 (CentOS), and OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (I got all of this info from PHP's phpinfo() function).

Am I correct in thinking that any changes that need to be made will have to be made by my web host since I can't update any software on the server?

When I originally set everything up back in 2008 I remember downloading a certificate from PayPal and using OpenSSL on my Windows PC to create something (another certificate? I don't know) which I then uploaded to my website and use for encrypting my payment requests to PayPal. Do the SHA-256 changes that PayPal are bringing in affect this? Do I need to remake the certificate or something?

I did try using the IPN Simulator (after changing the end points that my IPN handler uses) but I can't get this to work as the IPN Simulator gives me a 502 Bad Gateway error and I've got no idea what that means or what the problem might be.

  • Put your site URL into www.shachecker.com and see what it tells you. Commented Sep 13, 2015 at 20:11
  • shachecker.com didn't seem to work for me (wildcard SSL cert) though sslshopper.com/ssl-checker.html did
    – ajbeaven
    Commented Sep 13, 2015 at 21:35
  • shachecker.com says "That domain doesn't seem to be running on https" which is correct, I don't use https anywhere on my site as there's no need to because all credit card information is done via PayPal. sslshopper.com/ssl-checker.html said it couldn't find a certificate, which again is correct as I don't use https. Commented Sep 14, 2015 at 0:29
  • @user3792628 there is a need to use https even though you have a payment gateway, and that's because an attacker can modify your page to point to their paypal, or even a malicious site, to steal info/money.
    – Amelia
    Commented Sep 14, 2015 at 16:29

1 Answer

Even if your website is not using HTTPS anywhere, you would still need to check the cert compatibility with this upgrade.

When your IPN script receives PayPal messages and POSTs them back to PayPal for verification, this server-to-server connection has to be secured, as PayPal's IPN endpoint is HTTPS. That means the default keystore/truststore on your webserver should contain the SHA-2 compatible certs to establish the SSL handshake.

OpenSSL 0.9.8 supports SHA-2 by default, but it is still worth checking your server's compatibility by simply pointing your IPN script endpoint from www.paypal.com to www.sandbox.paypal.com (because the sandbox environment has done the SHA-2 upgrade already) and sending an IPN POST message to your listener (with the IPN Simulator),

OR SSH to your server and run the command:

openssl s_client -connect www.sandbox.paypal.com:443 -showcerts -CApath /etc/ssl/certs/
  • Thanks for your comments. I did try changing my IPN script's endpoint to www.sandbox.paypal.com and sent a message via the IPN Simulator, but the simulator gave me a 502 Bad Gateway error and no message made it into my script. I'm pretty sure I was entering the correct URL for my IPN script, so I don't know what the problem was (maybe the sandbox was just experiencing one of its numerous outages). I'll go back and try again. Commented Sep 14, 2015 at 23:06
  • Sorry, here I am asking one question: if IPN is working in sandbox, does that mean no change is required regarding the changes for SHA-256 certificates? Commented Sep 28, 2015 at 6:32
  • @Purvesh Desai, correct, tests against sandbox will ensure the SHA-2 compliance
    – pp_pduan
    Commented Sep 28, 2015 at 8:29
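The following is an added example, not part of the answer above and not PayPal's own tooling. It wraps the openssl s_client check from the answer into a small POSIX shell script and interprets the two things that matter for the SHA-2 upgrade: whether the handshake verified against the local trust store (the "Verify return code" line) and which digest signed the leaf certificate. It assumes the OpenSSL command-line tool is installed and that the CA bundle lives in /etc/ssl/certs (override with CA_PATH); the host name is passed as the first argument, and the two parsing helpers run without any network access.

```shell
#!/bin/sh
# Added example (not from the original answer): wraps the
# `openssl s_client -connect host:443 -showcerts -CApath ...` check
# into a script and interprets its output.
# Assumptions: openssl CLI in PATH; CA bundle directory /etc/ssl/certs
# (set CA_PATH to your host's location if different).

CA_PATH="${CA_PATH:-/etc/ssl/certs}"

# Extract the numeric "Verify return code" from openssl s_client output.
# 0 = the chain validated against the local trust store.
# 20 (unable to get local issuer certificate) or 21 (unable to verify the
# first certificate) usually mean the CA that issued the endpoint's SHA-2
# chain is missing from the server's trust store.
parse_verify_code() {
    printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Given a "Signature Algorithm:" line from `openssl x509 -text`, report
# whether the certificate was signed with a SHA-2 family digest.
classify_sigalg() {
    case "$1" in
        *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) echo "SHA-2" ;;
        *sha1*|*SHA1*) echo "SHA-1" ;;
        *) echo "unknown" ;;
    esac
}

# Live check against an endpoint (needs network access to the host).
# Prints the leaf certificate's signature digest family and the verify
# code; exits non-zero when the handshake did not verify.
paypal_sha2_check() {
    host="$1"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:443" -showcerts -CApath "$CA_PATH" 2>/dev/null)
    code=$(parse_verify_code "$out")
    # First PEM block in -showcerts output is the leaf (server) certificate.
    leaf=$(printf '%s\n' "$out" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | awk '/BEGIN CERTIFICATE/{n++} n==1')
    sig=$(printf '%s\n' "$leaf" | openssl x509 -noout -text \
        | sed -n 's/.*\(Signature Algorithm:.*\)/\1/p' | head -n 1)
    echo "$host: leaf signature=$(classify_sigalg "$sig") verify_code=${code:-none}"
    [ "$code" = "0" ]
}

# Usage: sh check_sha2.sh www.sandbox.paypal.com
if [ -n "$1" ]; then
    paypal_sha2_check "$1"
fi
```

On shared hosting without SSH access this script cannot be run on the server itself, so the sandbox IPN test described in the answer remains the only check that exercises the host's actual trust store. Running the script from another machine only tells you about that machine's CA bundle, not the web host's.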
