moulte

modification paypal SHA 256


Hello,

Since PayPal's server change to SHA 256, when a purchase is made in my e-shop the stock is no longer deducted.
Do you have this problem too, and if so, have you found a solution? Thank you very much.


I got an e-mail from PayPal today telling me the following.

 

 

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.
This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.
You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!
Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.
Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

 

For me this is all gibberish, I have no clue what SHA-256 is and how to integrate that into current PayPal modules.

Is this something that concerns only me or is this something that might concern all osC users and those that use PayPal as payment?

Looking at the date this is something that needs attention, now! So any further Info on this would be appreciated.

Thanks.

 

Here is more info.

 

https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US

https://www.paypal-knowledge.com/resources/sites/PAYPAL/content/live/FAQ/1000/FAQ1766/en_US/2015%20Merchant%20Security%20System%20Upgrade%20Guide%20%28U.S.%20English%29.pdf

Edited by Tsimi


Hi there,

I also got this confusing email and tested my site in the sandbox which apparently has already been upgraded to the new standard.

The theory being if it all works in the sandbox it will work when they upgrade. Running PayPal standard in the new Oscommerce PayPal app the ipn called back to my site no problem.

However from what I understand it really has more to do with the server and the way that is configured.

:thumbsup:


@@douglaswalker

 

Yeah, that's what I read too. According to PayPal Sandbox is already updated so I placed 2 test orders (domestic and international customer account) and both went through just fine.

Then I guess it is as you said, if it works in Sandbox then it should work in live mode too.

 

Maybe Harald will chime in one day and enlighten us all. o:)  


The PayPal upgrade involves two things: your SSL certificate has to use the SHA 2 algorithm (for any certificate) and, if it is a VeriSign cert, it must use the G5 CA bundle. You can test your certificate here


@@Jack_mcs

Jack,

I have GeoTrust EV SSL CA - G4 as the intermediary -do you know if that is going to be an issue?

 

I get all green on your test link.


-Dave


I get this...

 

One of the certificates is signed with a SHA1 signature. We recommend that you reissue or replace this certificate with one that uses a SHA-2 signature. Contact your SSL provider about how to do this. Read more about the SHA-1 deprecation here.

 

however when I test in the sandbox all works as it should ????

 

Weird huh

Anyone have any ideas


@@Tsimi Green is just the color that site uses. It doesn't check specifically for these changes. You need to check the results to be sure they are correct. Search for "Signature Algorithm" for the SHA version in use. The "Issuer" contains the CA version.

 

@@Roaddoctor I don't know the answer for this for sure. PayPal's document clearly mentions VeriSign. But VeriSign owns GeoTrust so it is not clear, at least to me, if that is a problem. I'm pretty sure their CA bundles are different and GeoTrust's SSLs won't be a problem. But I sent GeoTrust an email last week for clarification since we have sites that use them too. I haven't received a reply yet but will post it here when I do.

 

@@douglaswalker I can't say why it works in Sandbox. According to the way I read PayPal's docs on this, it should fail. But SHA 1 is being phased out. It is supposed to be good through 2016 but Google said they are changing Chrome to refuse it some time sooner, possibly this year. It is an easy change and, as mentioned, usually doesn't involve a cost, so I suggest you do this now.

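Added example (not part of the thread or of osCommerce): the check described in the post above, reading "Signature Algorithm" and "Issuer" for every certificate in a chain, written as a shell function over `openssl` text dumps. The sample chain is constructed, `shop.example` is a placeholder, and the function name `check_chain` is made up for this example.

```shell
# Added example: summarise a certificate chain from concatenated
# `openssl x509 -noout -text` style dumps read on stdin.
# One way to produce such dumps for a live site (placeholder host):
#   openssl s_client -connect shop.example:443 -showcerts </dev/null 2>/dev/null |
#     openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
#     openssl pkcs7 -print_certs -text -noout | check_chain

# Prints one line per certificate: <n> <verdict> <sigalg> issuer="<issuer>"
check_chain() {
  awk '
    function flush_cert() {
      if (!n) return
      # A self-signed root is trusted because it sits in the trust store,
      # so the hash on its own signature is not what clients evaluate.
      if (subject == issuer)               verdict = "ROOT"
      else if (tolower(sig) ~ /sha1|md5/)  verdict = "WEAK"
      else                                 verdict = "OK"
      printf "%d %s %s issuer=\"%s\"\n", n, verdict, sig, issuer
    }
    /^Certificate:/ { flush_cert(); n++; sig = issuer = subject = "" }
    # The algorithm is printed twice per certificate; keep the first.
    /Signature Algorithm:/ && sig == "" { sig = $NF }
    /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
    /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
    END { flush_cert() }
  '
}

# Constructed sample: trimmed dumps for a three-certificate chain shaped like
# the results quoted in the thread (names are illustrative only).
sample_chain() {
  cat <<'EOF'
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=RapidSSL CA
        Subject: CN=shop.example
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=GeoTrust Global CA
        Subject: CN=RapidSSL CA
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=GeoTrust Global CA
        Subject: CN=GeoTrust Global CA
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

sample_chain | check_chain
```

A `WEAK` line on a leaf or intermediate certificate is the case to raise with the certificate provider; a `ROOT` line is informational.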

With green I meant everything is OK, not specifically green as in the round check icons. ;)

 

Mine says

 

Signature Algorithm: sha256WithRSAEncryption

Issuer: GeoTrust Global CA


 @@Roaddoctor

 

Thank-you

 

My Server (local) 

 

Signature Algorithm: sha256WithRSAEncryption
Issuer: RapidSSL CA

 

so that bit is ok

the 2 next ones are SHA1

 

however in the sand box the ipn connects and updates no problem so perhaps as you say only the server needs sha256.

 

As it turns out my cert is due for update in the next few days anyway.


I have been following this and have come across 2 things that I am not sure how to do. I am using osCommerce Online Merchant v2.3.1 and have not touched this since I opened my store a few years back so I am like a newbie again.

 

1. It was suggested doing tests in sandbox mode. I changed my mode to sandbox and signed on to my test customer and tried to make a purchase.

 

All seemed normal but when I tried to sign in to pay for the item, Paypal kept telling me to check my email address and/or password. I could not complete the transaction to see if everything is working as it should.

 

2. I did the test and all was green with the exception of one. It said the following. I do not know how to fix this.

None of the common names in the certificate match the name that was entered (sunshynecraftsbeads.com). You may receive an error when accessing this site in a web browser.

3. My server is as follows;

 

Signature Algorithm: sha256WithRSAEncryption
Issuer: COMODO RSA Domain Validation Secure Server CA

 

 

Can anyone offer help or suggestions on what I should do ?

 

Thank you in advance.


@@sunshynecraftsbeads PayPal's sandbox can be a pain to work with, in my opinion. You have to set it up as a whole new PayPal account, which includes different credentials. The error you are getting sounds like you may be trying your live account's login.

For the SSL test, you are getting that error because you don't have an SSL certificate. The good news is that that makes this change by PayPal a non-issue for you. The bad news is that not having a certificate will, most likely, cause a loss of sales. I suggest you look into purchasing a cert or, at least, using your host's shared cert, which is free, if they offer it.


Hi everyone,

I too was concerned about the email from PayPal. So I emailed my SSL certificate provider and their response was as follows:

"

Please note that this notification you received from Paypal has nothing to do with your own SSL certificate, which by the way is encrypted using a SHA-256 key, basically Paypal are upgrading their own SSL certificate from SHA-1 to SHA-256. 

 

Furthermore, they send this email for you to make sure that the platform on which your website is being hosted supports SHA-256 encrypted certificates. For this you will need to get in touch with your hosting provider, however, if you could install the 123-Reg SSL, which is SHA-256, you should not encounter any issues with Paypal upgrading their own SSL certificate.

"

 

Hope this helps?

 

Mike


osC BS gold live - osC CE in development (awesome)


@@sunshynecraftsbeads PayPal's sandbox can be a pain to work with, in my opinion. You have to set it up as a whole new PayPal account, which includes different credentials. The error you are getting sounds like you may be trying your live account's login.

For the SSL test, you are getting that error because you don't have an SSL certificate. The good news is that that makes this change by PayPal a non-issue for you. The bad news is that not having a certificate will, most likely, cause a loss of sales. I suggest you look into purchasing a cert or, at least, using your host's shared cert, which is free, if they offer it.

Jack, thank you so much for the information and advice. It is greatly appreciated. I will look at getting an SSL certificate now. Have a great day!


I'm using this add on without a secure certificate. Is that right or wrong? My web co say I now have to have one. Is there another add on that works in a different way that won't need an SSL?

 

 


@@cran-09 I'm not sure what you mean by "this addon" but I assume you mean the osCommerce package, which isn't an addon. SSL isn't required. See the previous post by member sunshynecraftsbeads that shows her site is working without a certificate. It is not recommended, as stated in my reply. If you don't want to purchase a cert, then you can use your host's free shared cert, assuming they offer one. If not, then you can move to a better equipped host.


this forum thread categorises it as an add on - sorry for using the wrong term.

my host confirmed I don't need to act, so I'm not sure why my web co told me to do this without explaining the options. 

 

What I was trying to ask is that some platforms other than osCommerce haven't had the PayPal email, so they must be using another method of communicating with PayPal and wondered if there was another option.


No need to apologize. I'm just trying to understand the question. I think you may be referring to the paypal module, which is an addon but isn't involved with the changes talked about here. The module will work with or without an ssl certificate. Your host may have meant you should have an ssl certificate, which you should, though only they can say what they meant.


@@Jack_mcs 

 

Once again, thanks for taking the time to provide guidance to all of us who just wish we understood all of this stuff!!!

 

:thumbsup:    :)   :beers:   :thumbsup:

 

Having you, and some of the other forum members who so graciously expend your personal time and effort helping the rest of us, makes the OSC solution manageable and enjoyable by those of us who are less technically inclined.  You guys are truly appreciated!


Anthony David

AllThingsTrendy.com
