PayPal upgrading SSL Certificates in 2015-2016
If you're using PayPal for handling payments, you'll soon be receiving an email from them to advise that they're upgrading their SSL certificates, and pointing to this document for reference: https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766
WHAT ACTION DO I NEED TO TAKE?
The Zen Cart software is not affected by these changes.
But if you haven't applied the 2014 POODLE update then you should do that immediately.
However, we have THREE RECOMMENDATIONS:
1. It is recommended that you upgrade to at least Zen Cart v1.5.4 to make future adjustments much simpler; and
2. EVEN IF YOU DON'T USE SSL ON YOUR STOREFRONT, communicating with any payment service DOES require that your server have a working SSL infrastructure in the back-end. This is almost always already present, but isn't always up-to-date. So, you should still CHECK YOUR WEBSERVER for compatibility with the new SHA-256 certificate technology which will be required by most web services in 2015. At the very least you need to be using a minimum Apache version of 2.0.63 (if you're using Apache; if you're using IIS, talk to your server admin to fix that), and OpenSSL 0.9.8o or newer (v1.1.x is better).
3. If you use SSL on your storefront, test your site's SSL here: https://www.ssllabs.com/ssltest/ and have your hosting company fix all issues so that you get an "A" grade. (While an "A" itself isn't mandatory for the purposes of PayPal or Zen Cart, any issues preventing you from getting an "A" deserve investigation by someone who understands such matters. Hopefully your hosting company is well versed in that area. If not, that's a revealing piece of information to consider when renewing your hosting services.) We recommend you aim for an "A" rating, just to minimize possible issues (again, not specific to PayPal or Zen Cart), and make your site compatible with as many browsers as possible while providing the best security and insulating against all known threats due to improper configuration.
FOR THE TECHNICALLY-INTERESTED:
PayPal's update is occurring in 2 stages: A VeriSign G2-to-G5 Root Certificate Upgrade, and then a SHA-256 SSL certificate.
And, strictly speaking, those changes have NO IMPACT on the PHP code used in Zen Cart. But they do affect underlying server technologies used on your webserver.
1. VeriSign Root Certificate Upgrade:
We've already tested Zen Cart against the PayPal sandbox, which is already using the VeriSign G5 Root Certificate, and it works fine. But that's because the webservers we tested on already have the VeriSign G5 Root Certificate authority files installed. Your host can help you with this. See the link below.
2. SHA-256 SSL certificate
According to their announcement as of the date of this post, PayPal isn't updating the "api-3t.paypal.com" endpoint (used in Zen Cart v1.3.x and v1.5.x) until June 2016 (and the sandbox too, so we can't test that just yet; nevertheless, it's a server config thing, not a Zen Cart thing).
But in 2015 there is a big push for all webservers to start using SHA-256 SSL certificate chains. As such, you should ensure that your hosting company properly updates your server's SSL certificate store.
a) PayPal offers some advice for your hosting company here: 2015 Merchant Security System Upgrade Guide (U.S. English).pdf
b) And you can also ask your hosting company to fix any SSL problems reported for your site as mentioned in #3 above.
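As an added example (not code from the Zen Cart project or from PayPal), here is a POSIX shell script a server admin could drop on the host to carry out the check in recommendation 2 above: it compares the installed OpenSSL against the 0.9.8o minimum named there, handling the letter-suffixed version numbering OpenSSL used at the time (including the 0.9.8za..0.9.8zh series), checks whether the openssl binary offers TLS 1.2, and can look for the VeriSign G5 root in a CA bundle whose path you supply. The `--run` switch, the function names and the sample version strings are the example's own assumptions; the G5 root is matched by its subject common name rather than a fingerprint, and the Apache version check is left to `httpd -v` / `apache2 -v` since that output varies by distribution.

```shell
#!/bin/sh
# Added example (not Zen Cart or PayPal code): check a server's OpenSSL against
# the 0.9.8o minimum from recommendation 2, and whether the local openssl
# binary offers TLS 1.2. Pure POSIX sh; the live checks only run with --run
# and only if an openssl binary is on PATH, so the functions work offline.

# Turn an OpenSSL version string into one integer that sorts correctly,
# e.g. "OpenSSL 0.9.8o 01 Jun 2010" -> 90815, "1.0.2k-fips" -> 1000211.
# The patch letter counts a=1 .. y=25; the "za".."zh" series released after
# 0.9.8y counts as 26+. Returns 1 if the string is not a version at all.
openssl_version_key() {
    v=${1#"OpenSSL "}      # drop the leading word that "openssl version" prints
    v=${v%% *}             # keep the first token only (drops the build date)
    v=${v%%-*}             # drop "-fips" style suffixes
    num=${v%%[a-z]*}       # numeric part, e.g. 0.9.8
    letters=${v#"$num"}    # patch letter(s), e.g. o
    case "$num" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    case "$num" in *[!0-9.]*) return 1 ;; esac
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    case "$fix" in *.*) return 1 ;; esac   # reject a fourth component
    case "$letters" in
        "")  patch=0 ;;
        z?)  c=${letters#z}; patch=$(( 26 + $(printf '%d' "'$c") - 96 )) ;;
        ?)   patch=$(( $(printf '%d' "'$letters") - 96 )) ;;
        *)   return 1 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + fix * 100 + patch ))
}

# openssl_version_ok VERSION_STRING [MINIMUM]: exit 0 if VERSION_STRING >= MINIMUM
# (MINIMUM defaults to the 0.9.8o named in the post).
openssl_version_ok() {
    have=$(openssl_version_key "$1") || return 1
    need=$(openssl_version_key "${2:-0.9.8o}") || return 1
    [ "$have" -ge "$need" ]
}

# Live checks against the openssl binary actually installed on this host.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH"
        return 2
    fi
    ver=$(openssl version)
    if openssl_version_ok "$ver"; then
        echo "OK:      $ver (>= 0.9.8o)"
    else
        echo "TOO OLD: $ver (need 0.9.8o or newer)"
        return 1
    fi
    # s_client lists its protocol switches in -help; no -tls1_2 means no TLS 1.2.
    if openssl s_client -help 2>&1 | grep -q -- '-tls1_2'; then
        echo "OK:      TLS 1.2 available"
    else
        echo "MISSING: this openssl cannot speak TLS 1.2"
        return 1
    fi
}

# Does a PEM CA bundle contain the VeriSign G5 root? Pass the bundle path;
# it differs per distribution, so none is assumed here. Matches on the
# root's subject common name.
has_verisign_g5_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -q 'VeriSign Class 3 Public Primary Certification Authority - G5'
}

# Run the live checks only when asked (assumed --run switch), so the file
# can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    check_local_openssl
fi
```

Run it as `sh check.sh --run` on the web host, or source it and call the functions yourself; `has_verisign_g5_root` wants the path of the PEM bundle your OpenSSL actually uses (`openssl version -d` prints the directory it was built to look in).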
Re: PayPal upgrading SSL Certificates in 2015
2016 Updates - PayPal
PayPal has been continuing the upgrades they announced in 2015, into 2016.
Here is how they affect you and your Zen Cart sites:
a) TLS 1.2 and HTTP/1.1 Upgrade
This does not affect the Zen Cart software. But it may affect your webserver. Your hosting company can help sort out this one. The information in the above post, as well as PayPal's own posts, is useful in establishing compatibility for your server.
b) SSL Certificate Upgrade
This too is a server issue, and has nothing to do with Zen Cart specifically. Your hosting company's server admins can follow the previous post above, and PayPal's recommendations.
c) IPN Verification Postback to HTTPS
This is NOT an issue if you're using Zen Cart v1.3.9a or newer.
Zen Cart versions v1.3.8 and older are terribly obsolete and are NOT compatible with modern PHP and SSL/TLS configurations. They should be upgraded immediately. They will stop working with PayPal after Sept 30, 2016. Zen Cart has already released 15 new versions since v1.3.8 was published in 2007. Using a modern version of Zen Cart will resolve this issue for you.
d) IP Address update for PayPal Secure FTP servers
This has nothing to do with Zen Cart.
No action required.
e) Merchant API Certificate Credentials Upgrade
Zen Cart uses "API Signature" credentials, and NOT "API Certificate" credentials, so this does not affect Zen Cart.
No action required.
f) Discontinue GET method for Classic NVP APIs
Zen Cart has never used the GET method for API calls to PayPal.
No action required.
g) Security Best Practices
As always, it is best to continually review your site's security: PayPal has a number of recommendations for you to review.