    PayPal upgrading SSL Certificates in 2015-2016

    If you're using PayPal for handling payments, you'll soon be receiving an email from them to advise that they're upgrading their SSL certificates, and pointing to this document for reference: https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766

    WHAT ACTION DO I NEED TO TAKE?
    The Zen Cart software is not affected by these changes.

    But if you haven't applied the 2014 POODLE update then you should do that immediately.

    However, we have THREE RECOMMENDATIONS:
    1. It is recommended that you upgrade to at least Zen Cart v1.5.4 to make future adjustments much simpler; and

    2. EVEN IF YOU DON'T USE SSL ON YOUR STOREFRONT, communicating with any payment service DOES require that your server have a working SSL infrastructure in the back-end. This is almost always already present, but isn't always up-to-date. So, you should still CHECK YOUR WEBSERVER for compatibility with the new SHA-256 certificate technology which will be required by most web services in 2015. At the very least you need to be using a minimum Apache version of 2.0.63 (if you're using Apache; if you're using IIS, talk to your server admin to fix that), and OpenSSL 0.9.8o or newer (v1.1.x is better).

    3. If you use SSL on your storefront, test your site's SSL here: https://www.ssllabs.com/ssltest/ and have your hosting company fix all issues so that you get an "A" grade. (While an "A" itself isn't mandatory for the purposes of PayPal or Zen Cart, any issues preventing you from getting an "A" deserve investigation by someone who understands such matters. Hopefully your hosting company is well versed in that area. If not, that's a revealing piece of information to consider when renewing your hosting services.) We recommend you aim for an "A" rating, just to minimize possible issues (again, not specific to PayPal or Zen Cart), and make your site compatible with as many browsers as possible while providing the best security and insulating against all known threats due to improper configuration.



    FOR THE TECHNICALLY-INTERESTED:
    PayPal's update is occurring in 2 stages: A VeriSign G2-to-G5 Root Certificate Upgrade, and then a SHA-256 SSL certificate.

    And, strictly speaking, those changes have NO IMPACT on the PHP code used in Zen Cart. But they do affect underlying server technologies used on your webserver.

    1. VeriSign Root Certificate Upgrade:
    We've already tested Zen Cart against the PayPal sandbox, which is already using the VeriSign G5 Root Certificate, and it works fine. But that's because the webservers we tested on already have the VeriSign G5 Root Certificate authority files installed. Your host can help you with this. See the link below.

    2. SHA-256 SSL certificate
    According to their announcement as of the date of this post, PayPal isn't updating the "api-3t.paypal.com" endpoint (used in Zen Cart v1.3.x and v1.5.x) until June 2016 (and sandbox too, so we can't test that just yet; nevertheless, it's a server config thing, not a Zen Cart thing).
    But in 2015 there is a big push for all webservers to start using SHA-256 SSL certificate chains. As such, you should ensure that your hosting company properly updates your server's SSL certificate store.

    a) PayPal offers some advice for your hosting company here: 2015 Merchant Security System Upgrade Guide (U.S. English).pdf

    b) And you can also ask your hosting company to fix any SSL problems reported for your site as mentioned in #3 above.
    Last edited by DrByte; 14 Sep 2015 at 02:40 PM. Reason: PayPal changed the locations of FAQ articles, so I've updated the links
    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

    Re: PayPal upgrading SSL Certificates in 2015

    2016 Updates - PayPal

    PayPal has been continuing the upgrades they announced in 2015, into 2016.

    Here is how they affect you and your Zen Cart sites:

    a) TLS 1.2 and HTTP/1.1 Upgrade
    This does not affect the Zen Cart software. But it may affect your webserver. Your hosting company can help sort out this one. The information in the above post, as well as PayPal's own posts, are useful in establishing compatibility for your server.

    b) SSL Certificate Upgrade
    This too is a server issue, and has nothing to do with Zen Cart specifically. Your hosting company's server admins can follow the previous post above, and PayPal's recommendations.

    c) IPN Verification Postback to HTTPS
    This is NOT an issue if you're using Zen Cart v1.3.9a or newer.
    Zen Cart versions v1.3.8 and older are terribly obsolete and are NOT compatible with modern PHP and SSL/TLS configurations. They should be upgraded immediately. They will stop working with PayPal after Sept 30, 2016. Zen Cart has already released 15 new versions since v1.3.8 was published in 2007. Using a modern version of Zen Cart will resolve this issue for you.

    d) IP Address update for PayPal Secure FTP servers
    This has nothing to do with Zen Cart.
    No action required.

    e) Merchant API Certificate Credentials Upgrade
    Zen Cart uses "API Signature" credentials, and NOT "API Certificate" credentials, so this does not affect Zen Cart.
    No action required.

    f) Discontinue GET method for Classic NVP APIs
    Zen Cart has never used the GET method for API calls to PayPal.
    No action required.

    g) Security Best Practices
    As always, it is best to continually review your site's security: PayPal has a number of recommendations for you to review.
    Last edited by DrByte; 13 Apr 2016 at 03:34 AM. Reason: Updated the IPN information
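The shell script below is an added example; it is not code from DrByte's posts or from the Zen Cart project. It turns the server-side checks described in both posts into something a hosting admin can run on the webserver: the OpenSSL 0.9.8o / Apache 2.0.63 minimums and the SHA-256 chain requirement from the first post, and the verified TLS 1.2 session to the API endpoint from the second post's "TLS 1.2 and HTTP/1.1 Upgrade" item. Assumptions: `openssl` is on PATH, the hostname is the api-3t.paypal.com endpoint named in the first post, and the `SAMPLE_*` transcripts are constructed for the offline self-test, not captured from PayPal. The script file name is arbitrary.

```shell
#!/bin/sh
# Added example, not code from the forum posts or the Zen Cart project. Checks a
# webserver's OUTBOUND TLS stack against the PayPal points above: OpenSSL/Apache
# minimum versions, a verified TLS 1.2 session to the API host, a SHA-256 chain.
# Assumes `openssl` is on PATH; SAMPLE_* are constructed transcripts, not PayPal's.
# banner_version BANNER: first dotted version in e.g. "OpenSSL 1.0.2k-fips 26 Jan 2017"
banner_version() {
    printf '%s\n' "$1" | awk -F'[/ ]' '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit } }'
}
# version_ge ACTUAL MINIMUM: succeeds if ACTUAL >= MINIMUM; understands the
# OpenSSL letter suffix (0.9.8o > 0.9.8k) and ignores trailers such as "-fips".
version_ge() {
    awk -v a="$1" -v b="$2" '
    function key(v, k,    letter) {
        sub(/-.*/, "", v); letter = 0
        if (match(v, /[a-z]$/)) {
            letter = index("abcdefghijklmnopqrstuvwxyz", substr(v, RSTART, 1))
            v = substr(v, 1, RSTART - 1)
        }
        split(v, k, "."); k[1] += 0; k[2] += 0; k[3] += 0; k[4] = letter
    }
    BEGIN {
        key(a, x); key(b, y)
        for (i = 1; i <= 4; i++) { if (x[i] > y[i]) exit 0; if (x[i] < y[i]) exit 1 }
        exit 0
    }'
}
# tls_report_ok TRANSCRIPT: `openssl s_client` output shows TLS 1.2+ and a chain verified against the local CA store
tls_report_ok() {
    printf '%s\n' "$1" | awk '
        /^ *Protocol *: *TLSv1\.[23] *$/  { proto = 1 }
        /^ *Verify return code: 0 \(ok\)/ { verified = 1 }
        END { if (proto && verified) exit 0; exit 1 }'
}
# chain_is_sha256 TEXT: TEXT is concatenated `openssl x509 -noout -text` output
# for the certificates the server sent. Succeeds if every CA-issued certificate
# is SHA-2 signed and prints the offenders otherwise. A self-signed root is
# skipped on purpose: clients never verify a trust anchor's own signature.
chain_is_sha256() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (subj != "" && subj != iss) {
                total++
                if (tolower(alg) !~ /sha(256|384|512)/) { weak++; print "weak: " alg " on " subj }
            }
            alg = ""; iss = ""; subj = ""
        }
        /^Certificate:/           { flush() }
        /^ *Signature Algorithm:/ { if (alg == "") alg = $3 }
        /^ *Issuer:/              { iss = $0;  sub(/^ *Issuer: */, "", iss) }
        /^ *Subject:/             { subj = $0; sub(/^ *Subject: */, "", subj) }
        END { flush(); if (total > 0 && weak == 0) exit 0; exit 1 }'
}
# check_endpoint HOST: live test over the same path Zen Cart's PHP will use.
check_endpoint() {
    report=$(openssl s_client -connect "$1:443" -servername "$1" -tls1_2 -showcerts </dev/null 2>/dev/null)
    tls_report_ok "$report" || { echo "FAIL: no verified TLS 1.2 session to $1"; printf '%s\n' "$report"; return 1; }
    # openssl x509 decodes only the first PEM block, so split the chain by hand
    text=$(printf '%s\n' "$report" | while IFS= read -r line; do
        case $line in
            -----BEGIN*) pem=$line ;;
            -----END*)   printf '%s\n%s\n' "$pem" "$line" | openssl x509 -noout -text; pem="" ;;
            *)           [ -n "$pem" ] && pem=$(printf '%s\n%s' "$pem" "$line") ;;
        esac
    done)
    chain_is_sha256 "$text" || { echo "FAIL: non-SHA-2 signature in the chain sent by $1"; return 1; }
    echo "OK: $1 negotiated TLS 1.2 with a verified SHA-2 chain"
}
# Constructed samples (not captured from PayPal) used by the offline self-test.
SAMPLE_REPORT='    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'
SAMPLE_REPORT_NO_ROOT='    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_CHAIN_OK='Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Intermediate CA
        Subject: CN = api-3t.paypal.com
Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Root CA
        Subject: CN = Example Root CA'
SAMPLE_CHAIN_WEAK='Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Intermediate CA
        Subject: CN = api-3t.paypal.com'
self_test() {
    version_ge 1.0.2k-fips 0.9.8o && ! version_ge 0.9.8k 0.9.8o &&
    tls_report_ok "$SAMPLE_REPORT" && ! tls_report_ok "$SAMPLE_REPORT_NO_ROOT" &&
    chain_is_sha256 "$SAMPLE_CHAIN_OK" >/dev/null && ! chain_is_sha256 "$SAMPLE_CHAIN_WEAK" >/dev/null
}
self_test || { echo "self-test FAILED (awk or sh incompatibility?)"; exit 1; }
if [ $# -gt 0 ]; then
    v=$(banner_version "$(openssl version)")
    version_ge "$v" 0.9.8o || echo "WARN: OpenSSL $v is older than the 0.9.8o minimum"
    v=$(banner_version "$(httpd -v 2>/dev/null || apache2 -v 2>/dev/null)")
    [ -z "$v" ] || version_ge "$v" 2.0.63 || echo "WARN: Apache $v is older than the 2.0.63 minimum"
    check_endpoint "$1"
fi
```

Run it on the webserver itself (`sh paypal_tls_check.sh api-3t.paypal.com`), not on a workstation, because it is that host's OpenSSL build and CA store that the PHP payment module goes through; with no argument it only runs the offline self-test. A transcript ending in `Verify return code: 20 (unable to get local issuer certificate)` is the missing-root symptom from the first post's VeriSign section, and a handshake that fails outright under `-tls1_2` points at an OpenSSL too old for the TLS 1.2 requirement in the second post. The self-signed root is deliberately exempt from the SHA-256 check: a trust anchor's own signature is never verified, so a SHA-1 signed root in the store is not a finding.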

 

 
