So, here's the thing: PayPal is rolling out a security update on June 17th 2016. A Friday, to the joy of all developers and agencies, I think. Those who are not prepared and did not check the requirements first will have websites/shops with a non-working PayPal integration after June 17th.
The two main points are:
PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm. You will need to update your integration to support certificates using SHA-256.
Discontinue use of the VeriSign G2 Root Certificate
In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
What to do and what to check
- Try a PayPal order on the system of your choice
- Check the error logs and see whether the order was successful
- Check if G5 Root Certificate is installed
- Check for SHA-256 algorithm
Check if G5 Root Certificate is installed
See the Merchant Security System Upgrade Guide (PDF), page 2: "Follow these guidelines to ensure you are securely connecting using a supported VeriSign G5 Root Certificate"
- Check your certificate store
[www-data]$ ls -la /etc/ssl/certs/ | grep G5
lrwxrwxrwx 1 root root 99 Apr 21  2015 VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 64 Apr 16 00:00 b204d74a.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
lrwxrwxrwx 1 root root 64 Apr 16 00:00 facacbc6.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
If VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt shows up in the list (here as the target of the .pem symlink), that looks good.
Check the serial number of this certificate (it needs to be 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a according to the PDF):
[www-data]$ openssl x509 -in /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -serial -noout
serial=18DAD19E267DE8BB4A2158CDCC6B3B4A
Check for SHA-256 algorithm
Website to check your server configuration and certificate: https://www.ssllabs.com/ssltest/
Run the check for your domain
Wait until all checks are complete
In the "Cipher Suites" section, check whether cipher suites supporting "SHA256" are listed.
Check the OpenSSL version on your server (if it is in use). More information: SHA-2 compatibility
The version needs to be OpenSSL 0.9.8o or newer.
[www-data]$ openssl version
OpenSSL 1.0.1k 8 Jan 2015
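The two checks above (G5 root present with the serial the PDF gives, and OpenSSL 0.9.8o or newer) as one script you can drop on the server. This is an added example, not code from the original post or from PayPal; it assumes the Debian/Ubuntu store paths shown in the ls output above and a standard sed/tr.

```shell
#!/bin/sh
# Added example (not from the original post): scripted form of the G5 root and
# OpenSSL version checks. Store paths are the Debian/Ubuntu ones from the ls output.
set -u

EXPECTED_G5_SERIAL="18DAD19E267DE8BB4A2158CDCC6B3B4A"   # value quoted from the PayPal PDF

# Turn either the PDF form ("18 da d1 ...") or the openssl form
# ("serial=18DAD1...") into bare upper-case hex so the two can be compared.
normalize_serial() {
    printf '%s\n' "$1" | sed 's/^serial=//' | tr -d ' :' | tr 'a-f' 'A-F'
}
# True when the given serial string is the G5 root's serial.
serial_is_g5() {
    [ "$(normalize_serial "$1")" = "$EXPECTED_G5_SERIAL" ]
}

# "OpenSSL 1.0.1k 8 Jan 2015" -> "1 0 1 k" (the letter may be absent).
# A non-OpenSSL banner (e.g. LibreSSL) yields nothing, so the check fails closed.
version_fields() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\([a-z]*\).*/\1 \2 \3 \4/p'
}
# True when the `openssl version` banner names 0.9.8o or a newer release.
openssl_version_ok() {
    set -- $(version_fields "$1")
    [ $# -ge 3 ] || return 1
    num=$(( $1 * 10000 + $2 * 100 + $3 ))   # 0.9.8 -> 908, 1.0.1 -> 10001
    [ "$num" -gt 908 ] && return 0
    [ "$num" -lt 908 ] && return 1
    case "${4:-}" in [o-z]) return 0 ;; *) return 1 ;; esac   # 0.9.8 needs letter >= o
}

# Print the path of a G5 root file whose serial matches; fail if none is found.
find_g5_root() {
    for f in /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt \
             /etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem; do
        [ -r "$f" ] && serial_is_g5 "$(openssl x509 -in "$f" -serial -noout)" && { echo "$f"; return 0; }
    done
    return 1
}

run_checks() {
    if p=$(find_g5_root); then echo "OK   G5 root with expected serial: $p"
    else echo "FAIL G5 root not found in the local store (or serial mismatch)"; fi
    v=$(openssl version)
    if openssl_version_ok "$v"; then echo "OK   $v"; else echo "FAIL $v is older than 0.9.8o"; fi
}

if [ "${1:-}" = "--run" ]; then run_checks; fi   # run against this host: sh check_paypal.sh --run
```

Run it with --run on the web server user (the one PHP/your shop runs as), since that is the certificate store the integration actually uses.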