
@avoelkl /checks.md
Last active Jun 16, 2016

PayPal Security Update on June 17th 2016

So, here's the thing: PayPal is rolling out a security update on June 17th 2016. A Friday, to the joy of all developers and agencies, I think. Those who are not prepared and did not check the requirements first will have websites/shops with a non-working PayPal integration after June 17th.

The two main points are:

Support SHA-256

PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm. You will need to update your integration to support certificates using SHA-256.

Discontinue use of the VeriSign G2 Root Certificate

In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

Links:

What to do and what to check

  1. Try a PayPal order on the system of your choice
  2. Check the error logs and see if the order was successful
  3. Check if the G5 Root Certificate is installed
  4. Check for the SHA-256 algorithm

Check if G5 Root Certificate is installed

See the Merchant Security System Upgrade Guide (PDF), page 2: "Follow these guidelines to ensure you are securely connecting using a supported VeriSign G5 Root Certificate"

  1. Check your certificate store

For Linux: https://gist.github.com/robglas/3ef9582c6292470a1743

or run ls -la /etc/ssl/certs/ | grep G5

[www-data]$ ls -la /etc/ssl/certs/ | grep G5
lrwxrwxrwx 1 root root     99 Apr 21  2015 VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root     64 Apr 16 00:00 b204d74a.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
lrwxrwxrwx 1 root root     64 Apr 16 00:00 facacbc6.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem

If there is a VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem or VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt in the list, that looks good.

Check the serial number of this certificate (it needs to be 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a according to the PDF):

[www-data]$ openssl x509 -in /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -serial -noout
serial=18DAD19E267DE8BB4A2158CDCC6B3B4A

Check for SHA-256 algorithm

Website to check your server configuration and certificate: https://www.ssllabs.com/ssltest/

  • Run the check for your domain

  • Wait till all checks are complete

  • In the "Cipher Suites" section, check if there are cipher suites supporting "SHA256", for example:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • Check the openssl version on your server (if in use). More information: SHA-2 compatibility

  • The version needs to be OpenSSL 0.9.8o or newer

[www-data]$ openssl version
OpenSSL 1.0.1k 8 Jan 2015
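
The two checks above (is the G5 root in the store with the serial from the PDF, and is the certificate chain SHA-256 signed) as one script. This is an added example, not the gist author's code. It assumes openssl, awk and sed are installed and that the CA directory is /etc/ssl/certs as in the gist; CHECK_HOST is a placeholder for whichever PayPal endpoint your integration connects to (the page names no hostnames). It tests the outbound direction, i.e. the chain the remote endpoint presents and whether your local CA store trusts it, because that is the connection a payment integration actually makes. It also ignores the signature algorithm of the self-signed root: a trust anchor's own signature is never verified, and the G5 root is itself SHA-1 signed, so counting it would raise a false alarm.

```shell
#!/bin/sh
# Added example, not part of the gist. Assumes openssl, awk, sed on PATH,
# /etc/ssl/certs as CA directory (as in the gist) and CHECK_HOST as a
# placeholder for the PayPal endpoint your integration talks to.

# Expected serial of "VeriSign Class 3 Public Primary CA - G5", in the spaced
# lowercase form quoted from the PDF in the gist.
G5_SERIAL_PDF="18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a"

# normalize_serial: accept "18 da d1 ...", "18:DA:D1:..." or openssl's
# "serial=18DAD1..." and return bare uppercase hex for comparison.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ' :' | tr 'a-f' 'A-F'
}

# serial_matches_g5 STRING: true when STRING is the G5 serial in any form.
serial_matches_g5() {
    [ "$(normalize_serial "$1")" = "$(normalize_serial "$G5_SERIAL_PDF")" ]
}

# cert_file_is_g5 FILE: true when the PEM/CRT file carries the G5 serial.
cert_file_is_g5() {
    serial_matches_g5 "$(openssl x509 -in "$1" -serial -noout 2>/dev/null)"
}

# find_g5_root [DIR]: print every certificate in a CA directory whose serial
# is the G5 serial (a matching file name alone, as grep G5 shows, is no proof).
find_g5_root() {
    for f in "${1:-/etc/ssl/certs}"/*.pem; do
        [ -f "$f" ] && cert_file_is_g5 "$f" && printf '%s\n' "$f"
    done
    return 0
}

# non_root_signature_algorithms: read `openssl x509 -text` output for one or
# more certificates on stdin and print the signature algorithm of each
# certificate that is not self-signed. A root's own signature is not verified
# during chain validation (the G5 root is SHA-1 signed), so it is skipped.
non_root_signature_algorithms() {
    awk '
        function flush() {
            if (algo != "" && issuer != subject) print algo
            algo = ""; issuer = ""; subject = ""
        }
        /^Certificate:/           { flush() }
        /^ *Issuer:/              { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/             { sub(/^ *Subject: */, ""); subject = $0 }
        /^ *Signature Algorithm:/ { algo = $3 }
        END                       { flush() }
    '
}

# chain_uses_sha2_only TEXT: true when no leaf/intermediate is SHA-1 or MD5 signed.
chain_uses_sha2_only() {
    ! printf '%s\n' "$1" | non_root_signature_algorithms | grep -qiE 'sha1|md5'
}

# Constructed, abbreviated -text dump (not captured from any real server):
# leaf and intermediate SHA-256 signed, self-signed root SHA-1 signed.
SAMPLE_GOOD_CHAIN='Certificate:
    Data:
        Issuer: O = Example CA, CN = Example Intermediate CA
        Subject: O = Example Shop, CN = shop.example.com
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Issuer: O = Example CA, CN = Example Root CA
        Subject: O = Example CA, CN = Example Intermediate CA
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Issuer: O = Example CA, CN = Example Root CA
        Subject: O = Example CA, CN = Example Root CA
    Signature Algorithm: sha1WithRSAEncryption'

# Same constructed chain with a SHA-1 signed leaf: the case the update breaks.
SAMPLE_WEAK_CHAIN=$(printf '%s\n' "$SAMPLE_GOOD_CHAIN" | sed '5s/sha256/sha1/')

# check_endpoint HOST: the outbound direction. Does the local CA store trust
# the chain HOST presents, and is every non-root certificate SHA-2 signed?
check_endpoint() {
    host="$1"
    # -servername sends SNI; -showcerts dumps every certificate the peer sent.
    raw=$(openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null)
    # "Verify return code: 0 (ok)" means the default CA store trusted the chain.
    printf '%s\n' "$raw" | grep 'Verify return code'
    # Keep only the PEM blocks and turn them into one -text dump for the parser.
    chain_text=$(printf '%s\n' "$raw" \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
        | openssl pkcs7 -print_certs -text -noout)
    [ -n "$chain_text" ] || { echo "no certificate chain received from $host"; return 2; }
    printf '%s\n' "$chain_text" | non_root_signature_algorithms | sort -u
    if chain_uses_sha2_only "$chain_text"; then
        echo "OK: chain presented by $host is SHA-2 signed"
    else
        echo "FAIL: chain presented by $host still carries a SHA-1/MD5 signature"
        return 1
    fi
}

# Live run only on request, e.g.  CHECK_HOST=<paypal endpoint> sh checks.sh
if [ -n "${CHECK_HOST:-}" ]; then
    find_g5_root
    check_endpoint "$CHECK_HOST"
fi
```

Run it without CHECK_HOST and nothing touches the network; the functions can then be sourced and used one at a time (for example `cert_file_is_g5` on the file the gist's grep found). With CHECK_HOST set, the "Verify return code" line ties the store check to the actual connection: a 0 there means the chain the endpoint sent was validated against a root your server already trusts, which is the condition the June 17th change actually depends on.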
@Marko-M
Marko-M commented Jun 8, 2016

Thanks!

To amend, here's a reliable way to check for SHA-256:

marko@marko-pc:~$ openssl s_client -connect example.com:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Replace example.com with target domain.

@avoelkl
Owner
avoelkl commented Jun 8, 2016

Cool! Thanks @Marko-M!

@Marko-M
Marko-M commented Jun 8, 2016

Np. Thank you @avoelkl for summing it all up, good work 👍

@centerax
centerax commented Jun 8, 2016

Thank you both for putting this together.

@gwillem
gwillem commented Jun 15, 2016 (edited)

So to clarify, afaik Paypal doesn't do reverse connections or SSL checks. So the only thing you need to validate is whether outbound SSL connections to the Paypal server support SHA-256 and the G5 certificate. Whether your server supports them for incoming connections doesn't matter.

Edit: I don't run a Paypal integration, so please correct me here if Paypal does reverse https connections.

@nickw108

PayPal IPN (instant payment notification) does reverse connections afaik, but it is recommended to use the PayPal API instead. All default Magento PayPal modules are using the API afaik. Please correct me if I'm wrong.

@udovicic

Hi,

Even though these tests are passing, you still might experience some issues. For example, if the required services were updated but the endpoint is not aware of the changes (e.g. Apache was not restarted). To fully test this, you have no other choice than to make a test request to those services and see if it is working (something that is not always possible in a production environment).

In order to test this on PHP, you can execute this script from Zen Cart: https://gist.github.com/udovicic/68057e68c2fcca90b2ce7756a5c0ecb0

Basically, you would place it in the web root folder and open it from your browser. If nothing is reported, you are good. Otherwise, google for the errors.
