PayPal integration and SHA-256


(Sue Lee) #1

Hello all. Have searched for this topic on here and can find nothing so no doubt I’m worrying about nothing (or completely misunderstanding the issue…) but I’m getting emails from PayPal about the demise of VeriSign and the arrival of SHA-256 and the fact that Instant Payment Notifications won’t be supported on my site unless I’m fully up to date.

To be honest, the emails they’re sending me read a lot like white noise and are clearly intended for people far more technically proficient than a Luddite like me, so I’m not sure if I have to actually do anything to my RW site… Can anyone advise?

Thanks
Sue


(Bill Pitcher) #2

I’m in the same camp, our store sells next to nothing, but I’d like to keep it.

I’m using RapidCart 3 and RapidLink 1.5, and PayPal IPN.

Any news on this issue?

From PayPal:
As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Thanks for your patience as we continue to improve our services.

Thanks


(Sue Lee) #3

“I’m in the same camp, our store sells next to nothing, but I’d like to keep it.” – ha! I know what you mean.

I got this from Cartloom:
‘This is a policy change is a server issue, so you will need to contact your web host that serves any Rapidweaver/Yabdab product pages.’ - so I have to contact my hosting provider…? I’d assumed I’d have to contact Realmac as my (RW) website is where I initially input all my PayPal info. I’d assumed I’d have had something about this from either Realmac/RW or my hosting provider which I’m (naively?) assuming means they have it all under control…


(Bill Pitcher) #4

I’ve just spent hours trying to understand what’s going on and I still don’t get it. The PayPal site is a nightmare…

Best guess…
These RW carts are going to stop working with PayPal as the IPN they use has moved and, as best I can tell, is going away.

I now can’t find my IPN details at all, thanks PayPal.


(Yabdab) #5

This is a “Server” issue and NOT something that is directly related to any RapidWeaver or RapidWeaver Add-on product/page.

Basically, wherever you have your site hosted needs to be SHA-256 compliant. The web hosting provider needs to make sure that their SSL supports certificates using the SHA-256 algorithm. Only secure connection requests that are expecting PayPal certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

Please contact your web host, not RW Developers, to make sure you are ready.

I can tell you that Cartloom and Macdock web servers have been tested and are ready.


(Bill Pitcher) #6

Cut it any way you want, the fact is if we can’t set up our servers, or the required PayPal IPN service, then the carts are not going to work with PayPal and your sales are going to stop :-(

Saying it’s not your problem is not going to help us.

I’m my own host admin via cPanel so thanks for the advice. Good to know you can sell your stuff, but we won’t be able to use it.


(Sue Lee) #7

Hiya – So presumably any reputable web host provider will have got this sorted already?
Thanks


(Nigel) #8

Hi @goinup

Can you shed any light on this from a Chillihosting perspective?

Cheers Nigel


(Gregory Barchard) #9

This is a blanket email that PayPal sent out to everyone who has used IPN within the last year. Clearly, it’s caused a lot of confusion as users don’t necessarily know if they fall in this ‘bucket’.

Basically, you have to make sure the SSL certificate that you’re using is sufficiently secure. The process is:

  1. You’ve purchased an SSL certificate
  2. You’ve installed this certificate on your web host
  3. PayPal is sending IPN notices to your site

An easy way to check if your SSL certificate is sufficiently secure is to simply click on the ‘Lock’ icon in the browser. This is where you’ll see this SHA-256 mentioned. Screenshot of the SSL certificate used on Chillidog Software and Chillidog Hosting is:

I hope that helps.

Your top dog,
Greg
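
A command-line version of the lock-icon check described in the post above, for anyone with shell access to their host. This is an added example, not part of the original thread; it assumes `openssl` is installed, and the `store.example` certificate and file names are constructed samples.

```shell
#!/bin/sh
# Added example: read the signature algorithm from a certificate file,
# the same field the browser's lock icon displays.

# Print the signature algorithm of a PEM certificate,
# e.g. "sha256WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Classify an algorithm name against the SHA-256 requirement.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*)                echo "weak" ;;
        *sha256*|*sha384*|*sha512*)  echo "ok" ;;
        *)                           echo "unknown" ;;
    esac
}

# Report on one certificate file; succeed only if it is SHA-2 signed.
check_cert() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || { echo "$1: not a readable certificate"; return 2; }
    verdict=$(classify_sig_alg "$alg")
    echo "$1: $alg -> $verdict"
    [ "$verdict" = "ok" ]
}

# Constructed sample: a throwaway self-signed SHA-256 certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=store.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Generate the sample, check it, and clean up.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir/site.pem" && check_cert "$dir/site.pem"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

To run `check_cert` against a live site, first save its certificate with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -out site.pem`, replacing HOST with your store's domain.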


(Bill Pitcher) #10

Yes, my store will break when they make this change 🙈

Thanks Greg, that was helpful. It cost money ☔

A quick check for your stores, does the Lock (Safari) Green Text (other browsers) come up in the browser when you visit your store and checkout? No, then your store will break. Silently I think.

For those of us who manage their own hosting, this is a great resource:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226


(Sue Lee) #11

Thanks! Finally, someone explains it in terms even I can understand…
Soo


(Nigel) #12

I use Machfrom for bookings and payments and this is already ok with SHA. I think the email caused some panic. Certainly made me flutter!


(Sue Lee) #13

I got this from my web host provider just now: “This would only affect you if you have purchased an SSL certificate.” so if you haven’t (and I haven’t) then you should be fine. If only PayPal had mentioned this in their slightly alarming email…

Soo


(Bill Pitcher) #14

I tested my store (RapidCart) without “purchased an SSL certificate.” and mine was NOT fine. PayPal did not return any information back to the Cart or RapidLink, there was no notification sent to my email address telling me I had made a sale. It failed!!!

This requires us to purchase an SSL certificate and have our site host install it for our store domain.


(Richard Nicholls) #15

I spoke with my host last week, 1and1, who came back to me with the following:

This is an email regarding our conversation earlier regarding SHA. As checked here in our end, since you did not set up/installed the SSL in any of your domains you can just disregard the email from paypal.

I plan to make a purchase with my wife’s PayPal account on the day to see what happens.
You can refund and you don’t have to pay any fees you see.

Richard