PayPal upgrading SSL Certificates in 2015

1. It is recommended that you upgrade to the latest version V.1.8.53 to make future adjustments much simpler; and

2. EVEN IF YOU DON’T USE SSL ON YOUR WEBSITE, communicating with any payment service DOES require that your server have a working SSL infrastructure in the back-end. This is almost always already present, but isn’t always up-to-date. So you should still CHECK YOUR WEBSERVER for compatibility with the new SHA-256 certificate technology, which will be required by most web services in 2015. At the very least you need Apache 2.0.63 or newer (if you’re using Apache; if you’re using IIS, talk to your server admin to fix that) and OpenSSL 0.9.8o or newer (v1.1.x is better).

3. If you use SSL on your website, test your site’s SSL here: https://www.ssllabs.com/ssltest/ and have your hosting company fix all issues so that you get an “A” grade. (While an “A” itself isn’t mandatory for the purposes of PayPal or Magic Members, any issues preventing you from getting an “A” deserve investigation by someone who understands such matters. Hopefully your hosting company is well versed in that area. If not, that’s a revealing piece of information to consider when renewing your hosting services.) We recommend you aim for an “A” rating, just to minimize possible issues (again, not specific to PayPal or Magic Members), and make your site compatible with as many browsers as possible while providing the best security and insulating against all known threats due to improper configuration.
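The version minimums from item 2 can be checked from the server's command line. The script below is an added example, not part of Magic Members or PayPal's guidance: it compares the line printed by `openssl version` and the "Server version" line printed by `httpd -v` against the minimums stated above, including OpenSSL's letter patch levels (0.9.8e < 0.9.8o < 0.9.8zh). The function names are hypothetical and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: compare reported versions with the minimums stated on this page.
MIN_OPENSSL="0.9.8o"
MIN_APACHE="2.0.63"

# Turn a version such as 0.9.8o, 0.9.8zh, 1.0.1e-fips or 2.2.15 into a
# fixed-width number. The leading 1 keeps the shell from reading it as octal.
version_key() {
    printf '%s\n' "$1" | awk '{
        v = $0
        sub(/-.*/, "", v)                       # drop vendor suffix (-fips, -rhel5)
        split(v, p, ".")
        letters = p[3]; gsub(/[0-9]/, "", letters)
        fix = p[3];     gsub(/[^0-9]/, "", fix)
        rank = 0                                # none=0, a=1 ... z=26, za=27 ...
        for (i = 1; i <= length(letters); i++)
            rank += index("abcdefghijklmnopqrstuvwxyz", substr(letters, i, 1))
        printf "1%03d%03d%03d%03d\n", p[1], p[2], fix, rank
    }'
}

version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# Takes the full line printed by `openssl version`.
openssl_ok() {
    version_ge "$(printf '%s\n' "$1" | awk '{print $2}')" "$MIN_OPENSSL"
}

# Takes the "Server version:" line printed by `httpd -v` (or `apache2 -v`).
apache_ok() {
    version_ge "$(printf '%s\n' "$1" | sed 's|.*Apache/\([0-9.]*\).*|\1|')" "$MIN_APACHE"
}

# Constructed sample lines (not captured from a real host).
# On a real server: openssl_ok "$(openssl version)" && echo PASS
while IFS= read -r line; do
    case $line in
        OpenSSL*) if openssl_ok "$line"; then r=PASS; else r=FAIL; fi ;;
        *)        if apache_ok "$line"; then r=PASS; else r=FAIL; fi ;;
    esac
    printf '%s  %s\n' "$r" "$line"
done <<'EOF'
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL 0.9.8zh 3 Dec 2015
OpenSSL 1.0.1e-fips 11 Feb 2013
Server version: Apache/2.0.52 (Unix)
Server version: Apache/2.2.15 (Unix)
EOF
```

The `openssl` command-line tool is not necessarily the library that PHP and cURL are linked against, and distribution packages can carry backported fixes under an older version string, so treat a FAIL as a prompt to ask your host rather than as proof of incompatibility.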

FOR THE TECHNICALLY-INTERESTED:
PayPal’s update is occurring in 2 stages: A VeriSign G2-to-G5 Root Certificate Upgrade, and then a SHA-256 SSL certificate.

And, strictly speaking, those changes have NO IMPACT on the PHP code used in Magic Members. But they do affect underlying server technologies used on your webserver.

1. VeriSign Root Certificate Upgrade:
We’ve already tested Magic Members against the PayPal sandbox, which is already using the VeriSign G5 Root Certificate, and it works fine. But that’s because the webservers we tested on already have the VeriSign G5 Root Certificate authority files installed. Your host can help you with this. See the link below.

2. SHA-256 SSL certificate:
PayPal isn’t updating the “api-3t.paypal.com” endpoint.
But in 2015 there is a big push for all webservers to start using SHA-256 SSL certificate chains. As such, you should ensure that your hosting company properly updates your server’s SSL certificate store.

a) PayPal offers some advice for your hosting company here: https://ppmts.custhelp.com/ci/fattac…20English).pdf

b) And you can also ask your hosting company to fix any SSL problems reported for your site as mentioned in #3 above.

1 Comment
  • Great information about PayPal’s update. I have heard about this from several sources but never got a clear explanation on what it is. I hope my host gets my SSL certificate installed correctly. I also appreciate the link to PayPal’s advice PDF. I found it very helpful when talking about this issue with my host.
    Thank you for the information on the SSL testing grades because I didn’t know there was a difference. I assumed all SSL certificates work the same regardless of your host. Come to find out my host did not receive an A grade. I’m currently working with them to get this issue resolved as quickly as possible. I also didn’t realize that different grade ratings could cause compatibility problems. This seems like a big issue and one that every hosting company should’ve already addressed since more people are using SSL certificates all the time.

