
Urgent Notice Regarding SHA-256 Compliance for Paypal.com

paypal SHA-256 Update
Urgent Action Needed! Paypal.com Change Impacting IPN
1. Do you use Instant Payment Notification (IPN)?
2. If so, you must be running a SHA-256 SSL-compliant server as soon as possible!
3. Contact the person or company who hosts your IPNs to ensure they are SHA-256 compliant.

Paypal.com is one of the most popular payment gateways in the world. As a payment processor, it is PayPal’s duty to ensure the highest level of security for their merchants, developers, and consumers. In accordance with this duty, PayPal is making upgrades to the SSL certificates on all their web and API endpoints.

If you are using Paypal.com for instant payment notification (IPN) and have a server or OS that is not SHA-256 compliant, you will need to upgrade to a SHA-256-compliant server/OS configuration.

If your IPN listener/validator is hosted by a partner, shopping cart or third-party hosting, please reach out to them and confirm that they have taken the necessary steps to ensure ongoing connectivity. Refer to online resources, such as those listed below, for details on compatible configurations, then contact your website technical team for development support.

Why is PayPal making these changes?

The industry is phasing out the aging and insecure SHA-1 hashing algorithm in favor of its successor, SHA-2 (of which SHA-256 is a member). This change is taking effect across the entire Internet – spearheaded by Google, Mozilla, Microsoft, and the CA/B Forum.
Since Google Chrome is deprecating support for SHA-1 by the end of 2015, and all support for SHA-1 will be deprecated by the end of 2016, you will need to act soon to implement these changes.

During the upgrade, ensure that all SSL certificates meet the following standards:

  • Discontinue support for secure connections that require validation with the Symantec G2 Root Certificate; validate only with the Symantec G5 Root Certificate.
  • Ensure that the server certificate and all intermediate certificates use SHA-256 signatures.

SHA-2 supported browser and server list for Symantec, GeoTrust, Thawte & RapidSSL certificates:

Operating Systems/Other – support SHA-256

  • Android 2.3+
  • Apple iOS 3.0+
  • Apple OS X 10.5+
  • Blackberry 5.0+
  • ChromeOS
  • Windows 7
  • Windows Outlook 2003+ running on Service Pack 3 (partial), complete on Windows Vista
  • Windows Phone 7+
  • Windows Vista
  • Windows XP SP3+ (patched)

Browsers – support SHA-256

  • Adobe Acrobat/Reader 7
  • Blackberry 5+
  • Chrome 26+
  • Chrome under Linux
  • Chrome under Mac from Mac OS X 10.5
  • Chrome under Windows Vista and higher
  • Firefox 1.5+
  • Internet Explorer 7 and higher
  • Internet Explorer 7+ under Vista
  • Internet Explorer 6+ under Windows XP SP3 (patched)
  • Java 1.4.2+ based products
  • Konqueror 3.5.6+
  • Mozilla 1.4+
  • Mozilla products based on NSS 3.8+ (since April 2003)
  • Netscape 7.1+
  • Opera 9.0+
  • Products based on OpenSSL 0.9.8o+
  • Safari from Mac OS X 10.5+
  • Windows Phone 7+

Servers – support SHA-256

  • Apache server and OpenSSL 0.9.8o+
  • Apache 2.0.63+, OpenSSL 1.1.x
  • OpenSSL based servers – OpenSSL 0.9.8o+
  • Windows Server 2003+ with patch 938397
  • Windows Server 2003+ or XP client with patch 968730
  • Windows Server 2008+
  • Java based servers – 1.4.2+
  • Cisco ACE module software version A4(1.0)

Citrix Receiver models

  • Oracle Mac 11.8.2
  • Windows 4.1 (std)
  • Windows 3.4 (ent)
  • Windows 8/RT (1.4)
  • Windows Phone 8 (1.1)
  • WebLogic v10.3.1+ see bug8422724
  • Oracle Wallet Manager 11.2.0.3+
  • IBM HTTP Server 8.5 (with Lotus Domino 9+)
  • Juniper Secure Access – SA 6.4R5, 6.5R3, and 7.0R1 and later releases.
  • WebSphere application Server v8.0.0.4

Servers which reportedly DO NOT support SHA-256 in their entirety

  • Juniper SBR
  • IBM Domino
  • Citrix Receiver models – see URL*
  • Linux 13.0
  • IOS 5.8.3
  • Android 3.4.13
  • HTML 5 1.2
  • Playbook 1.0
  • Blackberry 2.2 / BlackBerry 1.0 Tech Preview
  • Cisco ACE module software versions A2 and A3

Some Important FAQs for Upgrading to SHA-2 SSL

Q. What is the SHA-256 rollout schedule?
To avoid service interruption, your clients must support SHA-256 per the schedule above.

Q. Can I update BOTH the G5 root and SHA-256 certificate at the same time?
Yes. First, confirm that the G5 Root Certificate is in your keystore. If not, then download and add it. Next, update your SSL certificate to process SHA-256 certificates.

Q. How do I check whether my existing SSL certificate uses SHA-1 or SHA-2?
You can easily check by visiting the SHA Checker Tool.
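As an added example (not part of PayPal's notice and not the SHA Checker Tool), the following Python script performs the same check offline on a PEM chain file: a minimal DER parser reads the signatureAlgorithm OID of every certificate in the chain and flags anything not signed with a SHA-2 algorithm, which covers both the "server certificate and intermediate certificates use SHA-256 signatures" requirement above and this FAQ. SAMPLE_CHAIN is a constructed stub built only to drive the parser, not a real certificate; real chains (for example the output of `openssl s_client -showcerts`) parse the same way.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5758) -> (name, acceptable under the SHA-256 requirement)
ALGS = {"1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
        "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
        "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
        "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False)}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes (real certs use this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)            # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(sig_alg, 0)         # its first element is the algorithm OID (tag 0x06)
    return _decode_oid(oid)

def audit_chain(pem_text):
    """(index, algorithm name, is_sha2) per certificate in a PEM chain. Check the server cert
    and every intermediate; a self-signed root's own signature is never verified, so it is exempt."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    oids = [signature_oid(base64.b64decode(b)) for b in blocks]  # b64decode skips the line breaks
    return [(i, *ALGS.get(oid, (oid, False))) for i, oid in enumerate(oids)]  # unknown: fail closed

def _stub_pem(alg_hex):
    # Constructed stand-in, NOT a real certificate: empty tbsCertificate, given AlgorithmIdentifier, 1-byte signature
    der = bytes.fromhex("30020500" + alg_hex + "030200ff")
    b64 = base64.b64encode(bytes([0x30, len(der)]) + der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
# Constructed chain: a SHA-256 signed server certificate followed by a SHA-1 signed intermediate.
SAMPLE_CHAIN = _stub_pem("300d06092a864886f70d01010b0500") + _stub_pem("300d06092a864886f70d0101050500")
```

On a real deployment, pass the contents of the chain file to audit_chain; any False row for the leaf or an intermediate means that certificate still needs to be reissued with a SHA-256 signature.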

Q. What is the status of the PayPal Sandbox used for integration testing?
PayPal Sandbox endpoints have been upgraded to accept secure connections signed by the G5 Root Certificate and the SHA-256 algorithm, so merchants can begin testing their integration.