Paypal moving to SHA-256 certificate

[estratos]

I recently received an e-mail from Paypal asking us to do the necessary changes in the webstore to become compliant with their new SHA-256 algorithm. They seem to be discontinuing the old VeriSign G2 Root Certificate method in fact.

 

Does the Paypal module already takes this into account? We have version 3.9.0 of this module.

 

Our version of Prestashop is 1.5.6.2

 

Thanks in advance for your help.

 

 

 

[Eolia]

It is not a module issue.

If your website use ssl (https) please verify your VeriSign Root Certificate. If it'a a G2, you must change it to a G5.

[carmy]

My shop does not use SSL, I have to do updates anyway?

[Eolia]

no, no update need.

[carmy]

no, no update need.

Thanks

[bellini13]

Thats not entirely true.  PAYPAL is upgrading their SSL certificates, that means when your server connects to PAYPAL, it needs to do so using the newer encryption.  So depending on your module and version, it may or may not work...

Edited September 11, 2015 by bellini13 (see edit history)

[Eolia]

Thats not entirely true.  PAYPAL is upgrading their SSL certificates, that means when your server connects to PAYPAL, it needs to do so using the newer encryption.  So depending on your module and version, it may or may not work...

What do you say ?

Certificates are available and sent ONLY if you communicate with a ssl protocol between your site and Paypal server

[carmy]

Thats not entirely true.  PAYPAL is upgrading their SSL certificates, that means when your server connects to PAYPAL, it needs to do so using the newer encryption.  So depending on your module and version, it may or may not work...

Hello,

I installed version v3.10.2 module Paypal

Prestashop version 1.6.0.14

 

Not having installed SSL in my shop, I upgraded to the latest version module Paypal.

 

We hope well.

[bellini13]

This has nothing to do with an SSL certificate being installed on your store.  This is Paypal upgrading THEIR SSL certificates on their servers

[Eolia]

??? please read this : https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US

[inweb]

PayPal is upgrading their SSL certificates. No action is required since official PayPal modules for PrestaShop (at least all the version we've ever seen) do not verify the certificate.

 

Technical details:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Some old PayPal modules use fsockopen() when curl library is not available and there is no certificate verification as well.

 

It means everyone is safe (in the meaning of the SSL upgrade - otherwise it is actually great idea to always verify the certificate).

[FoodFromCyprus]

I received the same email and contacted our hosting providers. I have not received a reply yet but if they come up with anything useful I will post it here.

[CARIBEE ITALIA]

What about website using prestashop cloud version? I have no host partner to contact for any update paypal require!

[FoodFromCyprus]

I received the same email and contacted our hosting providers. I have not received a reply yet but if they come up with anything useful I will post it here.

 

This is the reply from our hosting providers:

 

'We have been receiving a number of questions regarding this change by PayPal. The deprecation of SHA-1 has been occurring for some time and we have updated our servers accordingly. The most common issue we have encountered with this change is with customers that have older SSL certificates installed for their domains. In these cases, we are able to reissue these to the new SHA-256 algorithm (if you have purchased the certificates from us). Our server's are updated properly for Apache and OpenSSL. To know the status of your SSL certificate please reply to this email as a form of verification so that we can assist you further. If you have any queries, please get back to us.'

 

So, from the above reply, it seems that this might only affect sites that have SSL installed depending on the SSL certificate used. You might also like to check with your own hosting providers if their servers have been upgraded to be compatible to SHA-256.

[Eolia]

Sometimes I ask myself what's the point of explaining things ...

 

It is not a module issue.

If your website use ssl (https) please verify your VeriSign Root Certificate. If it'a a G2, you must change it to a G5.

[selectshop.at]

What about website using prestashop cloud version? I have no host partner to contact for any update paypal require!

This topic is related only to paypal module and has nothing to do with main use of SSL on your server or not.

 

For Paypal Module and the mail they've sent to their customers please read topic #11. The Prestashop Paypal module bypasses the SSL, so it is not necessary to have SSL installed on the server for to use paypal, and you can ignore the mail.

Edited September 17, 2015 by selectshop.at (see edit history)

[Elfvy]

ok thanks that is good to know, I did email the module developers but no word from them yet

[dkountouris]

I have version 1.4.8.2 and paypal v3.8.0

 

Will I have a problem with the SHA-256 certificate?

[Elfvy]

ok so I sent a message to prestashop addons, got a message back saying to send a message to the developer, now I just received an email asking to open a support ticket which I did I will post here what they say when they get back to me.

 

am still worried about the IPN issue with this

[Eolia]

I have version 1.4.8.2 and paypal v3.8.0

 

Will I have a problem with the SHA-256 certificate?

 

ok so I sent a message to prestashop addons, got a message back saying to send a message to the developer, now I just received an email asking to open a support ticket which I did I will post here what they say when they get back to me.

 

am still worried about the IPN issue with this

 

But you read what is written or not ????

 

If your site is not in mod ssl, ignore this message.

 

Otherwise check with your hoster / webmaster validity of your certificate.

 

This is not a problem with the Paypal MODULE, okay?

[Elfvy]

Hi yes I did read it, This message worries me 

 

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

 

 

while some of the posts are saying its to do with a SSL cert on your website paypal has said its also to do with IPN endpoints which apparently the module does use,

 

I understand partially what is going on, and that it is about a SSL cert on your website ahs to be 256bit but paypal mentions IPN also and I have an IPN.php in my module folder for paypal, also in a thread I started another user asked if I have IPN.php and I do, my IPN notifictions in paypal were never switched on since it was created so it can only come from the module itself.

 

I only use the paypal module as my only form of payment so you can understand that if I could not receive any payments then it would be a devastating blow to my business.

[Guest locen]

Hi, now i received email to upgrade prestashop, in email i have these links: 

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

 

i should contact my hosting?

[inweb]

You will need to either:

• install curl PHP extension (ask host support or adjust custom php.ini file if suPHP is there)
• edit /modules/paypal/validation.php file (to make fsockopen() connection compatible with HTTP 1.1 and TLS).

[Guest locen]

So i must contact paypal and my hosting providers?

[inweb]

The most easiest way is to contact your host support (it is not a PayPal issue - they service is ok).

[Guest locen]

I contacted them, i hope they will can help me

[inweb]

If they will not help you, post your modules/paypal/validation.php file here and we will adjust it.

[Guest locen]

Thanks, i will wtite when they teply to me

[Guest locen]

Hi, my hosting told me that i should buy another hosting because the actual has not these certificate. is it possible?

[selectshop.at]

Hi, my hosting told me that i should buy another hosting because the actual has not these certificate. is it possible?

If your provider is answering so, than you should buy another hosting package, cause it does not include what needed.

 

BTW which is exactly your problem ? As told before, there is the possibility to adjust one file on the module. See here some post before: https://www.prestashop.com/forums/topic/468657-paypal-moving-to-sha-256-certificate/page-2?do=findComment&comment=2273181

[Guest locen]

but if I install this i will have some problem? 

i contacted also paypal and they reply to me that it will release new paypal version to solve this but i don't know if my website supported this. 

I suppose that my hosting provider told me this to still spend some money

[inweb]

Please post your modules/paypal/validation.php file and we will take a look at that.

[Guest locen]

Hi, I can't find this file under this address: modules/paypal/validation.php

[Guest locen]

Payments and Gateways

PayPal v3.8.1 - by PrestaShop -  Official

Accepts payments by credit cards (CB, Visa, MasterCard, Amex, Aurore, Cofinoga, 4 stars) with PayPal.

[inweb]

What's the version of your PayPal module?

[inweb]

In modules/paypal/ipn.php file

Find:

return Tools::file_get_contents($action_url.$request);

Replace with:
 

return Tools::file_get_contents($action_url.$request, false, @stream_context_create(array('http' => array('timeout' => 5, 'verify_peer' => false))));

That should resolve the problem.

In fact, this issue affects the entire PrestaShop. If you want to fix it globally:

In classes/Tools.php file:

Find:

$stream_context = @stream_context_create(array('http' => array('timeout' => $curl_timeout)));

Replace with:

$stream_context = @stream_context_create(array('http' => array('timeout' => $curl_timeout, 'verify_peer' => false)));

(applies to PrestaShop 1.6, for other PS versions the instructions may differ)

 

The problem you are having actually affects all users without curl enabled on their severs - we will report this to PS team.

Edited March 18, 2016 by inweb (see edit history)

[Guest locen]

ok but if i will modify these lines will cause problems on safety? paypal told me that they will do the upgrade.

But my host told me that my site is not compatible with these certificates, with these changes will be compatible? I can take fines?

[inweb]

No issue with security or compatibility - curl code does not verify the peer (certificate) as well.

[Guest locen]

but if it does not verify the certificate is not correct from a legal point of view right?

[inweb]

It's legal (it works this way in PS on 90% of hosts where curl extension is enabled). On the other hand, verifying the peer is a great idea (but it would NOT work on most hosts).

Edited March 18, 2016 by inweb (see edit history)

[Guest locen]

sorry, i didn't understand. 

What i should verify?

[inweb]

You don't need to verify anything. Your website URL will not help to see whether certificates used by PHP to make a connection are installed.

 

Follow the instructions we've sent you and it starts to work. If you are in doubt, change your host (however, it will just cost you money & peer will not be verified anyway).

[Guest locen]

can i give my url website and you can tell me is these certificate are available or can't you know this?

[TiaNex Shopping]

i am confused too,

[Guest locen]

Hello,

I'm switching old hosting to new to have SHA-256, G5 e TLS 1.2, HTTP/1.1. 

but someone told me that the cURL version must be updated to the latest version available but the provider told me that is only used with SSL ..

 

I use paypal europe

Could you help me understand?

Edited May 16, 2016 by locen (see edit history)

[bellini13]

cURL is used by PHP to communicate with the Paypal servers.  Having the cURL PHP extension installed and enabled is required, I don't know that it needs to be the "latest version".

[inweb]

Are you switching to the new host to get SHA-256 SSL certificate for your domain? It may or may not resolve the problem with PayPal module since it does not depend on each other.

 

cURL support SHA256 for a very long time already. This issue is about certificates installed along with cURL - see the previous posts including this post that come with a quick fix (no need to change host or carry out any complex tasks).

[Guest locen]

Yes but in my actual server SHA256, TLS 1.2 and HTTP 1.1 are not available.

So I will discover it on June or now if I updated the new module i will discover if all security is ok?

[inweb]

No doubts, using the SHA256 certificate for your domain is a great idea.

 

PayPal Europe v3.10.8 module uses cURL or fsockopen() function to connect to the PayPal server. It could resolve the problem because as far as I know fsockopen() does not verify the peer (can not guarantee it).

[Guest locen]

so i will know if all will be ok when all website is transferred or i will know this on June?

 

another question..i need only to update paypal version, no need to make the changes that you written before?

Edited May 16, 2016 by locen (see edit history)

[inweb]

1) You will find out whether it is working on new host as soon as your website is transferred.

 

2) Updating the PayPal module should help.

[Guest locen]

tomorrow agency will transfer my website and i will test it after update.

 

Then i mean: if it is fully in line to the new standard security, I can see it immediately after trasnsfer or I should I wait 17 June for updates?

[inweb]

You will find out whether it is working on new host as soon as your website is transferred. If it is gonna be transferred before June, you will need to wait until June 17 (or test via PayPal Sandbox that has already been updated to SHA-256).

[Guest locen]

How can i test it via sandbox? 

[inweb]

PayPal Sandbox Testing Guide

[Guest locen]

But i should test it on website, in your guide can't test website's module

[inweb]

Of course you can.

1. You need to switch PayPal Module to Sandbox mode.
2. Test it using sandbox PayPal accounts (both customer and the module need to use sandbox accounts).

Edited May 16, 2016 by inweb (see edit history)

[Guest locen]

but if i test this i can't receive payment in these minutes.

Paypal account is connected at several ebay platforms and i can't set it off.

[inweb]

About Sandbox Accounts

[bellini13]

Disable Paypal as a payment method on your store for a few minutes while you test.  Create a new customer group in Prestashop, assign your test customer to this group, and then configure Paypal to allow only this group.

 

Now you can configure the Paypal module to use the sandbox API settings, and perform your testing.

 

When you are finished with your testing, reconfigure the paypal module to use your live paypal account settings, and then add back all the appropriate customer groups to the module.

 

This testing will not affect your ability to accept Paypal payments on ebay or other stores

[Guest locen]

and how can i set only one group for this payment? and with sandbox it pay really or it simulate?

thanks

[Guest locen]

another question, after paypal upgrade sha-256, tls 1.2, http 1.1 i must activate IPN or can I keep this option disabled? NOW IPN is DISABLED and i have not SSL CERTIFICATE.

Can i keep this option disabled without ssl certificate?

 

help me please

Edited May 19, 2016 by locen (see edit history)

[bellini13]

If you are talking about activating IPN in your Paypal account, then the answer is No.  You do not need to activate IPN in order for the module to work, the module will tell Paypal where to send the IPN

[Guest locen]

so if don't activate IPN i don't have to install SSL certificate before Paypal Upgrading in 17June 2016,right?

and about G5 what is?

Edited May 19, 2016 by locen (see edit history)

[Guest locen]

Hi, i made test in sandbox mode but order status is "waiting for paypal payment" not "payment accepted". is this correct?

Edited May 24, 2016 by locen (see edit history)

[inweb]

No. There needs to appear "Payment accepted".

[Guest locen]

How can i have this result?

[inweb]

When it's correctly setup.

 

Does your PayPal module works when is set as live?

[Guest locen]

yes it works. 

I made test with sandbox to know if all ssl is ok before 17June 2016

Edited May 24, 2016 by locen (see edit history)

[Guest locen]

in live mode all works and i see payment accepted.

In sandbox mode when i make payment i see "waiting for paypal payment".

I made test in sandbox because i want to know if all ssl are ok before 17June 2016.

if in sandbox I receive this status, after 17june it will works, right?

[inweb]

If you don't see the "Payment accepted" status in Sandbox mode than it highly likely will not work after June 17 2016 (because PayPal Sandbox is already using SHA-256).

[Guest locen]

but my server use sha-256

[inweb]

Do you mean your SSL certificate?

[Guest locen]

yes, i have all: sha-256, tls 1.2, http 1.1 and g5.

I don't see any error in paypal's module page.

[inweb]

As stated a million times before in this thread: the PayPal SHA-256 requirement has nothing to do with SSL certificate of your domain.

[Guest locen]

you speak about buy ssl certificate?

 

I spoke with paypal official (not module developer) and they told me that i can not install ssl certificate if i don't have IPN active. now IPN is not active.

Edited May 24, 2016 by locen (see edit history)

[inweb]

you speak about buy ssl certificate?

 

I spoke with paypal official (not module developer) and they told me that i can not install ssl certificate if i don't have IPN active. now IPN is not active.

• You can install a SSL certificate on your domain any time, no need PayPal.
• IPN requires SSL certificate of your domain only in certain cases.
• The reply from PayPal (if stated as above) is a non-sense.

[Guest locen]

yes but i can not install SSL if i have not IPN. I don't want install SSL.

i have no IPN and it should be work in sandbox. 

[inweb]

Why do you think your PayPal module is not using IPN?

[Guest locen]

I see in my account ipn is disabled

[inweb]

What is actually set in your PayPal account is not reflected - all the details are setup by the PrestaShop PayPal module.

 

@bellini13 already told you:
 

If you are talking about activating IPN in your Paypal account, then the answer is No.  You do not need to activate IPN in order for the module to work, the module will tell Paypal where to send the IPN

[Guest locen]

I'm not talking to activate IPN, if ipn can stay disabled is better. My question is: if now i receive "waiting for paypal payment" can i will have problems? I missed to say that i use europe version. Tomorrow i will post all settings

[Guest locen]

These are all configuration. when i make test I only enable live mode, no other changes.

Edited May 25, 2016 by locen (see edit history)

[bellini13]

You are not listening to what you have been told already.

 

The module tells Paypal where to send the IPN.  Your account setting can be disabled, and still use IPN.  This only means that Paypal will send the IPN to the module, and it will not send it anywhere else.

 

So...

1) IPN is required

2) The paypal module will tell Paypal where to send the IPN

3) IPN should remain disabled in your Paypal profile account

 

With that information, you need to investigate why the IPN was not received when testing in the Sandbox.  It is time to go back to Paypal support with this information, and find out if SSL is required or not...

[Guest locen]

but in live mode it functions now.

[Guest locen]

i realized that account used for test was not customer but guest

and these are all paypal module configuration

 

Paypal is europe version

Edited May 25, 2016 by locen (see edit history)

[bellini13]

@locen, in a different post you said you were trying to test this on your local pc, with a host name change. 

https://www.prestashop.com/forums/topic/268052-paypal-sandbox-prestashop-very-confusing-setup/?p=2333266

 

I replied to you that you cannot test the paypal module like that.  Paypal Europe uses IPN, and the IPN will not be able to reach your localhost pc.  You are also completely missing the point of this test, which is to confirm that your SERVER meets the new requirements, so why would you test this on your local pc...

[Guest locen]

i'm not testin in my local pc. i chaned my files host to view new website but website is in the server.

Sorry but i'm not very expert and i make a lot of confusion

[Guest locen]

sorry @bellini13 for my ignorance: my doubt is: i have to install SLL certificate? 

all payment are not in my website, thery are connected to paypal.

help me

Edited May 26, 2016 by locen (see edit history)

[wippa]

To make that easier to understand, this big change has 2 little things on it.
The cert used to make the https connection, and the sha function to "hash" everything with the certs.

Now everything is moving to sha256, and your root certs have to be updated.

Old certs still works due to backward compatibility, but will end some day, so the better if you upgrade it now.

Also, your Paypal module should be updated to last, otherwise will still be using sha1 function.

Edited June 3, 2016 by wippa (see edit history)

[jamess]

So I see a lot of "it's not the module" and "you don't need to do anything [ about the security upgrades, it's their SSL ]." However, the PayPal tech document specifies new URLs and deprecates others. When I checked the code of the most recent Prestashop PayPal module, it looked like URL changes were needed. Additionally, Prestashop has announced that they will be updating the module security in the 2nd quarter of 2016.

 

Do we need to change those URLs?

 

Where's the module update?

 

Thank you.

 

J

[Guest locen]

you should only update your module in back office from your version to 3.10.9 

[jamess]

My version is currently:

 

PayPal USA, Canada v1.3.9 - by PrestaShop 

 

Is that going to work with the PayPal changes as is?

 

Thanks for your help.

[La Tienda]

Hi guys,

 

I've read through the posts, but still don't understand if my prestashop cloud page version 1.6.1.1. (domain from onlydomain) will work with the Paypal module:

 

PayPal Mexico v1.3.11 - by PrestaShop -  Official

 

For now it is the latest version of Paypal Mexico I've seen in my modules. 

When I try to activate the Sandbox Test format, it says:Your Paypal API crendentials are not valid, please double-check their values or contact PayPal.

And when I try to connect to the Sandbox Apis, it says some information is not correct.

I don't know if this means that the version is not compatible with the SHA upgrade or if it is another type of issue.

 

Could you clear me? Help

 

P.S. oh no, I'm getting this error now too from my checkout:

Unexpected payment error

Unfortunately, an error occured while communicating with PayPal.

Unfortunately, an error occured while communicating with PayPal.

Short Error Message: Security error
Detailed Error Message: Security header is not valid
Error Code: 10002
Please contact our Customer service and mention this error code to get this issue resolved.

 

uuuupsss... no wonder we've not had too much of orders!

Edited June 15, 2016 by La Tienda (see edit history)

[catzarov]

Hello Comrades 

 

I Use the official version "3.10.9 PayPal" with account in Bulgaria.

My question is: This module support SHA-256 ?

 

Already I wrote to the hosting provider, they told me that the server supports SHA-256 and I need to check if the module and it supports SHA-256!

 

Can I confirm the hosting provider that the module supports SHA-256 ?

[Guest locen]

Hi guys,

 

I've read through the posts, but still don't understand if my prestashop cloud page version 1.6.1.1. (domain from onlydomain) will work with the Paypal module:

 

PayPal Mexico v1.3.11 - by PrestaShop -  Official

 

For now it is the latest version of Paypal Mexico I've seen in my modules. 

When I try to activate the Sandbox Test format, it says:Your Paypal API crendentials are not valid, please double-check their values or contact PayPal.

And when I try to connect to the Sandbox Apis, it says some information is not correct.

I don't know if this means that the version is not compatible with the SHA upgrade or if it is another type of issue.

 

Could you clear me? Help

 

P.S. oh no, I'm getting this error now too from my checkout:

Unexpected payment error

Unfortunately, an error occured while communicating with PayPal.

 

Unfortunately, an error occured while communicating with PayPal.

 

Short Error Message: Security error

Detailed Error Message: Security header is not valid

Error Code: 10002

Please contact our Customer service and mention this error code to get this issue resolved.

 

uuuupsss... no wonder we've not had too much of orders!

try to do this: 

Make sure you are in LIVE mode and NOT SANDBOX

- Make sure that the APIs that you specified are the LIVE mode, the Sandbox mode has different APIs

- Make sure that your PayPal account is unlocked and enabled to receive payments

- The 10002 error occurs when using the Express Checkout mode. Try to disable it and see if it solves the problem

Edited June 15, 2016 by locen (see edit history)

[Guest locen]

 

Hello Comrades 

 

I Use the official version "3.10.9 PayPal" with account in Bulgaria.

My question is: This module support SHA-256 ?

 

Already I wrote to the hosting provider, they told me that the server supports SHA-256 and I need to check if the module and it supports SHA-256!

 

Can I confirm the hosting provider that the module supports SHA-256 ?

 

Hi, i use paypal europe and developer from this module told that this is the version support all new upgrades

Edited June 15, 2016 by locen (see edit history)

[bellini13]

the module is only half of the solution, your hosting server also needs to support the required encryption levels and algorithms

[Guest locen]

yes, but it says that his server is ok

[jamess]

"you should only update your module in back office from your version to 3.10.9 "

 

Which PayPal module has that version? I see two modules in the marketplace and both are on 1.x versions.

 

The one I'm using:

http://addons.prestashop.com/en/8277-paypalusa.html

 

A paid module:

http://addons.prestashop.com/en/5314-paypal-direct-payments.html

 

It's the URL changes that concern me.

 

Best regards,

James