Paypal Ipn Chages?

Does anyone know anything about this? I use the standard PayPal checkout...?

As we have previously communicated to you, PayPal is upgrading the certificate for to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.



Was getting ready to post the same thing.

It's about the certificates they use. If you use IPN, then your site (server) needs to support SHA-256 encrypted certificates.

if you don't use IPN then it doesn't apply.

If you do, contact your hosting and ensure that they have the proper cyphers and protocols installed on your server to support any incoming request from PayPal IPN.


Tony you are talking about IPN is that not an old protocol and similar to PayPal Express ?

Since we manage our own server I guess if you are right I have some work to do.

But we can be sure that CS Cart V4.3.3 and above are OK with this new protocol ?

Sub'd. Same questions.

My host replied below

I have taken a look at what PayPal is saying and researched the matter and I would like to start off by pointing out that PayPal is not referring to a GlobalSign Certificate.
The domains themselves are indeed secured by GlobalSign, however, when actively using PayPal on that website, it switches to a different secure connection which is using a VeriSign certificate. So the GlobalSign Certificate secures the Website, but the VeriSign one secures the data between the Website and PayPal.
What PayPal is saying here, is that they will no longer be using the Verisign G2 Root Certificate and that all websites that use this certificate to connect to PayPal must be updated to the G5 one. My recommendation there would be to contact PayPal as they should know exactly what the procedure here is.

Someone's gotta know the answer to this:

Does CS-Cart use PayPal's IPN?

Do CS-Cart store owners need to worry about this?



Tony you are talking about IPN is that not an old protocol and similar to PayPal Express ?

Since we manage our own server I guess if you are right I have some work to do.

But we can be sure that CS Cart V4.3.3 and above are OK with this new protocol ?

IPN has been around forever. It just wasn't supported in cs-cart until recently.

This really has nothing to do with cs-cart. By the time cs-cart gets any of the data it has already been decrypted by the system. So the issue is whether your system supports SHA-256 cyphers and the proper CA Bundles (Certificate Authority Bundles). The vast majority of servers running operating systems that have been updated in the past 2 years will have the proper support.

To test your site for raw SHA-256 support, SSH into your site and run the following. You should see results in same format. Odds are that if you don't have SHA-256 available on your server, you won't even have the sha256sum command.

root@vpsXXXX [functions]# sha256sum /etc/passwd
21cec58435540b623bff2bba1b2d13811bb41749df0739XXXXX4b6229de4ed2  /etc/passwd

As it relates to the certificates themselves, there are 2 "CA Bundles" on most servers. One for the base server that handles most all requests and then there is one for CURL. CURL is what's mostly used to connect to paypal. However, this has nothing to do with IPN since IPN is an inbound request and does not use CURL.

So your system needs to have both the raw cypher support (SHA-256) AND the proper "CA Bundle" (Certificate Authority Bundle) that allows the data to be decrypted based on the sender's certificate and the receiver's CA Bundle.

I know this is way confusing but that's half the point of encryption is to make it overly complicated.

Simple answer is to ask your hosting to ensure that your server:

  1. has SHA-256 cyphers installed
  2. has current CA Bundles for GeoTrust and other "authorities" installed.

Here was I thinking that just checking out the padlock was


Yes, that can work too. But note that a site can be a valid SHA256 certificate but not show it for the end-point, but instead you have to look at the "Details" tab to find that the SHA256 cyper is used.

Different "Authorities" will put different things in the name/path that they display.

As an experiment, I looked around at a few public sites at what the browser padlock shows as the encryption method. Take a look at

Two of the three are clear (Google is okay and Amalzon uses obsolete cnypers) and Yahooo (Symantec) only shows the protocol (TLS 1.2) and not the cypher. They all use different "Authorities" so it seems to be "authority dependent" on what information is actually shown in the certificate info.

Being a techy nerd, this was an interesting pursuit.

So there is nothing to do with CS-CART,right? Just make sure that the hosting server support SHA-256. Is my understanding correct?

It is a site security certificate issue.

Use the Padlock method above to check your site and then view the Details tab after View Certificate.

If it shows SHA256 as one of the "Fingerprints" or other indication that SHA256 is used

Or ask your hosting company to verify that SHA256 is supported by your site certificate and the underlying CA Bundle on your system.

Sorry, it's a difficult topic to explain completely in easy to understand terms (or at least it's beyond my capability).

How does this look ??


From a papyal perspective you are good to go (your signature hash is SHA256)

From a PCI compliance standpoint you need to get rid of RSA as a protocol (it's now considered insecure).

I don't accept direct credit card payments. Only PayPal or Bank Transfer.

Out of curiosity, is this PCI non-compliance due to my SSL Certificate

or CS-Cart's 4.3.3 design ?

It is due to your server accepting rsa connections.

For pci compliance, rsa must be disabled along with ssl2 and ssl3 and tls 1.1. But if you’re not required to be pci compliant I wouldn’t worry about it. Nothing for them to steal if no cardholder data on your site.