Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Paypal Security Changes: Make Sure Your Server Is Ready Rate Topic   * * * * * 1 votes

 
  • yakulakov
  • CS-Cart
  • CS-Cart Architects
  • Join Date: 26-Jan 15
  • 97 posts

Posted 15 January 2016 - 02:46 PM #1

Hello,

 

PayPal is making security upgrades in 2016, so be sure that your server is ready.

 

You don’t need to change your store PayPal settings or modify CS-Cart’s code—all

the changes only apply to your server.

 

Things You Have to Check

PayPal has already scheduled improvements—the security upgrade starts on January 16, 2016. To prepare PayPal users for these changes in advance, PayPal published a 2016 Merchant Security Roadmap checklist, which shows the upgrades you need to apply to your server.

 

Most likely, your server supports these upgrades already, but you must check it to be sure.

 

Please pay special attention to these changes:

 

1. TLS 1.2 and HTTP 1.1 Upgrade and SSL Certificate Upgrade

 

PayPal confirms that TLS 1.2 and HTTP 1.1 protocols, which provide a secure communication over a computer network, will be mandatory in 2016.

Also, PayPal is currently upgrading the SSL certificates, which will be signed using a more secure SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Certificate used for trust validation.

To ensure that your server supports the required security standards, run this command from your server’s console:

GET https://tlstest.paypal.com

A successful connection will return the “PayPal_Connection_OK” text confirming that your server supports HTTP 1.1, TLS 1.2, and SHA-256, and has VeriSign’s 2048-bit G5 Root Certificate installed.

 

 

 

To get the list of all the installed certificates on your server, use the instructions for your server’s operating system image.

 

If the above command results in an error, forward this information to your system administrator or a hosting company so that they can update your server’s software.

 

Please be sure that your server supports these security standards by June 17, 2016.

 

2. Merchant API Certificate Credentials Upgrade

 

PayPal is now upgrading its API certificate credentials to the more secure 2048-bit certificates used for API authentication.

 

 

This change will only affect merchants who use API certificate for authentication in PayPal.

To verify whether you use a certificate as a PayPal authentication method or not, do this:

 

1. Go to Administration → Payment methods

 

2. Click your PayPal payment method that uses PayPal Pro or PayPal Express Checkout processors

 

3. Switch to the Configure tab

 

4. Check the PayPal authentication method property: if this property is set to Certificate, then you use the API certificate for authentication in PayPal and you’ll need to renew it

 

Check the Technical Details section of the API certificate credentials article to learn about the renewal of your current certificate.

Please take care of your API certificate credentials between January 31, 2016 and January 1, 2018.



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 15 January 2016 - 03:39 PM #2

Hi

Thanks for heads up and info!!!

 

Barry


BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 971 posts

Posted 15 January 2016 - 10:12 PM #3

I just forwarded the PayPal email to my web host.

All good....whew !!



 
  • kogi
  • Senior Member
  • Members
  • Join Date: 16-Aug 07
  • 620 posts

Posted 15 January 2016 - 11:18 PM #4

I feel very noob. wtf is GET? is it same as wget?

 

wget https://tlstest.paypal.com
--2016-01-16 10:12:29--  https://tlstest.paypal.com/
Resolving tlstest.paypal.com (tlstest.paypal.com)... 104.97.189.171
Connecting to tlstest.paypal.com (tlstest.paypal.com)|104.97.189.171|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [text/html]
Saving to: ‘index.html’
 
100%[======================================>] 20          --.-K/s   in 0s      
 
2016-01-16 10:12:30 (1.11 MB/s) - ‘index.html’ saved [20/20]

find / -type f -name '*.base' -exec chown kogi.kogi {} \;

 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 22 January 2016 - 01:12 AM #5

I feel very noob. wtf is GET? is it same as wget?

No GET is not wget and wget doesn't support HTTP 1.1.  I'm not sure what they are talking about.  Try curl, it uses HTTP 1.1 by default and supports TLS 1.2:

 

curl  --tlsv1.2  https://tlstest.paypal.com



 
  • yakulakov
  • CS-Cart
  • CS-Cart Architects
  • Join Date: 26-Jan 15
  • 97 posts

Posted 22 January 2016 - 08:25 AM #6

No GET is not wget and wget doesn't support HTTP 1.1.  I'm not sure what they are talking about.  Try curl, it uses HTTP 1.1 by default and supports TLS 1.2:

 

curl  --tlsv1.2  https://tlstest.paypal.com

 

Hi guys,

 

curl will work just fine, but we recommend to use the GET command. And yes, wget and GET are not the same things.

 

Another thing, that you cannot execute the GET command on some servers because they don't have lwp-request installed (from the libwww-perl library). So to make the GET command work on your server you may need to intstall libwww-perl.

 

Sorry that we haven't mentioned that in the post.



 
  • straygecko
  • Advanced Member
  • Members
  • Join Date: 01-May 13
  • 93 posts

Posted 22 January 2016 - 04:04 PM #7

Why don't you recommend curl?  Its what cs-cart uses under the covers, not lwp-request.  So its a better test IMO.  The best test is probably what Paypal recommends for php:

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch)); var_dump(curl_error($ch));'