PayPal changes for SHA-256 compatibility coming on September 30

Discussion in 'Site Programming, Development and Design' started by Alex Kintner, Jun 14, 2016.

  1. Hi Winhost,

    I received info from PayPal recently regarding: PayPal is making changes to be SHA-256 compatible.

    Is Winhost aware of this impending change and are Winhost web servers SHA-256 capable?

    My site has PayPal payment buttons and a .Net web app that does an Https handshake with PayPal after a payment notification is received.

    PayPal - Security-Related Changes Required to Avoid Service Disruption
    https://devblog.paypal.com/upcoming-security-changes-notice/
     
  2. Yes.

    The problem with these kinds of changes, though, is things like this (from the PayPal article you linked): "You will need to ensure that your environment [...] discontinue(s) the use of SSL connections that rely on the VeriSign G2 Root Certificate."

    Shared servers like ours can't simply drop support for specific root certificates because one site or connection wants us to. That can cause a lot more problems than it solves.

    Having said that, I'm not sure whether VeriSign G2 is still in the certificate chains on the servers. I'll have to check with the system admins. There are hundreds of certs supported, out of necessity. But even if it is there and we can't drop it, we do offer "hardened" servers that don't support any older cryptography methods (you can read more about the issue here).

    While those servers are as secure as a public-facing server can be, dropping support for older methods introduces some other problems for you as a site owner. The main problem being older web browsers will often fail to create a secure connection to a server that doesn't support older crypto methods. So you can see where this gets tricky and becomes a catch-22 kind of situation.

    But I'll check on the VeriSign G2 issue and post back here, or have one of the SAs post here to answer the specific question.
     
  3. Thank you Michael.
    I'm reading the link you provided and will watch for your update.
     
  4. FredC (Winhost Staff)

    PayPal has various different types of integrations.

    If your application makes an HTTPS call to the PayPal API, you'll need to:
    • Contact support and make sure your site is hosted on a Windows 2012 server and up (Windows 2008 doesn't support TLS 1.2)
    • Update your application to enable TLS 1.2
    See https://github.com/paypal/ipn-code-samples for sample code
     
  5. FredC, Ok thank you for this info.
    My web app does indeed use PayPal IPN Verification Postback to HTTPS infrastructure. So this does apply to my site.

    First step for me is to figure out how to recode my app for TLS1.2. Looks like this is gonna be an adventure. ;-)
     
    Here are the results of this adventure for anyone needing to do it in the future.

    1) The site migration to the Windows 2012 server was quick and easy. Thank you WinHost Dmitri G. for the excellent and speedy support.

    2) To get the Https IPN request to use TLS1.2 you need to turn it on within the web app code with this statement prior to creating the WebRequest.
    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

    There's more detail in this forum post with some code to test that it is working (H/t to Colonel Panic, 2nd answer on the page):
    http://stackoverflow.com/questions/4137106/are-there-net-implementation-of-tls-1-2
     
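The IPN verification postback described in the post above, written out as an added example (not Alex's code, not PayPal's ipn-code-samples): the protocol is pinned to TLS 1.2 before the WebRequest is created, the raw IPN body is echoed back with the validate command prepended, and the handler trusts the notification only on a literal VERIFIED reply. The endpoint host is taken from PayPal's public IPN documentation and the sandbox host is assumed to differ; both are assumptions to confirm against current PayPal docs.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

public static class PayPalIpnVerifier
{
    // Live IPN verification endpoint (assumption: from PayPal's public IPN
    // documentation; use the sandbox host when testing against the sandbox).
    private const string IpnEndpoint = "https://ipnpb.paypal.com/cgi-bin/webscr";

    // rawBody is the URL-encoded form body exactly as PayPal POSTed it to the
    // listener. It must be sent back unchanged (same order, same encoding) with
    // cmd=_notify-validate in front, otherwise PayPal answers INVALID.
    public static bool VerifyIpn(string rawBody)
    {
        // Set the protocol before the first request to the host: the setting
        // is read when the ServicePoint is created. The thread used
        // Tls12 | Tls11 | Tls; for a client that only talks to PayPal, Tls12
        // alone removes the possibility of negotiating an older protocol.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        byte[] payload = Encoding.ASCII.GetBytes("cmd=_notify-validate&" + rawBody);

        var request = (HttpWebRequest)WebRequest.Create(IpnEndpoint);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        request.Timeout = 30000; // fail closed instead of hanging the listener

        using (Stream body = request.GetRequestStream())
        {
            body.Write(payload, 0, payload.Length);
        }

        // Certificate validation is left at the framework default, so the
        // chain must terminate in a root present in the server trust store
        // (the G5 root discussed later in this thread).
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            // PayPal replies with the literal token VERIFIED or INVALID.
            string verdict = reader.ReadToEnd().Trim();
            return verdict == "VERIFIED";
        }
    }
}
```

A VERIFIED reply only proves the message came from PayPal; the handler should still compare receiver email, amount, currency and transaction id against its own records before fulfilling the order. On a project targeting .NET 4.0 the Tls12 enum member does not exist and the same value has to be set as (SecurityProtocolType)3072, which works only when the 4.5 runtime is installed.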
  7. Thanks for posting your update Alex.
     
  8. Hi Michael,
    Can you please check to see that the "VeriSign G5 Root Certificate" is included in the server trust store on the Windows 2012 servers?

    According to this PayPal doc,
    "Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections."

    https://www.paypal-techsupport.com/...urity System Upgrade Guide (U.S. English).pdf
     
  9. FYI, according to a reply to a Support ticket...
    "VeriSign G5 Root Certificate is already installed in the trust root certificate store. Your application should have no problem for the paypal certificate upgrade."

    This is for a Windows 2012 shared server.
     
  10. Alex, thanks again for posting the response from support. Sorry I didn't get back to you on Friday.
     