
[Resolved] Paypal SHA-256 and Cubecart


avyona

I received a notice from PayPal regarding us using IPN on our CC3 store:

Rehbecca Lowder,

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

It looks like the API connection endpoints that CC 3 uses are being phased out. I'm totally freaking out because I don't want our website to break. Does anyone know how I might upgrade the IPN protocol so that we will be compliant when the change happens? Thanks in advance for your thoughts! I hope someone can shed some light.


planetapplique.com and we don't have an SSL install since we use PP for processing

Ian, I think you are right about the SSL.  There were some links in the email as well and when I clicked on them and read over the actions needing to be taken they were all related to using SHA-1 SSL certificates.  I suppose then since we don't use an SSL on this domain (I do have one for our other website which uses an EV SSL through Comodo) then it doesn't affect me?


I tried it on the IPN sandbox and I'm not 100% sure it worked properly.  It seems to have passed my details to PayPal correctly, and processed the payment, but on going back to the store it said:

Error: No payment gateway variable is set!

To be fair, I've not tested with the sandbox before - so this could well be normal sandbox to CC3 behaviour.


Every single PayPal customer that has ever used IPN at any time is receiving this email - it does not mean that there is a problem with your website!  If you are using V5 or V6, download the latest versions of the PayPal modules that Al has released this morning and then test your installation. We have done this already for multiple sites across a range of our servers and all are fine.

Ian


As V3 and V4 get older and older and are not supported, things like this are going to continue to crop up - both are based on very old technology and while there are no known security issues with these versions, there could be some that haven't been disclosed and areas like this that could become problems in the future - upgrading to V6 is the only real way forward.

Ian


Upgrading is easier said than done - particularly if you have a lot of modifications.  If it isn't broken, I'm not fixing it :)

But if/when it does break are you or your developer experienced enough to get it working again? PHP 7 will be with us before we know it. I can't say if v3 & v4 will work with it or not.

If you do upgrade I would recommend doing so in a staging environment. Make an exact duplicate of your existing store (database & files), upgrade, tweak then set live when ready. <shameless_plug>This is standard procedure for new customers who sign up to our Technical Support & Management plan. </shameless_plug>


planetapplique.com and we don't have an SSL install since we use PP for processing

I suppose then since we don't use an SSL on this domain (I do have one for our other website which uses an EV SSL through Comodo) then it doesn't affect me?

This is a common fallacy that you only need an SSL certificate (which incidentally should now really be called a TLS certificate as SSL should not really exist as a protocol any longer but I digress!) if you are using certain forms of payment gateway!  It is a legal requirement that all E-Commerce stores are PCI validated (probably 99% of them aren't but still) and while having an SSL isn't a mandatory requirement, PCI validation companies do still like to see them. Secondly having an SSL helps secure not just your admin login pages but also any customer that logs in and enters their name, address, email and password into your system - people don't realise how incredibly easy it is to snoop on internet traffic and pick this information up.  Thirdly, Google are already giving a ranking boost in their search engine for pages that are secure and while this is still relatively small, that is set to increase quite significantly this year if the gossip around Google is to be believed.

I personally would never register an account on any website at all where I had to give any sort of personal information and certainly would never use any sort of E-Commerce store if it didn't have SSL protection.

Ian  


Please see the latest announcement.... your CubeCart v3 and v4 shop should continue to work ok too. Surely it's WAY past time to upgrade though!!?? :rolleyes: 

It IS way past time haha!  We are working on it. I have done so many modifications on my own and we have just under a million orders...my main concern is database tables matching up. It's taking some time to work on...but it's coming along haha and thanks for the heads up about PHP 7!


Hi,

I use the latest CubeCart 6.04 for my 2 online stores and I also received the PayPal service upgrades notification email today

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 30/9/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integrations work. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Thanks for your patience as we continue to improve our services.


I use the latest CubeCart 6.04 for my 2 online stores and I also received the PayPal service upgrades notification email today

As said previously, just because you get this email, doesn't mean that there is a problem - it seems every PayPal user that has ever at any time taken payments and used IPN is receiving this.  As you are already using V6, simply install the latest PayPal gateway module and use the Test Connection button to see if your server is configured correctly.

Ian


In conclusion, merchants using v6, v5, v4 or v3 will not need to make any changes to their store.

If in the unlikely event PayPal IPN does stop working (this controls the automatic order status change) you'll need to contact your web hosting provider and ask them to make sure that the server can connect to www.paypal.com under SSL (port 443) with both fsock and cURL without error.

Please note that this issue has absolutely no relation to your store's SSL certificate. Whether you have secure https or not is irrelevant. This only concerns PayPal SSL configuration.

Please also note that this issue only affects payment notifications; there is no risk of payments stopping.

Edited by Al Brookbanks
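
The connectivity check described in the post above (outbound TLS from the store's server to www.paypal.com on port 443, via both fsock and cURL), as an added example that is not part of the original thread or of CubeCart's code. The function names and the 10-second timeout are assumptions; run it from the web server that hosts the store.

```php
<?php
// Added example: outbound TLS check from the store's server to PayPal.
// Host and port are the ones named in the post; the timeout is an assumption.
const PP_HOST = 'www.paypal.com';
const PP_PORT = 443;
const TIMEOUT = 10; // seconds

function check_fsock($host, $port, $timeout)
{
    $errno = 0;
    $errstr = '';
    // The ssl:// prefix makes fsockopen() perform the TLS handshake.
    // PHP 5.6+ also verifies the certificate chain and host name by default.
    $fp = @fsockopen('ssl://' . $host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        return array('ok' => false, 'detail' => "errno $errno: $errstr");
    }
    fclose($fp);
    return array('ok' => true, 'detail' => 'TLS handshake completed');
}

function check_curl($host, $port, $timeout)
{
    if (!function_exists('curl_init')) {
        return array('ok' => false, 'detail' => 'cURL extension not loaded');
    }
    $ch = curl_init("https://$host:$port/");
    curl_setopt_array($ch, array(
        CURLOPT_NOBODY         => true,  // HEAD request, no body needed
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // fail on an untrusted chain
        CURLOPT_SSL_VERIFYHOST => 2,     // fail on a host name mismatch
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
    ));
    $ok = curl_exec($ch) !== false;
    $detail = $ok
        ? 'HTTP ' . curl_getinfo($ch, CURLINFO_HTTP_CODE)
        : 'errno ' . curl_errno($ch) . ': ' . curl_error($ch);
    return array('ok' => $ok, 'detail' => $detail);
}

foreach (array('fsock' => 'check_fsock', 'cURL' => 'check_curl') as $name => $fn) {
    $r = $fn(PP_HOST, PP_PORT, TIMEOUT);
    printf("%-5s %s  %s\n", $name, $r['ok'] ? 'OK' : 'FAIL', $r['detail']);
}
```

A FAIL line with a certificate verification error points at the server's CA bundle or TLS library rather than at the store's own certificate, which is the distinction the post draws.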

I thought the order status change was a separate http (not HTTPS) call from PayPal which called:

modules/gateway/PayPal/ipn.php

So, I don't think the change being talked about here is related to that (please correct me if I'm wrong).

The PHP fsock calls are when the shop software calls PayPal to request processing of a payment - and this includes all the billing details, what was bought, etc.  In my test in the sandbox - I think this part is working.    The http IPN callback didn't work - but I'm not sure this is a separate issue.
