Post by xsteved » Mon Mar 23, 2015 11:05 pm

March, 2015--

PayPal has begun to warn merchants that PayPal is changing their secure connection settings in stages during 2015. They are changing from Verisign G2 certificates to G5, and from the SHA-1 to the SHA-256 encryption algorithm.

Some key phrases and sentences from the PayPal information about this change--
In accordance with industry standards, PayPal will no longer accept secure connections to the API/IPN endpoints that are expecting our certificate/trust chain to be signed by the VeriSign G2 Root Certificate. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

We advise merchants and programmers to:
  • Discontinue use of the VeriSign G2 Root Certificate
  • Update your integration to support certificates using the SHA-256 algorithm
  • To avoid service interruption, your clients must support SHA-256 by mid-2015.
Question-- How do I know if my integration is affected?
Answer-- We are making changes to the Sandbox environments prior to any Live changes, so you can verify your integration against the Sandbox for any required testing. If you see these or similar error messages in the Sandbox environment, you will need to update your integration before we make changes to our Live environment (per the timeline above).
  • “Unable to find valid certification path to requested target”
  • “SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled”
  • “alert handshake failure”
  • “Problem with the SSL CA cert (path? access rights?)”
In OpenCart, I changed both the PayPal Standard and PayPal Express payment methods to use PayPal's sandbox mode (the sandbox does not transfer any money, but does test the interaction between merchants and their customers, and PayPal). Neither OpenCart 2's PayPal Standard nor PayPal Express payment methods now work using the PayPal test-area sandbox, which has already been updated (in February) to use the new G5 certificates and SHA-256 algorithm, according to PayPal.

Are the OpenCart PayPal payment methods being worked on by the developers to accommodate these annoying changes by PayPal. PayPal is warning merchants that they may not be able to process payments as early as the end of this month (March, 2015) or possibly as late as September of this year.

---

New member

Posts

Joined
Tue Dec 24, 2013 4:47 am

Post by joer80 » Wed Mar 25, 2015 1:18 pm

I would like to know as well. We are quickly approaching the first step..

I currently use Version 1.5.5.1 and the Paypal Express (14x and 15x) and PayPal Payflow Pro Payment Gateway payment modules.

https://www.opencart.com/index.php?rout ... _id=510091 https://www.opencart.com/index.php?rout ... _id=510095


Here is the micro site for more info: https://ppmts.custhelp.com/app/answers/detail/a_id/1236

New member

Posts

Joined
Fri Sep 30, 2011 2:19 am

Post by coolshop » Sun Mar 29, 2015 12:24 pm

We use Paypal Website Payments Pro and it also does not seem to work with the sandbox.

Not sure why more folks aren't concerned?

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by labeshops » Sun Mar 29, 2015 7:41 pm

Sandbox has *never* worked for me. Did you try doing an actual test order?

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by coolshop » Mon Mar 30, 2015 8:04 pm

Doing a test order in the live environment is not going to test the pending changes that they are rolling out over the next few months.

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by labeshops » Mon Mar 30, 2015 8:29 pm

True, but in 15 years (actually about 20 years of using Paypal), I NEVER got sandbox mode to work no matter what cart I used or what changes they made. Just saying you may not be able to go by those results.

Since version 2 is more tightly integrated with paypal, I would think it would adapt to the new changes. Though I do hope Daniel or some other integration expert will let us know for sure and if changes are needed for 1.5x ?

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by coolshop » Tue Mar 31, 2015 8:44 am

Yeah, I'm just not prepared to upgrade to 2.0 at the moment. On 1.5.3.1.

Hoping for some guidance!

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by coolshop » Mon Apr 06, 2015 1:38 am

I'm not sure why no one else seems concerned about this. Isn't this impacting all Opencart Paypal sites?

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by granddaddy » Mon Apr 06, 2015 2:14 am

I too am concerned about this and would like to know what to do.
I scanned all OC files for the occurrence of the word "verisign" and found it in the controller file for paypalproUK, but not in the main paypalpro file. In the file it is actually a URL at verisign.com that it uses.
This was the case in OC 1.5.1.3.
I then checked OC 1.5.6 and found NO occurrence. That file has been changed completely as uses a totally different URL.
I don't know if any of this is relevant, but it suggests to me that the problem could affect paypal pro/express but perhaps not paypal standard.
Could someone look deeper into this? Was this actually FIXED somewhere between 1.5.1.3 and 1.5.6.4 ? Or does the problem still exist in later versions?

Active Member

Posts

Joined
Sat Feb 18, 2012 5:48 pm

Post by coolshop » Mon Apr 06, 2015 11:11 pm

grandaddy, that kind of echoes my testing findings with the Sandbox.

Paypal standard worked, but I got an error with "Paypal Website Payments Pro", if that is the same as "Paypal Pro" that you reference.

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by coolshop » Tue Apr 07, 2015 8:17 pm

In studying this further, I have come to the realization that this is about the SSL certificate that is used on one's site rather than the Opencart or site code. They are just saying that the 'referring' certificate (i.e. the SSL certificate in place on your site) must meet SHA-256 standards. I would think that most reputable certificate authorities are well up to speed on this.

New member

Posts

Joined
Sun Sep 09, 2012 10:31 am

Post by takayuki » Sat May 16, 2015 6:48 am

so if my opencart site is using Paypal Standard module and all paypal stuff is handled at paypal.com then this doesn't affect me. correct?

New member

Posts

Joined
Thu Aug 13, 2009 10:16 pm

Post by deanodv8 » Fri Jun 12, 2015 1:46 am

I am having the same problems it would seem, but am unsure of how to resolve the issue with PayPal Pro on OC 2.0.2.0 -

We are experiencing an error message ‘this transaction cannot be processed’. I have tried deleting and creating a new API key via PayPal, but it makes no difference. Our site has no SSL Certificate in place; is that likely to be the cause?

I have read the main updates centre around the SSL certificate that is used on websites rather than Opencart or site code, but surely there must be an PayPal Pro Extension upgrade to deal with the changes PayPal are imposing... right?

It seems that the 'referring' certificate (i.e. the SSL certificate in place on your site) must meet SHA-256 standards. It seems PayPal will discontinue using SSL connections that rely on the VeriSign Root Certificates with a G2 identifier, so we need to ensure we are securely connecting using a supported VeriSign G5 Root Certificate.

Now this is going a bit over my head, but surely ( to my mind), there must be an upgrade to the plugin? Right? IF so, where to do we get it?

Second, can someone tell me if a SSL Cert is a MUST to use Pro?

HELP!

Newbie

Posts

Joined
Sat Oct 06, 2012 12:31 am

Post by vsnaustralia » Fri Sep 11, 2015 12:45 pm

Hi,

We are now also getting emails from our clients regarding the SAME PayPal security upgrade. Will this affect ALL OC versions?

Please enlighten us.

Thanks,

Ann
VSNAustralia

Newbie

Posts

Joined
Mon May 28, 2012 8:59 am

Post by Moggin » Fri Sep 11, 2015 7:42 pm

They emailed me this morning.
The installation concerned is old now, v1.4, so this could be fun

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by nestle » Fri Sep 11, 2015 9:05 pm

Any news? the standard paypal method of opencart is affected or not?

Newbie

Posts

Joined
Fri Sep 11, 2015 6:12 pm

Post by i2Paq » Fri Sep 11, 2015 10:00 pm

nestle wrote:Any news? the standard paypal method of opencart is affected or not?
I don't think so.

I think its related to you using an soon to be outdated SSL on your website and connection to PayPal.

Using the standard PayPal module will say working; but, I could be wrong.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

UPGRADE to 2.x: Contemplate before thou begins!

Our FREE search: Find your answer FAST!.

BUGs?: Known BUGS for All OC Versions.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by jrfcomputing » Fri Sep 11, 2015 11:26 pm

Surely the changes are to the Paypal SSL

You do not currently have to have an SSL if using the Paypal Standard as the customer gets sent to paypal for the payment details.

If using the pro version you will have to make sure the SSL certificate on your site matches the standard in the email

https://www.paypal-knowledge.com/resour ... ish%29.pdf

Opencart sites I am currently working on:
http://www.cablecafe.co.uk
http://www.exclusivelygorgeous.co.uk/


User avatar
Active Member

Posts

Joined
Mon May 09, 2011 11:29 pm

Post by Moggin » Sat Sep 12, 2015 2:33 am

I think you are right.

Putting on my stooopid person hat, because although it's a legitimate looking mail - PayPal key, correct username etc - I do not think the mail was legitimate. :clown:

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am

Post by simonkraus » Sat Sep 12, 2015 4:09 am

I also got in touch with this today and here are some facts:

The changes affect the communication between your server and the PayPal endpoint.

It isn't really related to OpenCart.

Your server must support sha2 and your SSL certificate must be a G5.

It just affects old versions of the VeriSign certs.
If you use a Globalsign / Comodo / Thawte or whatever certificate you mustn't check your cert.

If you're using VeriSign you should check the certificate.
To do so you could ssh to your server and call the following:

Code: Select all

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep "G5"
If this outputs your SSL cert everything is fine. If this outputs nothing you may really have to do something.
But i think the old G2 certs are rarely in use nowadays. I didn't get in touch with one in the last years.

I hope this could help one or the other.

Newbie

Posts

Joined
Sat Sep 12, 2015 4:00 am
Who is online

Users browsing this forum: No registered users and 15 guests