
PayPal change to SHA-256

Posted: Fri Sep 11, 2015 10:30 pm
by sammysomerset
Hi there,

I've received an email from PayPal informing me that they are upgrading the certificate for to SHA-256 security, and that this endpoint is also used by merchants using the Instant Payment Notification (IPN). They have identified my site as using this (I use the PayPal Standard payments module - which is also used on a load of other sites I've worked on)...

So... does anyone know if the PayPal Standard module (i.e. the built-in one) supports SHA-256? My technical knowledge doesn't stretch this far, so I would really appreciate any help. I'm sure a large number of other users will be getting the same notification as me.

If it isn't supported, can anyone advise how to fix it to work?

I'm on (and have sites on It would also be good to know if v2 of Opencart is supported as I plan to use this going forwards.

Thanks in advance!


Re: PayPal change to SHA-256

Posted: Fri Sep 11, 2015 10:55 pm
by SimonArthur
The PayPal website gives some quick things to check: ... -upgrades/

"If your website uses an SSL Certificate (HTTPS encryption, padlock in browser bar on checkout), then you need to make sure that the SSL uses SHA-2. You can check this on the SSLLABS site."

According to SSLLabs, my website is OK. I don't know if this is everything that needs to be done, but it's a start.

Re: PayPal change to SHA-256

Posted: Sat Sep 12, 2015 12:18 am
by postidol
I am wondering this as well. Most of my clients are using the PayPal Standard module. I have read around that the SHA-256 upgrade refers to if your site is using an SSL certificate. It needs to be upgraded to an SSL certificate that supports SHA-256.

But I am not sure if that is all, or if there is any implication to non-SSL sites using the PayPal Standard module.


Re: PayPal change to SHA-256

Posted: Mon Sep 14, 2015 5:18 pm
by sammysomerset
I just posted this on another thread:

Right... I asked my host about this (as my website is non-SSL), and they say...

"I can confirm this will not be an issue, PayPal's notification will likely relate to requiring system connecting to their IPN service be SHA-256 capable and this is the case with the system hosting your account with us."

So basically you need to check with your hosting company! I imagine if you are using a good one, they will be fine...