  #1  
Old 03-Mar-2016, 12:17 PM
feemish feemish is offline
Registered User
Join Date: Dec 2005
Full Name: Mark Carroll
Posts: 945
Thanks: 101
Thanked 45 Times in 42 Posts
Paypal 2016 Merchant Security Upgrades

I've seen the other thread called 'what does Upgrade to SHA-256 mean for us' but it doesn't actually have an answer to the question, does it?

I use the integrated Paypal Express Checkout on V14. I'm expecting that this means I have nothing to worry about... but does anyone know? Are there any announcements from Sellerdeck regarding this?


Quote:
We recently announced several security upgrades planned for this year, some of which may require you to make changes to your integration. You’re receiving this email because we’ve identified areas of your integration that may need to be upgraded.

What you’re about to read is very technical in nature – we understand that. Please contact the parties responsible for your PayPal integration, or your third party vendor (for example, shopping cart provider, and so on) to review this email.


They’re best positioned to help you make the changes outlined in this email and in the 2016 Merchant Security Roadmap Microsite.

What do I need to do as a merchant?

Here are the steps you’ll need to take to ensure your integration is up to date and you don’t experience a disruption of service when the changes happen.

Step 1:
Consult with someone who understands your integration. We encourage you to consult with the parties that set up your integration, which could be a consultant or third-party shopping cart. You may also need to find someone who can assist with making your integration changes.

Step 2: Understand how these changes affect your integration. Here are the key areas requiring your attention.
• If the chart shows “Yes”, you may require changes to be compatible with that security upgrade.
• If you see a “No,” our data shows that you are already compliant or do not use that functionality.

There may be other changes you need to make, but please pay particular attention to the following areas:

Change: Do I need to make a change?

SSL Certificate Upgrade to SHA-256: Yes
TLS 1.2 and HTTP/1.1 Upgrade: Yes
IPN Verification Postback to HTTPS: No
IP Address Update for PayPal Secure FTP Servers: No
Merchant API Certificate Credential Upgrade: No
Discontinue Use of GET Method for Classic NVP/SOAP APIs: No

Step 3:
Get the technical details about these changes. Detailed information about each of the changes and a location to test your integration are available on our 2016 Merchant Security Roadmap Microsite. Select the hyperlinks in the chart for information about specific change events.

Step 4: Make the appropriate changes by each “Act by” date*. It’s important to have your changes in place by the “Act by” date for each change event.

Step 5: Future-proof your integration. We recommend that you go through the Best Practices section on our 2016 Merchant Security Roadmap Microsite.
__________________
Arka Tribal Jewellery
  #2  
Old 04-Mar-2016, 09:22 AM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
I just received the same email. In my case I use the standard paypal integration which is probably used by the majority of sellerdeck users.

My understanding of this is that it has nothing to do with SSL certificates used on the website but is all about the secure communications channels used to communicate with paypal and the IPN / success callback.

So between us, paypal express and paypal standard users, I think we clearly need sellerdeck to take a look at what needs doing and explain how they're going to go ahead with any changes that might be necessary.

Could someone from sellerdeck at least acknowledge that they're aware of this issue and are looking into it? That would be better than the total silence we usually get until it really p's people off and gets escalated.
__________________
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------
  #3  
Old 04-Mar-2016, 10:44 AM
feemish feemish is offline
Registered User
Join Date: Dec 2005
Full Name: Mark Carroll
Posts: 945
Thanks: 101
Thanked 45 Times in 42 Posts
Support pointed me towards this:

http://community.sellerdeck.com/showthread.php?t=56358
__________________
Arka Tribal Jewellery
  #4  
Old 04-Mar-2016, 02:09 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
So,

After digging around a bit on this here's my understanding of the situation:

1. SSL upgrade to SHA256.

Paypal are upgrading their SSL certificates to SHA256 with a higher level of certificate signing. We just need to make sure that our servers are able to accept an SSL connection using these specifications.

I haven't figured out yet how to test this. Paypal have described a php test that can be run from a putty SSH shell, but I haven't been able to get this to work yet. I'm still looking at it.

2. http/1.1 and TLS1.2

Both of these must be supported by the server. In the case of 1and1:

- http/1.1 - Yes
- TLS1.2 - No. Only TLS1.0 is currently supported on the shared servers.

I have spoken to 1and1 about this and they have confirmed that this has already been escalated internally and is now being looked at. My ticket has been added to the original, so I'll be copied on the response when they get an answer and will post back here.
__________________
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------
  #5  
Old 04-Mar-2016, 03:16 PM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
Paypal have put in place a test url so you can test your server.

I've written some php code to test your server against this url. Copy and paste the following code to a .php file and then upload to your site and visit the page. I called mine TSLcheck.php but you can use whatever name you like.

Code:
<html>
<head>
<title>Paypal TLS tester</title>
<meta name="author" content="Mike Hughes">
</head>
<body>

<p><b>Paypal TLS Tester</b></p>

<p>If you see 'PayPal_Connection_OK' below - Great, everything is OK.</p>
<p>If you see 'bool(false)' then it looks like there's a problem.</p>

<?php
// Open the connection with the server's default cURL/OpenSSL settings, so the
// result reflects what the live PayPal integration would negotiate.
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "https://tlstest.paypal.com/");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it directly

echo "<p><b>Test Result:</b></p>";
var_dump(curl_exec($curl));   // string "PayPal_Connection_OK" on success, bool(false) on failure
echo "<p><b>Error Message:</b></p>";
var_dump(curl_error($curl));  // empty string on success, otherwise the cURL/SSL error text
curl_close($curl);
?>
<p><b>Error Message meanings:</b></p>
<p>According to paypal the following error messages might be seen:</p>
<p>HTTPS - tlstest.paypal.com will return an HTTP 400 response with the following text in the body:
"ERROR! Connection is not HTTPS. Please use https://tlstest.paypal.com"</p>
<p>HTTP/1.1 - tlstest.paypal.com will return an HTTP 400 response with the following text in the body:
"ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1"</p>
<p>TLS 1.2 (SHA-256) - An SSL connection error will be thrown by your code.</p>

</body>
</html>
I've tested it on my site on a 1and1 shared server and it confirms there is a problem. I get the error message

string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "

It would be nice if other people could try it to see if it works for them.

Mike
__________________
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------
The Following 2 Users Say Thank You to Mike Hughes For This Useful Post:
Goz (06-Mar-2016), MDN (10-Mar-2016)
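Mike's script tests whatever cURL and OpenSSL negotiate by default, so a host that silently falls back to TLS 1.0 only shows up as a bare "SSL connect error". The following is an added Python example, not Mike's script and not SellerDeck's code: it runs the same probe against tlstest.paypal.com with the minimum TLS version pinned to 1.2 (so a TLS 1.0-only stack fails at the handshake), speaks HTTP/1.1, and maps the outcome onto the three error texts PayPal lists above. The function names are my own; only the host name and the expected `PayPal_Connection_OK` body come from the thread.

```python
"""Added example (not from the forum thread): probe PayPal's tlstest endpoint
with the 2016 requirements pinned explicitly, and classify the outcome into
the failure modes PayPal documents (HTTPS, HTTP/1.1, TLS 1.2 / SHA-256)."""
import http.client
import ssl
from typing import Optional, Tuple

TLSTEST_HOST = "tlstest.paypal.com"   # endpoint named in the thread
EXPECTED_BODY = "PayPal_Connection_OK"


def make_tls12_context() -> ssl.SSLContext:
    """Default verifying context (CA bundle, hostname check), but refuse
    anything below TLS 1.2 so a server that can only negotiate TLS 1.0
    fails here rather than on PayPal's cut-over date."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify(status: Optional[int], body: str, error: Optional[str]) -> str:
    """Map a response (or a connection error) onto PayPal's documented outcomes."""
    if error is not None:
        # Handshake never completed: TLS version or certificate chain problem.
        return "TLS: handshake failed (server cannot negotiate TLS 1.2 / SHA-256 chain): " + error
    if status == 200 and EXPECTED_BODY in body:
        return "OK"
    if status == 400 and "not HTTPS" in body:
        return "HTTPS: request was sent in the clear"
    if status == 400 and "HTTP/1.0" in body:
        return "HTTP/1.1: client spoke HTTP/1.0"
    return f"UNEXPECTED: status={status} body={body[:80]!r}"


def probe(host: str = TLSTEST_HOST, timeout: float = 10.0) -> Tuple[Optional[int], str, Optional[str]]:
    """Perform the live check. http.client always speaks HTTP/1.1, so the
    HTTP/1.0 failure mode can only come from other clients (raw sockets,
    older libraries); it is still classified for completeness."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=make_tls12_context())
    try:
        conn.request("GET", "/", headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace"), None
    except (ssl.SSLError, OSError) as exc:
        return None, "", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Live run (needs network); prints "OK" on a compliant host.
    print(classify(*probe()))
```

Running it from the same hosting account as the shop reproduces Mike's test; the difference is that `minimum_version` makes the TLS 1.2 requirement explicit instead of relying on whatever the host's OpenSSL build happens to offer first.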
  #6  
Old 04-Mar-2016, 04:24 PM
NormanRouxel NormanRouxel is offline
Registered User
Join Date: Dec 2002
Full Name: Norman Rouxel
Posts: 10,760
Thanks: 9
Thanked 738 Times in 620 Posts
Same error here on 1&1 Business / Linux. I get error:
Code:
If you see 'bool(false)' then it looks like there's a problem.

Test Result:

bool(false)
Error Message:

string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "
__________________
Norman - www.drillpine.biz
Edinburgh, U K / Bitez, Turkey
  #7  
Old 04-Mar-2016, 05:09 PM
guccij guccij is offline
Registered User
Join Date: Feb 2008
Full Name: Jules
Posts: 1,959
Thanks: 177
Thanked 160 Times in 146 Posts
Yup our 1and1 dedicated server has the same result:

"string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 ""
  #8  
Old 05-Mar-2016, 07:22 AM
Duncan Rounding Duncan Rounding is offline
Administrator
Join Date: Sep 2005
Full Name: Duncan Rounding
Posts: 10,284
Thanks: 123
Thanked 465 Times in 422 Posts
SellerDeck are aware of this and will issue an update regarding the impact.
__________________
SellerDeck/Actinic Report Modifications - Add your logo to your invoice - email for information
Integrated e-Commerce Web Design
SellerDeck/Actinic Upgrades, Custom Designs, Layout Modifications and General SellerDeck/Actinic Help
  #9  
Old 05-Mar-2016, 10:30 AM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
Thanks Duncan,

While Sellerdeck are looking at this can you make sure that the September change is looked at too.

Quote:
If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. For information, click HERE. https://www.paypal-knowledge.com/inf...ewlocale=en_US

Act by September 30, 2016
It sounds to me as if they're saying the callback to Paypal to verify the IPN will have to be made using https. If it isn't already done this way then it should be a simple change to the code but it would be nice to have confirmation of what, if anything, will be done and when.
__________________
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------
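The September change Mike quotes is about the verification postback: the message PayPal sends to the shop's IPN handler must be echoed back to PayPal over HTTPS with `cmd=_notify-validate` prepended, and only a `VERIFIED` answer means the notification is genuine. The following is an added Python example, not SellerDeck's IPN code and not from the thread: it builds the postback body from the raw notification, sends it over a certificate-checked TLS 1.2+ connection, and then applies the merchant-side checks that `VERIFIED` alone does not cover. The postback host and path are my assumption of PayPal's documented verification endpoint; the sample notification and the `fake_paypal` stand-in are constructed for offline use.

```python
"""Added example (not from the forum thread or SellerDeck): verify a PayPal
IPN message by posting it back to PayPal over HTTPS, then apply the checks a
merchant must still do after PayPal answers VERIFIED."""
import http.client
import ssl
from typing import Callable, Dict
from urllib.parse import parse_qsl

# Assumption: PayPal's IPN verification endpoint. Confirm against PayPal's
# current documentation before relying on it.
IPN_VERIFY_HOST = "ipnpb.paypal.com"
IPN_VERIFY_PATH = "/cgi-bin/webscr"


def build_postback_body(raw_ipn_body: str) -> str:
    """PayPal wants the original form body back byte-for-byte, with
    cmd=_notify-validate prepended. No re-encoding, so nothing can drift."""
    return "cmd=_notify-validate&" + raw_ipn_body


def post_back(body: str, host: str = IPN_VERIFY_HOST, path: str = IPN_VERIFY_PATH,
              timeout: float = 10.0) -> str:
    """Real sender: HTTPS only, certificate and hostname verified, TLS >= 1.2,
    HTTP/1.1 (http.client's default). Returns PayPal's one-word answer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("POST", path, body=body, headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Host": host,
            "Connection": "close",
        })
        resp = conn.getresponse()
        return resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()


def verify_ipn(raw_ipn_body: str, expected_receiver: str, expected_currency: str,
               sender: Callable[[str], str] = post_back) -> Dict[str, str]:
    """Return the parsed IPN fields only if PayPal answers VERIFIED and the
    merchant-side checks pass; raise ValueError otherwise."""
    answer = sender(build_postback_body(raw_ipn_body))
    if answer != "VERIFIED":
        raise ValueError(f"PayPal did not verify the notification: {answer!r}")
    fields = dict(parse_qsl(raw_ipn_body, keep_blank_values=True))
    # VERIFIED only proves PayPal sent it. The shop still has to confirm the
    # payment is for this account, is complete, and is in the priced currency;
    # a real handler would also reject a txn_id it has already processed.
    if fields.get("receiver_email", "").lower() != expected_receiver.lower():
        raise ValueError("receiver_email does not match this merchant account")
    if fields.get("payment_status") != "Completed":
        raise ValueError(f"payment not completed: {fields.get('payment_status')!r}")
    if fields.get("mc_currency") != expected_currency:
        raise ValueError(f"unexpected currency: {fields.get('mc_currency')!r}")
    return fields


# Constructed sample notification for offline use (not a real PayPal message).
SAMPLE_IPN = ("payment_status=Completed&receiver_email=shop%40example.com"
              "&mc_gross=19.99&mc_currency=GBP&txn_id=TXN_PLACEHOLDER&custom=order-1234")


def fake_paypal(answer: str) -> Callable[[str], str]:
    """Stand-in sender: checks the postback has the required prefix and
    returns a canned VERIFIED/INVALID answer, so the logic runs offline."""
    def send(body: str) -> str:
        if not body.startswith("cmd=_notify-validate&"):
            raise AssertionError("postback must start with cmd=_notify-validate&")
        return answer
    return send


if __name__ == "__main__":
    print(verify_ipn(SAMPLE_IPN, "shop@example.com", "GBP", sender=fake_paypal("VERIFIED")))
```

In a live handler the `sender` argument is left at its default so the postback goes to PayPal; the injectable sender is only there so the verification and business checks can be exercised without network access.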
  #10  
Old 09-Mar-2016, 12:00 PM
zgap111 zgap111 is offline
Registered User
Join Date: Oct 2006
Full Name: Tak Chiu
Posts: 318
Thanks: 21
Thanked 9 Times in 9 Posts
I've contacted 1and1, we have our sites on their Dedicated Managed Servers, their answer is:

Quote:
Our Managed Dedicated servers do not support TLS1.2 and unfortunately due to the configuration of the managed servers this cannot be upgraded.
I will try to push them to escalate also...

The php fails on our sites.
  #11  
Old 09-Mar-2016, 12:52 PM
guccij guccij is offline
Registered User
Join Date: Feb 2008
Full Name: Jules
Posts: 1,959
Thanks: 177
Thanked 160 Times in 146 Posts
Right so we're all leaving 1&1 then? Grr.
  #12  
Old 09-Mar-2016, 02:31 PM
Goz Goz is offline
Developers
Join Date: Aug 2005
Full Name: Andrew Gosling
Posts: 714
Thanks: 121
Thanked 35 Times in 29 Posts
Heart Internet Shared Hosting gives :

Code:
If you see 'bool(false)' then it looks like there's a problem.
  Test Result:
bool(false)

 Error Message:
string(17) "SSL connect error"
__________________
Elysium:Online - Official Accredited SellerDeck Partner
SellerDeck Design, Build, Hosting & Promotion
Based in rural Northants
  #13  
Old 09-Mar-2016, 02:41 PM
Goz Goz is offline
Developers
Join Date: Aug 2005
Full Name: Andrew Gosling
Posts: 714
Thanks: 121
Thanked 35 Times in 29 Posts
Same result with Heart Internet VPS


Have asked their support the question... I'll report back.
__________________
Elysium:Online - Official Accredited SellerDeck Partner
SellerDeck Design, Build, Hosting & Promotion
Based in rural Northants
  #14  
Old 10-Mar-2016, 10:24 AM
Mike Hughes Mike Hughes is offline
Registered User
Join Date: Jan 2003
Full Name: Mike Hughes
Posts: 7,979
Thanks: 258
Thanked 448 Times in 396 Posts
Just as a check, I ran the script on some cheap hosting I have with M247 and everything passes.

Quote:
string(20) "PayPal_Connection_OK"
So at least I know the script is working and where I can go if 1and1 don't get their act together.
__________________
-----------------------------------------

First Tackle - Fly Fishing and Game Angling

-----------------------------------------
  #15  
Old 10-Mar-2016, 11:07 AM
MDN MDN is offline
Registered User
Join Date: Jun 2010
Full Name: Lee Phillips
Posts: 115
Thanks: 26
Thanked 20 Times in 14 Posts
Hi,

Thanks for the script. I have two sites hosted with teclan personally and a friend has 3; just tried it and it confirms a problem too, so I will get hold of teclan.
__________________
Many Thanks
Lee
www.mdnsupplies.co.uk
www.hookandloopfasteners.co.uk