• I have just received an email from PayPal, pasted below. Will this affect anything within S2Member?

    We’re contacting our merchants with some important information in response to an industry-wide security upgrade, not unique to PayPal. This change involves upgrading Secure Sockets Layer (SSL) certificates over the course of 2015 and 2016.

    Since these changes are technical in nature, we advise you to consult your partner, website provider, or the people responsible for your PayPal integration. They will be able to identify if any changes will be needed. If you don’t have a technology team, you should change this, and we can work with them to ensure that you continue to process payments through your current integration with PayPal.

    Future-proof Your Integration
    Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:
    1. Discontinue using the VeriSign G2 Root Certificate
    2. Update your integration to support certificates using the SHA-256 algorithm
    Why change?
    The public Certificate Authority (CA) industry continues to improve the security of SSL certificates. In preparation for requiring the use of the SHA-256 signing algorithm in 2016, the VeriSign G2 Root Certificate that was historically used for connecting to PayPal API and Instant Payment Notification (IPN) endpoints will no longer be supported.
    When do I need to act?
    In February 2015, PayPal will upgrade the SSL certificates for the API/IPN endpoints in the Sandbox environment so they are no longer signed by the legacy VeriSign G2 Root Certificate. Merchants will have approximately 4 months to test their integrations to verify they can work with the PayPal Live environment. For a detailed timeline, including upgrade dates for Live and Sandbox API endpoints, see the 2015-2016 SSL Certificate Change Microsite.
    NOTE: It is important to note that these changes are to address industry-wide security issues and are not unique to PayPal. When implemented, they will improve the privacy and reliability of your PayPal integrations.
    Since the details of these changes vary by system, we recommend they be made with the help of a qualified system administrator.
    The Issue: In the past, VeriSign issued SSL certificates that had a trust chain signed by a 1024-bit G2 Root Certificate. In recent years, the government and Public CA industry have moved to more secure 2048-bit certificates, so VeriSign now issues SSL certificates that have a trust chain signed by a 2048-bit G5 Root Certificate issued in 2006.
    Our Response: In accordance with industry standards, PayPal will no longer accept secure connections to the API/IPN endpoints that are expecting our certificate/trust chain to be signed by the G2 Root Certificate. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

    https://wordpress.org/plugins/s2member/
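
The failure mode the notice describes, as an added example that is not part of the original post and is not PayPal or s2Member code: a client that trusts only an old root cannot verify a server certificate issued under a new one, and the signature algorithm and key size can be read from the certificate. The roots and server certificate are throwaway ones built with the openssl CLI; `old-root`, `new-root` and `api.example.test` are constructed stand-ins, not the VeriSign G2/G5 roots.

```shell
# Added example, not PayPal or s2Member code. Needs the openssl CLI.
# Every certificate is a throwaway built below; all names are constructed.

sig_alg() {      # signature algorithm of a PEM cert, e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

classify_sig_alg() {   # ok = SHA-2 family, legacy = SHA-1 or MD5
    case "$1" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo ok ;;
        sha1*|md5*|ecdsa-with-SHA1) echo legacy ;;
        *) echo unknown ;;
    esac
}

key_bits() {     # public key size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

chains_to() {    # chains_to ROOT LEAF: true if LEAF verifies with ROOT as anchor
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki() {   # make_demo_pki DIR: two roots, leaf issued by new-root
    for ca in old-root new-root; do
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 2 \
            -subj "/CN=Constructed $ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=api.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -sha256 -days 2 \
        -CA "$1/new-root.pem" -CAkey "$1/new-root.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

report() {       # report DIR: what a client pinned to each root would see
    alg=$(sig_alg "$1/leaf.pem"); old=fail; new=fail
    chains_to "$1/old-root.pem" "$1/leaf.pem" && old=pass
    chains_to "$1/new-root.pem" "$1/leaf.pem" && new=pass
    echo "sig=$alg ($(classify_sig_alg "$alg")) bits=$(key_bits "$1/leaf.pem") old-root=$old new-root=$new"
}

dir=$(mktemp -d) && make_demo_pki "$dir" && report "$dir"
rm -rf "$dir"
```

The same `sig_alg`, `key_bits` and `chains_to` functions can be pointed at a CA bundle and a saved server certificate from a real integration to see which trust anchor it depends on.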

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘PayPal SSL Changes?’ is closed to new replies.