Support » Plugin: PayPal for WooCommerce » PayPal Pro Notice for SHA-256!!

  • Hi there,
    I won’t paste the whole notice in here but just part of it. PayPal has notified us that we have to make sure we are using SHA-256 now instead of the older SHA-1. Is this part of your plugin or WooCommerce? Or is it about our hosting? I am unclear and could use some help. Thanks! Here is the message they sent…

    Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:
    1. Discontinue use of the VeriSign G2 Root Certificate
    2. Update your integration to support certificates using the SHA-256 algorithm

    For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

    NOTE: The information below is in response to an industry-wide security upgrade and is not unique to PayPal. These updates will help secure your website’s interaction with the PayPal website and Application Programming Interface (API). Not all merchants are required to make these changes. Please ensure you are prepared for this event by consulting with your technology team, website vendor or individual(s) responsible for your PayPal integration.

    VeriSign G2 Root Certificate Upgrade Timeline

    In accordance with industry standards, PayPal will no longer accept secure connections that are signed by the VeriSign G2 Root Certificate.

    Please note that the following rollout dates are subject to change. We recommend that you check back for updates.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Contributor angelleye


    PayPal has made this change in their sandbox servers quite some time ago, and all of our testing has shown that the plugin itself is perfectly fine.

    The notification is really more about server environment (hosting) than code. If you want to be sure I would contact your hosting company and ensure that your site is compatible with SHA-256.

    Thank you so much for the quick reply! Very appreciated and we will check with our host.

    We’ve just had this message through from a few clients.

    I’ve checked with our host, and our hosting environment is already compatible with the new changes.
    So no action is required on WooCommerce to keep it working?

    Plugin Contributor angelleye


    Correct, you should be good to go! You can verify by running a test in the Sandbox if you want to. PayPal already made the changes to their sandbox servers.

    Great, thanks!

    Sorry if this is a dumb question but I have not been working with WooCommerce and PayPal for very long. What does sandbox mode do? And how does that verify if live mode is ok?

    Oh sorry, one more thing. In inspecting our checkout page code there are warnings that we are using an SHA-1 old certificate. So does that mean all we need to do is upgrade our SSL cert that’s on hosting with SHA-256?

    Plugin Contributor angelleye


    Sandbox mode allows you to run transactions against the PayPal sandbox, which is their test server. You can create PayPal sandbox accounts that look/feel/act just like a regular PayPal account, but it’s all fake money.

    PayPal already updated the sandbox to use the new SHA certificates a while ago, so if you are able to process payments successfully against the sandbox from your server then you know it’ll be fine live, too.

    Alternatively, you can use a site like this to check:

    I have noticed that Firefox/Firebug display a message about SHA-1 even when that’s not the case. My own site shows that it’s SHA-1 in Firebug, but any other tool I use to check (including the link above) shows that it’s not SHA-1.

    Thank you for the great added info! And yes I noticed that in Firefox too and got confused. 🙂

    I feel like a pest sorry but after we just re-issued our SSL Cert in the hopes of updating to SSH-256, I just tried sandbox mode and when I tried to place order I get the error message:

    Security header is not valid.

    Do you happen to know what that means?

    Thank you!

    Plugin Contributor angelleye


    That means the API credentials are incorrect. When you switch to sandbox mode you need to make sure you’ve entered the API credentials from a sandbox seller account into the plugin settings. There are fields for live API credentials and sandbox API credentials so you can set up both at the same time, and then just turn Sandbox mode on/off any time you want to run test transactions.

    Oh that must be it. Although I do not see any fields in the plugin settings for sandbox API credentials. Just “API Credentials.”

    Plugin Contributor angelleye


    The fields are all grouped next to each other. Here is a screenshot:

    Oh that’s interesting. Here are the only fields I have in the PayPal Pro Gateway settings:

    Oh crap, I don’t have your plugin. That’s the problem! I will have to get it. 🙂

  • The topic ‘PayPal Pro Notice for SHA-256!!’ is closed to new replies.