Hello,

Thank you for the information.

Just wondering, is there a need to reconfigure on Magento's end or just the server's?

Thanks,

Richard

This only affect to stores that use any SSL certificate, I'm right? In our store we don't use any SSL certificate, so we don't are affected with this, or we need to do any change in the magento configuration too?

Thank you!

I would also like to know what is affected and what we need to do to ensure no issues arise.

How can we discover if we are using old IPN system or the new SHA-256 ?

I looked in var/log folder and found a  paypal_standard.log file  containing a "suspect" row:

 [ipn_track_id] => c2c8fd81a5014

is it an IPN based system ? How could I reconfigure it ?

---

@GiorgioBignozzi wrote:

How can we discover if we are using old IPN system or the new SHA-256 ?

I looked in var/log folder and found a  paypal_standard.log file  containing a "suspect" row:

 [ipn_track_id] => c2c8fd81a5014

 

is it an IPN based system ? How could I reconfigure it ?

---

I need this information too.

By Default magento sends its own NotifyUrl with each PayPal transaction. In CE 1.7 to 1.9 this is a non secure URL (http://<yourdomain>/paypal/ipn/ ), even if you have an SSL cert on your store. If you turn IPN off in your PayPal settings, magento will still send this URL regardless and PayPal will send back IPN data.

So, unless this update on the 30th also requires IPN to use https urls it does not look like anything would need to be changed. Alternativly if you have modified your paypal core files to use a secure URL, then you may need to use a 256 cert if you are not already (and you should be!).

Geez, the information in this therad is as useful as **bleep** on a bull.

There seem to be quite a some confusion as a result of the email by PayPal.

What they basically means is that PayPal IPN will only work with websites with SSL Certificates that are using 2048-bit and also SHA-256.

2048-bit should now be standardized for all SSL Certificates so it shouldn't be a problem.

SHA-256 is something that you need to take note of as your SSL Certificate may still be running the older SHA-1 cryptographic hash algorithm.

You can check if your SSL Certificate is using SHA-1 or SHA-256 at this website:-

https://shaaaaaaaaaaaaa.com/

If you are still using SHA-1, you will need to contact your SSL Certificate issuer (not your hosting provider) to reissue the SSL Certificate into SHA-256 and install it in your server to replace the SHA-1 SSL Certificate.

Thanks for this, very useful and the first bit of serious info in pretty much plain English.

I have just checked and our certificate is definitely SHA-256 (SHA-2). Does that mean I can safely ignore the confusing communication from PayPal?