Immediate Attention Required: PayPal service upgrades

If your website consumes PayPal IPNs (Instant Payment Notifications) then you will probably have received an email today, September 11th 2015, with the subject: “IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades”.

The English grammar in the email is a little dodgy in places, but it is not a scam: it really is from PayPal, so you need to take action and make some checks.

Two upgrades are taking place at PayPal before the end of September 2015 which affect processing of PayPal IPNs.

G2 Root Certificate Replaced By G5 Root Certificate

Here SubscriptionBoss provides compatibility.

SubscriptionBoss comes packaged with the cacert.pem bundle. This contains the required G5 certificate and has done so since October 2013. The certificate is VeriSign Class 3 Public Primary Certification Authority – G5.
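If you want to confirm for yourself that the bundle your site ships really contains the G5 root, the following added example (not SubscriptionBoss code) walks every PEM block in a cacert.pem file, base64-decodes it to DER and looks for the subject common name. It needs no X.509 parser because the name is stored as plain ASCII inside the DER; note that the real certificate spells the CN with an ordinary hyphen, "... Authority - G5". The SAMPLE_BUNDLE below is a constructed stand-in made of two fake blocks, not real certificates, so the script can be exercised offline; point it at the real file to check a deployment.

```python
"""Scan a PEM CA bundle for a root whose subject CN matches a given string.

Added example, not part of the original post or of SubscriptionBoss.
"""
import base64
import re
import sys

# CN of the VeriSign G5 root as it appears in the certificate (ASCII hyphen).
G5_CN = "VeriSign Class 3 Public Primary Certification Authority - G5"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def iter_der_certs(pem_text):
    """Yield the DER bytes of each CERTIFICATE block in a PEM bundle."""
    for b64 in _PEM_BLOCK.findall(pem_text):
        yield base64.b64decode("".join(b64.split()))


def bundle_has_subject(pem_text, cn=G5_CN):
    """Return the indexes of the blocks whose DER contains the CN bytes."""
    needle = cn.encode("ascii")
    return [i for i, der in enumerate(iter_der_certs(pem_text)) if needle in der]


def check_file(path, cn=G5_CN):
    """Same check against a cacert.pem on disk."""
    with open(path, encoding="ascii") as fh:
        return bundle_has_subject(fh.read(), cn)


def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armour (constructed data, NOT a real cert)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundle: one unrelated entry, then a G5 look-alike.
SAMPLE_BUNDLE = (
    _fake_pem(b"\x30\x82\x01\x00" + b"CN=Some Other Root CA")
    + _fake_pem(b"\x30\x82\x01\x00" + G5_CN.encode("ascii"))
)

if __name__ == "__main__":
    hits = check_file(sys.argv[1]) if len(sys.argv) > 1 else bundle_has_subject(SAMPLE_BUNDLE)
    print("G5 root found at block(s):", hits if hits else "none")
```

A substring match cannot tell a root from an intermediate that merely names the issuer, so treat "none" as conclusive and a hit as a prompt to confirm with `openssl x509 -noout -subject` on that block.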

SHA-1 Signing Algorithm Replaced By SHA-256 Signing Algorithm

SHA-256 compatibility is provided (or not provided) by your web server. Most likely you are running Apache 2.x, in which case you will be fine, but you should check that your server is on the first list below and not the second.

Servers – support SHA-256

  • Apache server and OpenSSL 0.9.8o+
  • Apache 2.0.63+, OpenSSL 1.1.x
  • OpenSSL based servers – OpenSSL 0.9.8o+
  • Windows Server 2003+ with patch 938397
  • Windows Server 2003+ or XP client with patch 968730
  • Windows Server 2008+
  • Java based servers – 1.4.2+
  • Cisco ACE module software version A4(1.0)
  • Oracle WebLogic v10.3.1+ see bug8422724
  • Oracle Wallet Manager 11.2.0.3+
  • IBM HTTP Server 8.5 (with Lotus Domino 9+)
  • Juniper Secure Access – SA 6.4R5, 6.5R3, and 7.0R1 and later releases
  • Websphere application Server v8.0.0.4

Servers which reportedly DO NOT support SHA-256 in their entirety

  • Juniper SBR
  • IBM Domino
  • Linux 13.0
  • IOS 5.8.3
  • Android 3.4.13
  • HTML 5 1.2
  • Playbook 1.0
  • Blackberry 2.2 / BlackBerry 1.0 Tech Preview
  • Cisco ACE module software versions A2 and A3

The full list is available at Symantec Certificate Support.
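For the OpenSSL-based entries on the first list the deciding number is the OpenSSL release, and comparing release strings by hand is error-prone because of the 0.9.8 patch letters (0.9.8o, 0.9.8zh and so on). The added example below (my own, not from the post or from Symantec) parses an `openssl version` style string and compares it against the 0.9.8o threshold quoted above; the letter-to-number mapping is the OpenSSL 0.9.x/1.0.x scheme where letters run a..z and then za..zh.

```python
"""Check an OpenSSL version string against the SHA-256 threshold (0.9.8o).

Added example, not part of the original post.
"""
import re
import ssl

# 0.9.8o: 'o' is the 15th patch letter.
MIN_VERSION = (0, 9, 8, 15)

_VER_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def letters_to_number(letters):
    """Map OpenSSL patch letters to an ordinal: '' -> 0, 'o' -> 15, 'z' -> 26,
    'za' -> 27 ... 'zh' -> 34.  1.1.x and 3.x releases carry no letters."""
    return sum(ord(c) - ord("a") + 1 for c in letters)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_ordinal) from a version banner."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, letters_to_number(m.group(4)))


def supports_sha256(text, minimum=MIN_VERSION):
    """True when the parsed version is at or above the threshold."""
    return parse_openssl_version(text) >= minimum


if __name__ == "__main__":
    # The library this Python was linked against; Apache's mod_ssl may differ.
    banner = ssl.OPENSSL_VERSION
    try:
        print(banner, "->", "OK" if supports_sha256(banner) else "TOO OLD")
    except ValueError as exc:
        print(exc)  # e.g. a LibreSSL build
```

The value of `ssl.OPENSSL_VERSION` tells you what Python uses, which is not necessarily what Apache's mod_ssl loads; feed the function the output of `openssl version` on the server, or the OpenSSL banner from Apache's error log at startup, for the answer that matters here.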

Testing

PayPal have already upgraded their Sandbox area, as indicated on their SSL Certificate Change Microsite, so it is a matter of running a test transaction using sandbox API keys instead of live ones and checking that the IPN is processed.
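"Checking the IPN is processed" ultimately means that your handler's post-back to PayPal succeeds over TLS against the upgraded certificate. The added example below (my own, not SubscriptionBoss code) shows the core of that post-back: it echoes the notification to PayPal's `ipnpb` endpoint with `cmd=_notify-validate` prepended, picks the Sandbox host whenever the message carries `test_ipn=1`, and validates the server certificate against a pinned CA bundle rather than whatever the OS happens to trust. The endpoint URLs and the VERIFIED/INVALID handshake are PayPal's documented IPN protocol; the `cacert.pem` path and the two sample bodies are assumptions and constructed data.

```python
"""Post-back verification of a PayPal IPN with a pinned CA bundle.

Added example, not part of the original post or of SubscriptionBoss.
"""
import ssl
import urllib.parse
import urllib.request

LIVE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
SANDBOX_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"
CA_BUNDLE = "cacert.pem"  # assumed path to the CA bundle shipped with the site


def is_test_ipn(raw_body):
    """Sandbox notifications carry test_ipn=1; parse a copy, never the raw body."""
    params = urllib.parse.parse_qs(raw_body.decode("utf-8"), keep_blank_values=True)
    return params.get("test_ipn", [""])[0] == "1"


def build_verify_request(raw_body):
    """Return (url, body): the exact message PayPal sent, prefixed as required."""
    url = SANDBOX_URL if is_test_ipn(raw_body) else LIVE_URL
    return url, b"cmd=_notify-validate&" + raw_body


def interpret_verify_response(text):
    """Map PayPal's reply to a boolean; anything else is an error, not a pass."""
    body = text.strip()
    if body == "VERIFIED":
        return True
    if body == "INVALID":
        return False
    raise ValueError("unexpected verification response: %r" % body[:40])


def verify_ipn(raw_body, cafile=CA_BUNDLE, timeout=30):
    """Perform the post-back over TLS, trusting only the given CA bundle."""
    url, body = build_verify_request(raw_body)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return interpret_verify_response(resp.read().decode("utf-8"))


# Constructed sample bodies (not real notifications).
SAMPLE_SANDBOX_IPN = (b"txn_type=subscr_payment&payment_status=Completed&test_ipn=1"
                      b"&mc_gross=9.99&payer_email=buyer%40example.com")
SAMPLE_LIVE_IPN = b"txn_type=subscr_payment&payment_status=Completed&mc_gross=9.99"

if __name__ == "__main__":
    for sample in (SAMPLE_SANDBOX_IPN, SAMPLE_LIVE_IPN):
        url, _ = build_verify_request(sample)
        print("would post back to", url)
```

If the bundle lacks the root PayPal now chains to, `urlopen` raises `ssl.SSLCertVerificationError` and the IPN is never confirmed, which is exactly the failure this upgrade can cause and why a Sandbox run before the cut-over is worth doing. A VERIFIED reply only proves the message came from PayPal; the handler still has to check `receiver_email`, `mc_gross` and `mc_currency` against the order and treat a repeated `txn_id` as a duplicate.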

Image: PayPal Upgrade Schedule

PayPal Sandbox Testing

I made a subscription purchase in the PayPal Sandbox and the IPN was handled just fine.

Image: Test Result – IPN processed

Conclusion

So if you’re NOT running an unusual or really old web server, then SubscriptionBoss’s handling of PayPal IPNs should be unaffected by the PayPal certificate upgrades later this month.

If you are unsure about your server’s SHA-256 compatibility then get confirmation from your host or webmaster.

To be 100% certain take PayPal’s advice and run some tests in the PayPal Sandbox and make sure the IPNs are processed successfully.

References

DigiCert have a whole section on their website about SHA-256 migration if you want to get deep into this subject.

This includes a download of a DigiCert Certificate Agent Scanner which you can point at your websites to assess their readiness for SHA-256 as well as their general security. This is aimed at the webmaster rather than your average business site owner. But geeks will love it!
