PayPal Changes: URGENT Encryption Notice

Hi everyone – I recently received a notice from PayPal giving users less than three business days to see if their upgrading of 1028 certs to 2048 certs will affect customers making API calls.

After contacting them I was provided with this:
==============================
We are currently notifying global merchants about a change impacting API SSL certificates. In order to meet industry standards set by the Certification Authority/Browser (CA/B) Forum, PayPal will discontinue supporting 1024-bit key length certificates and will migrate to 2048-bit certificates for the live site starting on August 6, 2013.

The installation of 2048-bit SSL certificates for all API endpoints in the PayPal Sandbox has been completed. The installation of 2048-bit SSL certificates for all API endpoints for the PayPal Live Site will start on August 6, 2013.

Any merchant that is making their own API calls will receive this notification. If a business has a cart or service making API calls on their behalf, they will not receive this notification. As part of our request, we also send certificate file (*.p12) and private key.

If you need to import the new certificates to your application or system keystore/truststore you can download them from the following locations:

PayPal Live Site – https://ppmts.custhelp.com/app/answers/detail/a_id/960

Payflow Gateway – https://ppmts.custhelp.com/app/answers/detail/a_id/961

PayPal Sandbox – https://ppmts.custhelp.com/app/answers/detail/a_id/962

Can anyone tell me how this affects S2 Member Pro forms, specifically using Payflow accounts and what steps we need to take?

Thanks

s2Member® is unaffected by this change, because it uses an API Signature and not those certificates. Our tests against the Sandbox indicate that no change is necessary and this should not impact s2Member site owners.

Thanks Mike – how about the SSl certificate that you buy from your web hosting company.? Doesn’t that encryption matter

Yes, that matters. However, it is unrelated to this change.
This change impacts sites using API calls that want to verify the underlying SSL certificate on the PayPal side; and perhaps it also impacts site owners making API calls using an API Certificate file provided by PayPal.

s2Member uses an API Signature (not a certificate), and it uses the WP_Http class to deal with remote communication with PayPal. So this does not affect s2Member®. The only possible issue I can see here, would have more to do with your server configuration and installed version of OpenSSL on the server itself. If this is a problem (not likely) you will see it right away, because all checkout routines would start failing.

Again, this is highly unlikely, and from our tests against most of the popular hosting companies running WordPress® it’s a non-issue. If you want to be extra cautious, you could send an email with the above notice to your hosting company and ask them if they’re prepared as well.