[BlueOnyx:20120] Re: PayPal SHA256 change?

Michael Stauber mstauber at blueonyx.it
Sat Oct 1 18:57:22 -05 2016


Hi Michael,

> So I got an email from a client about a SSL upgrade paypal is doing. Details
> are here:
> 
> https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&ID=FAQ1766&viewlocale=en_US#Footer
> 
> I tried to read through it and run their test script but the output is not
> user friendly. Has anyone else looked at this? Do our servers have the
> correct G5 CA-Certificate and if not what is the right way to install it?

This is one part an OS issue and one part an SSL certificate issue.

Any SSL certificate you buy is signed by a Certificate Authority that is
in the trust chain. This trust chain contains the certificates of all
trusted authorities. Some certificates are signed more than once and
that's why you have to install an "intermediate cert" so that browsers
trust them.

The signature is also hashed and in the past the hash was usually SHA-1.
But this has been discontinued, because it wasn't secure enough. For
quite some time now, no more certificates hashed with just SHA-1 should
have been released by SSL cert vendors. But some of the more shady ones
violated that agreement and delivered SHA-1 signed certificates after
the cut-off day, or backdated certificates to be able to continue
signing with SHA-1.

Pretty much all good certificates that have been purchased in the last
year or so should be SHA-256 anyway. Let's Encrypt certificates use
SHA-256 as well, so they are good. Just in case someone wonders.

The part that affects us is the certificate chain that our OS uses. That
CA chain is found here: /etc/pki/tls/certs/ca-bundle.crt

And when I run the PayPal test script against it, it does indeed find
the G5 chain that they demand to be present:

All certificates in ca-certificates.crt, listed by subject, check for
presence of VeriSign's 'Class 3 Public Primary - G5':

subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5

So it should be all good.

-- 
With best regards

Michael Stauber
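As an added example (not the PayPal test script and not BlueOnyx code), here is a pure-Python checker for a PEM CA bundle such as /etc/pki/tls/certs/ca-bundle.crt: it reads each certificate's subject CN and signature algorithm, reports whether a wanted root such as the G5 root is present, and flags SHA-1 signatures. The fake_cert_pem() helper and the certificates it builds are constructed stand-ins for testing, not real CA certificates.

```python
import base64, re

def tlv(tag, body):                 # DER-encode one element, minimal length form
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def oid(dotted):                    # OBJECT IDENTIFIER body (base-128 arcs)
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7; chunk.insert(0, (v & 0x7F) | 0x80)
        out += chunk
    return bytes(out)
CN = oid("2.5.4.3")
SIG_NAMES = {oid("1.2.840.113549.1.1.5"): "sha1WithRSAEncryption",
             oid("1.2.840.113549.1.1.11"): "sha256WithRSAEncryption"}
def children(data):                 # split a DER SEQUENCE/SET body into (tag, value) pairs
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                # long-form length: low bits give the byte count
            k = n & 0x7F; n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[i:i + n])); i += n
    return out
def fake_cert_pem(cn, sig_oid):
    """Constructed, unsigned stand-in for a CA cert: only subject CN and sigalg are meaningful."""
    alg = tlv(0x30, tlv(0x06, oid(sig_oid)) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN) + tlv(0x0C, cn.encode()))))
    validity = tlv(0x30, tlv(0x17, b"160101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name)
    b64 = base64.encodebytes(tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
def cert_info(der):
    """Return (subject CN, signature algorithm) of one DER-encoded certificate."""
    tbs, sig_alg, _ = children(children(der)[0][1])
    f = children(tbs[1])
    f = f[1:] if f[0][0] == 0xA0 else f   # skip [0] version: serial, sig, issuer, validity, subject
    cn = next((v[1].decode() for _, rdn in children(f[4][1]) for _, atv in children(rdn)
               for o, v in [children(atv)] if o[1] == CN), "?")
    sig_oid = children(sig_alg[1])[0][1]
    return cn, SIG_NAMES.get(sig_oid, sig_oid.hex())
def check_bundle(pem, wanted_cn):
    """Return (wanted root present?, [CNs of certs whose signature uses SHA-1])."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    infos = [cert_info(base64.b64decode("".join(b.split()))) for b in blobs]
    return any(cn == wanted_cn for cn, _ in infos), [cn for cn, alg in infos if alg.startswith("sha1")]
```

On a real system call check_bundle(open("/etc/pki/tls/certs/ca-bundle.crt").read(), cn) with the CN you expect. A SHA-1 self-signature on a root in the bundle is not itself a problem, since root self-signatures are never verified; the hash matters for intermediate and end-entity certificates.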