Question
I use IPN endpoints and have received emails from PayPal saying PayPal is upgrading the certificate for www.paypal.com to SHA-256.
I just want to make sure my certificate will keep working.
I have tried checking on https://shaaaaaaaaaaaaa.com, https://shachecker.com, www.sslshopper.com/ssl-checker.html but none will check it (I assume they all require an https site, which mine isn't?).
I have tried a transaction through the sandbox and this works fine.
I have run openssl s_client -connect www.sandbox.paypal.com:443 -showcerts -CApath /etc/ssl/certs/
on my Ubuntu server and see a lot of information ending in Verify return code: 0 (ok)
It then just hangs. Does that mean there is a problem? What am I looking for in this information?
(If I run the same for www.paypal.com it pauses on the Verify line, then says closed.)
Answer 1:
Here are the details for the Certificate Upgrade:
Merchant Response Guide
Certificate FAQ
This comes from the Merchant Response Guide:
Our Response: In accordance with industry standards, PayPal will no longer accept secure connections to the API/IPN endpoints that are expecting our Certificate/trust chain to be signed by the G2 Root Certificate. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
Here is how to check your Certificate through Linux. This comes from GitHub:
How to Check All Certificates through Linux
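#!/bin/bash
# The awk program starts a fresh "openssl x509" process at every BEGIN line,
# so each certificate in the bundle is decoded separately and its subject printed.
echo "All certificates in ca-certificates.crt, listed by subject:"
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# Same listing, filtered: any output here means a G5 root is in the trust store.
echo "All certificates in ca-certificates.crt, listed by subject, check for presence of VeriSign's 'Class 3 Public Primary - G5':"
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep "G5"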
Source: https://stackoverflow.com/questions/32609093/how-can-i-tell-if-my-paypal-certificate-is-sha-256-paypal-service-upgrades
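Added example, not part of the original question or answer: a shell function that reads openssl s_client output and reports the two things the question asks about, the verify return code and the issuer at the top of the chain the server sent. The function name check_s_client and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise `openssl s_client` output read from stdin.
# check_s_client ROOT_PATTERN prints the verify code and the top issuer.
# Returns 0 if verification succeeded and the top issuer matches the pattern,
# 1 if verification failed or is missing, 2 if it chains to another root.
check_s_client() {
    local pattern="$1" out code issuer
    out="$(cat)"

    # "Verify return code: 0 (ok)" means the chain validated against the trust
    # store given with -CApath/-CAfile. Newer OpenSSL can print the line more
    # than once, so only the first is used.
    code="$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)"

    # In the "Certificate chain" section every certificate has an "s:" (subject)
    # and an "i:" (issuer) line. The last "i:" names the issuer of the topmost
    # certificate sent, normally the root the local trust store must contain.
    issuer="$(printf '%s\n' "$out" |
        sed -n '/^Certificate chain/,/^---$/s/^ *i:\(.*\)/\1/p' | tail -n 1)"

    echo "verify return code: ${code:-missing}"
    echo "top issuer: ${issuer:-missing}"

    [ "$code" = "0" ] || return 1
    case "$issuer" in
        *"$pattern"*) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample output (not captured from a real server).
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Merchant/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
    Verify return code: 0 (ok)
---'

# Live use; stdin from /dev/null makes s_client exit instead of waiting for input:
#   openssl s_client -connect www.paypal.com:443 -CApath /etc/ssl/certs/ \
#       </dev/null 2>/dev/null | check_s_client "G5"
```

The apparent hang after the Verify line is s_client holding the connection open and waiting for input on stdin, which is why the live invocation redirects stdin from /dev/null.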