To improve the level of security, PayPal is upgrading SSL certificates on all web and API endpoint. If you are using PayPal in your website then you should meet all these recommendations from PayPal. The full information is available here.
PayPal is making three major changes.
1. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA1 to SHA2 algorithm.
If your website uses a SSL certificate, then you need to make sure that the certificate have stronger SHA-256 algorithm. You can check this with the help of https:// www.sslshopper.com/ssl-checker.html Access this link and paste your website in the server hostname field. It will show all the information about your site SSL certificate. To get information about algorithm please search for Signature Algorithm.
If your SSL certificate uses weak SHA-1 algorithm and expires during 2016 or after 2016, then you need to contact your SSL provider to re-issue it with new SHA-256 algorithm.
2. TLS 1.2 upgrade.
PayPal is upgrading TLS version to 1.2 and will become mandatory for communication with PayPal. You need to verfiy that your webhosting environment will support this.
From a linux machine you can check this with the help of following command
openssl s_client -connect shop.domainname.org:443 -tls1_2
If you get the certificate chain and the handshake you know the system in question supports TLS 1.2. If you don’t see the certificate chain, and something similar to “handshake error” you know it does not support TLS 1.2.
3. Discontinue use of the VeriSign G2 root certiifcate.
PayPal will no longer support VeriSign G2 root certificate. If your host using G2 root certificate then you need to upgrade it to VeriSign G5 root certificate. You can download G5 root certificate from the link.
After everything is setup based on the PayPal recommendation customers still may get following errors while connecting to the PayPal TLS endpoint from your server.
curl: (35) Unknown SSL protocol error in connection to tlstest.paypal.com:443
–2016-03-07 11:48:29– https://tlstest.paypal.com/
Resolving tlstest.paypal.com… 184.108.40.206
Connecting to tlstest.paypal.com|220.127.116.11|:443… connected.
Unable to establish SSL connection.
It may due to the outdated curl or wget installation. To fix this modify your code as follows.
# php -r ‘$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, “https://tlstest.paypal.com/”); var_dump(curl_exec($ch));’
This is a very useful article.It made me to understand much about PAYPAL SSL Upgrade.