PayPal service upgrade to SHA256


I got following email from PayPal, I use it in my website with IPN…

As we have previously communicated to you, PayPal is upgrading the certificate for to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 30/9/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integrations work. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

I use the following code for IPN, do I have to make any change ?

$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) 
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";

$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Host:\r\n";
$header .= "Connection: close\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://', 443, $errno, $errstr, 30);

// assign posted variables to local variables
$custom = $_POST['custom'];
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];

if (!$fp)
        // HTTP ERROR
	fputs ($fp, $header . $req);
	while (!feof($fp)) 
		$res = fgets ($fp, 1024);
		$res = trim($res); //NEW & IMPORTANT

                if (strcmp ($res, "VERIFIED") == 0)
			// Its good
                else if (strcmp ($res, "INVALID") == 0)
			// Its bad
        fclose ($fp);

Please help.


the PayPal Technical Support should be your first address for such issues. It may be as simple as changing the SSL certificate, but the people over at PP definitely are the most fit to ask.

that’s what the more detailed instructions say to do.

It is the security level required for the certificate that has changed and there is nothing in the code to alter.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.