Recently, the PayPal IPN for one of my products was not working.
I thought my code had some problems, but even after changing all of the code, it was still not working. Then I discovered, using the PayPal IPN Simulator (https://developer.paypal.com/developer/ipnsimulator/), that IPN was not handshaking with my domain, as my domain was using very basic SSL.
So, I found that there are 4 types of SSL:
1. ECDSA, P-256 (prime256v1)
ECDSA allows websites to support Internet Explorer 11 and retain compliance with PCI standards. ECDSA is recommended for systems running LSWS.
2. ECDSA, P-384 (secp384r1)
ECDSA allows websites to support Internet Explorer 11 and retain compliance with PCI standards. secp384r1 is more secure than prime256v1, but may perform slower. ECDSA is recommended for systems running LSWS.
3. RSA, 2,048-bit
RSA is more compatible with older clients (for example, browsers older than Internet Explorer 11) than ECDSA. New installations of cPanel & WHM ship with this setting.
4. RSA, 4,096-bit
RSA is more compatible with older clients (for example, browsers older than Internet Explorer 11) than ECDSA. This key type is more secure than RSA, 2,048-bit, but will perform slower than RSA, 2,048-bit keys.
———–
I always use RSA 2048-bit, but for my domain that will process credit cards, I decided to buy EssentialSSL from Namecheap, which will use the SHA-2 hashing algorithm & an ECDSA, P-256 (prime256v1) key and retains compliance with PCI standards.
I generated the CSR file using the commands below:
1. First, generate the private key file from the command line in Linux CentOS:
# openssl ecparam -out zserver.key -name prime256v1 -genkey
2. Then generate the CSR file from the command line in Linux CentOS:
# openssl req -new -key zserver.key -out zserver.csr
After I generated my CSR file & provided it in the Namecheap SSL purchase area, I got the certificate file with the bundle & installed it. I am happy that my domain's SSL meets the PCI standard & protects against certificate forgery.
P.S. To make an RSA 2048-bit SSL key:
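The two steps above can be run non-interactively and the CSR checked before it is pasted into the CA's order form. This is an added example, not part of the original post; the function names make_ecdsa_csr and check_csr and the subject example.test are hypothetical, and -noout is added to ecparam so the key file holds only the private key block.

```sh
#!/bin/sh
# Added example: generate a P-256 key and CSR, then verify the CSR before submission.
# Hypothetical names: make_ecdsa_csr, check_csr, example.test (constructed subject).

make_ecdsa_csr() {  # usage: make_ecdsa_csr <out_dir> <common_name>
    dir=$1; cn=$2
    (
        umask 077   # private key must be readable by its owner only
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/zserver.key"
    ) || return 1
    # -sha256 requests a SHA-2 signature; -subj skips the interactive prompts
    openssl req -new -sha256 -key "$dir/zserver.key" \
        -subj "/CN=$cn" -out "$dir/zserver.csr"
}

check_csr() {  # usage: check_csr <key> <csr>; prints OK or the reason for rejection
    key=$1; csr=$2
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) \
        || { echo "unreadable CSR"; return 1; }
    echo "$text" | grep -q 'ASN1 OID: prime256v1' \
        || { echo "wrong curve"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' \
        || { echo "not SHA-2"; return 1; }
    # The CSR is self-signed by the requester's key; a bad signature means a damaged file
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "bad self-signature"; return 1; }
    # The public key inside the CSR must belong to the private key kept on the server
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ] \
        || { echo "CSR does not match key"; return 1; }
    echo "OK"
}

# Demo in a throwaway directory
tmp=$(mktemp -d)
make_ecdsa_csr "$tmp" example.test && check_csr "$tmp/zserver.key" "$tmp/zserver.csr"
```
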
—————————————
# openssl genrsa -out server.key 2048
2. Then generate the CSR file from the command line in Linux CentOS:
———————————————————————————————————————
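<?php
// Ask howsmyssl.com which TLS version this server's cURL client negotiates.
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
if ($data === false) {
    // Report handshake or network failures instead of decoding an empty body.
    exit('cURL error: ' . curl_error($ch));
}
curl_close($ch);
$json = json_decode($data);
echo "Server Current Version of TLS: " . $json->tls_version;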
———————————————————————————————————————
Reference:
https://sectigo.com/resource-library/how-to-generate-certificate-signing-request-on-apache-ecc
https://www.paypal.com/re/smarthelp/article/migration-to-digicert-root-certificates-ts2240
https://www.paypal.com/re/smarthelp/article/where-can-i-find-paypal-ssl-server-certificates-ts1510
https://docs.cpanel.net/knowledge-base/security/ssl-tls-key-types/#ecdsa