
PayPal has updated its sandbox API endpoint and certificate to use SHA-256 instead of SHA-1. To migrate my application (which connects to PayPal for Express Checkout) to use SHA-256, I have:

a) Deleted and downloaded a new certificate from my PayPal account and converted it to .p12 format. Using openssl, I confirmed that the certificate is using sha256withRsa.

b) Confirmed that /etc/ssl/certs/ca-certs.crt contains the VeriSign G5 CA certificate, as given in the link https://gist.github.com/robglas/3ef9582c6292470a1743

I am still unable to connect to the PayPal sandbox from my Java code, which uses HttpClient. It fails during the handshake.

In the Java code I am using SSLContext.getInstance("SSL") with a custom truststore:

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Trust manager that accepts every certificate chain without checking it.
class CustomTrustManager implements X509TrustManager {

    // Leftover of the old com.sun.net.ssl.X509TrustManager interface;
    // not part of javax.net.ssl.X509TrustManager and never called by JSSE.
    public boolean checkClientTrusted(X509Certificate[] chain) {
        return true;
    }

    // Same: not part of the javax.net.ssl interface.
    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }

    public X509Certificate[] getAcceptedIssuers() {
        return null; // the interface contract requires a non-null (possibly empty) array
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // no validation performed
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // no validation performed
    }
}
```

I am using a KeyManagerFactory of instance SunX509 and initializing it with the PKCS12 keystore.

Am I missing anything? Please help!

cooldev
  • You don't need a custom TrustManager for this, and this one is no good whatsoever, however often you may see it posted as a 'solution'. Don't use this code. `getAcceptedIssuers()` cannot return null, and the whole thing is 100% insecure. You may as well use plaintext as this. – user207421 Jan 22 '16 at 06:21
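The trust manager in the question disables server verification entirely, which is the point of the comment above. The following is an added example, not code from the question, from PayPal or from HttpClient, showing the hardened form of what the asker is trying to do: an SSLContext that presents the PKCS#12 API certificate as client identity and verifies the sandbox endpoint against an explicitly loaded CA certificate instead of trusting everything. The class name, method name, file paths and password handling are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that (a) presents the PKCS#12 client certificate and
 * (b) verifies the server against one explicitly loaded CA certificate.
 * Added example; class and method names are assumptions, not PayPal's API.
 */
public final class PayPalSslContextFactory {

    private PayPalSslContextFactory() {}

    /**
     * @param clientP12Path  path to the .p12 file exported from the PayPal account (assumed path)
     * @param clientP12Pass  password protecting that file
     * @param caCertPemPath  path to the PEM-encoded CA certificate (e.g. the VeriSign G5 root)
     */
    public static SSLContext build(String clientP12Path, char[] clientP12Pass, String caCertPemPath)
            throws Exception {

        // 1. Client identity: the PKCS#12 keystore holding the API certificate and private key.
        //    "PKCS12" is a KeyStore type; it is served by SunJSSE, not by SunRsaSign.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12Path)) {
            clientStore.load(in, clientP12Pass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, clientP12Pass);

        // 2. Server trust: a truststore that contains only the CA expected to sign the endpoint cert.
        //    Built in memory from a single PEM file, so it does not depend on the system cacerts.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert;
        try (InputStream in = new FileInputStream(caCertPemPath)) {
            caCert = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start empty
        trustStore.setCertificateEntry("paypal-ca", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // 3. Combine: the JDK's own X509TrustManager does chain building, signature
        //    (SHA256withRSA included) and validity checks; no custom trust manager is needed.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With HttpClient 4.3 or later (an assumption; the question does not give the version) the context is handed to the client through `new SSLConnectionSocketFactory(ctx)`; any handshake failure then surfaces as a `javax.net.ssl.SSLHandshakeException` whose message names the actual cause (unsupported signature algorithm, no shared cipher suite, untrusted issuer) rather than being masked by a trust-all manager.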

2 Answers


This is more suitable for a comment, but I don't have enough reputation. I had similar problems in the past with another service; the problem was that Java 7 uses old SSL algorithms by default. Try using Java 8 if you can. If you have to stick with your current Java version, try using different algorithms or see if you can obtain some information about the SSL configuration from PayPal. This link might help

Borislav Stoilov
  • Thanks a lot for the link. The API certificate downloaded from PayPal has the signature algorithm "sha256WithRsa". sha256WithRsa is supported by the "Provider" SunRsaSign and not by SunJSSE. Now PKCS12 does not seem to be supported by SunRsaSign: KeyStore.getInstance("PKCS12", "SunRsaSign"); throws an error. SunRsaSign provides the Signature class and does not provide an implementation of JKS/PKCS12. How can the Signature class be used for making an SSL connection? – cooldev Jan 22 '16 at 05:59
  • See link http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunRsaSignProvider – cooldev Jan 22 '16 at 06:06
  • I think [this](http://www.oracle.com/technetwork/articles/javase/security-137537.html) should help. At the bottom of the page (I can't link it scrolled, for some reason), there is "Import and Export PKCS#12 Keystores". Hope it helps. – Borislav Stoilov Jan 22 '16 at 09:09
  • This is not about SSL algorithms, it is about certificate signing algorithms. – user207421 Jan 28 '16 at 05:06

The issue was with the OpenJDK 7 version. It seems OpenJDK by default has the JCE unlimited strength policy files (required to support 256-bit ciphers). However, some versions have the ciphers disabled (might be a bug). Upgrading OpenJDK to version 1.7.0_91 resolved the issue.

cooldev
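Both answers come down to what the running JDK can actually do: which protocol versions and cipher suites are enabled by default (the first answer's "old SSL algorithms"), whether the JCE unlimited-strength policy is in effect and the 256-bit suites are really enabled (the accepted answer), and whether a SHA256withRSA Signature implementation is registered at all (the comment thread about SunRsaSign). The following diagnostic is an added example and not code from either answer; the class and method names are my own, and it needs no network access.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Reports the TLS-related capabilities of the running JDK.
 * Added example; class and method names are assumptions.
 */
public final class TlsCapabilityCheck {

    private TlsCapabilityCheck() {}

    /** True when the JCE unlimited-strength policy is in effect, i.e. AES-256 keys are permitted. */
    public static boolean unlimitedStrengthInstalled() throws NoSuchAlgorithmException {
        // Returns Integer.MAX_VALUE with unlimited policy, 128 with the limited policy.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** True when some installed provider (normally SunRsaSign) supplies SHA256withRSA. */
    public static boolean sha256WithRsaAvailable() {
        try {
            Signature.getInstance("SHA256withRSA");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Protocol versions a new client socket would enable by default. */
    public static List<String> enabledProtocols() throws Exception {
        // On Java 7 clients this is typically SSLv3 and TLSv1 only; TLSv1.1/1.2
        // are supported but not enabled unless configured.
        return Arrays.asList(defaultContext().getDefaultSSLParameters().getProtocols());
    }

    /** Every protocol version the JSSE implementation supports, enabled or not. */
    public static List<String> supportedProtocols() throws Exception {
        return Arrays.asList(defaultContext().getSupportedSSLParameters().getProtocols());
    }

    /**
     * Enabled cipher suites that use a 256-bit symmetric key.
     * An empty list with unlimitedStrengthInstalled() == true is the symptom the
     * accepted answer describes: policy files present, suites nonetheless disabled.
     */
    public static List<String> enabled256BitSuites() throws Exception {
        List<String> out = new ArrayList<String>();
        for (String suite : defaultContext().getDefaultSSLParameters().getCipherSuites()) {
            if (suite.contains("_256_")) {      // e.g. TLS_RSA_WITH_AES_256_CBC_SHA
                out.add(suite);
            }
        }
        return out;
    }

    private static SSLContext defaultContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);             // default key and trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java version:            " + System.getProperty("java.version"));
        System.out.println("Unlimited-strength JCE:  " + unlimitedStrengthInstalled());
        System.out.println("SHA256withRSA available: " + sha256WithRsaAvailable());
        System.out.println("Enabled protocols:       " + enabledProtocols());
        System.out.println("Supported protocols:     " + supportedProtocols());
        System.out.println("Enabled 256-bit suites:  " + enabled256BitSuites());
    }
}
```

Run it with the same JVM that runs the application. A JDK that reports SHA256withRSA available, unlimited strength in effect and at least one 256-bit suite enabled has nothing on this list left to explain a handshake failure, which narrows the search to the truststore contents and the protocol versions the peer accepts.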