openssl PayPal compatibility

jonium
Posts: 2
Joined: 2016/08/23 10:34:54

openssl PayPal compatibility

Post by jonium » 2016/08/23 11:14:52

Hello,
I also have CentOS 5.11 and OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008.
Specifically:

# cat /etc/redhat-release
CentOS release 5.11 (Final)

# openssl version -a
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Tue May 31 06:47:28 CDT 2016
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: padlock dynamic


I need that system to be compatible with the PayPal update https://www.paypal-knowledge.com/infoce ... cale=en_US
If I try to update I get:

# yum update openssl
Loaded plugins: downloadonly, fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Excluding Packages in global exclude list
Finished
Setting up Update Process
No Packages marked for Update


What should I do?

Thanks for your help

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: openssl PayPal compatibility

Post by avij » 2016/08/23 12:18:55

I split your post from an older topic, because your (possible) issue does not seem to be relevant to the FREAK vulnerability (CVE-2015-0204).

You seem to be running the latest available openssl for CentOS 5, which is fine. I looked through the PayPal page you linked to, and I don't see anything that would not work with the latest CentOS 5 openssl. In particular, I seem to get a connection when I run openssl s_client -connect sha2-test-api.sandbox.paypal.com:443. Is there some particular problem you are running into?

jonium
Posts: 2
Joined: 2016/08/23 10:34:54

Re: openssl PayPal compatibility

Post by jonium » 2016/08/23 16:50:42

I tried it too; it should be OK:
openssl s_client -connect sha2-test-api.sandbox.paypal.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=SHA2-test-api.sandbox.paypal.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/emailAddress=re@paypal.com
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=stage1_certs/CN=stage1_camerchapi/emailAddress=re@paypal.com
/C=US/ST=CA/L=San Jose/O=PayPal Inc./OU=Mobile Client Certificate Authority/CN=PayPal Sandbox Client CA/emailAddress=DL-PP-ApplicationSecurity@paypal.com
/CN=gtorel_1310486522_per_api1.paypal.com/L=Napoli/ST=Napoli/C=IT
/CN=Sandbox_RootCA/OU=PayPal Crypto Mgt/O=PayPal Inc./L=San Jose/ST=California/C=US
/CN=Sandbox_MerchantIssuingCA/OU=Platform Security/O=PayPal Inc./L=San Jose/ST=California/C=US
---
SSL handshake has read 4124 bytes and written 426 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 9E01CD86FA9DC503AD505F17E34C089B6DE725ED6C61E83EF2946F8858FDB6A5
Session-ID-ctx:
Master-Key: 62CD34F44857169F6909F8FEF0BFEABCF26BE73191D29546791F21E9A2601E54A8DF0544F0056FB7EE28D7AD7CC34251
Key-Arg : None
Krb5 Principal: None
Start Time: 1471970979
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

Thanks for your reply
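
An added example, not part of any post in this thread: a shell wrapper that reduces an `openssl s_client` transcript like the one above to the negotiated protocol, cipher, key size and verify code, and compares the protocol against a minimum chosen by the caller. The function names, the minimum-protocol argument and the sample transcript (constructed from lines in the post above) are assumptions of this example.

```shell
# Added example. Sample transcript constructed from lines in the post above.
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
EOF
}

# Print one summary line from an s_client transcript read on stdin.
summarize_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0 }
        /^[ \t]*Cipher[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); cipher = $0 }
        /^Server public key is/  { bits = $5 }
        /Verify return code:/    { sub(/.*Verify return code:[ \t]*/, ""); verify = $1 }
        END { printf "protocol=%s cipher=%s key_bits=%s verify=%s\n", proto, cipher, bits, verify }
    '
}

# Order protocol names so they can be compared; unknown names rank -1.
proto_rank() {
    case "$1" in
        SSLv3) echo 0 ;; TLSv1) echo 1 ;; TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;; TLSv1.3) echo 4 ;; *) echo -1 ;;
    esac
}

# check_handshake MIN_PROTO: 0 = ok, 1 = chain not verified,
# 2 = protocol below MIN_PROTO, 3 = MIN_PROTO not recognised.
check_handshake() {
    min_rank=$(proto_rank "$1")
    [ "$min_rank" -ge 0 ] || { echo "unknown minimum: $1"; return 3; }
    summary=$(summarize_s_client)
    proto=${summary#protocol=}; proto=${proto%% *}
    verify=${summary##*verify=}
    [ "$verify" = "0" ] || { echo "FAIL verify ($summary)"; return 1; }
    [ "$(proto_rank "$proto")" -ge "$min_rank" ] ||
        { echo "FAIL protocol below $1 ($summary)"; return 2; }
    echo "OK ($summary)"
}

# Live use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | check_handshake TLSv1.2
sample_transcript | check_handshake TLSv1
```

OpenSSL 0.9.8 does not implement TLS 1.1 or 1.2, so on the system in this thread a `TLSv1.2` minimum fails even though the SHA-2 certificate chain verifies.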

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl PayPal compatibility

Post by TrevorH » 2016/08/24 10:50:48

Looks like a hint from PayPal that CentOS 5 is reaching its EOL! The distro goes out of support in about 6 months so you should be looking to migrate to a newer version soon anyway...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
