On Dec 15, 2014, Chargify will begin using a new SSL certificate signed with SHA-2 instead of SHA-1. The change should be seamless for most users, but old API clients may have issues. We have set up a test system so you can check ahead of time that your API integration will continue to work.

Am I affected?

If you do not use the API, then you will likely not be affected. API clients, like the .NET client or Ruby client, MAY be affected. We’re recommending you test ahead of time to be sure.

Shopify Merchants

If you use Chargify solely through Shopify, you do not need to take any action. We have already ensured everything will continue to work.

API Clients

Your API client MAY be affected by this change. We cannot know for sure, because whether your connection is compatible with SHA-2 SSL depends on your specific system configuration, library versions, and client settings.

To test whether your API client will continue to work, you should use the URL https://ssl-check.chargify.com (or just use ‘ssl-check’ as the subdomain in your client settings).  You do not need to use your real API credentials.

If successful, you will receive a response of “OK” with an HTTP “200” status code.

If unsuccessful, you will receive an error message. The exact message varies based on the client being used, but it will usually reference SSL, SHA, or TLS, making it clear that a secure connection could not be established. Here are some examples:

SSL_connect returned=1 errno=0 state=unknown state: tlsv1 alert internal error

The request was aborted: Could not create SSL/TLS secure channel
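The check described above can be scripted so that a TLS failure is distinguished from an unrelated network problem. The following Ruby sketch is an added example, not Chargify's client code; `check_sha2_compat`, `https_get` and `CheckResult` are hypothetical names, and only the URL comes from this announcement.

```ruby
require "net/http"
require "openssl"
require "uri"

# Test URL from the announcement; no real API credentials are needed.
SSL_CHECK_URL = "https://ssl-check.chargify.com"

# Hypothetical result type: status is :compatible, :tls_failure,
# :network_error or :unexpected.
CheckResult = Struct.new(:status, :detail)

# Default fetcher: plain GET with certificate verification left on, so a
# client that cannot validate the SHA-2 chain fails loudly instead of
# connecting without verification.
def https_get(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.open_timeout = 10
  http.read_timeout = 10
  http.get(uri.request_uri)
end

# Runs one check and classifies the outcome. `fetcher` is injectable so the
# classification can be exercised without network access.
def check_sha2_compat(url = SSL_CHECK_URL, fetcher: method(:https_get))
  response = fetcher.call(url)
  if response.code.to_s == "200" && response.body.to_s.strip == "OK"
    CheckResult.new(:compatible, "200 OK")
  else
    CheckResult.new(:unexpected, "HTTP #{response.code}: #{response.body.to_s[0, 80]}")
  end
rescue OpenSSL::SSL::SSLError => e
  # Handshake or certificate validation failed: the failure mode described
  # above. The OpenSSL build is reported because library version matters.
  CheckResult.new(:tls_failure, "#{e.message} (#{OpenSSL::OPENSSL_LIBRARY_VERSION})")
rescue SocketError, SystemCallError, Timeout::Error => e
  # DNS, routing or timeout problems say nothing about SHA-2 support.
  CheckResult.new(:network_error, "#{e.class}: #{e.message}")
end
```

Call `check_sha2_compat` with no arguments from the same host and Ruby runtime that run your integration, since the result depends on that system's OpenSSL build and CA store.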

Older Browser Users

Certain very old browsers do not support the SHA-2 signature used by newer SSL certificates. Therefore, customers with these browsers will see a security warning or will be unable to connect to Chargify because of this change. Known browsers that will be affected are:

Internet Explorer on Windows XP SP 2 (SP3, a free upgrade, includes a fix to support SHA-2)
Android OS prior to 2.3 (2.3 and later includes a fix to support SHA-2)

These browsers represent only a very small percentage of internet users today. Unfortunately there is no way to continue supporting them while also ensuring that all other internet users have a secure experience.

To check if your browser is affected, you can visit this page: https://ssltest39.ssl.symclab.com

The SHA-2 Migration Backstory

All major security providers, SSL certificate issuers, and all websites on the internet will be switched to using SHA-2. SHA-1 and SHA-2 refer to the hash algorithm used in the certificate's signature, which helps prove the owner of the certificate used to secure an SSL/TLS connection. SHA-1 has known security deficiencies and is being phased out because an attacker may be able to forge a fake certificate and pretend to be part of a website that they do not control. The only way to ensure that website connections remain secure moving forward is to enforce that all browsers and clients use only SHA-2 signatures.

Chargify is not acting in isolation on this issue, but is instead following the best practices and timeline established by other major players on the internet, including Google, Firefox, Microsoft, Verisign, Comodo, etc.

As always, if you have any questions, please feel free to contact support@chargify.com.

More Information:

SHA-256 Compatibility | GlobalSign