Paypal STILL Not sending back IPN data to our server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: victorsunited.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Just a wild guess here (as I don't work for PayPal/LE and know almost nothing about IPN requirements).

Perhaps it has something to do with the weak ciphers in use:

IIS may require reg key modifications to get it secured [but that's a whole other forum].

3 Likes

Hi @noodles57,

Could you get a more specific error message from PayPal somehow?

As @rg305 mentioned, your TLS configuration looks a bit overly specific:

https://www.ssllabs.com/ssltest/analyze.html?d=victorsunited.com

In particular, those four ciphersuites, with TLS 1.2, are the only ones offered by your server. Is it possible that someone told you that your server had to support TLS 1.2 only (because of financial industry rules or something) and you then removed a whole lot of cipher options?

It's possible to support a much wider range of ciphersuite options than this in TLS 1.2, and it could be that a client will be more willing or able to negotiate a TLS connection given some other cipher choices.

3 Likes

I haven't worked with Paypal in years but I recall the following:

  1. PayPal has strict and often changing requirements on SSL.
    1A- Every 2-3 years they update the required/supported protocols
    1B- Every 2-3 years they change their own trust anchors. You need to ensure their current trust anchor is in your server's trust store. IIRC, in the past few years it went from Verisign G2 to G5 and is now Digicert. If your server doesn't trust that cert, things break.

  2. Their documentation changes often. They used to offer a downloadable PDF of the current developer guidelines. If they still do, it was updated twice a year and is the authoritative source on the current standards. Their online docs and articles are a mess, as are their official posts on third party websites. You're often reading outdated information.

  3. The easiest way to address any of these things is to set up a PayPal sandbox account and test that against a test server you set up. That will let you trigger the notifications or mimic transactions on demand. Their sandbox is usually less than a year different from their production environment. Sometimes it's the same!

4 Likes

For what it's worth, I recommend the following free tool (in best practises mode) for a workable IIS server TLS config: Nartac Software - IIS Crypto - it will configure the appropriate registry keys and tighten up enabled TLS ciphers etc. without making the server unusable.

3 Likes
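The replies above point at two things to check on the IIS box before reaching for a tool: which protocol versions Schannel has enabled in the registry, and how many cipher suites are actually left on offer. The script below is an added, read-only audit example written for this thread; it is not from the original posters, from PayPal, or from IIS Crypto. The registry path under `SCHANNEL\Protocols` with its `Enabled` / `DisabledByDefault` values and the `Get-TlsCipherSuite` cmdlet (Windows Server 2016 or later, run from an elevated prompt) are real Windows features; the name-based "weak" and "no forward secrecy" labels are a simple policy of my own, not a PayPal requirement.

```powershell
# Added example: read-only audit of Schannel server-side protocol settings and
# enabled cipher suites on a Windows/IIS host. Nothing here changes the registry.

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-ServerProtocolState {
    param([string]$Protocol)
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) {
        # No key at all means Windows applies its built-in default for this version
        return 'OS default (key absent)'
    }
    $props = Get-ItemProperty -Path $key
    if ($props.Enabled -eq 0)            { return 'Disabled' }
    if ($props.DisabledByDefault -eq 1)  { return 'Disabled by default' }
    if ($null -ne $props.Enabled)        { return 'Enabled' }
    return 'OS default (values absent)'
}

Write-Host 'Server-side protocol settings (Schannel registry):'
foreach ($p in $protocols) {
    '{0,-8} {1}' -f $p, (Get-ServerProtocolState -Protocol $p)
}

# Cipher suites currently enabled, in the order Schannel prefers them
$suites = Get-TlsCipherSuite
Write-Host ("`nEnabled cipher suites: {0}" -f $suites.Count)

# Assumed policy (mine, not PayPal's): flag legacy algorithms by name and
# note suites without an ephemeral key exchange. TLS 1.3 suite names carry
# no key-exchange token but always provide forward secrecy.
$weakPattern = 'RC4|3DES|DES_CBC|NULL|EXPORT|MD5'
foreach ($s in $suites) {
    $flags = @()
    if ($s.Name -match $weakPattern) { $flags += 'weak' }
    $isTls13 = $s.Name -match '^TLS_(AES|CHACHA20)_'
    if (-not $isTls13 -and $s.Name -notmatch 'ECDHE|DHE') { $flags += 'no-PFS' }
    '{0,-45} {1}' -f $s.Name, ($flags -join ',')
}

if ($suites.Count -lt 8) {
    Write-Warning ("Only {0} cipher suites enabled; some clients may be unable to negotiate." -f $suites.Count)
}
```

Run it before and after applying a tool such as IIS Crypto and compare the two listings: the protocol table shows whether TLS 1.2 is genuinely enabled on the server side, and the suite list makes the "only four suites" situation from the SSL Labs report visible locally, so you can widen the set without guessing which registry keys were touched.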

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.