Paypal was no longer sending back IPN data to our server

Hello all,

We’ve installed the Let’s Encrypt cert a few weeks back once Paypal was no longer sending back IPN data to our server since around 2/16/2020 but it did not make any difference. My error logs seem to suggest SSL3, which Let’s Encrypt does not support could be the culprit.

I’ve run cert detail tests from several sites and am getting mixed expiration dates.

one site states:
https://www.sslshopper.com/ssl-checker.html#hostname=http://victorsunited.com
“This Site is Secure Until 6/23/2019”

another:

yet another shows it will expire even further out:

My domain is: http://victorsunited.com

My web server is (include version): win 2012 R2

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

PLEASE ADVISE as we have been manually upgrading memberships on our site until this issue can be solved.

Thank you in advance.

The SSL/TLS version number is not related to the (Let's Encrypt) certificate, but is a webserver configuration.

Hi @noodles57

that's

wrong. A certificate has nothing to do with the Tls-Protocol.

You can use the same certificate with SSL3, Tls.1.0, 1.1 and 1.2.

But SSL3 is insecure, so you shouldn't use it.

Checking your domain - https://check-your-website.server-daten.de/?q=victorsunited.com - there is no https answer, only timeouts. So it's impossible to check your domain.

I was just restarting the app pool, sorry.

Thank you for the replies, but I’m not really sure where the issue needs addressing. Paypal tech support is limited due to the health issue.

They could only state "Some of our certificates were decommissioned to meet with industry standards. "

For years our Paypal IPN Listener was http://xxx never https:// and worked fine. I don’t know if Paypal is suggesting we even needed a cert installed, which was only installed about last week.

If my server is creating this error each time a Paypal IPN is trying to send back:
“The request was aborted: Could not create SSL/TLS secure channel.” where would the issue lie??
My server techs also state the cert should not be the issue, but I wanted to check here to be sure.

Well, there's way too little information to say anything definitive about the reason why the TLS connection couldn't be created. You could of course maximise the logging of your webserver temporarily and see what your logs say at the moment a Paypal IPN fails.

Furthermore, if you'd check your webserver with SSLLabs (SSL Server Test: victorsunited.com (Powered by Qualys SSL Labs)), you'll see it gives a few warnings. One "red" level warning and three "orange" level warnings, all saying your webserver has unsecure settings enabled. It might be Paypal refuses the connection, because you allow SSLv3, an insecure protocol version. But that's just pure speculation.

There is a new check of your domain.

You have mixed content. Ok, that's not a problem with Paypal.

And

Chrome-Connection: info. obsolete connection settings. The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_256_CBC with HMAC-SHA1.

That may be a problem a deprecated Cipher Suite.

And Tls.1.0 / 1.1 is active.

Your replies are being very helpful!

I researched how to update the registry to disable SSL 3.

In the registry I see the key had been removed - the path to 'Protocols' had been left open by my tech support who just changed this about a week ago.

I'm reading that the key should have been left in but changed to 'disabled', so that's one concern.

I'm also reading how to fix the Cipher Suite issues shown in the ssllabs.com report.

I will research a bit more before making and registry changes, but it makes sense these need to be addressed.

Thank you again!

IISCrypto

https://www.nartac.com/Products/IISCrypto/

is the standard tool checking the SSL configuration of a Windows-system.

After installing IISCrypto directly on the server, I backed up the registry. I chose 'best practices' setting and set the server to reboot at 3am this morning.

The ranking improved from a C to a B:
https://www.ssllabs.com/ssltest/analyze.html?d=victorsunited.com

Some of the entries under Cipher Suites still show issues AND the Paypal IPN is still giving me errors mainly these same errors:

"Returned Guid from PayPal passthrough not parsed right"

"The request was aborted: Could not create SSL/TLS secure channel."

Still no word back fro Paypal tech support, but I still suspect the issue is they changed their data string which is now not being parsed correctly.

Windows 2012 has some limitations, no good RSA GCM Cipher Suite.

If possible, create an EC certificate and use that. Then Windows 2012 supports some GCM Ciphers.

Thanks for your reply. I have forwarded that info to the server techs. I’d need to research what it is and am pressed for time for the next few hours.

Your replies are much appreciated!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.