As far as I can tell, PayPal IPN notifications get sent back using weak ciphers. If your server disallows the use of weak ciphers -- as is required for PCI compliance -- then PayPal IPN notifications will fail.

Are the payments module and uc_paypal module robust enough to handle IPN with SSL turned off? In other words, does it check the notification to make sure there is no spoofing of values?

Otherwise, if anyone has managed to get IPN to work over SSL/TLS on a properly PCI-compliant server, it would be great if you could share how you did it.

Comments

longwave’s picture

Status: Active » Fixed

Whether we validate responses or not, this has nothing to do with SSL; if we did not validate it would not make any difference if the attacker used HTTP or HTTPS.

Anyway, we use IPN validation as described at https://www.paypal.com/uk/cgi-bin/webscr?cmd=p/acc/ipn-info-outside to ensure that the IPN is valid before processing it, so we never process a spoofed response.
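The validation described in the comment above, as an added Python sketch that is not part of the original thread and is not uc_paypal's code: the receiver echoes the notification back to PayPal with `cmd=_notify-validate` prepended and processes it only on a `VERIFIED` reply, so trust comes from the outbound postback rather than from how the notification arrived. The endpoint URL, the injectable `post` transport, the `order` dictionary and the sample messages are assumptions constructed for the example.

```python
from urllib.parse import parse_qs

# Assumption: postback endpoint on the host the linked IPN documentation uses.
VALIDATE_URL = "https://www.paypal.com/cgi-bin/webscr"
PREFIX = b"cmd=_notify-validate&"

def validation_body(raw: bytes) -> bytes:
    # Echo the notification byte for byte; re-encoding parsed fields could alter it.
    return PREFIX + raw

def accept_ipn(raw, post, order, seen_txn_ids):
    """Return (accepted, reason). post(url, body) -> str is the outbound HTTPS call."""
    if post(VALIDATE_URL, validation_body(raw)).strip() != "VERIFIED":
        return False, "postback not VERIFIED"
    fields = {k: v[0] for k, v in parse_qs(raw.decode("utf-8")).items()}
    # A VERIFIED message can still be for another merchant, amount or an old payment.
    if fields.get("receiver_email", "").lower() != order["receiver_email"]:
        return False, "wrong receiver"
    if fields.get("payment_status") != "Completed":
        return False, "not completed"
    paid = (fields.get("mc_gross"), fields.get("mc_currency"))
    if paid != (order["total"], order["currency"]):
        return False, "amount mismatch"
    txn = fields.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"

# Constructed sample data, not real PayPal traffic.
GENUINE = (b"txn_id=CONSTRUCTED123&payment_status=Completed"
           b"&receiver_email=shop%40example.com&mc_gross=25.00&mc_currency=USD")
FORGED = GENUINE.replace(b"CONSTRUCTED123", b"FORGED999")
ORDER = {"receiver_email": "shop@example.com", "total": "25.00", "currency": "USD"}

def fake_paypal(url, body):
    # Stand-in for PayPal: it only vouches for messages it actually sent.
    return "VERIFIED" if body == PREFIX + GENUINE else "INVALID"

if __name__ == "__main__":
    seen = set()
    for name, msg in (("genuine", GENUINE), ("forged", FORGED), ("replay", GENUINE)):
        print(name, accept_ipn(msg, fake_paypal, ORDER, seen))
```

In production `post` would be an HTTPS client call with certificate verification enabled, since the `VERIFIED` reply is the only thing vouching for the message.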

aasarava’s picture

Thanks, longwave. Great to know that the IPN is checked for validity.

The one issue I'm still seeing is that if you serve your cart from https://, then uc_paypal will tell PayPal to return its IPN response to https://. In other words, it's not possible (without hacking the module) to serve your site over SSL/TLS but to request that IPN notifications are over plain http. Is that something that we should make configurable so that others who are concerned about PCI compliance can still use PayPal IPN?

longwave’s picture

If you use Secure Pages to control your https configuration, you should be able to configure it to serve the IPN callback page (uc_paypal/ipn) over http, even if your cart/checkout is https.

aasarava’s picture

I've tried to use Secure Pages to force uc_paypal/ipn to use http, but it doesn't work because Secure Pages doesn't kick in until it's too late. Since PayPal tries to send its notification to https first, Apache rejects the connection due to PayPal's attempt to use weak ciphers. The request never makes it to Drupal, where Secure Pages can redirect to http.

I suspect that the URL in the NOTIFYURL parameter in uc_paypal_ec_submit_form_submit() needs to be built with http rather than automatically using the protocol at the time the function is called (which would be https on a secure site.)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.