Paypal recommends to use "ipnpb.paypal.com" instead of "paypal.com" when using HTTPS.
Could this be an option in the admin UI to be able to choose which endpoint to use?
"The ipnpb.paypal.com and ipnpb.sandbox.paypal.com endpoints only accept HTTPS connections. If you currently use www.paypal.com, you should move to ipnpb.paypal.com when you update your code to use HTTPS."
Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
To avoid any disruption of service, you must verify that your systems
are ready for this change by June 30, 2017