Hi,

Paypal recommends to use "ipnpb.paypal.com" instead of "paypal.com" when using HTTPS.

Could this be an option in the admin UI to be able to choose which endpoint to use?

From Paypal:

"The ipnpb.paypal.com and ipnpb.sandbox.paypal.com endpoints only accept HTTPS connections. If you currently use www.paypal.com, you should move to ipnpb.paypal.com when you update your code to use HTTPS."

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

To avoid any disruption of service, you must verify that your systems
are ready for this change by June 30, 2017

Comments

jukka792 created an issue. See original summary.

TR’s picture

Title: Paypal IPN address for HTTPS » New Paypal IPN address for HTTPS
Version: 7.x-3.10 » 8.x-4.x-dev
Category: Feature request » Task

Could you provide a direct link to the PayPal document please, so we can verify the complete URL for the new IPN server - all that text tells me is the domain.

Ubercart has always used HTTPS for IPN, so we have no need for a configurable URL to support non-HTTPS connections. We will just switch to the new URL. Marking this as a task to complete before PayPal turns off the old URL next year ...

Patches are welcome, if you'd like to help out.

TR’s picture

Status: Active » Postponed (maintainer needs more info)

Paypal recommends to use "ipnpb.paypal.com" instead of "paypal.com" when using HTTPS.

PayPal documentation still shows the old URLs, so before we change anything here I really need a link to change notice or whatever new documentation PayPal has showing that this is what we should do.

longwave’s picture

Some documentation about this is here: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetvie...

However, I think we can do nothing for now. PayPal "strongly recommends the use of ipnpb.paypal.com going forward" but it seems that www.paypal.com will still accept HTTPS IPNs for the foreseeable future.

TR’s picture

Yeah, I saw that, but it's not clear to me that "paypal-knowledge.com" and "paypal-techsupport.com" are legitimate PayPal-owned domains.

And what I consider to be the official site for developer documentation, developer.paypal.com, does NOT have that new URL anywhere - all the documentation and examples on developer.paypal.com has the same URL as we use.