Hi,

PayPal recommends using "ipnpb.paypal.com" instead of "paypal.com" when using HTTPS.

Could this be an option in the admin UI to be able to choose which endpoint to use?

From Paypal:

"The ipnpb.paypal.com and ipnpb.sandbox.paypal.com endpoints only accept HTTPS connections. If you currently use www.paypal.com, you should move to ipnpb.paypal.com when you update your code to use HTTPS."

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

To avoid any disruption of service, you must verify that your systems are ready for this change by June 30, 2017.


Comments

jukka792 created an issue. See original summary.

TR’s picture

Title: Paypal IPN address for HTTPS » New Paypal IPN address for HTTPS
Version: 7.x-3.10 » 8.x-4.x-dev
Category: Feature request » Task

Could you provide a direct link to the PayPal document please, so we can verify the complete URL for the new IPN server - all that text tells me is the domain.

Ubercart has always used HTTPS for IPN, so we have no need for a configurable URL to support non-HTTPS connections. We will just switch to the new URL. Marking this as a task to complete before PayPal turns off the old URL next year ...

Patches are welcome, if you'd like to help out.

TR’s picture

Status: Active » Postponed (maintainer needs more info)

PayPal recommends using "ipnpb.paypal.com" instead of "paypal.com" when using HTTPS.

PayPal documentation still shows the old URLs, so before we change anything here I really need a link to a change notice or whatever new documentation PayPal has showing that this is what we should do.

longwave’s picture

Some documentation about this is here: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetvie...

However, I think we can do nothing for now. PayPal "strongly recommends the use of ipnpb.paypal.com going forward" but it seems that www.paypal.com will still accept HTTPS IPNs for the foreseeable future.

TR’s picture

Yeah, I saw that, but it's not clear to me that "paypal-knowledge.com" and "paypal-techsupport.com" are legitimate PayPal-owned domains.

And what I consider to be the official site for developer documentation, developer.paypal.com, does NOT have that new URL anywhere - all the documentation and examples on developer.paypal.com have the same URL as we use.

sah62’s picture

Does this help? https://www.paypal-notice.com/en/IPN-Verification-Postback-to-HTTPS/

This looks like a legitimate PayPal-owned domain:

$ whois -h whois.markmonitor.com paypal-notice.com
Domain Name: paypal-notice.com
Registry Domain ID: 2002991382_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-12-09T04:00:05-0800
Creation Date: 2016-02-15T08:30:52-0800
Registrar Registration Expiration Date: 2019-02-15T08:30:52-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: PayPal Inc.
Registrant Street: 2211 North First Street,
Registrant City: San Jose
Registrant State/Province: CA
Registrant Postal Code: 95131
Registrant Country: US
Registrant Phone: +1.8882211161
Registrant Phone Ext:
Registrant Fax: +1.4025375774
Registrant Fax Ext:
Registrant Email: hostmaster@paypal.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: PayPal Inc.
Admin Street: 2211 North First Street,
Admin City: San Jose
Admin State/Province: CA
Admin Postal Code: 95131
Admin Country: US
Admin Phone: +1.8882211161
Admin Phone Ext:
Admin Fax: +1.4025375774
Admin Fax Ext:
Admin Email: hostmaster@paypal.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: PayPal Inc.
Tech Street: 2211 North First Street,
Tech City: San Jose
Tech State/Province: CA
Tech Postal Code: 95131
Tech Country: US
Tech Phone: +1.8882211161
Tech Phone Ext:
Tech Fax: +1.4025375774
Tech Fax Ext:
Tech Email: hostmaster@paypal.com
Name Server: ns2.p57.dynect.net
Name Server: pdns100.ultradns.com
Name Server: ns1.p57.dynect.net
Name Server: pdns100.ultradns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-12-21T15:25:39-0800 <<<

sah62’s picture

The PayPal developer documentation is now using ipnpb.paypal.com instead of www.paypal.com:

https://developer.paypal.com/docs/classic/ipn/ht_ipn/

https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNTesting/

If this ever becomes a real problem for anyone and no fix is provided, the code can be changed manually. Look at lines 72 and 75 in file uc_paypal.pages.inc. Change this:

  if (variable_get('uc_paypal_wpp_server', '') == 'https://api-3t.paypal.com/nvp') {
    $host = 'https://www.paypal.com/cgi-bin/webscr';
  }
  else {
    $host = variable_get('uc_paypal_wps_server', 'https://www.sandbox.paypal.com/cgi-bin/webscr');
  }

to this:

  if (variable_get('uc_paypal_wpp_server', '') == 'https://api-3t.paypal.com/nvp') {
    $host = 'https://ipnpb.paypal.com/cgi-bin/webscr';
  }
  else {
    $host = variable_get('uc_paypal_wps_server', 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr');
  }

7.x patch attached.

TR’s picture

Status: Postponed (maintainer needs more info) » Needs review
FileSize: 762 bytes

sah62’s picture

I've been running my D7 installation with the patch I shared in #7 for about one month. It's working just fine with no unintended side-effects.

Cayenne’s picture

Patch tested. Works on my fairly vanilla D8 site.

TR’s picture

OK, I've checked out the URL provided by @sah62 in #7 and confirmed that the official PayPal documentation now shows the new recommended URLs.

But to be perfectly clear, it also shows:

Valid Postback URLs (HTTPS):

Live:
    https://ipnpb.paypal.com/cgi-bin/webscr
    https://www.paypal.com/cgi-bin/webscr

Sandbox:
    https://ipnpb.sandbox.paypal.com/cgi-bin/webscr
    https://www.sandbox.paypal.com/cgi-bin/webscr

We currently use the second form of this URL, and going forward this will still be supported.

The change notice mentioned in the original post has been put off several times, and is now scheduled to go into effect in June 2018, more than a year after the original notice.

And specifically, the change is that the www... URLs for IPN postback will no longer accept HTTP as of that date. UBERCART HAS NEVER USED HTTP FOR IPN POSTBACKS. Therefore this is a change that does not affect us at all.

However, PayPal is now recommending, but not requiring, the ipnpb... URLs. So we should switch to that.

The reason this has remained open so long is that:
1) There was no official PayPal documentation showing the "new" URLs until recently.
2) The "new" URLs are not required, and the "old" URLs are not going away, so it would be irresponsible to change Ubercart without an actual patch that had been tested by actual PayPal users. That has now occurred, so now we can proceed with the change.

  • TR committed 101168a on 8.x-4.x
    Issue #2800003 by TR: New Paypal IPN address for HTTPS

  • TR committed cf3ed00 on 7.x-3.x
    Issue #2800003 by TR: New Paypal IPN address for HTTPS

TR’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

mar4ehk0’s picture

Hello, I found some errors.
After setting up Ubercart and WPS, the variable "uc_paypal_wps_server" stores the URL https://www.sandbox.paypal.com/cgi-bin/webscr for sandbox or https://www.paypal.com/cgi-bin/webscr for live, so this variable will not equal the new URL for IPN postback. And when PayPal no longer supports the old URL for postback, there will be an error. See the code:

  if (variable_get('uc_paypal_wpp_server', '') == 'https://api-3t.paypal.com/nvp') {
    $host = 'https://ipnpb.paypal.com/cgi-bin/webscr';
  }
  else {
    $host = variable_get('uc_paypal_wps_server', 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr');
  }

I suggest changing the code:

  if (variable_get('uc_paypal_wpp_server', '') == 'https://api-3t.paypal.com/nvp') {
    $host = 'https://ipnpb.paypal.com/cgi-bin/webscr';
  }
  else {
    if (variable_get('uc_paypal_wps_server') == 'https://www.paypal.com/cgi-bin/webscr') {
      $host = 'https://ipnpb.paypal.com/cgi-bin/webscr';
    }
    else {
      $host = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';
    }
  }

mar4ehk0’s picture

FileSize: 863 bytes

Created patch
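
An added example, not part of the thread and not Ubercart's code: one way to derive the IPN postback URL from the stored WPS setting, as the last comment proposes, while accepting only the four valid postback URLs quoted earlier in the thread. The function name example_ipn_postback_url() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not Ubercart code; the function name is hypothetical.

// Maps a configured PayPal WPS URL to the recommended IPN postback URL.
// Only the four "Valid Postback URLs (HTTPS)" quoted in this thread are
// accepted; anything else returns NULL so nothing is posted to an unknown host.
function example_ipn_postback_url($configured) {
  // Accepted host => recommended ipnpb host for the same environment.
  $hosts = array(
    'www.paypal.com' => 'ipnpb.paypal.com',
    'ipnpb.paypal.com' => 'ipnpb.paypal.com',
    'www.sandbox.paypal.com' => 'ipnpb.sandbox.paypal.com',
    'ipnpb.sandbox.paypal.com' => 'ipnpb.sandbox.paypal.com',
  );

  $parts = parse_url(trim((string) $configured));
  if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
    return NULL;
  }
  // Postbacks are HTTPS-only.
  if (strtolower($parts['scheme']) !== 'https') {
    return NULL;
  }
  // The valid URLs carry no userinfo, port, query or fragment.
  $extras = array_flip(array('user', 'pass', 'port', 'query', 'fragment'));
  if (array_intersect_key($parts, $extras)) {
    return NULL;
  }
  // Exact host and path match, never a prefix or substring test.
  $host = strtolower($parts['host']);
  if (!isset($hosts[$host]) || $parts['path'] !== '/cgi-bin/webscr') {
    return NULL;
  }
  return 'https://' . $hosts[$host] . '/cgi-bin/webscr';
}

// Constructed sample settings: live, sandbox, plain HTTP, look-alike host.
$samples = array(
  'https://www.paypal.com/cgi-bin/webscr',
  'https://www.sandbox.paypal.com/cgi-bin/webscr',
  'http://www.paypal.com/cgi-bin/webscr',
  'https://www.paypal.com.example.test/cgi-bin/webscr',
);
foreach ($samples as $url) {
  $result = example_ipn_postback_url($url);
  echo $url, ' => ', ($result === NULL ? 'rejected' : $result), PHP_EOL;
}
```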