With no changes on our side and perhaps related to POODLE/SSL3 our PayPal API call to PPIPNMessage::validate is now failing with.
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
The checkout and receipt of IPN is fine (and we have never supported SSL3 incoming), it's just failing when acknowledging the IPN (oddly PayPal doesn't try again, even though we have failed)
Running curl from the same server command line succeeds
$ curl -iv https://ipnpb.paypal.com/cgi-bin/webscr
* About to connect() to ipnpb.paypal.com port 443 (#0)
* Trying 173.0.88.8... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; businessCategory=Private Organization; serialNumber=3014267; C=US; postalCode=95131-2021; ST=California; L=San Jose; street=2211 N 1st St; O=PayPal, Inc.; OU=PayPal Production; CN=ipnpb.paypa
* start date: 2013-06-28 00:00:00 GMT
* expire date: 2015-08-02 23:59:59 GMT
* subjectAltName: ipnpb.paypal.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL CA
* SSL certificate verify ok.
> GET /cgi-bin/webscr HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: ipnpb.paypal.com
> Accept: */*
I did note that ssllabs.com shows 1 out of 4 IPs still supporting SSL3 on this endpoint.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…