Jump to content

CCV4/ PayPal 2016 merchant security upgrades / IPN Verification Postback to HTTPS


john mccoy

Recommended Posts

My customers site uses a customised version of CC4 but with the standard Paypal Gateway

Paypal now required the IPN verification to be updated to use HTTPS rather than HTTP as at present

In CC4 I can see that you could use admin to set the whole site to use SSL/ HTTPS, but I'm sure that would really slow the whole site down.

I can't see a way in CC4 to use the admin system to just set IPN verification to use HTTPS. Have I missed something?

I've looked at the code and it looks like the verification is in file modules\gateway\PayPal\call.inc.php

Has anyone managed to modify this gateway / file to work with the new 'HTTPS-only' PayPal sandbox IPN url ipnpb.sandbox.paypal.com  ?

more info here:

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1916&viewlocale=en_US

TIA

John

Link to comment
Share on other sites

I don't do PayPal, so I am no help with having tested anything.

Yes, you can set the CC4 site to SSL mode, but that isn't necessary. What is necessary is to get an SSL certificate installed for your site.

I am confident that CC4 will accept a HTTPS IPN request that does not actually involve CC4's SSL switch-over feature.

 

Link to comment
Share on other sites

Thanks fro your reply. An SSL cert is in place, and it looks like the cert is OK, unfortunately I think IPN needs sorting out because the site admin got an email from PayPal saying that IPN via HTTPS was an issue that needs to be corrected by 30/9/16

Extract from email from PayPal

>>

Step 2: Understand how these changes affect your integration. Here are the key areas requiring your attention.

  • If the chart shows “Yes”, you may require changes to be compatible with that security upgrade.
  • If you see a “No,” our data shows that you are already compliant or do not use that functionality.

There may be other changes you need to make, but please pay particular attention to the following areas:

Change

Do I need to make a change?

SSL Certificate Upgrade to SHA-256

No

TLS 1.2 and HTTP/1.1 Upgrade

No

IPN Verification Postback to HTTPS

Yes

IP Address Update for PayPal Secure FTP Servers

No

Merchant API Certificate Credential Upgrade

No

Discontinue Use of GET Method for Classic NVP/SOAP APIs

No

>>

Link to comment
Share on other sites

Let's try this. In the file /modules/gateway/PayPal/transfer.inc.php:

Find:

$hiddenVars .= "<input type='hidden' name='upload' value='1' />
  <input type='hidden' name='notify_url' value='".$GLOBALS['storeURL']."/index.php?_g=rm&amp;type=gateway&amp;cmd=call&amp;module=PayPal' />
  <input type='hidden' name='return' value='".$GLOBALS['storeURL']."/index.php?_g=rm&amp;type=gateway&amp;cmd=process&amp;module=PayPal&amp;cart_order_id=".$orderSum['cart_order_id']."' />
  <input type='hidden' NAME='cancel_return' value='".$GLOBALS['storeURL']."/index.php?_g=rm&amp;type=gateway&amp;cmd=process&amp;module=PayPal&amp;cart_order_id=".$orderSum['cart_order_id']."&amp;c=1' />";

Replace every instance of:
$GLOBALS['storeURL']
with:
$config['storeURL_SSL']

These are the URLs that the CubeCart gateway module is telling the payment processor how to contact CubeCart with the payment notification.

If CC4 was running under SSL anyway, then $GLOBALS['storeURL'] would have the HTTPS Absolute URL as specified in admin, Store Settings, Directories and Folders section.

But if not, then by using the HTTPS Absolute URL absolutely, it won't matter (hopefully) that Cubecart hadn't enabled its SSL feature.

Link to comment
Share on other sites

  • 3 weeks later...

Hi I receiving email from paypal,  PayPal Instant Payment Notification Warning

Please check your server that handles PayPal Instant Payment Notifications (IPN). Instant Payment Notifications sent to the following URL(s) are failing:

http://www.noshahitech.co.uk/index.php?_g=rm&type=gateway&cmd=call&module=PayPal

If you do not recognize this URL, you may be using a service provider that is using IPN on your behalf. Please contact your service provider with the above information. If this problem continues, IPNs may be disabled for your account.
 can you tel me where and how to sort out

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...