Disabling SSL3 in Apache prevents PayPal IPN Callback


diablotf

We've recently disabled SSL3 on our servers due to the POODLE vulnerability by adding the following:

SSLProtocol All -SSLv2 -SSLv3

SSLHonorCipherOrder on

to: /usr/local/apache/conf/includes/pre_virtualhost_global.conf

Using WHMCS version: 5.3.10

Almost immediately PayPal is no longer able to send IPN data. There is no entry in the Gateway Log; it's like nothing is being received by WHMCS at all. When the changes are reverted the problem goes away.

I've also found other people having the same issue:

http://stackoverflow.com/questions/26378351/error1408f10bssl-routinesssl3-get-recordwrong-version-number-paypal-maybe

http://forum.whmcs.com/showthread.php?94371-paypal-turning-off-sslv3-support-due-to-POODLE

Hello,

There are two types of connections that need to be addressed here:

A) WHMCS -> PayPal server

B) PayPal IPN -> WHMCS server

The Stack Overflow link only discusses connections from your client to PayPal's server (A). Changing your Apache configuration only affects (B).

Our code handles (A), PayPal's code handles (B). I checked our code after the POODLE issue was released and PayPal made this blog post:

https://www.paypal-community.com/t5/PayPal-Forward/PayPal-Response-to-SSL-3-0-Vulnerability-aka-POODLE/ba-p/891829

Our code has libcurl auto-negotiate the most secure protocol / cipher that the remote server can handle. PayPal removing support for SSLv3 on their API servers will not cause any trouble for our existing code base. If PayPal's IPN system can't connect to your server with your specific SSL configuration, that really is something you need to talk to PayPal about.

If you have spoken with PayPal's Merchant Services and they are not able to help you, we can try contacting them as well and see if we can get your issue escalated, but that really requires you having specific communication with PayPal already.

Because the behavior which is not what we want is happening in someone else's system we have no control over, I do not consider this a defect in the software.

Have a great day,

Nate C
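
An added example, not WHMCS or PayPal code: for direction (B), a TLS handshake that fails ends before any HTTP request exists, so the application has nothing to log. This Python sketch evaluates the `SSLProtocol` line from the first post and compares it with the version field of a captured ClientHello; the capture bytes are constructed, and the expansion of `All` is an assumption about a 2014-era mod_ssl build.

```python
import struct

# mod_ssl protocol names keyed by wire version, oldest first.
WIRE = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Assumption: what "All" expands to on a 2014-era build.
ALL = set(WIRE.values())

def enabled_protocols(directive):
    """Evaluate an SSLProtocol line left to right as +/- set operations."""
    enabled = set()
    for token in directive.split()[1:]:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare name replaces what came before
    return enabled & ALL  # drops SSLv2 and unknown names

def offered_version(record):
    """Highest version a captured ClientHello offers, or None if not one."""
    # Bytes 0-4 record header, 5-8 handshake header, 9-10 client_version.
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        return None
    (version,) = struct.unpack_from("!H", record, 9)
    return WIRE.get(version)  # TLS 1.3 clients also send 0x0303 here

def handshake_possible(directive, record):
    """True if the server config shares a version at or below the offer."""
    offered = offered_version(record)
    if offered is None:
        return False
    order = list(WIRE.values())
    usable = set(order[: order.index(offered) + 1])
    return bool(enabled_protocols(directive) & usable)

def sample_hello(version):
    """Constructed, truncated ClientHello: headers, version and random only."""
    body = struct.pack("!H", version) + bytes(32)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    conf = "SSLProtocol All -SSLv2 -SSLv3"  # from the first post
    for v in WIRE:
        print(WIRE[v], handshake_possible(conf, sample_hello(v)))
```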
