
I have a web app that utilizes PayPal's IPN. On October 15th PayPal made some modifications because of the Poodle security flaw: Venture Beat: paypal-says-its-poodle-security-flaw-fix-may-break-the-service-for-some-users-merchants

At this point my calls to https://www.paypal.com/cgi-bin/webscr started returning SSL3_READ_BYTES:sslv3 alert handshake failure

There seem to be fixes out there for PHP: PHP Fix

I am looking for a solution to fix this for Indy. My code below:

IdSSLIOHandlerSocket1 := TIdSSLIOHandlerSocketOpenSSL.create(nil);
try
  with IdSSLIOHandlerSocket1 do begin
    SSLOptions.Method := sslvSSLv3;   // forces SSL 3.0 for the handshake
    SSLOptions.Mode :=  sslmUnassigned;
    SSLOptions.VerifyMode := [];      // no peer certificate verification
    SSLOptions.VerifyDepth := 2;
  end;
  IdHTTP1 := TIdHTTP.create(nil);
  with IdHTTP1 do begin
    IOHandler := IdSSLIOHandlerSocket1;
    ReadTimeout := 0;
    AllowCookies := True;
    ProxyParams.BasicAuthentication := False;
    ProxyParams.ProxyPort := 0;
    Request.ContentLength := -1;
    Request.ContentRangeEnd := 0;
    Request.ContentRangeStart := 0;
    Request.ContentType := 'text/html';
    Request.Accept := 'text/html, */*';
    Request.BasicAuthentication := False;
    Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
    HTTPOptions := [hoForceEncodeParams];
  end;
  ss := TStringList.Create;
  ss.Add('cmd=_notify-validate');
  // echo every IPN parameter back to PayPal for validation
  for i:= 0 to ARequestInfo.Params.count -1 do begin
    ss.Add(ARequestInfo.Params[i]);
  end;

  mPayPalServer := 'https://www.paypal.com/cgi-bin/webscr';
  mResult := HTTPDecode(IdHTTP1.Post(mPayPalServer, ss));
finally
  ss.Free;
  IdHTTP1.Free;
  IdSSLIOHandlerSocket1.Free;
end;

I have tried replacing the SSLOptions.Method with:

SSLOptions.Method := sslvTLSv1;

But this still does not work.

    [ssl v3 poodle and move to tls with indy](http://stackoverflow.com/questions/26469274/ssl-v3-poodle-and-move-to-tls-with-indy) – bummi Nov 01 '14 at 19:51

1 Answer

Your code explicitly configures the SSL handler to use SSL 3 with this line:

SSLOptions.Method := sslvSSLv3;

From https://stackoverflow.com/a/26513369/80901:

PayPal disabled SSLv3 in response to the "POODLE" vulnerability. Read about it here: PayPal Response, so your Indy client will not be able to connect.

To connect, check which newer protocols are supported (TLS 1.0, 1.1 or 1.2) and configure the SSL handler to use this protocol.

For example to use TLS specify the allowed TLS versions:

SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
  • From the question: "I have tried replacing the SSLOptions.Method with: `SSLOptions.Method := sslvTLSv1;` But this still does not work." Is your answer attempting to suggest that TLSv1 is still the wrong protocol to use? If so, that doesn't come across from your answer at all. If not, what *is* it you're trying to say? –  Nov 02 '14 at 10:45
  • @hvd I suggest to try TLS (1.2) and then check which error message you get, update your question, and see if somebody can answer why it does not work. The current code and error message definitely is caused by SSL v3 being blocked on the server side. – mjn Nov 02 '14 at 10:52
  • That's something you might include in your answer for the benefit of the OP. (To be clear, I'm not the one who asked the question.) –  Nov 02 '14 at 11:37
  • The `SSLOptions.Method` property is deprecated, you should use the `SSLOptions.SSLVersions` property instead: `SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];` – Remy Lebeau Nov 02 '14 at 15:54
  • @RemyLebeau - Ok, will try this... Version of my Indy does not have sslvTLSv1_2; only [sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1]. Will look for update. – M Schenkel Nov 03 '14 at 13:30