paypalfunctions.asp and expresscheckout.asp files

I'm hoping to find help, and if not help then a developer for hire who is proficient in Classic ASP and PayPal and can help me resolve this.

We have a Windows 2008 R2 Server running Classic ASP. We have been sandbox testing development for over a year now and recently all PayPal Express Checkout "posts" seem to have stopped and now when you click the buttons to take you to expresscheckout the screen goes blank. White. Returns absolutely nothing.

So this would mean that either PayPal seems to have stopped or changed the way it's working with WinHTTP.WinHTTPRequest.5.1 or our server has somehow updated itself?

PayPal is using WinHTTPRequest.5.1 in Classic ASP for sending NVPs with its Express Checkout.

We are using Classic ASP with IPN notification with API Signature.

When `On Error Resume Next` is removed in paypalfunctions.asp I get the following error:

```
500 Error - Description: An error occurred in the secure channel support.
Error Code: 80072f7d. Line: 176
```

Adding `objHTTP.Option(9) = 128` to the WinHTTP Request and `response.write(nvpStrComplete)` returns

```
METHOD=SetExpressCheckout&VERSION=93&USER=sdk%2Dthree%5Fapi1%2Esdk%2Ecom&PWD=QFZ
CWN5HZM8VBG7Q&SIGNATURE=A%2DIzJhZZjhg29XQ2qnhapuwxIDzyAZQ92FRP5dqBzVesOkzbdUONzm
OU&L%5FPAYMENTREQUEST%5F0%5FNAME0=My Order&L%5FPAYMENTREQUEST%5F0%5FDESC0=My 
Item&L%5FPAYMENTREQUEST%5F0%5FAMT0=4&L%5FPAYMENTREQUEST%5F0%5FNAME1=Handling 
Fee&L%5FPAYMENTREQUEST%5F0%5FAMT1=0%2E42&PAYMENTREQUEST%5F0%5FPAYMENTACTION=Sale
&PAYMENTREQUEST%5F0%5FCURRENCYCODE=USD&PAYMENTREQUEST%5F0%5FAMT=4%2E42&RETURNURL
=http%3A%2F%2Fwww%mysite%2Ecom%2F%23paymentcomplete&CANCELURL=http%3A%2F%2Fwww%2
Emysite%2Ecom%2F%23paymentcancel&ALLOWNOTE=0&BUTTONSOURCE=PP%2DECWizard
```

This looks ok to me?

Does anyone know how I can work around WinHTTP.WinHTTPRequest.5.1 using the paypalfunctions.asp standard output Wizard Integration code?

Or if not and this is no longer an option can recommend a professional and competent Classic ASP / PayPal developer so he/she can work/revise with our existing code?

user692942
Steve
  • 1
    What is the actual question? Are you positive that `WinHTTP.WinHTTPRequest.5.1` is no longer supported? Do you get an error? Can you show a snippet of the HTTP request code you are using *(without usernames and passwords)*? So far you're not telling us very much, it's hard to gauge what you expect us to do. – user692942 Mar 01 '16 at 11:17
  • Hi Lankymart. Yes I'm pretty sure it's WinHTTP.WinHTTPRequest.5.1. It seems that it works in the production environment (at least for now), but it is no longer supported in Sandbox. – Steve Mar 01 '16 at 11:21
  • I doubt very much that `WinHTTP.WinHTTPRequest.5.1` is not supported after all it's just making a HTTP request, it's likely the HTTP request has changed are you looking at the new docs? - [PayPal Name-Value Pair API Basics](https://developer.paypal.com/docs/classic/api/NVPAPIOverview/). **It's hard to guess though without seeing some of the code.** – user692942 Mar 01 '16 at 11:21
  • ASP pages don't expose their source code when called from a URL because the code is processed on the server before it reaches the client, those links don't help. Do you get a specific error? Can you elaborate on *"seems to have stopped"*? How do you know this, what led you to that conclusion? – user692942 Mar 01 '16 at 11:37
  • Sorry Lankymart. I have included the source files as a WinZip now so they can be downloaded. I.e. if there is a problem with the way in which the name pairing is being done it could be seen? – Steve Mar 01 '16 at 11:42
  • When I disable On Error Next the specific error is this. "500 Error - Description: An error occurred in the secure channel support. Error Code: 80072f7d. Line: 176" ....which is where `objHttp.Send nvpStrComplete` executes the WinHTTPRequest – Steve Mar 01 '16 at 11:42
  • Is it a good idea posting your complete ASP source on the web, does it include merchant ids and security information for your paypal account?, when I said post the source I meant an extract using the code formatting tools available to you when editing the question. – user692942 Mar 01 '16 at 11:45
  • The code does not include merchant ids. It includes the standard PayPal test ids not ours. – Steve Mar 01 '16 at 11:48
  • To be honest didn't download the files, you would still be best just inserting snippets of the code into your question. – user692942 Mar 01 '16 at 11:49
  • I must admit Lankymart I don't understand why you down vote a question that informs of a problem and asks if anyone knows or has experience with it or if they can recommend a competent developer who can address it. – Steve Mar 01 '16 at 11:50
  • No problem you don't download the files, but when you ask for a code "snippet" it's a bit difficult based upon the structure of the PayPal files to know precisely which snippet is of interest/ where the problem lies. It seems it is in the use of the WinHTTP protocol but as I understand you don't believe this to be the case? – Steve Mar 01 '16 at 11:52
  • I've down-voted your question? Six people have viewed this question, I just took the time to interact with you, but no more. – user692942 Mar 01 '16 at 11:52
  • Surely you would start with the `WinHTTP.WinHTTPRequest.5.1` call and go from there?? – user692942 Mar 01 '16 at 11:53
  • Why it seems it is the 5.1 protocol: http://stackoverflow.com/questions/35089900/winhttp-winhttprequest-5-1-does-not-work-with-paypal-sandbox-after-tls-1-2/35276645 – Steve Mar 01 '16 at 11:54
  • I did start with the WinHTTP protocol Lankymart. But after several hours of getting nowhere and trying to see if Server.CreateObject ("Msxml2.ServerXMLHTTP.6.0") would be a solution I can't seem to make any progress. That's why I posted the question. – Steve Mar 01 '16 at 11:58
  • No, wrong again, the issue there is TLS 1.2 not the WinHTTPRequest object. Here's another one, maybe it's not the TLS 1.2, maybe it's this http://stackoverflow.com/q/14691204/692942. My point is your question isn't clear enough and far too broad to expect any meaningful help. – user692942 Mar 01 '16 at 11:58
  • By the way....sorry man. I thought you down voted the question. I'm just tired. Been at this for hours now. Too much coffee. Not enough sleep. You know how it is. No excuse from my side though. – Steve Mar 01 '16 at 11:59
  • That's fine but never a good idea to attack those trying to help you. Have you tried contacting PayPal Support, maybe they can shed some light on the issue? – user692942 Mar 01 '16 at 12:00
  • It does however look like your issue is likely related to the TLS 1.2 problem - Looking up the error code in relation to `WinHTTP` yields this - See [An error occurred in the secure channel support - Classic ASP HTTP Request](http://stackoverflow.com/q/21354992/692942). – user692942 Mar 01 '16 at 12:02
  • But this is exactly my point in the original question Lankymart. Does anyone know or have experience or seen this and why it's happening? I can't be more specific because I don't know which is also why I put out the call for a skilled developer who could maybe root out the problem. The link to the stackoverflow from you seems to be old one (3 years ago) and a problem that's been resolved. The link I posted was from a couple of weeks back which seems to be the same problem we are experiencing. – Steve Mar 01 '16 at 12:03
  • Oh man...PayPal support is as useful as rearranging furniture on the Titanic ;) I asked for some help and they sent me PHP files?!?!? – Steve Mar 01 '16 at 12:04
  • You could try `.Option(9) = 2720` on your `WinHTTP.WinHTTPRequest.5.1` object, have seen this before used to set [secure protocols](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx) used by the object. This might also be helpful - [WinHttp errors on option 9 / Win2008 / Classic ASP](http://stackoverflow.com/q/31886775/692942) – user692942 Mar 01 '16 at 12:07
  • Steve, while I get your point, the question is still fundamentally too broad, you can do something about this. What OS are you running *(Windows 7, Windows Server...what versions??)* and what version of IIS? Is it 64 bit or 32 bit? And include a "snippet" of your source code, ideally the part where the error occurs. – user692942 Mar 01 '16 at 12:12
  • Also might be useful - [ServerXMLHTTP.6.0 || WinHttpRequest connecting to TLS 1.2 server](http://forums.iis.net/t/1220682.aspx?ServerXMLHTTP+6+0+WinHttpRequest+connecting+to+TLS+1+2+server) – user692942 Mar 01 '16 at 12:17
  • You are of course right here Lankymart. You know when you get so bogged down in a problem...you forget the basics. I'll update the question. – Steve Mar 01 '16 at 12:17
  • Probably explains why sandbox doesn't work but production still does - https://www.paypal.com/uk/webapps/mpp/ssl-security-update – user692942 Mar 01 '16 at 12:25
  • Thanks for the input here Lankymart. When using objHTTP.Option(9) = 2720 I get a 500 error Description "Invalid procedure call or argument: 'objHttp.Option'" Error Code: 800a0005 – Steve Mar 01 '16 at 12:32
  • It entirely depends on what OS you're using as to what option flags can be set, that particular one might not exist in your version of the `winhttp.dll` or you might need a hotfix to update it. – user692942 Mar 01 '16 at 12:33
  • Here's a [good example that has the flags defined](http://stackoverflow.com/a/29136119/692942), the `128` you are setting is TLS 1 which hopefully should be working for you. If you want to use TLS 1.2 you could try `2048` *(but might depend on how up to date `winhttp.dll` is or what OS it is running on)*. – user692942 Mar 01 '16 at 12:42
  • Hi Lankymart. Listen man you've been amazing here. Really. The real problem here I think on top of everything else is that I'm not a server expert by any means (Photoshop / CSS / web design). This stuff is a whole other level for me and it seems no matter what I do I just can't progress. I only get 500 errors no matter what I do so I don't even know if there's any progress with the problem. I think I have to pay for professional help because I'm not capable of resolving this issue. :( – Steve Mar 01 '16 at 13:37
  • Ok, it's unclear from your question and the comments...but I thought you tried `objHTTP.Option(9) = 128` and it worked? – user692942 Mar 01 '16 at 13:40
  • Option(9) = 128 simply returns the blank white screen. No content. No html response. It appears precisely the same as when On Error Next is enabled. – Steve Mar 01 '16 at 14:03
  • Sorry Steve I'm lost now in the question you said that the response is coming back as you expected or am I misinterpreting what you wrote? – user692942 Mar 01 '16 at 14:06
  • It seems that Option(9) = 128 means that there is now no "Invalid procedure call or argument: 'winhttp.Option'" error. But "the response has no payload data" so a blank page loads on expresscheckout.asp. – Steve Mar 01 '16 at 14:12
  • It's most probably my fault Lankyman if I haven't been clear. No there are no results coming back at all. No response. Just a blank page loading on expresscheckout with no html response in it at all. The Option(9) = 128 seems to get past the error 500 issue. Now with all the On Error Resume Next commented out just to see if it's another 500 error in the code (which it shouldn't as I say it was working for months) nothing loads. No response. – Steve Mar 01 '16 at 14:16

1 Answer

Just to summarise the comments.

The error points to an issue with the secure channel which often is related to the wrong protocol being used to call the endpoint.

This does not mean that the WinHTTP.WinHTTPRequest.5.1 doesn't work it just means the wrong protocol is being used to make the HTTP request.

Due to the POODLE internet security vulnerability in SSL 3.0 PayPal informed their users that support for SSL 3.0 would be disabled starting with the SandBox.

Quote from PayPal - Required security update

> **How is PayPal responding?**
>
> PayPal will completely disable SSL 3.0 support in a timeframe to be announced via PayPal Notify; however, based on security monitoring, we may need to move quickly to protect our customers so time is of the essence in making changes. Unfortunately, we realize shutting off SSL 3.0 may cause compatibility problems for a few of our customers resulting in the inability to pay with PayPal on some merchant sites or other processing issues that we are still identifying. To enable your assessment and potential remediation, we’ve put together this Merchant Response Guide to ensure your integration is secure from this vulnerability.

The workaround is to use TLS which should allow you to connect to the endpoint without a problem.

You can do this using the WINHTTP_OPTION_SECURITY_FLAGS with the Option property of the WinHttp.WinHTTPRequest.5.1 object.

```vbscript
'The WINHTTP_OPTION_SECURITY_FLAGS option
Const WinHttpRequestOption_SecureProtocols = 9

'Valid WINHTTP_OPTION_SECURITY_FLAGS option flags
Const SecureProtocol_SSL2   = 8       'SSL 2.0
Const SecureProtocol_SSL3   = 32      'SSL 3.0
Const SecureProtocol_TLS1   = 128     'TLS 1.0
Const SecureProtocol_TLS1_1 = 512     'TLS 1.1
Const SecureProtocol_TLS1_2 = 2048    'TLS 1.2
```

You can then modify your WinHttp object (assuming the object is called `winhttp`) like so to switch the secure protocol:

```vbscript
winhttp.Option(WinHttpRequestOption_SecureProtocols) = SecureProtocol_TLS1_2
```

Note: Some versions of Windows Server do not support the `SecureProtocol_TLS1_2` flag or may require a hotfix. It really depends on what version of `winhttp.dll` is installed on the system.


Useful Links

Community
user692942
  • 2
    OK...as far as I can tell...winhttp.dll in Windows 2008 R2 does not contain the protocols for TLS 1.1 or TLS 1.2. It seems PayPal force the use of TLS 1.2 for sandbox meaning that even when TLS protocols are set up in the registry that Windows 2008 R2 does not recognise them. Ref also this with posts also from about 2 weeks ago showing no solution: http://forums.iis.net/t/1229018.aspx?winhttp+dll+on+windows+2008+r2+x64 – Steve Mar 01 '16 at 15:21
  • So in other words....if you're not running a minimum of Windows Server 2012 you now can't run PayPal sandbox? Isn't this a bit extreme as there's no way to update the winhttp.dll in Windows 2008 R2 to one that contains the protocols? – Steve Mar 01 '16 at 15:24
  • @Steve I actually thought Windows Server 2008 does support them, [this guy managed to find a hot-fix for Windows Server 2003](http://stackoverflow.com/a/29140418/692942) maybe there is one for 2008 as well? – user692942 Mar 01 '16 at 15:32
  • @Steve Not ideal but might be worth a look - [How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll](https://support.microsoft.com/en-us/kb/245030). It looks doable just not straight-forward, the other option is to upgrade to Windows Server 2012. You might find that less painful in the long run. – user692942 Mar 01 '16 at 15:40
  • @Steve Looking at some of these Microsoft Support links like this one - [SHA512 is disabled in Windows when you use TLS 1.2](https://support.microsoft.com/en-us/kb/2973337) suggest that fixes are in place in updates provided via Windows Update. You might find just making sure the Windows Server 2008 R2 is fully patched sorts this problem if not a quick call to Microsoft might be the way to go. – user692942 Mar 01 '16 at 15:42
  • My friend. I'm exhausted. – Steve Mar 01 '16 at 16:13
  • All latest updates in place Lankymart. I think this is actually a massive problem for a lot of sites if they're testing Sandbox on servers below Windows 2012. I can't do anything more. My boss isn't upgrading the server to 2012 and I can't solve this. There's no 2008 update like there is for 2003 so again my friend. One day later. Still stuck and no solution. I don't think this one can be. But thanks for all the help. All the input and all the advice. You're a top man Lanky! – Steve Mar 01 '16 at 17:38
  • 2
    You better tell your boss to not be so stubborn or you're going to be in a world of hurt come June when PayPal flips the switch on the live servers. – Drew Angell Mar 02 '16 at 00:41
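
Added example, not part of the original thread or of PayPal's wizard code: a stand-alone VBScript probe that tries each `Option(9)` flag listed in the answer and reports whether the local `winhttp.dll` rejects the flag itself (the 800a0005 error from the comments) or the request fails later (the 80072f7d error from the question). `TARGET_URL` is a placeholder to replace with your own endpoint, and `Probe` and `Describe` are hypothetical helper names.

```vbscript
' Added diagnostic example; run with: cscript //nologo probe.vbs
Option Explicit

Const WinHttpRequestOption_SecureProtocols = 9
' Placeholder: replace with the HTTPS endpoint your integration posts to.
Const TARGET_URL = "https://endpoint.example.invalid/nvp"

Dim names, flags, i
names = Array("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
flags = Array(8, 32, 128, 512, 2048)

For i = 0 To UBound(flags)
    WScript.Echo names(i) & " (" & flags(i) & "): " & Probe(flags(i))
Next
' Option(9) is a bitmask: 2720 = 32 + 128 + 512 + 2048, so it also turns on SSL 3.0.
WScript.Echo "2720 enables: " & Describe(2720)
WScript.Echo "2560 enables: " & Describe(512 + 2048)

' Try a single protocol flag and report at which step it fails.
Function Probe(flag)
    Dim http, result
    Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
    On Error Resume Next
    http.Option(WinHttpRequestOption_SecureProtocols) = flag
    If Err.Number <> 0 Then
        result = "flag rejected by this winhttp.dll (0x" & Hex(Err.Number) & ")"
    Else
        http.Open "GET", TARGET_URL, False
        http.Send
        If Err.Number <> 0 Then
            result = "request failed (0x" & Hex(Err.Number) & "): " & Err.Description
        Else
            result = "connected, HTTP " & http.Status
        End If
    End If
    On Error GoTo 0   ' also clears Err before returning
    Probe = result
End Function

' List the protocols a combined Option(9) value switches on.
Function Describe(mask)
    Dim j, out
    For j = 0 To UBound(flags)
        If (mask And flags(j)) <> 0 Then out = out & names(j) & "; "
    Next
    Describe = out
End Function
```

A flag that is rejected outright points at the installed `winhttp.dll`, while a flag that is accepted but fails on `Send` suggests the endpoint no longer accepts that protocol.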