IPN: Why not connect over ssl?

PeterP - April 30, 2009 - 22:51
Project:lm_paypal
Version:6.x-1.0
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:postponed (maintainer needs more info)
Description

Hi,
I'm running 4.7 on one site and had some issues with fsockopen and the donation module. While debugging I came across $fp = fsockopen($_lm_paypal_host, 80, $errno, $errstr, LM_PAYPAL_VALIDATE_TIMEOUT); and really wondered that it was connecting without encryption. Looked it up in 6.x-1.0, same here; in 6.x-2.0-alpha1 it's done via drupal_http_request. Don't know too much about IPN, but it looks like it's sending sensitive information with it.
Looked it up on paypal and they recommend $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/ipn-codesamples-pop-outsi...
Why is the ssl connection not being used? What am I getting wrong? Don't feel too good about running it without encryption on my side at the moment.

#1

pounard - May 3, 2009 - 23:05

It seems that default behavior is SSL.

Let me explain: drupal_http_request() uses SSL if the given URL begins with "https://", and in our case we always have HTTPS, it's hard-coded somewhere in the code.

Did you check that the HTTP request is actually not HTTPS (with the 6--2 version)?

#2

pounard - May 3, 2009 - 23:23

Oh sorry, I was talking about 6--2 version! Did not see your bug report was for 6--1 version.

#3

jdubbwya - May 3, 2009 - 23:52

If you want to manage an HTTP request with SSL I believe the best way is to use the php extension CURL. Check to see if it is installed with the server you are using, or talk to your site administrator to install it. I was of the understanding that the standard fsockopen doesn't do the SSL handshake for you automatically. I have always had to use CURL in the past.

#4

PeterP - May 4, 2009 - 08:37

Hi,
ok thanks for the info about drupal_http_request(). But it looks like in all other versions (4.7, 5.x, 6.x-1.0) it connects with fsockopen($_lm_paypal_host, 80, $errno, $errstr, LM_PAYPAL_VALIDATE_TIMEOUT); I don't see how drupal or php could (should) turn that into an ssl connection, or to put it another way, why should it if we can directly connect over ssl. So, back to my question, why is that line not being replaced by fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); as recommended on paypal? I don't see how that is not a security issue or why it shouldn't be replaced.

#5

pounard - May 4, 2009 - 09:19
Assigned to:Anonymous» lyricnz

I assign this bug to the older versions dev.

#6

lyricnz - May 4, 2009 - 09:45
Assigned to:lyricnz» Anonymous
Status:active» postponed (maintainer needs more info)

Ha pounard! Are you getting back at me for that comment in another issue?

I'm not inclined to change the existing behaviour of the module, out of concern for breaking existing working installations (firewalls, fake-paypal backends, ssl-certificate mismatches, etc). If someone wants to submit a patch that adds a checkbox to the configuration screen that enables SSL (and this defaults to OFF), then I'll review it.

#7

vitis - August 27, 2009 - 15:31

subscribing

#8

DanielTheViking - September 4, 2009 - 00:00

#2: So the upcoming 2.x release does SSL only if the site or the current URL is HTTPS, and if not, will connect insecurely as version 1.0 is doing now??

#9

lyricnz - September 4, 2009 - 15:02

There's really no big deal about SSL, and it's not "insecure":

1) this module is NOT involved in accepting credit-card details from the user at all, this is done on paypal.com

2) paypal sends a HTTP request back to the drupal site, using plain HTTP, containing an XML document. There's no credit-card information in this request (the IPN - Incoming Payment Notification)

3) the drupal site sends the request back to paypal, to verify that the IPN was valid, and not spoofed (IPN validation)

So the only thing we're talking about here, and have control over, is #3. Since #2 was just sent to us, and the content in #3 is the same data.

In any case, in 2.x, if you put a hostname in /admin/settings/lm_paypal/settings, it will use HTTPS/SSL: 'https://'.$hostname.'/cgi-bin/webscr'. If you put a full URL, it'll use that instead.
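The IPN validation postback (step 3 in #9) done over SSL, the way PayPal's sample in the original report suggests. This is an added example, not lm_paypal's own code: the host www.paypal.com, port 443, path /cgi-bin/webscr and the 30 second timeout come from the thread; the _notify-validate command and the VERIFIED/INVALID reply are PayPal's documented IPN behaviour, and the function name and return format are assumed.

```php
<?php
// Added example: echo a received IPN back to PayPal for validation over
// TLS instead of plain port 80. Not lm_paypal code; names are assumed.
function lm_paypal_example_validate_ipn(array $ipn, $host = 'www.paypal.com', $timeout = 30) {
  // PayPal expects the original POST fields back, prefixed with cmd=_notify-validate.
  $payload = 'cmd=_notify-validate';
  foreach ($ipn as $key => $value) {
    $payload .= '&' . urlencode($key) . '=' . urlencode($value);
  }

  // The 6.x-1.0 line under discussion is the cleartext variant:
  //   fsockopen($host, 80, $errno, $errstr, $timeout);
  // With the ssl:// transport on 443, fsockopen performs the TLS handshake
  // itself (and on PHP 5.6+ verifies the peer certificate by default).
  $fp = @fsockopen('ssl://' . $host, 443, $errno, $errstr, $timeout);
  if ($fp === FALSE) {
    // Treat a failed connection as "not validated", never as success.
    return array('status' => 'ERROR', 'detail' => "$errno: $errstr");
  }

  $request  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
  $request .= "Host: $host\r\n";
  $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
  $request .= 'Content-Length: ' . strlen($payload) . "\r\n";
  $request .= "Connection: close\r\n\r\n";
  $request .= $payload;
  fwrite($fp, $request);

  // Skip the response headers; the body is PayPal's one-word verdict.
  $body = '';
  $in_headers = TRUE;
  while (!feof($fp)) {
    $line = fgets($fp, 1024);
    if ($in_headers) {
      if (trim($line) === '') {
        $in_headers = FALSE;
      }
      continue;
    }
    $body .= $line;
  }
  fclose($fp);

  // Only an exact VERIFIED means the IPN came from PayPal; INVALID or any
  // other body (error page, truncated reply) must not release the order.
  $verdict = trim($body);
  $status = ($verdict === 'VERIFIED') ? 'VERIFIED' : (($verdict === 'INVALID') ? 'INVALID' : 'ERROR');
  return array('status' => $status, 'detail' => $verdict);
}
```

Call it with the raw $_POST array of the incoming IPN; a caller should log the 'detail' field when 'status' is ERROR so certificate or firewall problems (the breakage #6 worries about) show up in the watchdog rather than silently failing validation.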
