[BlueOnyx:21937] Re: Paypal test fails HTTP 1.1

Michael Stauber mstauber at blueonyx.it
Wed Apr 11 11:57:30 -05 2018


Hi Robert,

> One of my customers received a notice from Paypal that their server
> needs to be upgraded to support TLS 1.2 and HTTP 1.1. They have a test
> URL to use from the server. I didn't know how to use from the server
> except the text browser lynx and received this result:
> 
> lynx https://tlstest.paypal.com
> ERROR! Connection is using HTTP1.0 protocol. Please use HTTP1.1
> 
> Does something need to be done?

The thing here is that you're making an *outgoing* connection to a
Paypal URL. For incoming HTTP and HTTPS connections we're fully
supporting HTTP/1.1 and TLSv1.2. Once the Nginx-Update for BlueOnyx
5209R is out, we're even supporting HTTP/2 HTTPS connections. Which is
as good as it gets.

Now for outgoing connections from your server to somewhere else (such as
Paypal) the type of connection, protocols and ciphers used depend on
what tool you are using to make the connection.

In your example you use "lynx", which is a shell based browser. It can
do HTTP and HTTPS, even supports TLSv1.2, but (as far as I know) it uses
HTTP/1.0 instead of HTTP/1.1 by default. I checked the manpage of Lynx
and I don't see a switch that allows us to force HTTP/1.1.

However, you can also use "curl" instead of "lynx" to make the test:

]# curl -v https://tlstest.paypal.com
* About to connect() to tlstest.paypal.com port 443 (#0)
*   Trying 104.72.43.36...
* Connected to tlstest.paypal.com (104.72.43.36) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=tlstest.paypal.com,OU=CDN Support,O="PayPal, Inc.",L=San Jose,ST=California,C=US,serialNumber=3014267,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization
*       start date: Okt 04 00:00:00 2017 GMT
*       expire date: Sep 27 12:00:00 2019 GMT
*       common name: tlstest.paypal.com
*       issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: tlstest.paypal.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Length: 20
< Date: Wed, 11 Apr 2018 16:47:54 GMT
< Connection: keep-alive
<
* Connection #0 to host tlstest.paypal.com left intact
PayPal_Connection_OK

As you can see there: That finishes with "PayPal_Connection_OK" as it
was using "HTTP/1.1" for the connection.

Whatever application on the server you're using to connect to Paypal
needs to be checked to see what tools and methods it's using for the
callback to Paypal. Perhaps there is an update to their Shop or the
Paypal payment gateway module in that shop. If not, they should check
what methods they're using for the callback and perhaps change them to
"curl" calls or to something else that supports "HTTP/1.1".

It's not a server problem, but rather something with their shop itself.

-- 
With best regards

Michael Stauber
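
Added example, not part of the original message: a loopback listener in Python that records the request line an outgoing HTTP client sends, so the protocol version a tool or library uses can be checked locally. All function names are illustrative, and `legacy_client` is a constructed stand-in for an HTTP/1.0 tool; the listener speaks plain HTTP, so it shows the HTTP version only, not the TLS version.

```python
import http.client
import socket
import threading

def capture_request_line(client, timeout=5.0):
    """Run client(port) against a one-shot loopback listener; return the request line it sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    srv.listen(1)
    srv.settimeout(timeout)
    captured = {}

    def serve():
        try:
            conn, _ = srv.accept()
        except OSError:                 # timeout or closed listener: nothing connected
            return
        conn.settimeout(timeout)
        with conn, conn.makefile("rb") as f:
            captured["line"] = f.readline().decode("latin-1").strip()
            while f.readline() not in (b"\r\n", b"\n", b""):
                pass                    # drain headers so close() does not reset the client
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK")

    t = threading.Thread(target=serve)
    t.start()
    try:
        client(srv.getsockname()[1])
    finally:
        t.join()
        srv.close()
    return captured.get("line", "")

def http_version(request_line):
    """Return the protocol token of a request line, e.g. "HTTP/1.0" or "HTTP/1.1"."""
    parts = request_line.split()
    return parts[2] if len(parts) == 3 and parts[2].startswith("HTTP/") else "unknown"

def stdlib_client(port):                # Python's http.client
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/")
    conn.getresponse().read()
    conn.close()

def legacy_client(port):                # constructed stand-in for a tool that speaks HTTP/1.0
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        s.recv(4096)
```

To check another tool, pass a function that runs it against `http://127.0.0.1:<port>/` in place of the two sample clients.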


