
ssl - PayPal IPN stopped working: gnutls_handshake() failed: An unexpected TLS packed was received - Stack Overflow


A few days ago our web server (Debian 12, nginx 1.22.1, OpenSSL 3.0.15) stopped getting any HTTPS requests from PayPal (PayPal IPNs or Webhooks calls).

The TLS check by / shows grade A without any issues for our domain. Connectivity tests by any online tools don't show any issues with calling our URL from different locations.

PayPal merchant support finally sent me this screenshot demonstrating the issue. They are using some proxy server that can't talk to our server due to gnutls_handshake() failed: An unexpected TLS packed was received issue.

The issue may be somehow related to our webserver, otherwise the same issue should prevent too many shops using PayPal from working.

Our nginx SSL configuration is like this:

# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY>
ssl_prefer_server_ciphers on;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;

Of course, we've checked there are no firewall rules blocking IP addresses of PayPal.

Any ideas how to troubleshoot the issue on our side?

Update: I can 'reproduce' the issue. After triggering a webhook by the Webhook Simulator at using ssldump -ndA host notify.paypal we can see connection attempts from PayPal at our server but only like this:

New TCP connection #1: 173.0.81.65(39165) <-> 172.86.113.246(443)
1    0.0445 (0.0445)  C>S  TCP RST
New TCP connection #2: 173.0.81.65(6878) <-> 172.86.113.246(443)
2    0.0396 (0.0396)  C>S  TCP RST
New TCP connection #3: 173.0.81.65(45419) <-> 172.86.113.246(443)
3    0.0385 (0.0385)  C>S  TCP RST
New TCP connection #4: 173.0.81.65(42282) <-> 172.86.113.246(443)
4    0.0464 (0.0464)  C>S  TCP RST
New TCP connection #5: 173.0.81.140(11283) <-> 172.86.113.246(443)
5    0.0398 (0.0398)  C>S  TCP RST
New TCP connection #6: 173.0.81.140(47538) <-> 172.86.113.246(443)
6    0.0445 (0.0445)  C>S  TCP RST

I also tried a webserver on Debian 11 with OpenSSL 1.1.1w. The same result.

Update 2: The issue is somehow related to the domain name used. Using another domain name (sub-domain doesn't help!) on the same (!) webserver with the same CA provider resolves the issue. Some of our domain names seem to be blocked by PayPal IPN/webhook proxies even though PayPal support says there is nothing blacklisted. Maybe it's all related to this issue: "My server is suddenly not receiving IPN requests from Paypal any more, worked for years". But we can't see our domains to be classified as malware anywhere.
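An added example, not part of the original question: a small Python parser for ssldump text like the capture above that counts, per client IP, the connections the client reset before any TLS record was captured, i.e. before a ClientHello appeared on that connection. Connections #1, #2 and #5 are copied from the question; connection #7 and its record lines are constructed for contrast and assume ssldump's usual `conn rec time (delta) dir type` layout.

```python
import re
from collections import defaultdict

# Sample ssldump text. Connections #1, #2, #5 are copied from the question;
# connection #7 is constructed here (assumed format) to show a normal handshake.
SAMPLE = """\
New TCP connection #1: 173.0.81.65(39165) <-> 172.86.113.246(443)
1    0.0445 (0.0445)  C>S  TCP RST
New TCP connection #2: 173.0.81.65(6878) <-> 172.86.113.246(443)
2    0.0396 (0.0396)  C>S  TCP RST
New TCP connection #5: 173.0.81.140(11283) <-> 172.86.113.246(443)
5    0.0398 (0.0398)  C>S  TCP RST
New TCP connection #7: 192.0.2.10(50000) <-> 172.86.113.246(443)
7 1  0.0103 (0.0103)  C>S  Handshake
      ClientHello
7 2  0.0211 (0.0108)  S>C  Handshake
      ServerHello
7    0.9000 (0.8789)  C>S  TCP FIN
"""

NEW_CONN = re.compile(r"^New TCP connection #(\d+): (\S+?)\((\d+)\) <-> (\S+?)\((\d+)\)")
EVENT = re.compile(r"^(\d+)(?:\s+(\d+))?\s+[\d.]+\s+\([\d.]+\)\s+([CS])>([CS])\s+(.*)$")

def parse(text):
    """Return {conn_id: {"client", "records", "end"}} from ssldump text output."""
    conns = {}
    for line in text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            conns[int(m.group(1))] = {"client": m.group(2), "records": 0, "end": None}
            continue
        m = EVENT.match(line)
        if m and int(m.group(1)) in conns:
            c = conns[int(m.group(1))]
            if m.group(2):  # a record number is present: a TLS record was captured
                c["records"] += 1
            elif m.group(5).startswith("TCP "):  # TCP-level event (RST / FIN)
                c["end"] = f"{m.group(3)}>{m.group(4)} {m.group(5).strip()}"
    return conns

def reset_before_tls(conns):
    """Per client IP, count connections reset by the client with zero TLS records."""
    counts = defaultdict(int)
    for c in conns.values():
        if c["records"] == 0 and c["end"] == "C>S TCP RST":
            counts[c["client"]] += 1
    return dict(counts)
```

Running `reset_before_tls(parse(text))` over a longer capture gives a per-source tally that can be sent to the sender's support team alongside the raw ssldump lines.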
