This note corresponds to the 4.0.16 release of Seamless Donations, which adds the support for secure https communication that PayPal now requires for IPNs. This both future-proofs Seamless Donations for the upcoming PayPal-mageddon, when PayPal goes all https for IPN-based donations Internet-wide, and gives Seamless Donations users the ability to once again use the PayPal sandbox, which as of last week stopped accepting http IPN URLs.
This release also adds Hebrew and Norwegian translations, courtesy of user semistazic and a user who wishes to remain anonymous. As always, I’m deeply grateful for the translators, and if you’d like to participate, the best starting point is this thread.
You (or your hosting provider) will need to modify your server
This new version of Seamless Donations includes a server compatibility tester in the PayPal section of the Seamless Donations Settings menu. It checks whether you have all the elements you need to talk reliably to the PayPal sandbox and, as of September 30, 2016, to take donations via PayPal at all.
These new https requirements are not unique to Seamless Donations. Anything offering PayPal integration will need to make these changes in its code, and anyone using PayPal integration on their site will need a valid SSL certificate for their server and a TLSv1.2-capable stack behind it.
The new server compatibility tester not only includes compatibility results and explanations, but a list of follow-up reading and resources to help you get started. If you’re unsure what to do, you definitely should read those articles and tutorials.
As it turns out, the process may not be as hard as it originally seemed. Although it is wise to serve your entire WordPress site over https (just as a general best practice), you do not need to convert your WordPress install to https to use Seamless Donations.
As long as your server itself has a valid SSL certificate for your domain (more on that in a minute), the special IPN URL provided in Seamless Donations 4.0.16 and above will work securely with PayPal and will meet PayPal’s requirements, both now and after the September 30, 2016 cutoff point.
Most hosting providers offer SSL support for their Web hosting customers. While this is sometimes an upsell, we’ve started to see some hosting providers also support the free Let’s Encrypt SSL service. When I asked Joe at my favorite hosting provider, WPMU-Hosting, if he could add Let’s Encrypt to his cPanel, he first told me it was a beta product and wasn’t supported.
Two days later, he sent me a note. It was integrated with his cPanel. So it should be easy for your host to add it. And no, I don’t get an affiliate payment from Joe. I’ve just known him for years and he’s awesome.
If Let’s Encrypt is installed in cPanel, turning it on is trivial. You just click the icon, choose your domain, wait a few minutes and you’re done. That is it. The cPanel implementation also seems to take care of the automatic renewal, so even that’s taken care of.
I also decided to do it the manly-man way and install a purchased, $9 SSL certificate by hand on my Linux development VM running on Digital Ocean. That’s completely documented in this Lab Note, so I won’t repeat the steps here.
My big conclusion after a week of testing on a variety of servers (see below) is that adding an SSL certificate to your server to support secure PayPal donations is a mild annoyance, but no real effort or expense. It’s a to-do item, not a major worry. So don’t stress on it.
Finally, one more note about the server compatibility tester in Seamless Donations 4.0.16. As you can see in the testing below, a number of machines indicated compatibility failures based on the published requirements for TLSv1.2, but still worked.
If the tester reports a version of OpenSSL or cURL below PayPal’s TLSv1.2 minimums, you should definitely ask your hosting provider to upgrade. What works now may well be a fluke and may change over time. Besides, it’s really important to be running the latest versions of security software on your server.
Security compatibility tests performed
The following set of security tests is performed in seamless_donations_get_security_status():
- Determine whether file_get_contents() can fetch the https IPN page
- Determine whether the cURL library is present and enabled
- Determine whether the OpenSSL version is high enough (TLSv1.2 requires OpenSSL 1.0.1 or above)
- Determine whether the cURL version is high enough (TLSv1.2 requires cURL 7.34.0 or above)
- Determine whether the https IPN URL is functional
- Determine whether the plain http IPN URL is functional
The function returns an associative array containing the above results as either true or false, along with the current versions of cURL and OpenSSL. It should be noted that Seamless Donations does not strictly require either cURL or OpenSSL: the IPN can meet PayPal’s TLSv1.2 requirements without cURL if another SSL library is available. However, because cURL and OpenSSL are the common case and are the libraries whose version information is easy to retrieve, the baseline versions above are the ones tested against.
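To make the list above concrete, here is an added example of what such a status check can look like. It is illustration code written for this note, not the actual seamless_donations_get_security_status() from the plugin; the sd_example_* names, the placeholder IPN URL and the ten-second timeouts are assumptions, and the version minimums are the ones quoted above.

```php
<?php
// Added example, not Seamless Donations code: an approximation of the checks
// the page attributes to seamless_donations_get_security_status().
// Assumptions: minimums as quoted above (OpenSSL 1.0.1, cURL 7.34.0 for
// TLSv1.2); $ipn_url is your own listener; sd_example_* names are invented.

const SD_EXAMPLE_MIN_OPENSSL = '1.0.1';
const SD_EXAMPLE_MIN_CURL    = '7.34.0';

// Pull a dotted version out of "OpenSSL/1.0.2g" (curl_version()['ssl_version'])
// or "OpenSSL 1.0.2g  1 Mar 2016" (OPENSSL_VERSION_TEXT). The letter suffix is
// dropped because version_compare() ranks "1.0.2g" below "1.0.2"; only the
// numeric fields matter for the TLSv1.2 cut-off.
function sd_example_parse_version($text) {
    return preg_match('/(\d+\.\d+(?:\.\d+)?)/', (string) $text, $m) ? $m[1] : null;
}

function sd_example_version_ok($found, $minimum) {
    return $found !== null && version_compare($found, $minimum, '>=');
}

// Probe the https listener through the stream wrapper that file_get_contents()
// uses. Peer and hostname verification are forced on so that a self-signed
// "fake" development certificate fails here, just as it would at PayPal.
function sd_example_https_via_streams($url) {
    $ctx = stream_context_create([
        'ssl'  => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        ],
        'http' => ['timeout' => 10],
    ]);
    return @file_get_contents($url, false, $ctx) !== false;
}

// The same probe through cURL, pinned to TLSv1.2 with certificate checks on.
function sd_example_https_via_curl($url) {
    if (!function_exists('curl_init')) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $body !== false && $code >= 200 && $code < 400;
}

// Plain http reachability, the fallback listed last above.
function sd_example_http_reachable($url) {
    $ctx = stream_context_create(['http' => ['timeout' => 10]]);
    return @file_get_contents($url, false, $ctx) !== false;
}

function sd_example_security_status($ipn_url) {
    $curl = function_exists('curl_version') ? curl_version() : null;
    // Prefer the TLS library cURL is linked against: PHP's openssl extension and
    // cURL can be built against different copies, and cURL does the IPN work.
    $ssl_txt = $curl['ssl_version']
        ?? (defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : '');
    $is_openssl = stripos($ssl_txt, 'openssl') !== false;
    $openssl    = sd_example_parse_version($ssl_txt);
    $curlver    = $curl['version'] ?? null;
    $https = preg_replace('#^http://#i', 'https://', $ipn_url);
    $http  = preg_replace('#^https://#i', 'http://', $ipn_url);

    return [
        'file_get_contents_https' => sd_example_https_via_streams($https),
        'curl_found'              => $curl !== null,
        // null means a non-OpenSSL TLS library (GnuTLS, NSS, ...): check it by hand.
        'openssl_version_ok'      => $is_openssl
            ? sd_example_version_ok($openssl, SD_EXAMPLE_MIN_OPENSSL) : null,
        'curl_version_ok'         => sd_example_version_ok($curlver, SD_EXAMPLE_MIN_CURL),
        'https_ipn_functional'    => sd_example_https_via_curl($https),
        'http_ipn_functional'     => sd_example_http_reachable($http),
        'ssl_library'             => $ssl_txt,
        'openssl_version'         => $openssl,
        'curl_version'            => $curlver,
    ];
}

// Usage (placeholder URL): print_r(sd_example_security_status('https://example.com/your-ipn-listener'));
```

The one design choice worth noting is that both probes verify the certificate and refuse anything below TLSv1.2. A check that skipped verification would report the DesktopServer and Pagely "fake SSL" cases below as working, which is exactly the misleading result you do not want from a compatibility tester; a certificate your own server will not trust is not one PayPal will trust either.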
Security status compatibility testing results
The following dataset shows the results of compatibility testing using the new seamless_donations_get_security_status() function across four hosts and my local machine (as of 2016). Site results are likely to have changed since then.
Local DesktopServer on OS X
- System: Local dev machine running XAMPP on Mac OS X
- Seamless Donations warnings: cURL out of date (7.30.0)
- SSL: “fake” SSL installed by Desktop Server. Pasting the https IPN resulted in a typical SSL browser security warning for a page that doesn’t have a current certificate, but then delivered the page
- IPN via: newly added https URL and IP address routing via NAT port forwarding
- PayPal round trip: failed – donation completed but IPN never processed
WPMU Hosting non-SSL
- System: cPanel
- Seamless Donations warnings: OpenSSL out of date (OpenSSL/1.0.0), https not responding
- SSL: none
- IPN via: old, original, pre-existing http URL
- PayPal round trip: succeeded
WPMU Hosting SSL
- System: cPanel
- Seamless Donations warnings: OpenSSL out of date (OpenSSL/1.0.0)
- SSL: Let’s Encrypt SSL via cPanel
- IPN via: newly-added https URL
- PayPal round trip: succeeded
Digital Ocean SSL
- System: Ubuntu LAMP stack
- Seamless Donations warnings: none
- SSL: Comodo SSL certificate via NameCheap
- IPN via: newly added https URL
- PayPal round trip: succeeded
Pagely non-SSL
- System: Pagely managed hosting
- Seamless Donations warnings: cURL out of date (7.22.0)
- SSL: none, although unexpectedly not getting an https error. Pasting the https IPN resulted in a typical SSL browser security warning for a page that doesn’t have a current certificate, but then delivered the page
- IPN via: newly added https URL
- PayPal round trip: succeeded (quite unexpectedly)
SiteGround non-SSL
- System: SiteGround cPanel
- Seamless Donations warnings: cURL out of date (7.30.0), https not responding
- SSL: none
- IPN via: http IPN not accepted by PayPal
- PayPal round trip: n/a
SiteGround SSL
- System: SiteGround cPanel
- Seamless Donations warnings: cURL out of date (7.30.0)
- SSL: Let’s Encrypt SSL via cPanel
- IPN via: newly added https URL
- PayPal round trip: succeeded