Can't read the files used for encryption between site and paypal

now I made some further investigations...may be it could help you to help me

I logged into the db's (of both environments) and extracted the 'params' column of the 'jos_cbsubs_gateway_accounts' table ( here the path to the files is stored) ....below I send you now the content of this 'params' column for both environment (production and pre_production) REMARK: some entries I marked with HIDDEN because I do not want to communicate this content for the public:

environment: Production:
table: jos_cbsubs_gateway_accounts
column: params


gateway_paypal_url=
paypal_business=ehb-consulting-gmbh@hotmail.com
paypal_receiver_email=ehb-consulting-gmbh@hotmail.com
paypal_identity_token=*********************** HIDDEN ***********************
paypal_api_username=
paypal_api_password=
paypal_api_signature=
paypal_country=
paypal_image=components/com_comprofiler/plugin/user/plug_cbpaidsubscriptions/icons/cards/cc_big_paypal.gif
paypal_custom_image=
paypal_subscribe_image=components/com_comprofiler/plugin/user/plug_cbpaidsubscriptions/icons/cards/cc_big_paypal_subscribe.gif
paypal_subscribe_custom_image=
paypal_page_style=
paypal_regLogoImage=
paypal_no_note=1
paypal_no_shipping=1
givehiddenaddress=0
givehiddenemail=1
givehiddenphonenumber=0
paypal_encrypted=1
paypal_public_certificate_path=/home/www/web180/html/joomla/prod_paypal_certificate/paypal_cert_pem.txt
paypal_private_key_path=/home/www/web180/html/joomla/prod_paypal_certificate/idp-prvkey.pem
paypal_public_key_path=/home/www/web180/html/joomla/prod_paypal_certificate/idp-pubcert.pem
paypal_private_key_password=
paypal_certificate_id= *************************** HIDDEN *********************
notifications_host=


environment: Pre_Production:
table: jos_cbsubs_gateway_accounts
column: params

{"gateway_paypal_url":"","paypal_business":"ehb-consulting-gmbh@hotmail.com","paypal_receiver_email":"ehb-consulting-gmbh@hotmail.com","paypal_identity_token":"********************** HIDDEN **************************","paypal_api_username":"","paypal_api_password":"","paypal_api_signature":"","paypal_country":"","paypal_image":"components\/com_comprofiler\/plugin\/user\/plug_cbpaidsubscriptions\/icons\/cards\/cc_big_paypal.gif","paypal_custom_image":"","paypal_subscribe_image":"components\/com_comprofiler\/plugin\/user\/plug_cbpaidsubscriptions\/icons\/cards\/cc_big_paypal_subscribe.gif","paypal_subscribe_custom_image":"","paypal_page_style":"","paypal_regLogoImage":"","paypal_no_note":"1","paypal_no_shipping":"1","givehiddenaddress":"0","givehiddenemail":"1","givehiddenphonenumber":"0","paypal_encrypted":"1","paypal_public_certificate_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/paypal_cert_pem.txt","paypal_private_key_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/idp-prvkey.pem","paypal_public_key_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/idp-pubcert.pem","paypal_private_key_password":"","paypal_certificate_id":"******** HIDDEN *********","notifications_host":""}


Analysis: Ok - the format how the content of 'params' colum is stored seems to be different compared to the production env. This is not the problem I think. But look closer how the path to the 'prod_paypal_certificate' folder is stored:

"paypal_public_certificate_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/paypal_cert_pem.txt",
"paypal_private_key_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/idp-prvkey.pem",
"paypal_public_key_path":"\/home\/www\/web180\/html\/joomla\/prod_paypal_certificate\/idp-pubcert.pem"

...is it possible that the substring with 'back slash' and 'slash' impacts negatively the parsing process done by the CB Subs component ? ....in the productive environment this path is stored totally different and easy to read.....

It's just json encoded. Those backslashes will be gone once it's json decoded. Do payments actually fail when testing? It could just be the debug check isn't working right.

so the payments triggered from /pre_production installation (built with CB Subs: 4.x) ....do not work....the following message appears:



The translation of the text in the yellow triangle ist:
"The seller accepts only encrypted website payment solutions. You cannot do a payment via a not encrypted payment button. Please ask the seller to get further information"

...but now i tried to do a payment via /production (very old installation built with CB Subs 3.x but running so far) ........and exactly the same message appears....but this I do not understand. Because i didn't touch the /production installation for 1.5 years....an I also didn't change settings on my productive paypal buisiness account....and approx. 1.5 years ago I tested the payment via /production and it worked 100% ?!? ...so how is it possible that non touched code will change ?!?

...so the question ist: did paypal change some of its internal settings ? ....or did so my hoster ? what do you recommend ? (PS: may be you are right, that here is also an other issue...I thing the path is not the problem)

Within configuration.php ensure live_site is set to '' (blank) or if you have to set it that it's using https:// or just // (for dynamic schema). Sounds like your issue is HTTPS just isn't being used or isn't working. Are you using PayPal Standard, Advanced, or Pro?

I use:

public $live_site = ''

...even if I change this field to...

public $live_site = 'https://';

...the result ist the same

yes: I use the sandard PayPal Gateway...(CBSubs 3.x)

further setings on my website are:

PCI-DSS settings:

field: 'Post all forms to https and return from gateways to https:'
Content: 'keep http/https mode as is'

..and in the PayPal Gateway the...

field: 'Encrypt paypal form' is set to 'encrypted form'......(I am useing OpenSSL)

...with these settings the message above appears...

if I change the Field: 'Post all formst o https and return from gateways to https:'

to.....'Force https on CBSubs forms'

the result is even worse because as soon as I press the payment button (for paying with PayPal) the Firefox browser Interrupts and says that 'the Connection is not save' ???

so whats wrong here ? ...are there further Debugging possibilites?

In the meanwhile I made some further investigations why the payment process with credit card (by using a PayPal gateway) suddenly does not work anymore (there always appears a message on the screen that only encrypted payments will be accepted although I already use 'encrypted PayPal form' in the gateway settings):

I had several phone calls with the PayPal customer service. And they told me that PayPal has intensified the security measures. In detail PayPal expects that all the communication between the (merchands) website and PayPal has to be on the SHA-256 encryption level (of course only in case I check 'encrypted website' in my PayPal account...if I just use the 'not encrypted' way everything works fine) ...here I found a nofification from PayPal that explains the change it in detail:

www.paypal-techsupport.com/ci/fattach/get/487025/1429638687/redirect/1/filename/2015%20Merchant%20Security%20System%20Upgrade%20Guide%20(U.S.%20English).pdf

So from my point of view my website does not meet the expected (and stronger) encryption level of PayPal.....

As I saw in the documentation of CB Subs OpenSSL is needed for the encryption process ....at the moment I use OpenSSL 1.0.1 (which is installed in my server environment) ...is it possible that OpenSSL 1.0.1 does not meet the strong expectations of SHA-256 ? ...the hoster said that everything on 'his side' is ok ......

As a reminder: The encrypted payment process together with paypal worked excellent when I tested it 2 years ago ...and since then I didn't change any code....so this is the last possiblilty...

PLEASE help me....

regards