问题
PayPal sandbox just recently restricted to TLS 1.2 connection. This makes our site stop working with PayPal sandbox although it stills work with the production PayPal. In the future the production PayPal will have the same restriction. We're using classic ASP and Microsoft WinHTTP.WinHTTPRequest.5.1 component for communication with PayPal. Here's the code below. objHttp.StatusText returns "Bad Request". We're on Windows Server 2008 R2. I tried to use MSXML2.ServerXMLHTTP.6.0 instead, but it only works on my Windows 8.1 development machine, not on our Windows Server 2008 R2. Although MSXML2.ServerXMLHTTP.6.0 is a superset of WinHTTP.WinHTTPRequest.5.1, but it is less reliable than WinHTTP.WinHTTPRequest.5.1. Our code fails a few times a day using MSXML2.ServerXMLHTTP.6.0 in the past, so I prefer using WinHTTP.WinHTTPRequest.5.1. I'm also not confident in this line of code: objHttp.Option(9) = &H0AA0 . A workaround that we're using is calling the WebAPI for sending message to PayPal; however, this causes an extra minor delay.
dim objHttp
Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
dim WinHttpRequestOption_EnableHttp1_1 : WinHttpRequestOption_EnableHttp1_1 = 17
objHttp.Option(WinHttpRequestOption_EnableHttp1_1) = False
dim WinHttpRequestOption_SslErrorIgnoreFlags : WinHttpRequestOption_SslErrorIgnoreFlags=4
objHttp.Option(WinHttpRequestOption_SslErrorIgnoreFlags) = &H3300
objHttp.setTimeouts 0, 120000, 120000, 120000
objHttp.Option(9) = &H0AA0 '2720
objHttp.open "post", "" & "https://api-3t.sandbox.paypal.com/2.0/" & "", False
strRequest = SetExpressCheckoutSOAP(returnURL, cancelURL)
objHttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
objHttp.setRequestHeader "Content-Length", Len(strRequest)
objHttp.setRequestHeader "Host", "api-3t.sandbox.paypal.com"
Call objHttp.send(strRequest)
if objHttp.Status = 200 then
resp = objHttp.responseText
else
response.write objHttp.StatusText
end if
WebAPI invoke code:
dim webapiresp, webapidata
webapidata = "{""url"":""" & gv_APIEndpoint & """, ""message"":""" & nvpStrComplete & """,""soap"":0}"
webapiresp=InvokeWebAPI(strApiDomain, "POST", "comm/send", "", webapidata)
set reply=JSON.parse(webapiresp)
resp = reply.xml
Function InvokeWebAPI(strApiDomain, method, funcname, param, data)
dim HttpReq, apiURI, resp
set HttpReq=Server.CreateObject("MSXML2.ServerXMLHTTP")
'apiURI=strApiDomain & funcname & param
apiURI=strApiDomain & "api/" & funcname & param
HttpReq.open method, apiURI, false
HttpReq.setRequestHeader "Content-Type", "application/json; charset=UTF-8"
HttpReq.setRequestHeader "SOAPAction", apiURI
HttpReq.setRequestHeader "Authorization", "Basic " & Base64Encode("xxx:xxx")
if data <> "" then
HttpReq.send data
else
HttpReq.send
end if
resp = HttpReq.responseText
set HttpReq=Nothing
InvokeWebAPI = resp
End Function
回答1:
My application is written in ASP classic and I use WinHttp.WinHttpRequest.5.1in place of MSXML2.ServerXMLHTTP.6.0. to post to paypal sandbox url.
What works for me is telling the WinHttp.WinHttpRequest.5.1 objec to use TLS 1.2:
Set
httpRequest = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
httpRequest.option (9) = 2720
All that on Windows Server 2012
回答2:
This option:
httpRequest.option (9) = 2720
Works only in Windows 2012 and newer
System library "winhttp.dll" of Windows 2008 R2 has only record for TLS 1.0 what equal to:
httpRequest.option (9) = 128
The other values will drop an exception.
But I found a solution which requires only changes in registry, without any additional changes in code. See details here: Classic ASP Outbound TLS 1.2
回答3:
I had the exact same issue, but rather than setting option(9) a.k.a WinHttpRequestOption_SecureProtocols I needed to add support for TLS 1.2 in WinHttp itself
See article below, where you can run "Easy Fix" or add registry keys manually
https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
回答4:
First you need to enable support for TLS 1.2 on the server (I prefer to use the free IISCrypto tool from Nartac Software)
Then you can change the default behaviour by the setting following registry key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
If you are using 32 bit applications, you also need this key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
来源:https://stackoverflow.com/questions/35089900/winhttp-winhttprequest-5-1-does-not-work-with-paypal-sandbox-after-tls-1-2