7

We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK

To help handle our webhooks. We've started receiving the exceptions:

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
   at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
   at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:

-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----

If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.

We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?

womble
  • 96,255
  • 29
  • 175
  • 230
Tom Gullen
  • 385
  • 4
  • 8
  • 24
  • Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list – Sergey Nudnov Apr 05 '19 at 12:07
  • ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that – Sergey Nudnov Apr 05 '19 at 12:18

2 Answers2

9

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

unNamed
  • 545
  • 2
  • 11
  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue. – Tom Gullen Apr 05 '19 at 13:19
  • 2
    Disabling access to `http://ocsp.digicert.com` won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning `False`. When I imported certificate into the Trusted People store - verification was passed and returned `True` even with unblocked digicert.com names I listed above – Sergey Nudnov Apr 05 '19 at 13:30
5

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

  • copy/paste certificate into a .crt file;
  • double click on it from Windows Explorer;
  • select Install Certificate;
  • Store Location: Local Machine;
  • Place all certificates in the following store;
  • Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

Sergey Nudnov
  • 863
  • 6
  • 12
  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released. – Tom Gullen Apr 05 '19 at 13:53
  • 2
    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant. – Voo Apr 05 '19 at 14:11
  • @Voo, thank you. Added a disclaimer to answer – Sergey Nudnov Apr 05 '19 at 14:27
  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system. – Voo Apr 07 '19 at 16:59
  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems – Sergey Nudnov Apr 07 '19 at 17:16
  • Yeah I know it's pointless trying to change the "just make it work, who cares if it's secure" attitude of most people here or in general, but it's always disappointing again.. posting an additional answer won't help since all the people who won't know better will see the simple four step guide for getting rid of the error and just do that. (Also DNS hijacking attacks are common-place these days) – Voo Apr 08 '19 at 07:11
  • @Voo you might think I have a "make it work, who cares if it's secure attitude" but the reality is 1) Payments have been failing for days, creating a backlog of manual work, losing us business and harming our reputation 2) Migrating to the pre release version of the SDK doesn't guarantee to fix this and requires several days of work to implement 3) This is the official Paypal SDK so I expect a patch soon. I understand if the SSL is compromised it can create a MITM attack vector on our payments API but there are other layers of protection in place so I feel the attack vector is narrow. – Tom Gullen Apr 08 '19 at 09:08