Friday, 13 November 2009

Google Checkout over stunnel

Recently I have been running HTTPS connections to a website through stunnel + haproxy (why such an exotic setup is not really important at the moment). More importantly, the whole operation went smoothly, quickly and easily. Everything worked until today, when I read an email from one of the developers in our company.
He had a problem with Google Checkout:

We encountered an error trying to access your server at https://some.website.at.web/GoogleCheckout/response --
the error we got is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

First I checked the connection with a browser, and everything looked fine, as it should. I started digging, but Google didn't help me a lot. So I checked the Google Checkout documentation and found this:

There are also a number of measures you can take to keep your
communications with Google Checkout secure:

* Never share your Merchant Key with anyone.

* Sign your shopping cart XML using HMAC SHA1 and your Merchant Key.
Signing your shopping cart authenticates the cart you send and
verifies that your cart hasn't been tampered with during transmission.

* Send order processing commands over a secure HTTPS connection.
When sending order processing commands to Google, use an HTTPS connection
secured by 128-bit SSL v3 or TLS connection (SSL v2 is not allowed).
Use your Merchant ID and Merchant Key as the username and password for
HTTP Basic Authentication.

* Verify the authenticity of the server certificate presented to you.

* Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid
certificate from a major Certifying Authority to receive Google notifications.
Only accept messages authenticated by HTTP Basic Authentication, using
your Merchant ID and Merchant Key as the username and password.
Take a look at our list of accepted SSL certificates.

* Validate messages sent to your callback URL before processing them.


That still looks fine: SSL v3 or TLS. I rechecked, and SSL v3 was working. But Google Checkout didn't like it.


Change in /etc/stunnel/stunnel.conf, from:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

to:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

Because "SSLv3 or TLS" in Google's documentation means that the callback endpoint must accept both. Google's callback client (the javax.net.ssl stack named in the error above) opens the connection with a TLS handshake; with sslVersion = SSLv3, stunnel uses an SSLv3-only method, rejects that ClientHello and closes the connection, which is exactly the "Remote host closed connection during handshake" error. One caveat with the fix: sslVersion = all also lets clients negotiate SSLv2, which Google explicitly disallows, so disable it as well with stunnel's options = NO_SSLv2 setting.
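As an added check (example code, not part of the original post): a small Python audit of a stunnel.conf that flags the protocol-version settings discussed here, so the SSLv3-only mistake above, or an "all" that still leaves SSLv2 open, is caught before Google's callback fails. It assumes stunnel 4.x syntax: ';' or '#' starts a comment, [name] opens a service section, settings before the first section are global defaults inherited by every service, sslVersion takes all/SSLv2/SSLv3/TLSv1 with all as the default when unset, and options takes OpenSSL option names without the SSL_OP_ prefix, such as NO_SSLv2. The two configurations embedded in it are constructed samples mirroring the before and after above, not the author's real file.

```python
"""Audit a stunnel.conf for SSL/TLS protocol-version settings.

Added example, not code from the original post. Assumes stunnel 4.x
configuration syntax and option names (sslVersion, options = NO_SSLv2).
"""
import re

# Values stunnel 4.x accepts for sslVersion (compared case-insensitively here).
KNOWN_VERSIONS = {"all", "sslv2", "sslv3", "tlsv1"}


def parse_stunnel_conf(text):
    """Return (global_opts, services); each opts dict maps lowercase key -> list of values."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:                              # '[https]' opens a service section
            current = services[section.group(1).strip()] = {}
            continue
        if "=" not in line:                      # not 'key = value'; stunnel would reject it
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return global_opts, services


def effective(service_opts, global_opts, key):
    """A service-level setting overrides the global default, as stunnel does."""
    return service_opts.get(key) or global_opts.get(key) or []


def audit_service(name, service_opts, global_opts):
    """Return (service, code) findings for one service's protocol settings."""
    versions = [v.lower() for v in effective(service_opts, global_opts, "sslversion")]
    version = versions[-1] if versions else "all"            # stunnel 4.x default when unset
    options = {o.upper() for o in effective(service_opts, global_opts, "options")}
    if version not in KNOWN_VERSIONS:
        return [(name, "UNKNOWN_VERSION")]
    if version == "sslv2":
        return [(name, "SSLV2_ONLY")]            # rejected outright by Google Checkout
    if version == "sslv3":
        return [(name, "SSLV3_ONLY")]            # refuses TLSv1 ClientHello: the error in the post
    if version == "all" and "NO_SSLV2" not in options:
        return [(name, "SSLV2_STILL_ENABLED")]   # 'all' still negotiates SSLv2 without NO_SSLv2
    return []


def audit_stunnel_conf(text):
    """Audit every service in a stunnel.conf; a section-less file is audited as '(global)'."""
    global_opts, services = parse_stunnel_conf(text)
    if not services:
        return audit_service("(global)", {}, global_opts)
    findings = []
    for name, opts in services.items():
        findings.extend(audit_service(name, opts, global_opts))
    return findings


# Constructed sample configs, modelled on the before/after in the post.
BROKEN_CONF = """
; global defaults
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

[https]
accept  = 443
connect = 127.0.0.1:8443
"""

FIXED_CONF = """
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2

[https]
accept  = 443
connect = 127.0.0.1:8443
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_stunnel_conf(conf) or "ok")
```

The audit reproduces stunnel's inheritance rule (a per-service sslVersion overrides the global one), so a file that sets all globally but SSLv3 inside one [service] block is still reported for that service only.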
