First, please understand that I'm not an expert (at all) in networking or reading packet captures.
I'm troubleshooting an issue between a Web server and PayPal IPN. The issue appears to have started around the time PayPal stopped supporting SSL 3.0.
The web server is IIS6 so it ONLY supports TLS 1.0. All versions of SSL are disabled.
What I'm comparing are two Wireshark traces of PayPal connecting to a "special URL" on the web server (to perform the IPN postback after the PayPal transaction processes):
- One trace is of the PayPal simulator connecting to this special URL on the web server (PayPal's simulator reports this as successful).
- The other is a live PayPal transaction (the step where PayPal IPN connects to the special URL to post back the transaction). PayPal reports it fails to connect to this URL in some way (I haven't been able to get more details; their canned notification says things like check firewall, etc., but this clearly isn't that anything is blocking PayPal).
In looking at the traces, there are some differences I'm not quite clear on. On the 'simulator' trace (the one PayPal reports as successful), the connection appears to be attempted only using TLS 1.0.
On the trace of a live PayPal transaction, the packet details are showing both TLS 1.2 and TLS 1.0 (the IIS6 server doesn't support TLS 1.2, but it does support TLS 1.0).
My first question is: On the live transaction, is it that PayPal attempted TLS 1.2 first, and then, since TLS 1.2 is not available, it attempted TLS 1.0?
(Based on the order in the "Secure Sockets Layer" section, is this the correct way of reading this (TLS 1.2 then TLS 1.0)?) My understanding of SSL/TLS in general is that it would try the higher version first and, if not supported, try older versions, but I'm not sure if that's what the packet shows.
Or is it stating which TLS versions it supports, and the next step is for the web application or server to select a version?
(And if so, is it the web SERVER or the web APPLICATION that makes that choice?)
Any idea what to make of these two traces? I would have expected a simulator to work the same as the live version, but it seems to be clearly connecting in a different way and I'm not quite understanding it.
Any guidance would be much appreciated.
Mostly trying to determine if the issue is with the web application, the web server (IIS6), the server (Windows Server 2003)
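The two versions the asker sees in one packet are usually the two version fields of a single ClientHello: the record-layer version (often set to TLS 1.0, 0x0301, for compatibility with old servers) and the handshake-body client_version, which is the highest version the client supports. In TLS 1.0 through 1.2 there is no "try 1.2, then retry 1.0" inside one connection: the client advertises its maximum once and the server's TLS stack (Schannel on Windows, not the web application) answers in the ServerHello with the highest version both sides support, or aborts the handshake. The script below is an added example, not code from the post or from PayPal; it builds a constructed ClientHello with exactly that split (record version 0x0301, client_version 0x0303), parses both fields and the offered cipher suites the way Wireshark displays them, and models the server's version choice. The sample bytes, cipher suite list and the server limits are assumptions for illustration.

```python
import struct

# Human-readable names for the version codes seen in Wireshark's "Version" fields.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(record_version, client_version, cipher_suites):
    """Construct a minimal TLS ClientHello record (constructed sample, not a real capture)."""
    body = struct.pack("!H", client_version)          # client_version: highest version the client supports
    body += bytes(32)                                  # 32-byte random (zeros here; constructed)
    body += b"\x00"                                    # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))  # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    # Record header: ContentType handshake (0x16), record-layer version, length.
    return b"\x16" + struct.pack("!H", record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the record-layer version, the handshake client_version and the offered cipher suites."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = struct.unpack("!H", data[1:3])[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    handshake = data[5:5 + record_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                       # skip client_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version, "client_version": client_version, "cipher_suites": suites}


def negotiated_version(client_version, server_min, server_max):
    """Model the server's choice in ServerHello: the highest version both support, else None (handshake fails)."""
    if client_version < server_min:
        return None
    return min(client_version, server_max)


def describe(data, server_min, server_max):
    """Summarise a ClientHello the way a reader of a Wireshark trace would want to see it."""
    info = parse_client_hello(data)
    chosen = negotiated_version(info["client_version"], server_min, server_max)
    return (
        f"record layer says {VERSION_NAMES.get(info['record_version'], hex(info['record_version']))}, "
        f"client offers up to {VERSION_NAMES.get(info['client_version'], hex(info['client_version']))}, "
        f"{len(info['cipher_suites'])} cipher suite(s); "
        + ("server would pick " + VERSION_NAMES[chosen] if chosen else "server would abort: version too low")
    )


if __name__ == "__main__":
    # Constructed sample: record version TLS 1.0, client_version TLS 1.2, two assumed cipher suites.
    hello = build_client_hello(0x0301, 0x0303, [0x002F, 0x0035])
    # Assumed server limits modelling a TLS 1.0-only stack such as the IIS6 server in the post.
    print(describe(hello, server_min=0x0301, server_max=0x0301))
```

Because the version choice happens in the server's TLS stack, a client that advertises TLS 1.2 still reaches a TLS 1.0-only server in one round trip. The parser also lists the offered cipher suites, since a version match alone does not guarantee the handshake completes; comparing that list in the two traces is the next thing to check, and Wireshark shows it under the same ClientHello.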