PayPal PayFlow Link does not Support SNI

Recently we moved our PowerPAC installation to a new server and disabled insecure protocols.  At the same time, we also enabled SNI on the IIS server as that is the standard installation we’ve been using across all our IIS deployments to ease setup and configuration of multiple web applications on the same server.

Server Name Indication (SNI) is nothing new; in fact, it was first implemented over ten years ago.  So we were very surprised when we started getting reports from users that their redirected payments that used PayFlow Link from PayPal stopped working.  Users were being redirected to the PayPal page and were being asked to enter their credit card information, but when they clicked the Pay Now button the system would return them an error message and tell them that their transaction had been voided.

After much searching on the Internet and finally running a packet sniffer on the web server, we came to the conclusion that the PayFlow Link client didn’t support SNI when it attempted to make a call to the postback URL that was specified in the Link configuration.  After disabling SNI on that server and moving back to “old” IP-based SSL certificates, the transactions began processing properly again.  We’ve reached out to PayPal and asked them when they plan on supporting SNI.

We decided to post this in case there were others struggling with this issue as we couldn’t find any documentation on the Internet that mentioned that the postback client used in PayFlow Link does NOT support SNI.  If we hear back from PayPal that there is a configuration option, we’ll be sure to update this post.