Stripe WebHooks don’t work with TLS

Update 2013-09-10: Stripe are aware of the problem and upgrading some systems to fix it. I’ll update again when it is fixed.

This is just here in case someone else googles for it…

I recently tried to increase the security of my server, which I use Stripe on for payments. I followed the recommendations on my earlier blog post about Nginx and Perfect Forward Secrecy, along with some additions recommended by SSLLabs. One of those was to set the ssl_protocols to TLSv1 TLSv1.1 TLSv1.2 only, effectively turning off SSL. TLSv1 came out in 1999, so everything should support it (IE6 doesn’t, but who cares?).

Only problem: turning off SSLv3 broke Stripe webhooks. They do not support TLS.

I’ve tweeted at them, so hopefully they’ll see that and address this issue, either by fixing it or by documenting it. In the meantime you can just re-enable SSLv3 in the ssl_protocols line.
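
A check worth running before removing a protocol from ssl_protocols, added here as an example and not part of the original post: tally which clients still negotiate it, using nginx's $ssl_protocol log variable. The log format, addresses and user-agent strings below are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx log format (an assumption, not from the original post):
#   log_format tls '$remote_addr "$http_user_agent" $ssl_protocol $ssl_cipher';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<agent>[^"]*)" (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Constructed sample lines; addresses and user agents are placeholders.
SAMPLE_LOG = """\
192.0.2.10 "Mozilla/5.0 (X11; Linux x86_64)" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 "ExampleWebhookSender/1.0" SSLv3 AES256-SHA
198.51.100.7 "ExampleWebhookSender/1.0" SSLv3 AES256-SHA
192.0.2.44 "Mozilla/4.0 (compatible; MSIE 8.0)" TLSv1 AES128-SHA
not a log line
"""


def clients_broken_by(lines, allowed_protocols):
    """Return {user_agent: {protocol: hits}} for requests whose negotiated
    protocol is NOT in allowed_protocols, i.e. the clients that would fail
    to connect once ssl_protocols is restricted to that list."""
    allowed = set(allowed_protocols)
    broken = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line, or no protocol field recorded
        proto = m.group("proto")
        if proto not in allowed:
            broken[m.group("agent")][proto] += 1
    return {agent: dict(hits) for agent, hits in broken.items()}


if __name__ == "__main__":
    planned = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # the setting described above
    report = clients_broken_by(SAMPLE_LOG.splitlines(), planned)
    for agent, hits in report.items():
        print(f"{agent}: {hits}")
```

An empty report over a representative stretch of traffic means nothing logged still depends on the protocol being removed.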

