
The SSL In OsCommerce Guide For The Innocent


402 replies to this topic

#1   Simplyeasier

Simplyeasier
  • Members
  • 966 posts
  • Real Name:Charles Kangethe
  • Location:Suffolk, England

Posted 16 May 2005 - 11:14 AM

What is (or Isn't) SSL ?

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL but the most prevalent one today is 128 bit encryption, but watch out 256 bit encryption is on its way !

For an e-trader, SSL encryption protects your customers' transaction details as they are passed back and forth between their browser and your server \ domain. The data encryption happens at one end using a key and is deciphered at the other end using an equivalent key. The permutations for how data can be encrypted are astronomical making it virtually theft and interference proof during transit.

SSL DOES NOT PROTECT your server from attacks, nor your admin or catalog from malicious hacks. In order to protect your server and files you need to use facilities such as firewalls, virus checkers, Apache and IIS user and password protection for directories and files.

Why Do I Need SSL ?

You need SSL if you are selling to the public for two very good reasons.

1) Your customers expect it - As surfers become more sophisticated they look at your site and want to make sure their details will be safe should they order products. SSL seals are part - but a big part - of that reassurance process. If the choice between two sites comes down to which offers transaction security - do you want to be the site that misses out ?

2) Even if you have unsophisticated customers who do not look for SSL encryption before they buy - if the data they send you is intercepted and misused - you could end up facing heavy lawsuits for, amongst many other things, negligence. This is a small possibility - but do you want to take the risk ?

How Does SSL Work With OsCommerce ?

The workings of SSL with osCommerce are quite straightforward.
Once your SSL is installed (see sections below), you set the configuration paths for https:// in catalog/includes/configure.php and admin/includes/configure.php, enable SSL and the code takes care of the rest.

If you look through the code you will see example after example of statements that refer to SSL where osC is making a decision based on request type as to whether to display the secured or non secured pages.

In short, neither you nor your customers have to type https:// into the address line to get to secure pages. osCommerce will identify from the configuration if SSL is installed and direct browsers to the correct page depending on what the browser is doing on your site.

How Do I Get SSL ?

1) Surf and find a certificate issuer you feel happy with, where you buy your SSL certificate for a period of time (1 year, 2 years etc.)

Things to look out for are

a) They own or have a trusted root in most browsers.

All browsers come pre-installed with so called Trusted roots.

These prevent Joe Shmoe and his cousin Joe Bloggs from issuing worthless certificates that cannot do the encrypting to unsuspecting buyers.

To see trusted roots if you use IE go to Internet Options under tools and select the content tab where you will see in the middle section all the trusted root certs installed on IE and their issuers.

b) If they don't have a trusted root in most browsers make sure they have a cert known as a chaining cert that links whatever they sell to you with a trusted root.

What is the difference -

Trusted root sellers are EXPENSIVE and very well recognised brands.

Chaining certs are affordable - They are still 128 bit encryption hence no less secure - but the brands are less well known.

2) Get your host to raise a CSR (Certificate Signing Request) - To do this the host will need certain information from you, especially if they are not also your registrar, such as your domain's registered administrator. This info will be required by the SSL issuer. Along with the CSR they also generate a key that will be used to encrypt and decipher data transmissions from your server \ domain.

Things to look out for are

Your certificate will encrypt data in a very precise way - if the cert is issued to www.yourdomain.com it will NOT encrypt transfers between yourdomain.com and browsers and vice versa.

So make sure you instruct your host to get the CSR raised with the correct AND full name of the domain you want to be encrypted.

I normally use the domain name without the www. qualifier because servers for a number of reasons can strip the www. off, but I have yet to see a server add it on without a deliberate redirect.

3) Send the CSR to your cert issuer who will vet the details and write to the administrator noted when the CSR was raised.

4) Assuming you are the administrator of your domain - you will have to acknowledge the mail from the issuer and OK the SSL.

5) The issuer will raise a SSL cert and send it to you. If you are using a chaining issuer they will also send a chain certificate.

6) Send these to your host who will install as follows:
a) The SSL cert will be installed in a directory on your server along with the chaining certificate if applicable.
b) They will also install the key they generated in step 2 above.
c) They will then add certain statements known as directives to your Apache configuration files. These tell Apache that the site has SSL encryption certification.

Making SSL Work With The Catalog and Admin

In order to make SSL work with osCommerce you need to set the correct configuration paths in

a) catalog/includes/configure.php

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
  define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');
  define('HTTP_COOKIE_PATH', '/catalog/');
  define('HTTPS_COOKIE_PATH', '/catalog/');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_WS_HTTPS_CATALOG', '/catalog/');

b) admin/includes/configure.php

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');
  define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

* Note the assumptions above - The certificate was issued WITHOUT the www. qualifier and this shop is installed in Catalog directory ONE level below root.

In normal working - these changes above will result in a small padlock being shown in the bottom right of your browser status bar when you navigate to a secure page AND your address line will show the https:// URL instead of http://

Trouble Shooting

1) Security Alert

The alert box says info you exchange with this site cannot be viewed or changed by others. However there is a problem with the site's security certificate.

The box has 3 levels of alert

a) The certificate is from a trusted certifying authority - Green tick for good or Red cross for bad will show
b) The security certificate date is valid - Green tick for good or Red cross for bad will show
c) The name on the security certificate is invalid or does not match the name of the site - Green tick for good or Red cross for bad will show

If the problem is a) then you need to take account of How Do I Get SSL point 1 above !
If the problem is b) you need to extend the certificate's validity - refer to the issuer.
If the problem is c) your certificate has probably been issued with or without the www. and you have used the other spelling in your configure files. Make sure the cert name as issued is used in the configure.php files. (See How Do I Get SSL point 2 above)

2) This page has both secure and insecure items

This alert appears if the secured page the browser is trying to show has objects or references that point to non secured domains.

So for instance if you had a graphical image of credit cards as processed by your gateway and say you were hotlinking to the images with a piece of code such as <img src="http://mycreditcardprocessor.com.....> That image is not on your encrypted domain hence the alert would show.

Often this problem will appear from one or more of three sources

a) Where you are hotlinking images for your products from the wholesalers server
b) objects in your footer
c) objects in your boxes in the columns

3) Page 404 (unavailable)

If you set your site up and during install you chose SSL security WITHOUT having done the steps in here, you may get 404s when you try to access secured pages.

Wrapping Up

1) Self issued certificates

Some people have dedicated servers and even on some shared servers you can raise a self issued SSL certificate. This does everything as above except the certificate root does not exist in browsers. Therefore your site may be secure (although I do not profess to know if self certificates offer 128 bit encryption), BUT your site visitors will ALWAYS get the alert in Trouble Shooting point 1.

Even though the alert says the site is safe, this is perhaps worse than not having a certificate as it alerts people to the fact that there is a problem with the certificate - and people do not like problems !!!

2) Shared SSL certificates

Talk to your host for the path you need to apply in your configure.php paths

Charles

Edited by Simplyeasier, 16 May 2005 - 11:16 AM.

A kite flies highest AGAINST the wind !

"Life should NOT be a journey to the grave with the  intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, a lover in one hand, martini in the other,  body thoroughly used up, totally worn out and screaming ~ WOO HOO!!   What a  ride!"
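The guide says osCommerce decides for itself whether a page goes out over HTTP_SERVER or HTTPS_SERVER. The PHP below is an added illustration of that decision, written for this thread; it is not osCommerce's own code. The constant names mirror the catalog/includes/configure.php values quoted above, the function names are this example's own, and the redirect for sensitive pages is a hardening step the post does not describe.

```php
<?php
// Added illustration, not osCommerce's own code: a small model of how an
// osCommerce-style shop picks HTTP_SERVER or HTTPS_SERVER for a link and how
// it learns whether the current request came in over SSL. Constant names
// mirror catalog/includes/configure.php from the post; function names and
// the list of sensitive pages are this example's own assumptions.

// Constructed configuration matching the post's assumption that the
// certificate was issued WITHOUT the www. qualifier.
define('HTTP_SERVER',          'http://www.yourdomain.com');
define('HTTPS_SERVER',         'https://yourdomain.com');
define('ENABLE_SSL',           true);
define('DIR_WS_HTTP_CATALOG',  '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

// The shop never asks the visitor to type https://; it reads the web
// server's HTTPS variable. $server stands in for $_SERVER here.
function detect_request_type(array $server): string
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return ($https === 'on' || $https === '1') ? 'SSL' : 'NONSSL';
}

// Build a link to a shop page. $connection is 'SSL' for pages that carry
// customer data and 'NONSSL' for everything else. Note the fallback: with
// ENABLE_SSL false, an 'SSL' link quietly becomes a plain http:// link, so
// a shop can appear to work while encrypting nothing.
function shop_link(string $page, string $connection = 'NONSSL'): string
{
    if ($connection === 'SSL' && ENABLE_SSL === true) {
        return HTTPS_SERVER . DIR_WS_HTTPS_CATALOG . $page;
    }
    return HTTP_SERVER . DIR_WS_HTTP_CATALOG . $page;
}

// Hardening step this example adds (the post does not describe it): if a
// sensitive page is requested over plain HTTP while SSL is enabled, return
// the https:// address to redirect to instead of serving the form in clear.
function secure_page_redirect(string $page, array $server): ?string
{
    $sensitive = ['login.php', 'create_account.php',
                  'checkout_shipping.php', 'checkout_payment.php'];
    if (ENABLE_SSL === true
        && in_array($page, $sensitive, true)
        && detect_request_type($server) !== 'SSL') {
        return shop_link($page, 'SSL');
    }
    return null;   // already secure, or not a sensitive page
}

// Constructed requests: one plain, one encrypted.
$plain     = ['HTTPS' => ''];
$encrypted = ['HTTPS' => 'on'];

echo shop_link('product_info.php'), "\n";
echo shop_link('checkout_payment.php', 'SSL'), "\n";
echo detect_request_type($plain), ' / ', detect_request_type($encrypted), "\n";
var_dump(secure_page_redirect('checkout_payment.php', $plain));
var_dump(secure_page_redirect('checkout_payment.php', $encrypted));
```

The point worth checking in a real shop is the fallback in shop_link: if ENABLE_SSL is left false, every 'SSL' link degrades to http:// without any error, so the padlock described above never appears and nothing in the checkout is encrypted.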

#2   gazb

gazb
  • Members
  • 46 posts
  • Real Name:Gaz

Posted 17 May 2005 - 04:26 PM

Thanks Charles - that's very useful!

#3   ohduh!

ohduh!
  • Members
  • 85 posts
  • Real Name:Cindy

Posted 18 May 2005 - 05:25 AM

This page has both secure and insecure items

Ok, if the problem is say, the footers, how does one go about fixing it?

#4   Simplyeasier

Simplyeasier
  • Members
  • 966 posts
  • Real Name:Charles Kangethe
  • Location:Suffolk, England

Posted 18 May 2005 - 07:10 AM

ohduh!, on May 18 2005, 06:25 AM, said:

This page has both secure and insecure items

Ok, if the problem is say, the footers, how does one go about fixing it?




If the problem is an image you are hotlinking :) you need to ask the owner if you can have access to the image - place it in your own images directory under the encrypted domain and then change the path in your footer so that it now references the image in your domain.

If you have for instance a visitor counter that goes back to the counter owner's server to process info - you may be able to construct an if/else statement around the counter using php such that if the $request_type is SSL then do not go to the counter owner's site.

I am not a PHP coder, but in one of my stores I have google ads and in order to show these the script has to go back to google - not on my domain - therefore a problem.

So I use the following construct to prevent google ads from showing if the browser is on a secure page

<?php
if ($request_type != 'SSL') {
?>
.....
.....
.....
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
.....
.....
<?php
}
?>

Charles

#5   Mighty Mike

Mighty Mike
  • Members
  • 343 posts
  • Real Name:Mike
  • Location:always lost

Posted 18 May 2005 - 01:49 PM

Thanks Charles

Very informative thread and I have put it on "track".
I am sure this will help me out when I come to installing SSL.

Am looking at going with thawte, anybody else use them, good or bad?

Cheers

Mike

#6   fbernall

fbernall
  • Members
  • 3 posts
  • Real Name:Fernando Bernall

Posted 18 May 2005 - 04:28 PM

I too have learned a great deal as I'm in the process of tackling this issue on my shop.

Thanks.

fernando

#7   Simplyeasier

Simplyeasier
  • Members
  • 966 posts
  • Real Name:Charles Kangethe
  • Location:Suffolk, England

Posted 18 May 2005 - 04:54 PM

Mighty Mike, on May 18 2005, 02:49 PM, said:

Thanks Charles

Very informative thread and have put it on "track"
I am sure this will help me out when i come to installing SSL.

Am looking at going with thawte, anybody else use them, good or bad?

Cheers

Mike



Hi Mike

Your named issuer is a heavyweight in the SSL world. But their technology is not necessarily better \ stronger \ more effective than a chaining cert issuer - as long as they also use 128 bit encryption.

Charles

#8   Vger

Vger
  • Members
  • 16,978 posts
  • Real Name:R Anthony
  • Gender:Not Telling

Posted 18 May 2005 - 11:17 PM

Yes Charles, it is a good thread and thanks for posting it.

Personally I would not advise anyone to go with a chained ssl cert.  I know they are cheap but the providers themselves say they are only suitable for low-usage sites with no more than 3-4 users in the https areas on the site at any one time.  I think most web owners will aspire to having more users than that.  With full ssl's costing only $39 a year it's not worth going down the chained ssl route.

Two things to point out - some hosts will not allow you to install ssl with them, and on a shared server you will need to also have a dedicated ip address to run a full ssl cert.

Vger

Edited by Vger, 18 May 2005 - 11:18 PM.


#9   siol

siol
  • Members
  • 14 posts
  • Real Name:Mark

Posted 19 May 2005 - 10:08 AM

Simplyeasier, on May 18 2005, 09:10 AM, said:

If you have for instance a visitor counter that goes back to the counter owners server to process info - you may be able to construct an if else statement around the counter using php such that if the $request_type is SSL then do not go to the counter owners site.

Does this apply to regular (non-image) links too?
For example, when you're checking out you still see the product categories and links on the left (catalog). Links seem to point to non-SSL pages.

Someone recommended I move my entire site to SSL, but I'm afraid it will increase the load too much and make it slow.

#10   Simplyeasier

Simplyeasier
  • Members
  • 966 posts
  • Real Name:Charles Kangethe
  • Location:Suffolk, England

Posted 19 May 2005 - 12:32 PM

siol, on May 19 2005, 11:08 AM, said:

Does this apply to regular (non-image) links too?
For example, when you're checking out you still see the product categories
and links on the left (catalog). Links seem to point to non-SSL page.
Someone recommended I move my entire site to SSl, but I'm afraid it will
increase the load too much and make it slow.




As long as the links are on www.yourdomain.com this should not be a problem.

The problems arise when you have anything that looks like <a href="http://www.notmydomain.com...> or <img src="http://www.notmydomain.com...>

Charles

#11   Fourbit

Fourbit
  • Members
  • 96 posts
  • Real Name:Paul
  • Location:Montanan

Posted 19 May 2005 - 03:21 PM

Simplyeasier, on May 19 2005, 05:32 AM, said:

As long as the links are on www.yourdomain.com this should not be a problem.

The problems arise when you have anything that looks like <a href="http://www.notmydomain.com...> or <img src="http://www.notmydomain.com...>

Charles



Excellent thread Charles.

If I'm not mistaken, aren't the <a href="http://www.notmydomain.com...> tags fine? You are not accessing anything else with that code. You are just setting up a link. Now, if you had a ...src="http://www.notmydomain.com/images/someimage...."> in that tag or in a css file that the tag uses, then that would cause a problem.

Another problem I came across that I haven't seen much is the <link > tag. Watch what is put in there. It will cause the same problem.

Again, very helpful thread.
Paul

#12   pppao

pppao
  • Members
  • 5 posts
  • Real Name:ly

Posted 20 May 2005 - 06:16 AM

that's very useful!

#13   frank1002us

frank1002us
  • Members
  • 107 posts
  • Real Name:frank atighehchi

Posted 21 May 2005 - 07:48 PM

Hi all,
I am in the US and was wondering which one is better to go with:
comodo
geotrust
thawte

#14   Mibble

Mibble
  • Members
  • 13,404 posts
  • Real Name:JAO
  • Location:MA (US): 42n22, 71w04, Massachusetts

Posted 21 May 2005 - 08:49 PM

All three work well, the instant certificate works, but does not validate to your merchant account that you are who you say you are.  You have to go with the next step up to have the validation.
John Oligario


#15   Reesy

Reesy
  • Members
  • 375 posts
  • Real Name:James

Posted 22 May 2005 - 06:06 AM

Fourbit, on May 19 2005, 03:21 PM, said:

Excellent thread Charles.

If I'm not mistaken. Aren't the <a href="http://www.notmy domain.com...> tags fine? You are not accessing anything else with that code. You are just setting up a link. Now, if you had a ...src="http://www.notmydomain.com/images/someimage...."> in that tag or in a css file that the tag uses, then that would cause a problem.

Another problem I came across that I haven't seen much is the <link > tag. Watch what is put in there. It will cause the same problem.

Again, very helpful thread.
Paul



The problem of getting a security message is because of the http bit in the URL. As soon as you go to a secure page this will change to https and any images that are linked as http://www.somethingorother.com will cause the security message to be displayed.
As Charles says if you remove the http bit and just link to www.somethingorother.com it will be fine.
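Posts #4, #10, #11 and #15 between them list what does and does not trigger the "both secure and insecure items" alert: hotlinked images, third-party scripts, stylesheets pulled in through <link> or CSS, but not a plain <a href>. The PHP below is an added example written for this thread (not code from any poster or from osCommerce) that scans a block of HTML and reports every sub-resource still fetched over plain http://; the constructed footer fragment, the function name and the constant name are this example's own.

```php
<?php
// Added example, not code from the thread: scan a block of HTML the way a
// browser on an https:// page would, and list every sub-resource that is
// still fetched over plain http:// (the cause of the "both secure and
// insecure items" alert). Function and constant names are this example's own.

// Elements whose URL attribute the browser fetches while rendering the page.
// <a href> is deliberately absent: a link is only followed on click, so it
// does not make the page mixed. Stylesheets, scripts and frames are "active"
// content (they can change the page); images are "passive".
const SUBRESOURCE_ATTRS = [
    'img'    => 'src',
    'script' => 'src',
    'link'   => 'href',
    'iframe' => 'src',
    'embed'  => 'src',
    'object' => 'data',
];

function find_insecure_subresources(string $html): array
{
    $findings = [];
    foreach (SUBRESOURCE_ATTRS as $tag => $attr) {
        // <tag ... attr="value"> with either quote style or none
        $pattern = '/<' . $tag . '\b[^>]*?\b' . $attr . '\s*=\s*["\']?([^"\'\s>]+)/i';
        preg_match_all($pattern, $html, $matches, PREG_SET_ORDER);
        foreach ($matches as $m) {
            $url = $m[1];
            // https:// and protocol-relative (//host/...) URLs are fine;
            // relative paths inherit the page's scheme and are fine too.
            if (preg_match('#^http://#i', $url)) {
                $findings[] = [
                    'tag'      => $tag,
                    'url'      => $url,
                    'severity' => ($tag === 'img') ? 'passive' : 'active',
                ];
            }
        }
    }
    // Background images pulled in through inline CSS count as well.
    preg_match_all('/url\(\s*["\']?(http:\/\/[^"\')\s]+)/i', $html, $matches);
    foreach ($matches[1] as $url) {
        $findings[] = ['tag' => 'css url()', 'url' => $url, 'severity' => 'passive'];
    }
    return $findings;
}

// Constructed footer fragment exercising each case from the thread.
$footer = <<<'HTML'
<div id="footer" style="background: url(http://www.example.net/bg.gif)">
  <img src="/catalog/images/logo.gif" alt="own image, relative path">
  <img src="http://www.wholesaler.example/images/widget.jpg" alt="hotlinked">
  <img src="//cdn.example.net/cards.png" alt="protocol-relative">
  <script type="text/javascript"
          src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
  <link rel="stylesheet" href="http://www.example.net/footer.css">
  <a href="http://www.notmydomain.example/">a plain link does not count</a>
</div>
HTML;

foreach (find_insecure_subresources($footer) as $f) {
    printf("%-7s <%s> %s\n", $f['severity'], $f['tag'], $f['url']);
}
```

The "active" findings are the ones to fix first: a script or stylesheet loaded over plain http:// into a checkout page can rewrite the page, whereas a hotlinked image only leaks that the page was viewed. The remedy is the one Charles gives in post #4: host the asset under your own encrypted domain and reference it with a relative path, or, for something that must stay on a third party's server, only emit it when $request_type is not 'SSL'.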

#16   mrfield

mrfield
  • Members
  • 17 posts
  • Real Name:George Hoarafas

Posted 26 May 2005 - 10:40 AM

Hi. I have installed my osCommerce in a different directory: www.greekfurniture.gr/e-shopgr. I have already bought my SSL and it is installed. What do I have to do to make it work with osCommerce? I have tried the directions with configure.php and admin configure.php, but I got the message that the page does not exist. Do I have to edit something or add to my https folder? I'm asking because if I try to go to https://greekfurniture.gr I get the message: This is the placeholder for domain greekfurniture.gr. If you see this page after uploading site content you probably have not replaced the index.html file.This page has been automatically generated by eunet.com.gr server.
Who can help me with the right steps to do it? Please help. :'(

Edited by mrfield, 26 May 2005 - 10:43 AM.


#17   jtr24

jtr24
  • Members
  • 30 posts
  • Real Name:Justin Robinson
  • Location:USA

Posted 12 June 2005 - 12:51 AM

I changed all of that but it says "The page cannot be displayed": the refresh page. Please help, any suggestions?

#18   jtr24

jtr24
  • Members
  • 30 posts
  • Real Name:Justin Robinson
  • Location:USA

Posted 13 June 2005 - 02:05 AM

catalog/includes/configure.php

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://ezpregnancytest.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.ezpregnancytest.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'ezpregnancytest.com');
  define('HTTPS_COOKIE_DOMAIN', 'ezpregnancytest.com');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');

Does anybody see anything wrong with my code? I might have installed my SSL Cert wrong (I'm a newb)  :(  Anybody know how to do it in cPanel?

#19   Simplyeasier

Simplyeasier
  • Members
  • 966 posts
  • Real Name:Charles Kangethe
  • Location:Suffolk, England

Posted 13 June 2005 - 04:27 PM

jtr24, on Jun 13 2005, 03:05 AM, said:

catalog/includes/configure.php

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://ezpregnancytest.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.ezpregnancytest.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'ezpregnancytest.com');
  define('HTTPS_COOKIE_DOMAIN', 'ezpregnancytest.com');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
  define('DIR_WS_IMAGES', 'images/');

does anybody see anything wrong with my code? I might have installed my SSL Cert wrong (im a newb)  :(  anybody know how to do it in Cpanel?



Did you install the cert yourself on the server ?

Your config looks wrong at first glance - the http server should have www. as a prefix and the https server path should be the full name as issued on your cert, which may or may not include the www.

Also make sure your cookie domains are configured with the correct names as in my original post and in relation to your issued cert name.

Charles

Edited by Simplyeasier, 13 June 2005 - 04:28 PM.

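The diagnosis in post #19, like the configuration section of post #1, comes down to three checks: the host in HTTPS_SERVER must be a name the certificate was actually issued for, the cookie domains must be valid for the hosts they are used with, and ENABLE_SSL must be on. The PHP below is an added example written for this thread (not code from any poster or from osCommerce) that runs those checks over the values jtr24 posted; the thread never says which name his certificate was issued to, so the two certificate name lists are constructed assumptions, and the function names are this example's own.

```php
<?php
// Added example, not code from the thread: a small lint for the SSL-related
// values in catalog/includes/configure.php, run against the settings jtr24
// posted above. The thread never says which name the certificate was issued
// to, so the certificate names below are constructed assumptions; the
// function names are this example's own.

function host_of(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// A certificate name covers a host when it is identical, or when it is a
// wildcard '*.example.com' and the host has exactly one extra label
// (browsers do not accept '*.example.com' for 'example.com' itself).
function cert_covers_host(array $cert_names, string $host): bool
{
    foreach ($cert_names as $name) {
        $name = strtolower($name);
        if ($name === $host) {
            return true;
        }
        if (substr($name, 0, 2) === '*.') {
            $suffix    = substr($name, 1);                   // '.example.com'
            $prefixLen = strlen($host) - strlen($suffix);
            if ($prefixLen > 0
                && substr($host, $prefixLen) === $suffix
                && strpos(substr($host, 0, $prefixLen), '.') === false) {
                return true;
            }
        }
    }
    return false;
}

// A cookie with Domain=example.com is sent to example.com and to any host
// below it; one set for www.example.com is not sent to example.com.
function cookie_domain_fits(string $cookie_domain, string $host): bool
{
    $domain = strtolower(ltrim($cookie_domain, '.'));
    return $host === $domain
        || substr($host, -strlen('.' . $domain)) === '.' . $domain;
}

function lint_ssl_config(array $cfg, array $cert_names): array
{
    $problems  = [];
    $httpHost  = host_of($cfg['HTTP_SERVER']);
    $httpsHost = host_of($cfg['HTTPS_SERVER']);

    if (parse_url($cfg['HTTPS_SERVER'], PHP_URL_SCHEME) !== 'https') {
        $problems[] = 'HTTPS_SERVER does not start with https://';
    }
    if (empty($cfg['ENABLE_SSL'])) {
        $problems[] = 'ENABLE_SSL is off: checkout pages will be served in clear';
    }
    if ($httpsHost !== null && !cert_covers_host($cert_names, $httpsHost)) {
        $problems[] = 'certificate (' . implode(', ', $cert_names) . ') does not cover '
                    . "HTTPS_SERVER host $httpsHost: browsers will report a name mismatch";
    }
    foreach (['HTTP' => $httpHost, 'HTTPS' => $httpsHost] as $prefix => $host) {
        $domain = $cfg[$prefix . '_COOKIE_DOMAIN'];
        if ($host !== null && !cookie_domain_fits($domain, $host)) {
            $problems[] = "{$prefix}_COOKIE_DOMAIN '$domain' is not valid for host $host: "
                        . 'browsers will drop the session cookie';
        }
    }
    // A session cookie set while browsing over HTTP must also reach the HTTPS
    // host, or the shop has to carry the session id in the URL when the
    // customer crosses into checkout.
    if ($httpsHost !== null && !cookie_domain_fits($cfg['HTTP_COOKIE_DOMAIN'], $httpsHost)) {
        $problems[] = "session cookie for HTTP_COOKIE_DOMAIN '{$cfg['HTTP_COOKIE_DOMAIN']}' "
                    . "will not be sent to $httpsHost; the session id ends up in the URL";
    }
    return $problems;
}

// jtr24's values from the post above.
$cfg = [
    'HTTP_SERVER'         => 'http://ezpregnancytest.com',
    'HTTPS_SERVER'        => 'https://www.ezpregnancytest.com',
    'ENABLE_SSL'          => true,
    'HTTP_COOKIE_DOMAIN'  => 'ezpregnancytest.com',
    'HTTPS_COOKIE_DOMAIN' => 'ezpregnancytest.com',
];

// Constructed assumption 1: the certificate was issued to the bare domain only.
print_r(lint_ssl_config($cfg, ['ezpregnancytest.com']));
// Constructed assumption 2: the certificate covers both spellings.
print_r(lint_ssl_config($cfg, ['www.ezpregnancytest.com', 'ezpregnancytest.com']));
```

With the first assumption the lint reports only the name mismatch, which is the Trouble Shooting point 1 c) alert from the guide; with the second it reports nothing. Running it against the www./non-www. mix shown in post #1 instead flags the last check: a session cookie set for www.yourdomain.com is not sent to yourdomain.com, and osCommerce copes with that by putting the session id in the URL when the two cookie domains differ, which is worth knowing before choosing which spelling the certificate is issued for.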

#20   BlackSheep

BlackSheep
  • Members
  • 90 posts
  • Real Name:Jason Church

Posted 13 June 2005 - 05:04 PM

Thank you, very informative post.