485 replies to this topic

[captneil]

The "s" is for "secure".  http:// addresses are not secure.
https:// addresses are secure.
-Neil

harryedwards, on Nov 20 2006, 03:09 PM, said:

The difference appears to be in the additional "s" in the http. Your solution calls for the extra "s." Why is that?

[captfc]

Hi Jason,
First off, thanks for the great tutorial! I found it extremely helpful and I have it bookmarked for future use.

I have a quick question for you or any other knowledgeable vet OS Commerce people.

I just installed an SSL certificate on my client's server.

This is what I put on the catalog/includes file
  define('HTTP_SERVER', 'http://lymphedivas.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://lymphedivas.com/catalog/'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', '.lymphedivas.com');
  define('HTTPS_COOKIE_DOMAIN', '.lymphedivas.com');

I realized that the bolded part was necessary after it repeatedly would look for pages like www.lymphedivas.comlogin.php (note lack of slash or catalog/, should read lymphedivas.com/catalog/login.php). I had to add the "/catalog/" for it to find any pages in that folder.

The cart works well on every page and checkout until I go to login, then if you go to login here:
https://lymphedivas.com/catalog/login.php

it will then spit out
https://lymphedivas.com/catalog//catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

Notice the bolded area. In this one instance it adds the "/catalog/"

Any idea of how to tame that? I need it to go to https://lymphedivas.com/catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

Thanks in advance!

Please let me know if I need to add more info.

[captfc]

captfc, on Nov 23 2006, 10:47 PM, said:

Hi Jason,
First off, thanks for the great tutorial! I found it extremely helpful and I have it bookmarked for future use.

I have a quick question for you or any other knowledgeable vet OS Commerce people.

I just installed an SSL certificate on my client's server.

This is what I put on the catalog/includes file
  define('HTTP_SERVER', 'http://lymphedivas.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://lymphedivas.com/catalog/'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', '.lymphedivas.com');
  define('HTTPS_COOKIE_DOMAIN', '.lymphedivas.com');

I realized that the bolded part was necessary after it repeatedly would look for pages like www.lymphedivas.comlogin.php (note lack of slash or catalog/, should read lymphedivas.com/catalog/login.php). I had to add the "/catalog/" for it to find any pages in that folder.

The cart works well on every page and checkout until I go to login, then if you go to login here:
https://lymphedivas.com/catalog/login.php

it will then spit out
https://lymphedivas.com/catalog//catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

Notice the bolded area. In this one instance it adds the "/catalog/"

Any idea of how to tame that? I need it to go to https://lymphedivas.com/catalog/index.php?osCsid=d369e343c6f131a2da71291af49f56df

Thanks in advance!

Please let me know if I need to add more info.

Fixed. Had the wrong extension in the separate config file.

Once again. Thanks a million for the help!

[jandl]

I have a dedicated SSL cert. My hosting company creates 2 directories for me, public_html and public_ssl. HTTP requests are directed to public_html directory and HTTPS requests are directed public_ssl directory. Do I need to install osc in both directories in order for it to switch back and forth?

Thanks in advance.

[jpweber]

Kevin:  it appears that your certificate is issued for www .... so you might want to put your site's configure/includes files all in www.lymphedivas.com, not http://lymphedivas.com.  You could run into some issues with some browsers.

Secondly, on your index page -- I'm not sure if it's catalog/index.php, or catalog/includes/languages/english/index.php ... anyway, somewhere, somehow, you have an http:// link there.  Add an "s" after the http:// ... so it looks like https:// ..... do this for every http:// link, or else you'll get the ol' Bill Gates "do you wish to display nonsecure items?" box every time.

Just add that 's' in your index.php file, wherever the http:// links is.

Good luck.

[jpweber]

Jan ....

You should use your public_html directory.

[jandl]

Thanks for the reply.

That's what I did. But when I go to the checkout page, or any page that requires security, the 'https://www.mydomain.com/pagename.php' URL is fetched, and I get a 'not found' error, 'cause pagename.php is not found under public_ssl directory. Do I need to move all the secure pages to public_ssl?

jpweber, on Nov 28 2006, 02:10 PM, said:

Jan ....

You should use your public_html directory.

[jhande]

jpweber, on Oct 31 2006, 04:47 PM, said:

Special note to shared SSL users, in particular bluehost users.  Now I don't really recommend Shared SSL, although it's worked for many.  I'd prefer the real thing.  Anyway, with bluehost, your config files would look like this (note: "username" refers to the username given to you by Bluehost):

So search the web, or call your host -- but if you're going through Bluehost, you already know now.  Good luck!

Thank you Jason for the great tutorial on SSL.

But I must ask you, I am using Bluehost for my server. Do I "have" to use a Shared SSL or can I get the real thing?

I would like to follow your instructions and be as secure as possible.

TIA,

[jpweber]

jhande, on Nov 30 2006, 06:10 PM, said:

Thank you Jason for the great tutorial on SSL.

But I must ask you, I am using Bluehost for my server. Do I "have" to use a Shared SSL or can I get the real thing?

I would like to follow your instructions and be as secure as possible.

TIA,

Jean -- your secure pages (checkout, login, create account, etc.) should remain where they are.

Tia, you can use the bluehost shared SSL -- but you don't have to, no.  But the bluehost shared SSL should be secure.  If you want your URL's to be like .... https://www.yourdomain.com instead of https://secure.bluehost.com/~username/, etc., when a customer goes to a secured page like login, create account, or checkout, then yes, go with some type of RapidSSL or QuickSSL or something like that.  I'm not supposed to recommend particular brands openly in these forums, 'cause that's considered "soliciting" or whatever.  Regardless, shared with Bluehost will still be secure, and if it's cheap (or costs nothing), and you're on a budget, there's nothing wrong with it.

[jhande]

jpweber, on Nov 30 2006, 05:18 PM, said:

Jim, you can use the bluehost shared SSL -- but you don't have to, no.  But the bluehost shared SSL should be secure.  If you want your URL's to be like .... https://www.yourdomain.com instead of https://secure.bluehost.com/~username/, etc., when a customer goes to a secured page like login, create account, or checkout, then yes, go with some type of RapidSSL or QuickSSL or something like that.  I'm not supposed to recommend particular brands openly in these forums, 'cause that's considered "soliciting" or whatever.  Regardless, shared with Bluehost will still be secure, and if it's cheap (or costs nothing), and you're on a budget, there's nothing wrong with it.

I think I have it now Jason, I should have mentioned I am a newbie at all this.  
So when a customer goes to my site - http://handeshobbies.com/catalog/ and they head to a page that needs to be secure, instead of the URL address bar showing - https://secure.bluehost.com/~username/ it will stay as http://handeshobbies.com/catalog/whateverpage if I use a NON-Shared SSL. Did I follow along correctly?

I appreciate the help,
Jim

[jpweber]

Yes ... with shared ssl, when a customer goes to login, it will look like https://secure.bluehost.com/~handeshobbies/catalog/login.php ...

With an independently-boughten SSL, like RapidSSL or QuickSSL (among others), when a customer goes to login, it will look like https://handeshobbies.com/catalog/login.php, or https://www.handeshobbies.com/catalog/login.php ...

[jhande]

Thank you very much for helping me out Jason.

I truely appreciate it!



Jim

[HallMarc]

jpweber, on Nov 14 2006, 12:50 PM, said:

Furthermore, let's take a look at your catalog/admin/index.php.  You will have coding in there that looks like this:
if (getenv('HTTPS') == 'on') {
$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');
$contents[] = array('params' => 'class="infoBox"',
'text' => tep_image(DIR_WS_ICONS . 'locked.gif', ICON_LOCKED, '', '', 'align="right"') . sprintf(BOX_CONNECTION_PROTECTED, $size));
} else {
$contents[] = array('params' => 'class="infoBox"',
'text' => tep_image(DIR_WS_ICONS . 'unlocked.gif', ICON_UNLOCKED, '', '', 'align="right"') . BOX_CONNECTION_UNPROTECTED);
}

......... As to the wording of the message, I've yet to use a server which actually returns anything for (getenv('SSL_CIPHER_ALGKEYSIZE') so the message will be the one that BOX_CONNECTION_UNKNOWN points to in your language file.

I have finally conquered this little beast; well at last as far as any Linux boxes running Apache & PHP 4.4.4

Apache environment not making the ModSSL environment variables available to virtual accounts, probably to cut down on the overhead. The solution is to add the following line to the catalog/admin/.htaccess file:

SSLOptions +CompatEnvVars

This now opens all of these variables to use

SSL_KEYSIZE <--this is the one we need!
HTTPS_SECRETKEYSIZE
SSL_EXPORT
SSL_PROTOCOL_VERSION
SSL_SECRETKEYSIZE
SSL_SERVER_C
SSL_SERVER_CERT_START
SSL_SERVER_CERT_END
SSL_SERVER_CERT_SERIAL
SSL_SERVER_CERTIFICATE
SSL_SERVER_CN
SSL_SERVER_DN
SSL_SERVER_IC
SSL_SERVER_ICN
SSL_SERVER_IDN
SSL_SERVER_IO
SSL_SERVER_IOU
SSL_SERVER_ISP
SSL_SERVER_L
SSL_SERVER_O
SSL_SERVER_OU
SSL_SERVER_SIGNATURE_ALGORITHM
SSL_SERVER_SP
SSL_SSLEAY_VERSION

Now open your catalog/admin/index.php and...

find near line 180 this code:

	$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

and replace with this:

	$size = (($_SERVER['SSL_KEYSIZE']) ? $_SERVER['SSL_KEYSIZE'] . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

Now, when you view the index page in your admin section it will read:
You are protected by a 128-bit secure SSL connection. or whatever your SSL strength is.

[ollyno1uk2]

Hi there

I now have an SSL certificate however reading these instructions I fear I may have some bits missing from my config file. Can someone take a look?

  define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', false); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.jbosolutions.co.uk');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '');

Is this correct? and if so should I just fill in my site address where it is not present?

Thanks a lot

[jpweber]

define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.jbosolutions.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.jbosolutions.co.uk');
define('HTTPS_COOKIE_DOMAIN', '/');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

[ollyno1uk2]

jpweber, on Dec 4 2006, 02:13 PM, said:

define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.jbosolutions.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.jbosolutions.co.uk');
define('HTTPS_COOKIE_DOMAIN', '/');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');

Thanks very much for getting back so quickly.

I will begin to implement the changes

[ollyno1uk2]

Ok

I have carried out the changes in the first configure.php

define('HTTPS_SERVER', 'https://www.jbosolutions.co.uk'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', '.jbosolutions.co.uk');
  define('HTTPS_COOKIE_DOMAIN', '/');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '');

should I have anything in the https_cookie_path?

now I come to admin and I find this:

define('HTTP_SERVER', 'http://www.jbosolutions.co.uk'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.jbosolutions.co.uk');
  define('HTTPS_CATALOG_SERVER', '');
  define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module

is the SSL I need to set to true the catalog one or am i missing something?

Thanks for your help

Edited by ollyno1uk2, 05 December 2006 - 11:44 AM.

[jpweber]

If in fact you have purchased SSL, and your host installed it, then yes, set it to 'true' and define the servers and paths as mentioned i my post above.

[ollyno1uk2]

jpweber, on Dec 5 2006, 01:10 PM, said:

If in fact you have purchased SSL, and your host installed it, then yes, set it to 'true' and define the servers and paths as mentioned i my post above.

Yes my host did install it, as long asI am not missing anything I will just add in the paths. It was the https_cookie path but i will leave that as it is.

Thanks for your help.

[ollyno1uk2]

I seem to be running into difficulty installing my ssl.

When I follow what is listed and click on 'my'account' on my main page it goes to

https://www.jbosolutions.co.ukaccount.php/?...c94764f43f3d072

even if I add the / in the place it should be it goes to page cannot be displayed.


Where have I gone wrong?

thanks