Jump to content



Photo
- - - - -

SSL Implementation Help


  • Please log in to reply
414 replies to this topic

#1   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 17 April 2009 - 01:29

A thread dedicated to those with problems implementing SSL in their stores.

First stop: Read this:

How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straighforward instructions

That thread contains the basics on modifying your /includes/configure.php file to enable SSL.

Common mistakes YOU can make that prevent SSL from working:

1. Forgetting to make the HTTPS_SERVER define with https in the URL.
Correct:

define('HTTPS_SERVER', 'https://yourdomain.com');
Incorrect:

define('HTTPS_SERVER', 'http://yourdomain.com');
If you can't see the difference - LOOK CLOSER!

2. Forgetting to enable SSL in the configure file.
This turns it ON:

define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
This turns it OFF:

define('ENABLE_SSL', 'false'); // secure webserver for checkout procedure?
3. Modifying the configure file on your local PC then NOT making sure the new one gets to the store website.
If you modify it locally and use FTP, Dreamweaver, Frontpage, or whatever, to transfer it to your site MAKE CERTAIN THE MODIFIED VERSION GETS TO YOUR SITE!!!
Sometimes file permissions can prevent a successful transfer to your website.

4. Not checking for and examining the contents of /includes/local/configure.php if it exists on your site.
This file isn't present on all installs, but if it is, ANYTHING IN IT OVERRRIDES ANYTHING IN THE "NORMAL" CONFIGURE FILE!!
Check for it, and if found examine it's contents.
It may not look like the normal configure file in one respect:

define('ENABLE_SSL', 1);
The define for ENABLE_SSL may have a 1 or a 0 instead of true or false. If so, remember that 1 = true, 0 = false.

OK.

So you've done all that and it still doesn't work. All your images are X!

This probably means osC isn't getting the cue from the server that SSL is active.

The code that tests to see if SSL is active is in /includes/application_top.php around like 41:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
Unfortunately this doesn't work an all servers.

If you're on "1 and 1" Hosting, this usually works:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';
If it's a Windowz server, try this:

// set the type of request (secure or not)
  $request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';
If neither of those are true for you try this:

// set the type of request (secure or not)
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';
Always backup any file on your site before making any edits.

A file that doesn't work quite like you want it to is better than one that won't work at all.

And sometimes none of those settings work.

I've written a few programs to assist in debugging, and implementation of SSL and have made a contribution of them.

I will post a link to it and a brief explanation after it's uploaded.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#2   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 17 April 2009 - 01:43

The contribution:

SSL Help

This contribution has 3 files:

cfgchk.php - Examines your catalog configure file(s) for possible errors that would prevent SSL from working.

myenv.php - A program that displays common server settings used in SSL (the original was not my work- see the credit in the file).

mybigenv.php - A more comprehensive program that displays server settings that might be used in SSL implementation.

There is no "install", just copy the files into your "catalog" folder and access them with your browser.

myenv.php and mybigenv.php both use a javascript popup window so if you have a popup blocker installed you may have to disable it temporarily.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#3   floydax

floydax
  • Members
  • 19 posts
  • Real Name:floyd

Posted 17 April 2009 - 21:34

Thanks for the contribution /smile.gif' class='bbc_emoticon' alt=':)' />

Except for an SSL warning in IE at index.php, my SSL works, but when i ran the myenv.php i got the following:

NONSSL Variables

HTTP HOST: [xxxxx.net]

Server Port: [80]

SSL Status: [Undefined!]

Fowarded Server: [Undefined!]

Fowarded Host: [Undefined!]

Fowarded By: [Undefined!]

$_SERVER['HTTPS']: [Undefined!]


Is this normal?


Kind regards,
floyd.

#4   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 17 April 2009 - 22:02

Looks normal.

So what was in the SSL popup window?
/unsure.gif' class='bbc_emoticon' alt=':unsure:' />

The program produces a small popup window showing the same variables with SSL active (or it tries to anyway).
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#5   floydax

floydax
  • Members
  • 19 posts
  • Real Name:floyd

Posted 17 April 2009 - 23:51

Looks normal.

So what was in the SSL popup window?
/unsure.gif' class='bbc_emoticon' alt=':unsure:' />

The program produces a small popup window showing the same variables with SSL active (or it tries to anyway).


When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items".

I tracked down every component which had http hardcoded, but I still get this warning...

#6   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 17 April 2009 - 23:57

The warning means you have scripts or images loading from HTTP sources in your PHP or your stylesheet.

If you PM me your URL I could find it for you.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#7   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 18 April 2009 - 17:48

When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items".

I tracked down every component which had http hardcoded, but I still get this warning...

That will cause SSL problems.
/ohmy.gif' class='bbc_emoticon' alt=':o' />

Try the same code but with a https URL.
/wink.gif' class='bbc_emoticon' alt=';)' />
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#8   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 19 April 2009 - 18:19

Then after installing SSL you get the dreaded "This page contains secure and nonsecure items" when viewing the site in IE!
/sad.gif' class='bbc_emoticon' alt=':(' />

I've added a file to the package named unsecure.php that you can use to help find the "nonsecure items".

I've tested it on about a dozen different sites/pages and it does an excellent job.

Out of all the posts I've helped find "nonsecure items", this program would probably have worked perfectly on about 98 to 99 percent of the sites.

It's not "bullet-proof", but few programs can make that claim.
/smile.gif' class='bbc_emoticon' alt=':)' />
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#9   bnoisette

bnoisette
  • Members
  • 2 posts
  • Real Name:Brent Noisette

Posted 20 April 2009 - 15:14

I tried all of the suggestions and I still can not get the SSL to work. I do not appear to have a local file so that is not the issue. The only thing I can think of is the SSL cert. is located in the wrong place. My SSL cert is located in under the home root directory. Should it be located in the public_html directory?

#10   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 20 April 2009 - 19:08

Ask your host.

That is dependant on the way the server is setup.

If you want me to take a peek and possibly make recommendations you'll have to post (or PM me) your URL.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#11   floydax

floydax
  • Members
  • 19 posts
  • Real Name:floyd

Posted 21 April 2009 - 17:37

That will cause SSL problems.
/ohmy.gif' class='bbc_emoticon' alt=':o' />

Try the same code but with a https URL.
/wink.gif' class='bbc_emoticon' alt=';)' />


Thanks, it's working now /smile.gif' class='bbc_emoticon' alt=':)' />

#12   rochaesobrinho

rochaesobrinho
  • Members
  • 14 posts
  • Real Name:Paulo

Posted 24 April 2009 - 18:31

Hi Jim,

My SSL implementation was working fine till about one week ago when I had to change the secure address.
I use shared SSL and it seems that every time I access a page through the secure address it tries to load the images and the stylesheet file from the unsecure address and the anoying IE message keep being displayed.
I tried all your tips listed here, but nothing solved this problem :-(.
I would be very grateful if could take a look on my shop and give a reply.

My url is http://www.plixx.com.br/loja/

The secure url is https://plixxcbr.ace...eguro.net/loja/

Thank you in advance,

PS.: Your files cfgchk.php, mybigenv.php, myenv.php and unsecure.php are still on my shop. You can acess then through http://www.plixx.com...loja/cfgchk.php

#13   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 24 April 2009 - 19:59

Well you just uncovered a bug in the code.
/blush.gif' class='bbc_emoticon' alt=':blush:' />

It works on the site I manage flawlessly, but on yours some of the popup windows reload continuously...
/sad.gif' class='bbc_emoticon' alt=':(' />

That would be because the session between HTTP and HTTPS isn't getting shared.
/blink.gif' class='bbc_emoticon' alt=':blink:' />

I'll have to take a look at that.
/wacko.gif' class='bbc_emoticon' alt=':wacko:' />

When I get something together codewise would you be able to test it before I upload it as a new version of the contribution?
/unsure.gif' class='bbc_emoticon' alt=':unsure:' />

Anyway, using the code files I think I have a solution to your problem.

osC isn't recognizing the cue from the server that SSL is "on".

In your /includes/application_top.php find this code:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
Change it to:

// set the type of request (secure or not)
//  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// added nonstandard code 24-apr-09
  $request_type = ($_SERVER['HTTP_HOST'] == 'plixxcbr.acessoseguro.net') ? 'SSL' : 'NONSSL';
BACKUP THE FILE BEFORE MAKING ANY EDITS.

I'll be waiting to hear how things go while I work on a code change to the contribution to prevent continuous page reloads.
/wink.gif' class='bbc_emoticon' alt=';)' />
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#14   rochaesobrinho

rochaesobrinho
  • Members
  • 14 posts
  • Real Name:Paulo

Posted 24 April 2009 - 20:20

Hi Jim,

It is working now!

Thank you so much.

I will be pleased to test a new version of your code. Just let me know when it is ready. As I donĀ“t visit the forum very often you can send me an email if you want. rochaesobrinho@yahoo.com.br

#15   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 25 April 2009 - 17:58

New version uploaded.

Hopefully fixes the continous page reload of the popup.

I did some experimenting and believe it may be a result of incorrect cookie settings in the config file (I can't fix that).

Only time and a few more installs will tell.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#16   rochaesobrinho

rochaesobrinho
  • Members
  • 14 posts
  • Real Name:Paulo

Posted 27 April 2009 - 12:32

Hi Jim,

I've uploaded the new version, but the page keeps reloading.

To check visit: www.plixx.com.br/loja/mybigenv.php

#17   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 27 April 2009 - 19:55

Like my last post said, it might be because of an incorrect cookie setting.

What do you have for this in the configure file:

define('HTTPS_COOKIE_DOMAIN', '');
/unsure.gif' class='bbc_emoticon' alt=':unsure:' />

It (still) works great on my site.

The reason it reloads is the session is lost.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#18   Kysmiley

Kysmiley
  • Members
  • 105 posts
  • Real Name:Patrick McLaughlin

Posted 29 April 2009 - 11:27

Hey there Jim I have a quick question. I am going to embed MP3 songs into my product desc. this coding has a url for a flash player that auto runs so people can hear the songs. How do i set this up with my SSL if the URL is not relative?
Pat

#19   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 29 April 2009 - 21:00

None if the pages with the product description are SSL on osC so it won't matter.

The only ones that should be SSL are login, logout, any of the files dealing with account info or changes, and all the files thru the checkout process.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#20   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 30 April 2009 - 03:17

Uploaded new package.

Changes:

All files display version in the browser.

myenv.php and mybigenv.php don't use session variables any longer (prevents continuous page reloads).

cfgchk.php displays the permissions of the config file(s) and also checks for and displays HTTPS_COOKIE_DOMAIN.

unsecure.php now has a "glib" mode (displays all source HTML ).
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >