403 replies to this topic

[germ]

A thread dedicated to those with problems implementing SSL in their stores.

First stop: Read this:

How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straighforward instructions

That thread contains the basics on modifying your /includes/configure.php file to enable SSL.

Common mistakes YOU can make that prevent SSL from working:

1. Forgetting to make the HTTPS_SERVER define with https in the URL.
   Correct:

  define('HTTPS_SERVER', 'https://yourdomain.com');

   Incorrect:

  define('HTTPS_SERVER', 'http://yourdomain.com');

   If you can't see the difference - LOOK CLOSER!

2. Forgetting to enable SSL in the configure file.
   This turns it ON:

  define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

   This turns it OFF:

  define('ENABLE_SSL', 'false'); // secure webserver for checkout procedure?

3. Modifying the configure file on your local PC then NOT making sure the new one gets to the store website.
   If you modify it locally and use FTP, Dreamweaver, Frontpage, or whatever, to transfer it to your site MAKE CERTAIN THE MODIFIED VERSION GETS TO YOUR SITE!!!
   Sometimes file permissions can prevent a successful transfer to your website.

4. Not checking for and examining the contents of /includes/local/configure.php if it exists on your site.
   This file isn't present on all installs, but if it is, ANYTHING IN IT OVERRRIDES ANYTHING IN THE "NORMAL" CONFIGURE FILE!!
   Check for it, and if found examine it's contents.
   It may not look like the normal configure file in one respect:

  define('ENABLE_SSL', 1);

   The define for ENABLE_SSL may have a 1 or a 0 instead of true or false. If so, remember that 1 = true, 0 = false.

OK.

So you've done all that and it still doesn't work. All your images are X!

This probably means osC isn't getting the cue from the server that SSL is active.

The code that tests to see if SSL is active is in /includes/application_top.php around like 41:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Unfortunately this doesn't work an all servers.

If you're on "1 and 1" Hosting, this usually works:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

If it's a Windowz server, try this:

// set the type of request (secure or not)
  $request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL';

If neither of those are true for you try this:

// set the type of request (secure or not)
$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

Always backup any file on your site before making any edits.

A file that doesn't work quite like you want it to is better than one that won't work at all.

And sometimes none of those settings work.

I've written a few programs to assist in debugging, and implementation of SSL and have made a contribution of them.

I will post a link to it and a brief explanation after it's uploaded.

[germ]

The contribution:

SSL Help

This contribution has 3 files:

cfgchk.php - Examines your catalog configure file(s) for possible errors that would prevent SSL from working.

myenv.php - A program that displays common server settings used in SSL (the original was not my work- see the credit in the file).

mybigenv.php - A more comprehensive program that displays server settings that might be used in SSL implementation.

There is no "install", just copy the files into your "catalog" folder and access them with your browser.

myenv.php and mybigenv.php both use a javascript popup window so if you have a popup blocker installed you may have to disable it temporarily.

[floydax]

Thanks for the contribution

Except for an SSL warning in IE at index.php, my SSL works, but when i ran the myenv.php i got the following:

Quote

NONSSL Variables

HTTP HOST: [xxxxx.net]

Server Port: [80]

SSL Status: [Undefined!]

Fowarded Server: [Undefined!]

Fowarded Host: [Undefined!]

Fowarded By: [Undefined!]

$_SERVER['HTTPS']: [Undefined!]

Is this normal?


Kind regards,
floyd.

[germ]

Looks normal.

So what was in the SSL popup window?


The program produces a small popup window showing the same variables with SSL active (or it tries to anyway).

[floydax]

germ, on Apr 17 2009, 11:02 PM, said:

Looks normal.

So what was in the SSL popup window?


The program produces a small popup window showing the same variables with SSL active (or it tries to anyway).

When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items".

I tracked down every component which had http hardcoded, but I still get this warning...

[germ]

The warning means you have scripts or images loading from HTTP sources in your PHP or your stylesheet.

If you PM me your URL I could find it for you.

[germ]

floydax, on Apr 17 2009, 06:51 PM, said:

When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items".

I tracked down every component which had http hardcoded, but I still get this warning...

<div id="flash_carousel_container">		
	<div id="flash_carousel">
		<a href="http://www.adobe.com/go/getflashplayer">

			[b]<img src="[color="#FF0000"]http:[/color]//www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />[/b]
		</a>
	</div>
</div>

That will cause SSL problems.


Try the same code but with a https URL.

[germ]

Then after installing SSL you get the dreaded "This page contains secure and nonsecure items" when viewing the site in IE!


I've added a file to the package named unsecure.php that you can use to help find the "nonsecure items".

I've tested it on about a dozen different sites/pages and it does an excellent job.

Out of all the posts I've helped find "nonsecure items", this program would probably have worked perfectly on about 98 to 99 percent of the sites.

It's not "bullet-proof", but few programs can make that claim.

[bnoisette]

I tried all of the suggestions and I still can not get the SSL to work.  I do not appear to have a local file so that is not the issue.  The only thing I can think of is the SSL cert. is located in the wrong place.  My SSL cert is located in under the home root directory.  Should it be located in the public_html directory?

[germ]

Ask your host.

That is dependant on the way the server is setup.

If you want me to take a peek and possibly make recommendations you'll have to post (or PM me) your URL.

[floydax]

germ, on Apr 18 2009, 06:48 PM, said:

<div id="flash_carousel_container">		
	<div id="flash_carousel">
		<a href="http://www.adobe.com/go/getflashplayer">

			[b]<img src="[color="#FF0000"]http:[/color]//www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />[/b]
		</a>
	</div>
</div>

That will cause SSL problems.


Try the same code but with a https URL.

Thanks, it's working now

[rochaesobrinho]

Hi Jim,

My SSL implementation was working fine till about one week ago when I had to change the secure address.
I use shared SSL and it seems that every time I access a page through the secure address it tries to load the images and the stylesheet file from the unsecure address and the anoying IE message keep being displayed.
I tried all your tips listed here, but nothing solved this problem :-(.
I would be very grateful if could take a look on my shop and give a reply.

My url is http://www.plixx.com.br/loja/

The secure url is https://plixxcbr.acessoseguro.net/loja/

Thank you in advance,

PS.: Your files cfgchk.php, mybigenv.php, myenv.php and unsecure.php are still on my shop. You can acess then through http://www.plixx.com.br/loja/cfgchk.php

[germ]

Well you just uncovered a bug in the code.


It works on the site I manage flawlessly, but on yours some of the popup windows reload continuously...


That would be because the session between HTTP and HTTPS isn't getting shared.


I'll have to take a look at that.


When I get something together codewise would you be able to test it before I upload it as a new version of the contribution?


Anyway, using the code files I think I have a solution to your problem.

osC isn't recognizing the cue from the server that SSL is "on".

In your /includes/application_top.php find this code:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

Change it to:

// set the type of request (secure or not)
//  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// added nonstandard code 24-apr-09
  $request_type = ($_SERVER['HTTP_HOST'] == 'plixxcbr.acessoseguro.net') ? 'SSL' : 'NONSSL';

BACKUP THE FILE BEFORE MAKING ANY EDITS.

I'll be waiting to hear how things go while I work on a code change to the contribution to prevent continuous page reloads.

[rochaesobrinho]

Hi Jim,

It is working now!

Thank you so much.

I will be pleased to test a new version of your code. Just let me know when it is ready. As I don´t visit the forum very often you can send me an email if you want. rochaesobrinho@yahoo.com.br

[germ]

New version uploaded.

Hopefully fixes the continous page reload of the popup.

I did some experimenting and believe it may be a result of incorrect cookie settings in the config file (I can't fix that).

Only time and a few more installs will tell.

[rochaesobrinho]

Hi Jim,

I've uploaded the new version, but the page keeps reloading.

To check visit: www.plixx.com.br/loja/mybigenv.php

[germ]

Like my last post said, it might be because of an incorrect cookie setting.

What do you have for this in the configure file:

  define('HTTPS_COOKIE_DOMAIN', '');

It (still) works great on my site.

The reason it reloads is the session is lost.

[Kysmiley]

Hey there Jim I have a quick question. I am going to embed MP3 songs into my product desc. this coding has a url for a flash player that auto runs so people can hear the songs. How do i set this up with my SSL if the URL is not relative?
Pat

[germ]

None if the pages with the product description are SSL on osC so it won't matter.

The only ones that should be SSL are login, logout, any of the files dealing with account info or changes, and all the files thru the checkout process.

[germ]

Uploaded new package.

Changes:

All files display version in the browser.

myenv.php and mybigenv.php don't use session variables any longer (prevents continuous page reloads).

cfgchk.php displays the permissions of the config file(s) and also checks for and displays HTTPS_COOKIE_DOMAIN.

unsecure.php now has a "glib" mode (displays all source HTML ).