
detsouvalas

SSL related!


Hi!

 

I compiled a document about SSL and osCommerce, but I think that it needs to be reviewed/commented by the community and eventually to be completed/corrected/adapted! I have pasted it in this message!

 

I compiled a small tutorial about SSL and added some osC specific instructions. I also want to compile a doc with FAQ from the forum, I will post it as soon as it is ready ... hopefully in the day!!

 

 

*******************************************************

Installing SSL to be used with osCommerce 2.2 MS2

 

Introduction

To secure your pages, you need an SSL Certificate. You can buy such a certificate and install it or, for a cheaper start, you ask your hosting company if they can provide you with a Shared SSL server and a certificate.

Then you have to configure osCommerce to use the secure server.


Great! But what's SSL?

SSL stands for Secure Sockets Layer. The SSL protocol is the Web standard for encrypting communications between users and SSL enabled sites. Data sent via an SSL connection is protected by encryption, a mechanism that prevents eavesdropping and tampering with any transmitted data. SSL provides businesses and consumers with the confidence that private data sent to a Web site, such as personal details and credit card numbers, are kept confidential. Web server certificates (also known as secure server certificates or SSL certificates) are required to initialize an SSL session. SSL certificates can be used on webservers for Internet security and mailservers such as imap, pop3 and smtp for mail collection / sending security.

 

What's happening on the client's side when viewing an SSL protected page?

Users know when they have an SSL session with a website when their browser displays the little gold padlock and the address bar begins with a https rather than http. When connecting to a Web server over SSL, the user's browser decides whether or not to trust the website's SSL certificate based on which Certification Authority has issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities - represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft and Netscape). You can access these by opening Internet Explorer, then go to Tools, select Internet Options, select the Content tab, click Certificates, select the Trusted Root Certification Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities who own their own Trusted CA roots (you can examine the root certificate by double clicking it).

 

What do I need to enroll for an SSL Certificate for my web server?

You need a web server that is capable of running SSL and access to the SSL configuration functions of your web server. You may need to speak to your hosting company if you cannot readily identify where these functions are. You also need a Certificate Signing Request (CSR). A CSR is a block of encoded data that is generated by your web server and contains the necessary details about your domain and organization.

 

How do I install my certificate?

Please refer to your hosting company and to the Certification Authority providing the SSL Certificate.

 

I have my SSL certificate installed for my web server and I know where my secure server is located. I want to use it with osCommerce 2.2 ms2. Any ideas?

If you are doing a fresh install of osCommerce 2.2 ms2 it is easy, just fill in the required information about your secure server and activate the use of SSL during install.

If you already have an osCommerce Shop installed and want to add SSL, you need to edit both configuration files and declare that you want to use an SSL. See the following sections for details!

Keep in mind that osCommerce 2.2 ms2 has two configuration files, one for the administration page (located in directory /catalog/admin/includes) and one for the front store (located in directory/folder /catalog/includes).

 

Manually configuring the front store for SSL

Open with a simple text editor the file named configure.php and located in directory /catalog/includes. Find the following statements

 

define('HTTPS_SERVER', '');

define('ENABLE_SSL', false);

define('HTTPS_COOKIE_DOMAIN', '');

define('HTTPS_COOKIE_PATH', '');

 

and change them to look like

 

define('HTTPS_SERVER', 'secure-server.yourdomain.ext');

define('ENABLE_SSL', true);

define('HTTPS_COOKIE_DOMAIN', 'secure-server.yourdomain.ext');

define('HTTPS_COOKIE_PATH', 'catalog/');

 

where secure-server.yourdomain.ext is the location of your secure server, as instructed by your hosting company.

 

Manually configuring the administration page for SSL

Open with a simple text editor the file named configure.php and located in directory /catalog/admin/includes. Find the following statements

 

define('HTTPS_CATALOG_SERVER', '');

define('ENABLE_SSL_CATALOG', 'false');

 

and change them to look like

 

define('HTTPS_CATALOG_SERVER', 'secure-server.yourdomain.ext');

define('ENABLE_SSL_CATALOG', 'true');

 

where secure-server.yourdomain.ext is the location of your secure server, as instructed by your hosting company, and for most cases the same as for the front store.

 

Wow, that was easy! And now I have an SSL protected osCommerce site, right?

Well, ideally yes, you should have a fully functional SSL protected osCommerce site. But you may experience some concerns, depending on your hosting company (and thus mostly not related to osCommerce and its configuration!). And that's the difficult part, because there are many different configurations, almost as many as hosting companies! For more specific help, please search the osCommerce Forum!

*******************************************************


Antonios

 


There are a couple of errors in this. First, HTTPS_SERVER values need to have the protocol (https://) in them as well. Thus, two of the lines should look more like

define('HTTPS_SERVER', 'https://secure-domain-name.tld');

To secure the admin side, you need to change the HTTP_SERVER value, e.g.

define('HTTP_SERVER', 'https://secure-domain-name.tld');

Also, it is worth noting that due to how tep_redirect works, the HTTPS_SERVER and HTTP_SERVER values should map to the same place in the site, for example

define('HTTP_SERVER', 'http://www.domain.tld');
define('HTTPS_SERVER', 'https://shared.ssldomain.tld/~domain');
define('HTTP_COOKIE_DOMAIN', 'www.domain.tld');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_DOMAIN', 'shared.ssldomain.tld');
define('HTTPS_COOKIE_PATH', '/~domain/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

otherwise, the checkout_success.php continue link won't work.

 

Hth,

Matt


Always back up before making changes.

There are a couple of errors in this...

 

 

I've tried everything you guys posted here, but with no luck!? How did you guys do that? I've been working at this for two days now and nothing seems to work for me...whew!

 

Ok..I'm having problems with my "shared SSL Certificate"...with ALL SORTS of problems...I'll give you a quick and dirty rundown. It works, but not the right way, etc.

 

My hosting company has my certificate listed as "https://ssl.shareddomain.net/mydomain.com"

 

This is what I want to do: I don't want my catalog and/or items or ANYTHING secured until either someone logs into their account, or when they check out and buy something. I just don't want my whole website secure...only when needed. When logged in or in the shopping cart, ready to buy, etc. It slows it down way too much if it is throughout the whole site, etc.

 

Here is my complete problem:

 

1. I can surf my shop throughout the catalog, but when logging in it comes up with this error loginerror.JPG

 

2. It DOES switch to ssl when logging in, but I don't want this ERROR to come up..it freaks people out and they might leave...it even freaks me out! Besides, when logging in it goes to unsecure (http:) mode. Why?

 

3. Also, I received this "Warning: I am able to write to the configuration file..." error AGAIN, after I just got done getting rid of it when setting up OSC...configerroragain.JPG

 

Again, I got rid of this error when setting up OSC, but it came back when I recently installed my "Shared SSL Certificate"....

 

Can ANYONE tell me how to do this SSL thing step by step if anything? I did find SOME clues within the forum here, but nothing is REALLY CLEAR or CONCISE??!! I've been messing with this but still having very little or no luck at all!!! :(

 

Ok, I have two configure.php files (we know that right -because we all do?)

So here's my rundown and file setup for each one...can anyone tell me what I'm doing wrong here?

 

I'm going to list both of my configure.php files...so please scroll down to look at both of these...so here we go...

 

1. My 1st configure.php file layout directory is at (...catalog/includes/configure.php):

 

define('HTTP_SERVER', 'http://www.mydomain.com'); //

define('HTTPS_SERVER', 'https://ssl.shareddomain.net/mydomain.com'); //

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');

define('HTTPS_COOKIE_DOMAIN', 'ssl.shareddomain.net');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/mydomain.com/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/*****/htdocs/mydomain.com/catalog/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'mydatabaseserver'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', '*****');

define('DB_SERVER_PASSWORD', '*****');

define('DB_DATABASE', '*****');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

___________________________________END

 

2. My 2nd configure.php file layout directory is at (...catalog/admin/includes/configure.php):

 

 

define('HTTP_SERVER', 'http://www.mydomain.com'); //

define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');

define('HTTPS_CATALOG_SERVER', 'https://ssl.shareddomain.net/mydomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/*****/htdocs/mydomain/catalog/'); //

define('DIR_WS_ADMIN', '/catalog/admin/'); // ('DIR_FS_ADMIN', '/*****/htdocs/mydomain/catalog/admin/'); // absolute path required

define('DIR_WS_CATALOG', '/catalog/'); // absolute path required

define('DIR_FS_CATALOG', '/*****/htdocs/mydomain/catalog/'); // absolute path required

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

// define our database connection

define('DB_SERVER', 'mydatabaseserver'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', '*****');

define('DB_SERVER_PASSWORD', '*****');

define('DB_DATABASE', '*****');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

_________________________END

 

:-"

So, can anyone copy and paste "in colors" what I need to change in all of this mess?

 

Thanks a Bunch to Everyone and Anyone that can HELP....


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin


Anyone Have any Thoughts?

 

Why can I not get rid of the Security Warning when logging into my Website?

 

It goes from NonSSL to SSL, but pops up with a "you're going from secure to non secure" type of warning box!

 

What the heck? :(

 

Gotta be a solution to this somewhere in this Whole Forum? :o

 

Please respond...ANYONE...even if you just want to say Hello :P


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin


Keg

okay...

In catalog/includes/configure.php

Okay, a few things look funny. Try these settings:

 

define('HTTPS_COOKIE_DOMAIN', 'https://ssl.shareddomain.net/mydomain.com');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_FS_CATALOG', 'catalog/');

 

Post back on how you get on with these changes

 

Your configure.php file in Admin doesn't directly affect your cart (front-end)


|

Symptoms of Cyanide ... vomiting, convulsions, deep breathing, shortness of breath, anxiety & loss of consciousness

|


Hi Cyanide

 

THANKS...I will try that, but one quick question first?

 

I moved everything to my ROOT directory since I posted that post...so how should those command lines read that you posted? I no longer have my catalog directory...so should they read more like this or something else?

 

define('HTTPS_COOKIE_DOMAIN', 'https://ssl.shareddomain.net/mydomain.com');

define('HTTPS_COOKIE_PATH', '//');

define('DIR_FS_CATALOG', '/');

 

LOL...I really don't think that would be the case, but anything is possible. They would probably be just empty right? I don't know, come on by and set me straight!

 

P.S. THANKS A LOT for getting back to this thread...now I'm no longer a skeptic of this forum anymore...there is life here after all...LOL


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin

the cookie domains should not contain https:// or http:// and the cookie path should be a single /

Thanks mibble. Yeah, actually that was one I wasn't 100% sure about... although, I have https on mine and no issues.

 

keg

no problem, glad to help. :thumbsup:

good idea to put your cart in the root.

Basically, all you have to do is remove all references of catalog/

 

P.S. THANKS A LOT for getting back to this thread...now I'm no longer a skeptic of this forum anymore...there is life here after all...LOL

hehe... well, you caught me at a good time. I haven't been around as much lately. You could say, I'm a little dis-heartened by this forum too.


|

Symptoms of Cyanide ... vomiting, convulsions, deep breathing, shortness of breath, anxiety & loss of consciousness

|

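The rules given in the replies above (HTTPS_SERVER carries the https:// protocol, cookie domains are bare host names, and the cookie path must cover the path the shop is served from) can be checked mechanically. The Python sketch below is an added example, not osCommerce code and not code from any poster; the function names are hypothetical and the two sample configurations are constructed from the placeholder host names used in this thread.

```python
import re
from urllib.parse import urlsplit

# Only simple literals are read: define('NAME', 'text') or define('NAME', true)
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)", re.I)

def parse_defines(php_source):
    cfg = {}
    for name, text, boolean in DEFINE_RE.findall(php_source):
        cfg[name] = (boolean.lower() == "true") if boolean else text
    return cfg

def domain_matches(host, cookie_domain):
    """Browser rule: host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def path_matches(request_path, cookie_path):
    """Browser rule: cookie path is a prefix of the request path on a '/' boundary."""
    if not cookie_path.startswith("/") or not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return cookie_path.endswith("/") or rest[:1] in ("", "/")

def lint_catalog_config(php_source):
    """Return (constant, problem) pairs for catalog/includes/configure.php text."""
    cfg = parse_defines(php_source)
    findings = []
    for p in ("HTTP", "HTTPS"):
        if p == "HTTPS" and cfg.get("ENABLE_SSL") is not True:
            continue  # skip the HTTPS checks when SSL is switched off in the file
        url = urlsplit(cfg.get(p + "_SERVER", ""))
        allowed = ("https",) if p == "HTTPS" else ("http", "https")
        if url.scheme not in allowed or not url.hostname:
            findings.append((p + "_SERVER",
                             "needs the protocol, e.g. %s://host" % allowed[0]))
            continue
        domain = cfg.get(p + "_COOKIE_DOMAIN", "")
        if "://" in domain or "/" in domain:
            findings.append((p + "_COOKIE_DOMAIN", "must be a bare host name"))
        elif domain and not domain_matches(url.hostname, domain):
            findings.append((p + "_COOKIE_DOMAIN", "does not match " + url.hostname))
        # Path the browser requests: URL path of *_SERVER plus the catalog dir
        catalog = cfg.get("DIR_WS_%s_CATALOG" % p, "/")
        request_path = url.path.rstrip("/") + "/" + catalog.lstrip("/")
        cookie_path = cfg.get(p + "_COOKIE_PATH", "")
        if cookie_path and not path_matches(request_path, cookie_path):
            findings.append((p + "_COOKIE_PATH", "is not a prefix of " + request_path))
    return findings

# Constructed samples (placeholder hosts from this thread, shared-SSL layout).
COMMON = """
define('HTTP_SERVER', 'http://www.mydomain.com');
define('HTTPS_SERVER', 'https://ssl.shareddomain.net/mydomain.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
"""
CONSISTENT = COMMON + """
define('HTTPS_COOKIE_DOMAIN', 'ssl.shareddomain.net');
define('HTTPS_COOKIE_PATH', '/mydomain.com/catalog/');
"""
BROKEN = COMMON + """
define('HTTPS_COOKIE_DOMAIN', 'https://ssl.shareddomain.net/mydomain.com');
define('HTTPS_COOKIE_PATH', '/catalog/');
"""

if __name__ == "__main__":
    for constant, problem in lint_catalog_config(BROKEN):
        print(constant, problem)
```
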

ps.

in future, you might want to post in the Support or Installation and Configuration Forums. You may get a speedier response


|

Symptoms of Cyanide ... vomiting, convulsions, deep breathing, shortness of breath, anxiety & loss of consciousness

|


I'll get back to you guys ASAP with the results in a day or two, or sooner...soon as I tackle it..right now I'm working on my site graphics, etc. THHHHHANNNKKS SOOOO MUCH...I hope this helps me or anyone else out too.


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin


Guys I'm still having problems, after a month of toying with it off and on, I'm sincerely thinking about not even using an SSL certificate...this is absolutely Ridiculous! Actually...it's disgusting :x

 

Here's My problem Again in a Nutshell (when using my shared ssl certificate):

 

1. Window pops up when logging into account, window says it's going from a secure to non-secure page....what's that all about??!! I wouldn't buy smack from a store that said that razz ma'tazz !!!

 

2. My lock does not show up unless I secure EVERYTHING...I don't want to secure everything, just the vital info that needs to be secured.

 

3. Followed Every instruction known to man, but still can't get the above to work and cannot even get the admin side secured...

 

I almost give up... :'(

 

Anyone Anywhere Have ANY suggestions? >_<

 

P.S. Short Reminder...my certificate is a shared SSL, but that should not have anything to do with anything as far as I know...this is my shared ssl

 

https://ssl.perfora.net/mydomain.com

 

Anyone Anywhere and Everywhere....have any detailed suggestions on what to do and get the above 3 sickening problems to finally get resolved after almost two months of wasted time :wacko: ...I'm going crazy here


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin


keg, post your configure.php file in a new thread under general support, without the database info.

 

post your complete 'alias' from your host for accessing ssl.

 

then we can get somewhere from there.


John Oligario

 

Knowledge Base Contributions


Just out of curiosity, why wouldn't you purchase your own SSL? They're only about $50 per year now, and it would be a lot less headache.

 

Those shared SSLs can be a pain in the arse.


-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me though either Email or PM in my profile, and I'll be happy to help.

Just out of curiosity, why wouldn't you purchase your own SSL? They're only about $50 per year now, and it would be a lot less headache.

 

Those shared SSLs can be a pain in the arse.

 

I know...but

 

$50/year = $4.17/month + everything else people want for hosting, email, oxygen, coffee, water, etc nowadays/month or year...starts adding up, yeah doesn't sound like much, but a dollar here and a dollar there...pretty soon you get all dollared out, that $4.17/mth ends up costing you $40 to $60/mth after hosting and everything else kicks in... :blink:

 

Yeah...I'm starting to think about it though. But you can't beat FREE, free is free. Although you get what you pay for sometimes....I should know better. Not only that I'm not paying for hosting, so I was trying to go the absolute free route, not to mention I'm close to broke...lol :(

 

Actually you can get them (SSL certificates) cheaper than $50 bucks...check out the SSL certs here...www.InetJunky.com

 

Now that's cheap!!!...and I'm just this close to getting one...

 

I guess you can say I'm a bit frugal too :-"

 

until I start makin' some "pocket change" from my new store...then I'll start spendin'

 

Besides...If I was rich I wouldn't even be on this OSC message board...I would have just PAID someone to do it for me...so If I'm gonna save on implementing OSC, then I might as well save all the way :thumbsup: ...actually If I was rich I wouldn't even know what oscommerce was, or how to implement it, along with html and php, etc...heck if I was rich I would have everybody doing everything for me...that would be nice for once :lol:

 

For now though, and before I get filthy rich, there has got to be a solution to this Shared SSL silliness <_<

 

I see plenty of posts for it but no REAL solutions...


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin

post your configure.php file in a new thread under general support, without the database info.

 

post your complete 'alias' from your host for accessing ssl.

 

then we can get somewhere from there.

 

You're right Mibble, Cyanide, everyone else, and to all the original guys who originally started this Thread (please forgive me (sorry) for I was new at the time when I posted this thread here so I'm changing or giving you the new link below)...this thread was originally meant for documentation (which didn't help me), maybe I'll re-write it after this is resolved :lol:

 

So to everyone or anyone reading this particular sentence...I agree with Mibble, Cyanide, and all of the other "Helpful OSC gurus" that are kind enough for this support...and so this thread has moved to...

 

New Thread Titled "SSL Problem: Secure to Non-Secure Warning, No Lock" under Installation and Configuration.

 

 

Or to reply "more specifically" to Mibble's Suggestion Quoted above, here is the link below, I posted my configure.php and database info at the same thread, and here is the link to go directly to it:

 

http://forums.oscommerce.com/index.php?sho...ndpost&p=474251


"Beer is proof that God loves us and wants us to be happy." - Benjamin Franklin


I miss one thing here,

 

In my standard OSC MS2 I found that most tep_href_link() have either no 3rd parameter ('SSL' or 'NOSSL') which makes it NONSSL, or have a 3rd parameter defined 'NONSSL'.

In this case define('ENABLE_SSL', true); or define('ENABLE_SSL_CATALOG', 'true'); is not enough, you have to change all the tep_href_link() functions inside the scripts you want to function over SSL.

Then we have the non ssl form function called: tep_draw_form() which makes a box popup to warn you that you are leaving an encrypted session when the rest of the script is SSL.

I replaced them with a slightly changed one called: tep_draw_form_ssl.

 

////
// Output a form
 function tep_draw_form_ssl($name, $action, $parameters = '', $method = 'post', $params = '') {
   $form = '<form name="' . tep_output_string($name) . '" action="';
   if (tep_not_null($parameters)) {
     $form .= tep_href_link($action, $parameters, 'SSL');
   } else {
     $form .= tep_href_link($action, '', 'SSL');
   }
   $form .= '" method="' . tep_output_string($method) . '"';
   if (tep_not_null($params)) {
     $form .= ' ' . $params;
   }
   $form .= '>';

   return $form;
 }

 

Place this piece of code in both /catalog/includes/functions/html_output.php and /catalog/admin/includes/functions/html_output.php

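To find which forms on a page served over https still submit to a non-SSL address (the situation the post above describes for tep_draw_form()), the rendered HTML can be scanned for form targets. This Python sketch is an added example, not part of osCommerce or of the post; the function and class names are hypothetical, and the sample pages are constructed from the placeholder host names used in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormTargetScanner(HTMLParser):
    """Collect (form name, absolute action URL) for every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url      # relative URLs resolve against this
        self.base_seen = False    # only the first <base href> counts
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and not self.base_seen:
            self.base = urljoin(self.page_url, a["href"])
            self.base_seen = True
        elif tag == "form":
            action = a.get("action")
            # A form without an action submits to the page's own URL
            target = urljoin(self.base, action) if action else self.page_url
            self.forms.append((a.get("name") or "", target))

def insecure_form_targets(page_url, html):
    """Forms on an https page whose submission leaves https."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only concerns pages already served over SSL
    scanner = FormTargetScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [(name, target) for name, target in scanner.forms
            if urlsplit(target).scheme != "https"]

# Constructed sample pages (placeholder hosts from this thread).
PAGE_URL = "https://ssl.shareddomain.net/mydomain.com/catalog/login.php"

ABSOLUTE_ACTIONS = """
<html><body>
<form name="quick_find" method="get"
      action="https://ssl.shareddomain.net/mydomain.com/catalog/advanced_search_result.php">
</form>
<form name="login" method="post"
      action="http://www.mydomain.com/catalog/login.php?action=process">
</form>
</body></html>
"""

# Same problem hidden behind a <base href> that points at the non-SSL server
RELATIVE_ACTIONS = """
<html><head><base href="http://www.mydomain.com/catalog/"></head><body>
<form name="login" method="post" action="login.php?action=process"></form>
<form name="self_post" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for sample in (ABSOLUTE_ACTIONS, RELATIVE_ACTIONS):
        for name, target in insecure_form_targets(PAGE_URL, sample):
            print("form %r submits to %s" % (name, target))
```
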

Hi guys,

 

I'm probably posting this message in the wrong place, but you guys seem to be discussing something similar to my question so here goes:

 

I have an OS Commerce site running on a server with no SSL, and have taken a secure server in addition, with a different domain after being told I could use the shared SSL functionality of the new server for several checkouts.

 

My understanding is that I can switch to the SSL server for checkout, but would need to set up a domain specific directory to hold the checkout pages on the secure server.

 

eg.

 

Domain and main OS commerce site are www.site.com

 

Secure server is https://secure.hosts.co.uk/~securename.co.uk with a directory something like this https://secure.hosts.co.uk/~twssecure.co.uk/site/

 

Can I work it like this, if so what files do I need to place on the secure server in the domain specific directory and how do I configure the configure.php files?

 

Please just tell me if I'm barking up the wrong tree and I will move the domain to the SSL server, although my initial plan is to use the SSL server as a checkout phase for various Commerce sites.

 

Thanks in advance

 

Steve


Is there a way to fix it so if the user leaves the checkout/store section that they go back to http:// instead of staying on https://


i see this topic got well off track, but was just wondering if you nice guys who started the ssl doc had perhaps done a tweaked version, following through from all the helpful comments?

 

i have to admit this whole osc forum is too big and too messy sometimes to find a required solution just from search, and found the beginnings of this proposed document from a beginners point of view very helpful.

 

i suggest a whole section dedicated to security in the official osc docs - if i knew more myself i'd write the damn thing but i'm just a newb on my final furlong of getting a store online... whimper whimper
