
Another SSL Question (or two)


brazillia


Hi all,

 

Sorry to flog an already flogged horse but I've read through hundreds of posts, tried all the suggestions and still have issues.

 

The first problem is that the admin panel says that I am not protected by a secure connection even though I have the padlock showing in the browser. I took a look through the index.php file in the catalog/admin folder and found the code that determines whether you are protected or not (on or around line 179).

 

I changed:

 

if (getenv('HTTPS') == 'on') {

$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

 

to:

 

if (getenv('HTTPS') == '') {

$size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

 

By removing the "on" in the first line above, the admin panel now says that I am protected by an unknown SSL connection (which seems to be the best you can get).

 

Have I actually fixed my problem or have I just forced it into telling me what I want? And/or does it matter?

 

Second, when I am testing the catalog and making a purchase, when I get to the secure pages at checkout all my padlocks in the browser are split in two (they show correctly in the admin panel). When I click on the padlock it tells me that the page is encrypted and signed by Equifax, but if I were a customer I would not be sure/convinced.

 

I've tried so many things now that I am not sure what's what anymore. If some kind soul could look at my admin/includes/configure.php file below and let me know if I've got it all squared away I would appreciate it. (looking at it below I see that the DIR_WS_ADMIN and DIR_WS_CATALOG are supposed to be absolute and they were not

 

Thanks

Steve

 

define('HTTP_SERVER', 'https://ssl.perfora.net/traditionalstudies.org'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'https://ssl.perfora.net/traditionalstudies.org');

define('HTTPS_CATALOG_SERVER', 'https://ssl.perfora.net/traditionalstudies.org');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '../catalog/'); // where the pages are located on the server (I removed most of the path for posting)

define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required

define('DIR_FS_ADMIN', '../catalog/admin/'); // absolute path required (I removed most of the path for posting)

define('DIR_WS_CATALOG', '/catalog/'); // absolute path required

define('DIR_FS_CATALOG', '../catalog/'); // absolute path required (I removed most of the path for posting)

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');


Hi

 

You ask

 

Have I actually fixed my problem or have I just forced it into telling me what I want? And/or does it matter?

 

I don't think you have fixed it by removing ON and I don't think it matters anyway.

 

SSL does NOT protect your site or admin (you do that with directory protection and .htaccess etc) - SSL is an encryption technology to protect the transmission of data from browser to server and vice versa. So having admin under SSL protection is not an issue unless you want to protect your product and other info uploads to your server :D

 

Your admin configure.php file looks strange in some of the path settings to me - for instance

 

Ensure your https: paths have the name of your cert as it was issued

Your 'HTTP_CATALOG_SERVER' above has an https path defined ???

Your 'DIR_FS_DOCUMENT_ROOT' is not correct

 

You may also have problems (going on the above) with your catalog/includes configure.php

 

 

- I am posting one on my live files for you to compare - BTW there is no need to remove the full paths as no one can do anything to them if you have chmod'ed your configure.php files

 

Here it is

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.simplyeasier.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.simplyeasier.com');

define('HTTPS_CATALOG_SERVER', 'https://simplyeasier.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/home/simply/public_html'); // where the pages are located on the server

define('DIR_WS_ADMIN', '/catalog/jomoadmin/'); // absolute path required

define('DIR_FS_ADMIN', '/catalog/jomoadmin/'); // absolute path required

define('DIR_WS_CATALOG', '/catalog/'); // absolute path required

define('DIR_FS_CATALOG', '/home/simply/public_html/catalog/'); // absolute path required

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

hth

 

Charles

A kite flies highest AGAINST the wind !

 

"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, a lover in one hand, martini in the other, body thoroughly used up, totally worn out and screaming ~ WOO HOO!! What a ride!"


Hi

 

You ask

 

Have I actually fixed my problem or have I just forced it into telling me what I want? And/or does it matter?

 

I don't think you have fixed it by removing ON and I don't think it matters anyway.

 

I didn't think so on either count, but I wanted a second opinion.

 

I've got the admin file directory protected but I needed SSL to look up credit card numbers safely. I should probably change the folder name just to be sure.

 

Your admin configure.php file looks strange in some of the path settings to me - for instance

 

Ensure your https: paths have the name of your cert as it was issued

Your 'HTTP_CATALOG_SERVER' above has an https path defined ???

Your 'DIR_FS_DOCUMENT_ROOT' is not correct.

 

I had to change the http_catalog_server to get all the other admin pages encrypted, which seemed to be described in a lot of other threads. I changed the dir_fs_document_root and nothing bad seemed to happen. Thanks.

 

Any idea on the second problem?

 

Cheers

Steve


Post

your catalog/includes configure.php

and / or

a link to the catalog so forum can review the padlock thing and any alerts \ warnings

 

so forum can review and give you advice

 

Charles


Here is the catalog/includes/configure.php file

 

define('HTTP_SERVER', 'http://www.traditionalstudies.org'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://ssl.perfora.net/traditionalstudies.org'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.traditionalstudies.org');

define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/traditionalstudies.org');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

If I change the http_server to https://ssl.perfora.net/traditionalstudies.org the entire store is covered by ssl correctly, but this will slow down the store.

 

The store is very much in test mode so it doesn't look good but can be seen at Association for Traditional Studies

 

I've gone through just about every line in the configure file and made changes to see what happens but I still can't get it to work properly. I even cut and pasted the ssl info from my host (1and1.com) to make sure I didn't type it incorrectly.

 

Cheers,

 

Steve


Remove the quotes around true in your define('ENABLE_SSL', 'true'); (for some reason they only seem to be needed in the admin configure.php).

 

I looked at the site and logged into account set up - the address bar shows https: as it should but no padlock in the status bar. Maybe you need to talk to the technical guys at your cert issuing company because your configure above (apart from the true bit) looks OK.

 

Charles


Hi, Well first of all https cookie domain has to be a domain and not a domain plus file pathway. Secondly it's not your domain, so I suggest you try leaving this blank:

 

define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/traditionalstudies.org');

 

If that doesn't work then use:

 

define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net');

 

and then adjust https cookie path to:

 

'traditionalstudies.org/catalog/'

 

might work, can't promise anything. With 1and1 I think you also have to edit this:

 

if (getenv('HTTPS') == 'on') {

 

to this:

 

if (getenv('HTTPS') == '1') {

 

Vger
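
The cookie-scope point from the post above, as an added example that is not code from the thread or from osCommerce: it splits the shared-SSL URL posted earlier into a host-only cookie domain and a cookie path, and rejects a domain value that carries a path. The function names `cookie_scope` and `valid_cookie_domain` are hypothetical.

```php
<?php
// Added example. The URL and directory are the values posted in this thread.

/**
 * Split a server URL plus catalog directory into the host and path a
 * cookie can be scoped to. $ownDomain is the shop's own domain.
 */
function cookie_scope(string $serverUrl, string $catalogDir, string $ownDomain): array {
    $parts = parse_url($serverUrl);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $serverUrl");
    }
    $host = strtolower($parts['host']);
    // Any path on the server URL (the shared-SSL prefix) belongs in the cookie path.
    $path = '/' . trim(($parts['path'] ?? '') . '/' . $catalogDir, '/') . '/';
    $path = preg_replace('#/+#', '/', $path);
    $suffix = '.' . strtolower($ownDomain);
    $isOwn = ($host === strtolower($ownDomain)) || substr($host, -strlen($suffix)) === $suffix;
    // On a shared host every tenant is served from the same origin, and the
    // cookie path is a routing hint, not an isolation boundary between them.
    return ['domain' => $host, 'path' => $path, 'shared_host' => !$isOwn];
}

/** A cookie domain is a bare host name (or blank for host-only): no scheme, slash or port. */
function valid_cookie_domain(string $value): bool {
    return $value === '' || preg_match('/^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$/i', $value) === 1;
}

print_r(cookie_scope('https://ssl.perfora.net/traditionalstudies.org', '/catalog/', 'traditionalstudies.org'));

foreach (['ssl.perfora.net/traditionalstudies.org', 'ssl.perfora.net', ''] as $candidate) {
    printf("%-42s %s\n", var_export($candidate, true),
        valid_cookie_domain($candidate) ? 'ok' : 'rejected');
}
```
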


Thanks for the help there Charles and Vger. I took care of the changes to the configure file and hopefully I am all set there.

 

I found the above code in catalog/includes/application_top.php and changed it to "1" but that didn't do anything. Then I went and left it blank and lo and behold the pages were encrypted.

 

Of course, I now have an issue with the PWA contribution not being secure but I will find a thread over there and post (unless of course someone knows of anything here).

 

Thanks for taking the time to look at this for me. If, of course, I have done something really stupid by leaving the code above blank, please let me know.

 

Steve
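
The three comparisons tried in this thread ('on', '1' and the empty string), run against constructed request environments, as an added example that is not code from the thread or from osCommerce. The `https_strict` helper, the `X-Forwarded-Proto` header and the proxy address are assumptions for illustration; what a shared-SSL proxy actually sends has to be confirmed with the host.

```php
<?php
// Added example: the arrays below are constructed $_SERVER-style
// environments, not values captured from any host.

/** The stock comparison discussed in the thread. */
function https_stock(array $env): bool {
    return ($env['HTTPS'] ?? '') == 'on';
}

/** The edited comparison: true whenever HTTPS is unset or empty. */
function https_blank(array $env): bool {
    return ($env['HTTPS'] ?? '') == '';
}

/** Stricter check; $trustedProxies and the forwarded header are assumptions. */
function https_strict(array $env, array $trustedProxies = []): bool {
    $flag = strtolower((string)($env['HTTPS'] ?? ''));
    if ($flag === 'on' || $flag === '1') {
        return true;
    }
    if ((string)($env['SERVER_PORT'] ?? '') === '443') {
        return true;
    }
    // Forwarded headers are client-controlled unless the request really came
    // from the proxy, so honour them only for known proxy addresses.
    $fromProxy = in_array($env['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    return $fromProxy
        && strtolower((string)($env['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

$proxy  = '192.0.2.10';   // constructed proxy address (documentation range)
$client = '198.51.100.7'; // constructed client address (documentation range)
$cases = [
    'plain HTTP, HTTPS unset'        => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => $client],
    'direct TLS, HTTPS=on'           => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => $client],
    'direct TLS, HTTPS=1'            => ['HTTPS' => '1', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => $client],
    'TLS ended at trusted proxy'     => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => $proxy, 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'forwarded header, unknown peer' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => $client, 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($cases as $label => $env) {
    printf("%-32s stock=%-5s blank=%-5s strict=%s\n",
        $label,
        var_export(https_stock($env), true),
        var_export(https_blank($env), true),
        var_export(https_strict($env, [$proxy]), true));
}
```

Comparing against the empty string is true exactly when the variable is missing, so it labels plain-HTTP requests as SSL and direct TLS requests as non-SSL rather than detecting encryption.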


Archived

This topic is now archived and is closed to further replies.
