Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

SSL Implementation Help


germ

Recommended Posts

Read the first post in this thread then check the config files on the server again.

 

What's on the server says:

 

define('HTTPS_SERVER', 'http://www.welshsuperstore.co.uk');

define('ENABLE_SSL', false);

 

Both of those lines are incorrect.

 

If you are changing the config file locally then FTP'ing it to the server sometimes file permissions on the server prevent it from being overwritten.

 

Personally I'm of the opinion that the SSL either isn't installed at all or isn't installed correctly.

 

When I try your URL with https all I get is the dreaded "Internet Explorer cannot display the webpage" message.

 

And one other thing you need to know.

 

Visit the link below:

 

How to Secure Your Site

 

Pay close attention to "SECURING THE ADMIN" - Yours is vulnerable.

 

It's easier to do a few security fixes now than to clean up a hacked store later.

 

And if you don't secure the admin your shop will be hacked.

 

It's just a question of when...

:o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

  • Replies 414
  • Created
  • Last Reply

Either your config file is incorrect, or the store isn't recognizing the cue from the server that SSL is "on".

 

Download my contribution from this link:

 

SSL Help

 

Unzip it and upload the files into your store.

 

Then send me a PM or post again in this thread.

 

I'll access the files with my browser, and they will tell me just where the malfunction is.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Either your config file is incorrect, or the store isn't recognizing the cue from the server that SSL is "on".

 

Download my contribution from this link:

 

SSL Help

 

Unzip it and upload the files into your store.

 

Then send me a PM or post again in this thread.

 

I'll access the files with my browser, and they will tell me just where the malfunction is.

Hi Germ, thank you for your assistance, i have uploaded the files this afternoon whilst trying to crack this for myself unfortunately with my limited knowledge i have been unable to comprehend the results

Link to comment
Share on other sites

Hi Germ, thank you for your assistance, i have uploaded the files this afternoon whilst trying to crack this for myself unfortunately with my limited knowledge i have been unable to comprehend the results

You've fixed the admin problem.

:thumbsup:

 

The SSL problem is that the server doesn't know to use SSL.

 

This link works.

 

This link doesn't (same file just using a HTTPS URL).

 

Since neither use any PHP files from your osC store, the problem is with the SSL on the server, NOT YOUR OSC STORE.

 

Start a support ticket with your host would be my advice.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

You've fixed the admin problem.

:thumbsup:

 

The SSL problem is that the server doesn't know to use SSL.

 

This link works.

 

This link doesn't (same file just using a HTTPS URL).

 

Since neither use any PHP files from your osC store, the problem is with the SSL on the server, NOT YOUR OSC STORE.

 

Start a support ticket with your host would be my advice.

 

Thanks germ, I have raised a ticket as suggested and now have to wait 24 hours for them to configure something or other?....then fingers crossed :rolleyes:

Link to comment
Share on other sites

Firstly thanks for a great contibution for us all.

 

All files show a good result for me however I am not seeing images in admin.

 

For example when I add a new product and load the image.. I do not see it. It is in the catalog fine but not in the https admin side.

 

Would this be a admin/configure.php/ path incorrect..

 

admin file where it mentions images..

 

define('DIR_WS_CATALOG', '/shop/');
 define('DIR_FS_CATALOG', '/home/mixxmaxx/public_html/shop/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');

 

I am using a shared ssl... https://secure1.mysite.com

 

Thanks

 

oz

Link to comment
Share on other sites

I'm finally posting my question (situation) with only half the quantity of hair on my head as I did a week ago. Why? Because I've been pulling it out trying to figure out what the heck is going on with my SSL situation (shared SSL from A2 Hosting).

 

My site works fine on Firefox when I click onto the secure pages - account, cart, etc. - yet Explorer and Safari won't open them up.

 

I've poured through the posts on this forum and played with different settings on my configure.php and application_top.php files playing with settings based on different posts again and again, and nothing's changing the situation.

 

Anyone have any ideas as to what might be going on? I'll be *more than happy* to IM my URL.

 

Maybe the Super-Germ can help?

 

Naturally, I'm worried I've done something or overlooked something insanely simple. Raaaaaar.

 

Julie

Link to comment
Share on other sites

Well, I'm not any more "super" than anyone else around here, but if you want to PM your URL I'll take a peek.

:)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I have a problem, Just Host installed my SSL to devilstoybox.co.uk and not www.devilstoybox.co.uk so when I checkout Im STILL getting an untrusted page coming up (you have no idea how sick i a of that page and talking to just host people)

It there any way it can be changed, because theyre telling me i have to buy another certificate.

Link to comment
Share on other sites

The SSL cert is issued to your domain name WITHOUT the "www.".

 

So in your /shop/includes/configure.php file use this:

 

  define('HTTPS_SERVER', 'https://devilstoybox.co.uk ');

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I'm finally posting my question (situation) with only half the quantity of hair on my head as I did a week ago. Why? Because I've been pulling it out trying to figure out what the heck is going on with my SSL situation (shared SSL from A2 Hosting).

 

My site works fine on Firefox when I click onto the secure pages - account, cart, etc. - yet Explorer and Safari won't open them up.

 

I've poured through the posts on this forum and played with different settings on my configure.php and application_top.php files playing with settings based on different posts again and again, and nothing's changing the situation.

 

Anyone have any ideas as to what might be going on? I'll be *more than happy* to IM my URL.

 

Maybe the Super-Germ can help?

 

Naturally, I'm worried I've done something or overlooked something insanely simple. Raaaaaar.

 

Julie

I've tested your site with 4 browsers on 2 computers. The results:

 

Computer #1

IE8 - Works fine

Firefox 3.6 - Works fine

 

Computer #2

IE7 - Works fine

Firefox 3.0 - Error!

 

Secure Connection Failed

 

An error occurred during a connection to YOUR_SSL_DOMAIN.com.

 

SSL peer was unable to negotiate an acceptable set of security parameters.

 

(Error code: ssl_error_handshake_failure_alert)

 

Not really sure where that leaves us....

:unsure:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I've tested your site with 4 browsers on 2 computers. The results:

 

Computer #1

IE8 - Works fine

Firefox 3.6 - Works fine

 

Computer #2

IE7 - Works fine

Firefox 3.0 - Error!

 

 

 

Not really sure where that leaves us....

:unsure:

 

That helps quite a bit actually because I can look at this truly as a browser "situation" versus something else, if that makes any sense. I REALLY appreciate your taking a look at the link. I'm handcuffed to a Mac right now and so really appreciate your testing it like you did. :thumbsup:

Link to comment
Share on other sites

  • 1 month later...

My SSL Check Results:

 

cfgchk.php

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 25

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 25

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 25

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 35

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 35

Warning: Call-time pass-by-reference has been deprecated in /html/catalog/cfgchk.php on line 35

Version 1.2

 

File Permissions: 0444

 

Found HTTPS_SERVER:

 

define('HTTPS_SERVER', 'https://www.mydomain.com');

 

HTTPS URL passed check!

 

Found ENABLE_SSL.

 

define('ENABLE_SSL', true);

 

SSL enable passed check!

 

Found HTTPS_COOKIE_DOMAIN:

 

define('HTTPS_COOKIE_DOMAIN', 'www.mydomain.com');

 

HTTPS_COOKIE_DOMAIN line parsed!

 

 

 

Parsing application_top.php for SSL detection key...

 

Found SSL detection key:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

Done!

 

 

myenv.php - main window

myenv.php Version 1.2

NONSSL Variables

HTTP HOST: []

Server Port: [80]

SSL Status: [undefined!]

Fowarded Server: [undefined!]

Fowarded Host: [undefined!]

Fowarded By: [undefined!]

$_SERVER['HTTPS']: [undefined!]

Load: 1

 

myenv.php - popup window

myenv.php Version 1.2

SSL Variables

HTTP HOST: []

Server Port: [443]

SSL Status: [on]

Fowarded Server: [undefined!]

Fowarded Host: [undefined!]

Fowarded By: [undefined!]

$_SERVER['HTTPS']: [on]

Load: 2

 

 

mybigenv.php & unsecure.php results, Please check your PM. I have sent it to you this way for security purpose.

Link to comment
Share on other sites

Precisely which pages are you haveing problems with?

:unsure:

 

All the pages I've tried have worked flawlessly.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Hey Germ, I don't want any help whatsoever.

 

Just want to say thanks a million, I spent 3 hours tonight scratching my head wondering where the unsecure item was and it was the pixel from the quantcast tag. Invisible to the human eye but unsecure.php found it in about no seconds.

 

Awesome contribution to the community and thanks to people like you, people like the rest of us can run e-commerce stores.

 

Thanks again

 

Johnny

Link to comment
Share on other sites

  • 2 weeks later...

Hi Germ. I just wanted to add my thanks for all of the hard work and support that you have provided over the past 19 months.

My client has asked me to implement an SSL certificate on his site and I can truly say that without this forum, I would have been lost.

I spent all day yesterday reading through this forum and the How to install SSL on OSC: A Simple 1-2-3 Instruction (thanks Jason) and I now think that I am ready to install my certificate.

I now, finally, understand what causes the dreaded "This site contains unsecured blah blah" message and I spent a few hours yesterday changing code to make sure that this does not occur on my clients live site.

My certificate has been generated by my hosting company and I will be asking them to implement the certificate sometime today or tomorrow.

I have two quick questions.

My client site is a very busy site and I therefore want to ensure minimal disruption when implementing the certificate. I am probably being over cautious here but if there are any issues I need to be able to rectify these as soon as possible or at least revert back to a non secure site.

I have made the necessary changes to the includes/configure.php file and uploaded them to the live site although, seeing as I do not have the certificate installed yet, I have left ENABLE_SSL as false.

So my first question is this, if I have the certificate installed today and leave the ENABLE_SSL set to false, I am assuming that the certificate will just be ignored and the site will continue to function as normal in non-secure mode.

Then in theory, I can just change the ENABLE_SSL setting to true and hopefully all will work perfectly.

 

My second question relates to the admin/includes/configure.php file.

In your posts, you say that all http references should be set to https

If I make these changes but keep "ENABLE_SSL_CATALOG" and "ENABLE_SSL" set to false and upload them before the certificate is installed, will it cause problems.

My new admin/includes/configure.php file would look like this after I apply the changes.

define('HTTP_SERVER', 'https://www.mysite.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www. mysite.com');

define('HTTP_CATALOG_SERVER', 'https://www. mysite.com');

define('HTTPS_CATALOG_SERVER', 'https://www. mysite.com');

define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module

define('ENABLE_SSL', 'false'); // secure webserver for catalog module

 

Then when I want to switch on the certificate all I need to do is set the "ENABLE_SSL_CATALOG" and "ENABLE_SSL" to true at the same time as I set ENABLE_SSL in the includes/configure.php file to true.

 

I realise that I may be being over cautious but my client goes mad when there are disruptions to his site.

 

Once again thanks for all of your input on this matter and I am sure that it has helped many people like myself.

 

Regards

 

Tony

Link to comment
Share on other sites

I don't see anything wrong with readying the config file(s) now and switching it on when the SSL cert. is installed.

 

Three things can happen after you turn it on that may take a bit to iron out.

 

1. The store won't switch to SSL when it's supposed to. That usually means the SSL detection key osC uses isn't present on the server. The first post in this topic covers possible changes to be made to application_top.php to remedy the situation. If none of those work the files in my help contribution (link in second post in this topic) will provide the info needed.

 

2. You can get the infamous "secure and non-secure" items from IE. This is caused by loading scripts or images from HTTP sources on HTTPS pages. There is a small code snippet (posted earlier in this thread) that works great to fix this issue.

 

3. The cart contents get dumped after logging in. Normally caused by incorrect cookie settings in the config file. This is usually fixed quickly if it happens.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Thanks Germ. Having read all of your posts on this subject, I am, hopefully aware of the issue that may exist when I switch but at least I am aware of what these are and therefore I can hopefully resolve them quickly.

I will let you know how I get on.

 

Regards

Tony

Link to comment
Share on other sites

Hi Germ. hopefully a very quick question for you regarding the admin/includes/configure.php settings.

I do not want the admin area to be https but obviously the shop will be so are the following setting correct for this.

define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www.mydomain.com');

define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');

define('HTTPS_CATALOG_SERVER', 'https://www.mydomain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('ENABLE_SSL', 'true'); // secure webserver for catalog module

Thanks

Tony

Link to comment
Share on other sites

Looks correct to me.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I looked at the stylesheet and I see nothing that would cause a problem.

 

Image links in the stylesheet won't cause a problem, UNLESS they are hard coded with a http: link

 

 

I have a hard coded image on my stylesheet.

#columnRight .infoBoxContainer:nth-of-type(2) .infoBoxContents
{
/*background-color: pink;*/ /*for testing*/
background-image:url('http://www.xxxxxx.com/catalog/images/xxxxxx_threadNEEDLE.png'); background-repeat: no-repeat; background-position: 30px 30px; 
}

How should I rewrite it to change this issue?

Web Developer, Firebug, and Notepad++ are powerful free tools for web design.

Link to comment
Share on other sites

Assuming the store is in the /catalog folder:

 

#columnRight .infoBoxContainer:nth-of-type(2) .infoBoxContents
{
/*background-color: pink;*/ /*for testing*/
background-image:url('images/xxxxxx_threadNEEDLE.png'); background-repeat: no-repeat; background-position: 30px 30px; 
}

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Assuming the store is in the /catalog folder:

 

#columnRight .infoBoxContainer:nth-of-type(2) .infoBoxContents
{
/*background-color: pink;*/ /*for testing*/
background-image:url('images/xxxxxx_threadNEEDLE.png'); background-repeat: no-repeat; background-position: 30px 30px; 
}

thought it, should have tried it...so simple

Web Developer, Firebug, and Notepad++ are powerful free tools for web design.

Link to comment
Share on other sites

  • 2 weeks later...

I'm using a pretty old osCOmmerce installation (very customized, which is reason for not upgrading). My application_top.php is $Id: application_top.php,v 1.258 2003/01/17 14:08:12 hpdl Exp $

 

Issue with this is that there is NO:

 

// set the type of request (secure or not)

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

or anything similar.

 

Recently changed to different ISP (1and1) and now SSL connection is not working properly (Firefox displays mixed content warning). I ran your mybigenv.php script. Sure enough 1and 1 is not reporting any HTTPS environment variable. This causes the login.php for example to load images via http instead of https.

 

It is reporting a _SERVER["HTTP_X_FORWARDED_HOST"] that could be used to identify SSL pages, but in absence of the $request_type = in my application top, where would I define this?

 

thanks

Volker

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...