germ Posted April 17, 2009 Share Posted April 17, 2009 A thread dedicated to those with problems implementing SSL in their stores. First stop: Read this: How to install SSL on OSC: A Simple 1-2-3 Instruction, Simple, straighforward instructions That thread contains the basics on modifying your /includes/configure.php file to enable SSL. Common mistakes YOU can make that prevent SSL from working: 1. Forgetting to make the HTTPS_SERVER define with https in the URL. Correct: define('HTTPS_SERVER', 'https://yourdomain.com'); Incorrect: define('HTTPS_SERVER', 'http://yourdomain.com'); If you can't see the difference - LOOK CLOSER! 2. Forgetting to enable SSL in the configure file. This turns it ON: define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure? This turns it OFF: define('ENABLE_SSL', 'false'); // secure webserver for checkout procedure? 3. Modifying the configure file on your local PC then NOT making sure the new one gets to the store website. If you modify it locally and use FTP, Dreamweaver, Frontpage, or whatever, to transfer it to your site MAKE CERTAIN THE MODIFIED VERSION GETS TO YOUR SITE!!! Sometimes file permissions can prevent a successful transfer to your website. 4. Not checking for and examining the contents of /includes/local/configure.php if it exists on your site. This file isn't present on all installs, but if it is, ANYTHING IN IT OVERRRIDES ANYTHING IN THE "NORMAL" CONFIGURE FILE!! Check for it, and if found examine it's contents. It may not look like the normal configure file in one respect: define('ENABLE_SSL', 1); The define for ENABLE_SSL may have a 1 or a 0 instead of true or false. If so, remember that 1 = true, 0 = false. OK. So you've done all that and it still doesn't work. All your images are X! This probably means osC isn't getting the cue from the server that SSL is active. The code that tests to see if SSL is active is in /includes/application_top.php around like 41: // set the type of request (secure or not) $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; Unfortunately this doesn't work an all servers. If you're on "1 and 1" Hosting, this usually works: // set the type of request (secure or not) $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL'; If it's a Windowz server, try this: // set the type of request (secure or not) $request_type = ($_SERVER['HTTPS'] == 'on') ? 'SSL' : 'NONSSL'; If neither of those are true for you try this: // set the type of request (secure or not) $request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL'; Always backup any file on your site before making any edits. A file that doesn't work quite like you want it to is better than one that won't work at all. And sometimes none of those settings work. I've written a few programs to assist in debugging, and implementation of SSL and have made a contribution of them. I will post a link to it and a brief explanation after it's uploaded. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
germ Posted April 17, 2009 Author Share Posted April 17, 2009 The contribution: SSL Help This contribution has 3 files: cfgchk.php - Examines your catalog configure file(s) for possible errors that would prevent SSL from working. myenv.php - A program that displays common server settings used in SSL (the original was not my work- see the credit in the file). mybigenv.php - A more comprehensive program that displays server settings that might be used in SSL implementation. There is no "install", just copy the files into your "catalog" folder and access them with your browser. myenv.php and mybigenv.php both use a javascript popup window so if you have a popup blocker installed you may have to disable it temporarily. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
floydax Posted April 17, 2009 Share Posted April 17, 2009 Thanks for the contribution :) Except for an SSL warning in IE at index.php, my SSL works, but when i ran the myenv.php i got the following: NONSSL Variables HTTP HOST: [xxxxx.net] Server Port: [80] SSL Status: [undefined!] Fowarded Server: [undefined!] Fowarded Host: [undefined!] Fowarded By: [undefined!] $_SERVER['HTTPS']: [undefined!] Is this normal? Kind regards, floyd. Link to comment Share on other sites More sharing options...
germ Posted April 17, 2009 Author Share Posted April 17, 2009 Looks normal. So what was in the SSL popup window? :unsure: The program produces a small popup window showing the same variables with SSL active (or it tries to anyway). If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
floydax Posted April 17, 2009 Share Posted April 17, 2009 Looks normal. So what was in the SSL popup window? :unsure: The program produces a small popup window showing the same variables with SSL active (or it tries to anyway). When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items". I tracked down every component which had http hardcoded, but I still get this warning... Link to comment Share on other sites More sharing options...
germ Posted April 17, 2009 Author Share Posted April 17, 2009 The warning means you have scripts or images loading from HTTP sources in your PHP or your stylesheet. If you PM me your URL I could find it for you. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
germ Posted April 18, 2009 Author Share Posted April 18, 2009 When i go the main page using https with IE I get a security warning saying that "This page contains both secure and nonsecure items". I tracked down every component which had http hardcoded, but I still get this warning... <div id="flash_carousel_container"> <div id="flash_carousel"> <a href="http://www.adobe.com/go/getflashplayer"> [b]<img src="[color="#FF0000"]http:[/color]//www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />[/b] </a> </div> </div> That will cause SSL problems. :o Try the same code but with a https URL. ;) If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
germ Posted April 19, 2009 Author Share Posted April 19, 2009 Then after installing SSL you get the dreaded "This page contains secure and nonsecure items" when viewing the site in IE! :( I've added a file to the package named unsecure.php that you can use to help find the "nonsecure items". I've tested it on about a dozen different sites/pages and it does an excellent job. Out of all the posts I've helped find "nonsecure items", this program would probably have worked perfectly on about 98 to 99 percent of the sites. It's not "bullet-proof", but few programs can make that claim. :) If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
Guest Posted April 20, 2009 Share Posted April 20, 2009 I tried all of the suggestions and I still can not get the SSL to work. I do not appear to have a local file so that is not the issue. The only thing I can think of is the SSL cert. is located in the wrong place. My SSL cert is located in under the home root directory. Should it be located in the public_html directory? Link to comment Share on other sites More sharing options...
germ Posted April 20, 2009 Author Share Posted April 20, 2009 Ask your host. That is dependant on the way the server is setup. If you want me to take a peek and possibly make recommendations you'll have to post (or PM me) your URL. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
floydax Posted April 21, 2009 Share Posted April 21, 2009 <div id="flash_carousel_container"> <div id="flash_carousel"> <a href="http://www.adobe.com/go/getflashplayer"> [b]<img src="[color="#FF0000"]http:[/color]//www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />[/b] </a> </div> </div> That will cause SSL problems. :o Try the same code but with a https URL. ;) Thanks, it's working now :) Link to comment Share on other sites More sharing options...
rochaesobrinho Posted April 24, 2009 Share Posted April 24, 2009 Hi Jim, My SSL implementation was working fine till about one week ago when I had to change the secure address. I use shared SSL and it seems that every time I access a page through the secure address it tries to load the images and the stylesheet file from the unsecure address and the anoying IE message keep being displayed. I tried all your tips listed here, but nothing solved this problem :-(. I would be very grateful if could take a look on my shop and give a reply. My url is http://www.plixx.com.br/loja/ The secure url is https://plixxcbr.acessoseguro.net/loja/ Thank you in advance, PS.: Your files cfgchk.php, mybigenv.php, myenv.php and unsecure.php are still on my shop. You can acess then through http://www.plixx.com.br/loja/cfgchk.php Link to comment Share on other sites More sharing options...
germ Posted April 24, 2009 Author Share Posted April 24, 2009 Well you just uncovered a bug in the code. :blush: It works on the site I manage flawlessly, but on yours some of the popup windows reload continuously... :( That would be because the session between HTTP and HTTPS isn't getting shared. :blink: I'll have to take a look at that. :wacko: When I get something together codewise would you be able to test it before I upload it as a new version of the contribution? :unsure: Anyway, using the code files I think I have a solution to your problem. osC isn't recognizing the cue from the server that SSL is "on". In your /includes/application_top.php find this code: // set the type of request (secure or not) $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; Change it to: // set the type of request (secure or not) // $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; // added nonstandard code 24-apr-09 $request_type = ($_SERVER['HTTP_HOST'] == 'plixxcbr.acessoseguro.net') ? 'SSL' : 'NONSSL'; BACKUP THE FILE BEFORE MAKING ANY EDITS. I'll be waiting to hear how things go while I work on a code change to the contribution to prevent continuous page reloads. ;) If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
rochaesobrinho Posted April 24, 2009 Share Posted April 24, 2009 Hi Jim, It is working now! Thank you so much. I will be pleased to test a new version of your code. Just let me know when it is ready. As I don´t visit the forum very often you can send me an email if you want. [email protected] Link to comment Share on other sites More sharing options...
germ Posted April 25, 2009 Author Share Posted April 25, 2009 New version uploaded. Hopefully fixes the continous page reload of the popup. I did some experimenting and believe it may be a result of incorrect cookie settings in the config file (I can't fix that). Only time and a few more installs will tell. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
rochaesobrinho Posted April 27, 2009 Share Posted April 27, 2009 Hi Jim, I've uploaded the new version, but the page keeps reloading. To check visit: www.plixx.com.br/loja/mybigenv.php Link to comment Share on other sites More sharing options...
germ Posted April 27, 2009 Author Share Posted April 27, 2009 Like my last post said, it might be because of an incorrect cookie setting. What do you have for this in the configure file: define('HTTPS_COOKIE_DOMAIN', ''); :unsure: It (still) works great on my site. The reason it reloads is the session is lost. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
Guest Posted April 29, 2009 Share Posted April 29, 2009 Hey there Jim I have a quick question. I am going to embed MP3 songs into my product desc. this coding has a url for a flash player that auto runs so people can hear the songs. How do i set this up with my SSL if the URL is not relative? Pat Link to comment Share on other sites More sharing options...
germ Posted April 29, 2009 Author Share Posted April 29, 2009 None if the pages with the product description are SSL on osC so it won't matter. The only ones that should be SSL are login, logout, any of the files dealing with account info or changes, and all the files thru the checkout process. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
germ Posted April 30, 2009 Author Share Posted April 30, 2009 Uploaded new package. Changes: All files display version in the browser. myenv.php and mybigenv.php don't use session variables any longer (prevents continuous page reloads). cfgchk.php displays the permissions of the config file(s) and also checks for and displays HTTPS_COOKIE_DOMAIN. unsecure.php now has a "glib" mode (displays all source HTML ). If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
golfman2006 Posted April 30, 2009 Share Posted April 30, 2009 When I run cfgchk.php I get this: Found HTTPS_COOKIE_DOMAIN: define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com'); HTTPS_COOKIE_DOMAIN line parsed! Just wanted to find out if this was an error or not as the other two lines for SSL and HTTPS Server give the message of "passed check" and this says "line parsed". Please advise? Link to comment Share on other sites More sharing options...
germ Posted April 30, 2009 Author Share Posted April 30, 2009 I color coded the lines. GREEN is GOOD RED is BAD That line is GREEN (Hoping you're not colorblind) It's just an informative message. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
kbking Posted May 1, 2009 Share Posted May 1, 2009 Hi Clever tools you've created! Thanks! :) I'm not sure why the file unsecure.php produces this message: unsecure.php Version 1.1 Site not specified! I might have misconfigured something or missed some instruction... I don't know. I simply point my browser to the unsecure.php. Would you mind shed some light, thank you! Link to comment Share on other sites More sharing options...
germ Posted May 1, 2009 Author Share Posted May 1, 2009 From the "read me" file included in the contrib: unsecure.php - A program to help find "unsecure" items on SSL Pages. To test a page access the file with your browser like this: http://www.yourdomain.com/unsecure.php?site=https://site.com Or: http://www.yourdomain.com/unsecure.php?site=https://site.com/page.php If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
kbking Posted May 1, 2009 Share Posted May 1, 2009 Thank you! Sorry to have bothered you, should have noticed that. I get "Unable to open..." etc, and I see that a hyphen in my shared ssl domain name is missing. It might be any of the security contributions that I'm using that are causing it? Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.