osCommerce

SSL Problems - Can't Make Sense of It - HELP!



I've read through the SSL Implementation Help thread and ensured that I have followed everything, but I still receive mixed content errors and image display problems. I'm using OSC 2.3.1 with Linux hosting.

 

In application_top.php, when using:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL'; 

 

...I receive mixed content errors, but all content displays fine when I click the button to allow.

 

When using:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

...I don't receive the usual message, but most content displays apart from some images. Mixed content is still an issue, though, as the certificate information still references this problem.

 

Also, when using:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

...the generated HTML displays:

 

<base href="http://www.jewellersdoncaster.co.uk/" />

 

whereas using:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

...generates:

 

<base href="https://www.jewellersdoncaster.co.uk/" />

 

I have checked for any stray absolute paths to http sources, but there aren't any, so I'm not sure why the mixed content issues are arising. Also, I really don't know which $request_type to use because of the mixed results. I am using CSS3PIE, but there are no http references where this is concerned.

 

I have downloaded the SSL Help contribution and tested my site with the various tools, and all results are positive, even the unsecure content test. Where am I going wrong? Anyone able to help can view an example secure page at: https://www.jewellersdoncaster.co.uk/login.php

 

The $request_type currently in use is:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL'; 

 

HELP!!!


It is not uncommon for different brands of server software to implement these things a bit differently. For example, getenv('HTTPS') might return either '1' or 'on'. The variable may be HTTP_HTTPS instead of HTTPS. You may have to use $_SERVER['HTTPS'] or some other form. Frankly, osC needs to be updated to try all of these until it gets a solid hit on whether this page is under SSL or not. However, once you have the correct form established, there's only one or two places to change it, and until your server changes, you won't have to touch it again.


After a brief perusal of PHP documentation, you have all these things to look for until you get a 'hit':

  • getenv('HTTPS'): if not false, look for '1' or 'on'
  • getenv('HTTP_HTTPS'): if not false, look for '1' or 'on'
  • $_SERVER['HTTPS']: if defined and non-empty and not 'off' (IIS uses 'off' instead of empty)
  • $_SERVER['HTTP_HTTPS']: if defined and non-empty and not 'off' (IIS uses 'off' instead of empty)
  • $_SERVER['SERVER_PORT']: by default, == '443' for SSL, == '80' for non-SSL, but this can change with server setup

The good news is that once you've gone through and found which one your server uses, it shouldn't change for a long time, if ever (unless you change servers). You can hard code the proper test in includes/application_top.php and includes/functions/general.php. You might even be able to add global $request_type; in general.php's tep_redirect() and replace the getenv() call there with $request_type == 'SSL', but I haven't actually tried it. That would reduce the places to change when your server changes to just one.

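As an added example (not osCommerce code, and not from any post in this thread), here are the sources listed above folded into one PHP function that both application_top.php and general.php could call, so the test lives in one place. The function names request_is_ssl and request_type, the $server parameter and the sample arrays at the bottom are this example's own inventions. It also carries one caveat the list above does not mention: PHP builds every $_SERVER['HTTP_*'] entry from a request header, so HTTP_HTTPS is the one source a client can set itself.

```php
<?php
// Added example: not osCommerce code and not from any post in this thread.
// One function answers "is this request under SSL?" by walking the sources
// listed above, so application_top.php and general.php can share it instead
// of each hard-coding getenv('HTTPS') == '1' or == 'on'.
//
// $server defaults to $_SERVER; it is a parameter only so the function can be
// exercised with the constructed arrays at the bottom of the file.

function request_is_ssl($server = null) {
    if (!is_array($server)) {
        $server = $_SERVER;
        // Some SAPIs expose the CGI environment only through getenv().
        foreach (array('HTTPS', 'HTTP_HTTPS') as $name) {
            if (!isset($server[$name]) && getenv($name) !== false) {
                $server[$name] = getenv($name);
            }
        }
    }

    // 1. HTTPS, set by the web server itself: Apache gives 'on', some setups
    //    '1', and IIS gives 'off' (not empty) on plain-HTTP requests.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '') {
        return !in_array(strtolower($server['HTTPS']), array('off', '0'), true);
    }

    // 2. Port 443 by convention. The post above notes this changes with server
    //    setup, so it is only a fallback.
    if (isset($server['SERVER_PORT']) && (string) $server['SERVER_PORT'] === '443') {
        return true;
    }

    // 3. HTTP_HTTPS. PHP fills every $_SERVER['HTTP_*'] entry from a request
    //    header, so a client can send "Https: on" with a plain-HTTP request and
    //    satisfy this test. In osCommerce that only changes which base URL the
    //    spoofing client is given for its own requests, but it is still the one
    //    source the client controls, hence last.
    if (isset($server['HTTP_HTTPS']) && $server['HTTP_HTTPS'] !== '') {
        return !in_array(strtolower($server['HTTP_HTTPS']), array('off', '0'), true);
    }

    return false;
}

// The value osCommerce keeps in $request_type.
function request_type($server = null) {
    return request_is_ssl($server) ? 'SSL' : 'NONSSL';
}

// Constructed inputs modelled on the testSSL.php results posted in this thread
// and on the IIS behaviour described above; none were captured from a live server.
$cases = array(
    'Apache, https (as posted)' => array('HTTPS' => 'on',  'SERVER_PORT' => '443'),
    'Apache, http'              => array('SERVER_PORT' => '80'),
    'host that sets HTTPS=1'    => array('HTTPS' => '1',   'SERVER_PORT' => '443'),
    'IIS, http'                 => array('HTTPS' => 'off', 'SERVER_PORT' => '80'),
    'port only'                 => array('SERVER_PORT' => '443'),
    'Https: header, plain http' => array('HTTP_HTTPS' => 'on', 'SERVER_PORT' => '80'),
);
foreach ($cases as $label => $server) {
    printf("%-28s %s\n", $label, request_type($server));
}
```

Run it from the command line (php request_is_ssl.php) to see one line per case. The last case prints SSL even though the request came in on port 80, which is the spoofing point: a server that sets HTTPS itself (as the poster's Apache does, per the testSSL.php output later in the thread) never reaches that fallback, so prefer the server-set variable wherever it exists and treat HTTP_HTTPS as a last resort only.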

Your includes/application_top.php is incorrect.

 

 

It contains this code:

 

 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

It needs to be:

 

 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

Get that right and we can work out any other "kinks".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 



Thanks for the responses, chaps. Jim, I have changed the $request_type to 'on' and the content displays without prompting to allow unsecure content. However, there are still two issues to iron out.

 

1. The certificate information states there is unsecure content present ("Your connection to www.jewellersdoncaster.co.uk is encrypted using 256-bit encryption. However, this page includes other resources which are not secure")

2. Some images have not loaded (Search button, PayPal logo, RapidSSL logo and category menu backgrounds)


Make testSSL.php with the following content, and try running it under both http: and https:

<?php
// test various ways of determining if a page is invoked under SSL

//  getenv('HTTPS'): if not false, look for '1' or 'on'
echo "(hoping to see '1' or 'on') getenv('HTTPS') returns ";
if (getenv('HTTPS')) {
 echo "'" . getenv('HTTPS') . "'<br>\n";
} else {
 echo "nothing<br>\n";
}
//  getenv('HTTP_HTTPS'): if not false, look for '1' or 'on'
echo "(hoping to see '1' or 'on') getenv('HTTP_HTTPS') returns ";
if (getenv('HTTP_HTTPS')) {
 echo "'" . getenv('HTTP_HTTPS') . "'<br>\n";
} else {
 echo "nothing<br>\n";
}
//  $_SERVER['HTTPS']: if defined and non-empty and not 'off' (IIS uses 'off' instead of empty)
echo "(hoping to see something other than 'off') \$_SERVER['HTTPS'] returns ";
if (isset($_SERVER['HTTPS'])) {
 echo "'" . $_SERVER['HTTPS'] . "'<br>\n";
} else {
 echo "nothing<br>\n";
}
//  $_SERVER['HTTP_HTTPS']: if defined and non-empty and not 'off' (IIS uses 'off' instead of empty)
echo "(hoping to see something other than 'off') \$_SERVER['HTTP_HTTPS'] returns ";
if (isset($_SERVER['HTTP_HTTPS'])) {
 echo "'" . $_SERVER['HTTP_HTTPS'] . "'<br>\n";
} else {
 echo "nothing<br>\n";
}
//  $_SERVER['SERVER_PORT']: by default, == '443' for SSL, == '80' for non-SSL, but this can change with server setup
echo "(hoping to see '443') \$_SERVER['SERVER_PORT'] returns ";
if (isset($_SERVER['SERVER_PORT'])) {
 echo "'" . $_SERVER['SERVER_PORT'] . "'<br>\n";
} else {
 echo "nothing<br>\n";
}

?>

 

It will tell you what tests you can use for SSL. Erase or rename the file when you're done, so hackers can't use it to explore (and perhaps, exploit) your system.


Make testSSL.php with the following content, and try running it under both http: and https:

Using https:

 

(hoping to see '1' or 'on') getenv('HTTPS') returns 'on'

(hoping to see '1' or 'on') getenv('HTTP_HTTPS') returns nothing

(hoping to see something other than 'off') $_SERVER['HTTPS'] returns 'on'

(hoping to see something other than 'off') $_SERVER['HTTP_HTTPS'] returns nothing

(hoping to see '443') $_SERVER['SERVER_PORT'] returns '443'


1. The certificate information states there is unsecure content present ("Your connection to www.jewellersdoncaster.co.uk is encrypted using 256-bit encryption. However, this page includes other resources which are not secure")

2. Some images have not loaded (Search button, PayPal logo, RapidSSL logo and category menu backgrounds)

 

It sounds like you still have some page content (embedded content) being invoked under http:. View your page source in the browser and see what items are still http:. I wouldn't be surprised if everything you listed in #2 is still http:. What exactly did you do for "the content displays without prompting to allow unsecure content"? It sounds like it didn't work. Remember that any browser settings you make to permit a mix of secure and unsecure content will apply only to your own browser, not anyone else's!

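An added example, not from the thread, that performs the page-source check described in the post above mechanically rather than by eye. It parses the HTML, resolves every resource the browser will fetch (images, scripts, stylesheets, CSS url() values) against <base href> when one is present, and lists those that end up on http://. Anchor hrefs are skipped, because a link to an http page is not mixed content. The sample page, the example.com names and the function names find_mixed_content and resolve_url are constructed for this example; the real site's source is not reproduced here.

```php
<?php
// Added example, not part of the thread. Lists the resources in a page's
// source that an https page will fetch over plain http ("mixed content").
// Relative references are resolved against <base href>, because a page served
// over https that emits <base href="http://..."> turns every relative image
// path into an http fetch even when the source contains no absolute http URLs.

function find_mixed_content($html, $page_url) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    // Resolution base: <base href> if present, else the page's own URL.
    $base = $page_url;
    foreach ($doc->getElementsByTagName('base') as $b) {
        if ($b->getAttribute('href') !== '') { $base = $b->getAttribute('href'); break; }
    }

    // Elements whose attribute triggers a fetch on page load. <a href> is
    // deliberately absent: navigating to http later is not mixed content.
    $fetching = array('img' => 'src', 'script' => 'src', 'iframe' => 'src',
                      'link' => 'href', 'embed' => 'src', 'object' => 'data',
                      'source' => 'src', 'video' => 'src', 'audio' => 'src');
    $found = array();
    foreach ($fetching as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $ref = $el->getAttribute($attr);
            if ($ref === '') continue;
            if ($tag === 'link'
                && stripos($el->getAttribute('rel'), 'stylesheet') === false
                && stripos($el->getAttribute('rel'), 'icon') === false) continue;
            $abs = resolve_url($ref, $base);
            if (strncasecmp($abs, 'http://', 7) === 0) {
                $found[] = "<$tag $attr=\"$ref\"> -> $abs";
            }
        }
    }

    // url(...) references in <style> blocks and style="" attributes.
    $css = '';
    foreach ($doc->getElementsByTagName('style') as $s) $css .= $s->textContent . "\n";
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*[@style]') as $el) $css .= $el->getAttribute('style') . "\n";
    if (preg_match_all('/url\(\s*[\'"]?([^\'")\s]+)[\'"]?\s*\)/i', $css, $m)) {
        foreach ($m[1] as $ref) {
            $abs = resolve_url($ref, $base);
            if (strncasecmp($abs, 'http://', 7) === 0) $found[] = "css url($ref) -> $abs";
        }
    }
    return $found;
}

// Minimal reference resolution: absolute, scheme-relative, root-relative and
// path-relative references against $base (enough for store page markup).
function resolve_url($ref, $base) {
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $ref)) return $ref;          // already absolute
    $p = parse_url($base);
    $scheme = isset($p['scheme']) ? $p['scheme'] : 'http';
    $host   = isset($p['host']) ? $p['host'] : '';
    if (substr($ref, 0, 2) === '//') return $scheme . ':' . $ref;          // scheme-relative
    if (substr($ref, 0, 1) === '/')  return "$scheme://$host$ref";          // root-relative
    $dir = isset($p['path']) ? $p['path'] : '/';
    $dir = substr($dir, 0, strrpos($dir, '/') + 1);                        // drop the file part
    return "$scheme://$host$dir$ref";
}

// Constructed page source in the shape the thread describes (not the real site):
// an http <base href> plus relative image paths and no absolute http:// sources.
$html = <<<HTML
<html><head>
<base href="http://www.example.com/" />
<link rel="stylesheet" href="stylesheet.css" />
<script src="https://cdn.example.net/lib.js"></script>
<style>.menu { background: url(images/menu_bg.png); }</style>
</head><body>
<img src="images/picture.gif" />
<img src="//www.example.com/images/logo.png" />
<a href="http://www.example.com/contact.php">Contact</a>
</body></html>
HTML;

foreach (find_mixed_content($html, 'https://www.example.com/login.php') as $line) {
    echo $line, "\n";
}
```

With the http <base href> (the output the '1' test produced earlier in the thread) every relative path and the scheme-relative one are reported, while the source itself contains no absolute http:// image references; that is why searching the source for absolute http paths finds nothing. Change the base to https:// (or remove it) and the same source reports nothing. The script can be pointed at a saved copy of any page's source, the view-source output, rather than at the live site.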

(hoping to see '1' or 'on') getenv('HTTPS') returns 'on'

(hoping to see '1' or 'on') getenv('HTTP_HTTPS') returns nothing

(hoping to see something other than 'off') $_SERVER['HTTPS'] returns 'on'

(hoping to see something other than 'off') $_SERVER['HTTP_HTTPS'] returns nothing

(hoping to see '443') $_SERVER['SERVER_PORT'] returns '443'

 

You can use getenv('HTTPS') == 'on' or $_SERVER['HTTPS'] == 'on' or $_SERVER['SERVER_PORT'] == '443'. From a previous post, it sounds like you already implemented the first choice. That's fine.

 

Don't forget that there are at least two routines (application_top.php and general.php) that use this test. Make sure you keep them in sync.


It sounds like you still have some page content (embedded content) still being invoked under http:. View your page source in the browser and see what items are still http:

 

I've checked through the source quite a few times, but the only http references are on anchor tag hrefs. Any images are displayed using a relative path, e.g. "images/picture.gif".

 

Don't forget that there are at least two routines (application_top.php and general.php) that use this test. Make sure you keep them in sync.

 

I have a general.js in includes, but no general.php.


I don't get any "unsecure content" but some images won't display on the SSL pages.

 

Although if I copy/paste the image URL into the browser address bar and access the image directly (with an HTTPS URL) it displays.

 

It's been my experience that this behavior is usually caused by "Hotlink Protection" in your web host's cPanel (or the settings therein).


I don't get any "unsecure content" but some images won't display on the SSL pages.

 

Although if I copy/paste the image URL into the browser address bar and access the image directly (with an HTTPS URL) it displays.

 

It's been my experience that this behavior is usually caused by "Hotlink Protection" in your web host's cPanel (or the settings therein).

 

Bingo! Thanks, Jim - it was indeed Hotlink Protection. I had added this functionality in .htaccess while applying a security-related contribution. Thanks for your swift help, Jim (and Phil).

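The poster's .htaccess rules are not shown, so the following is an added example built on an assumed, typical cPanel-style hotlink rule of the shape `RewriteCond %{HTTP_REFERER} !^$`, `RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]`, `RewriteRule \.(gif|jpe?g|png)$ - [F]`. Apache matches that condition with the same PCRE syntax PHP's preg_match uses, so the script applies the http-only pattern and a scheme-agnostic fix to constructed Referer values to show the exact symptom above: images on the SSL pages are refused while a direct address-bar load (no Referer) succeeds. The function names, the example.com host and the referer strings are this example's own.

```php
<?php
// Added example, not the thread's .htaccess. Reproduces the decision a
// referer-based hotlink rule makes, for an http-only allow pattern and for
// the scheme-agnostic pattern that fixes it.

function hotlink_blocked($referer, $allowed_pattern, $allow_empty = true) {
    if ($referer === '') {
        return !$allow_empty;            // address-bar or bookmark load: no Referer sent
    }
    return !preg_match($allowed_pattern, $referer);
}

// Same regex text as the assumed RewriteCond, delimited for preg_match.
$http_only = '#^http://(www\.)?example\.com/#i';    // breaks once pages move to https
$fixed     = '#^https?://(www\.)?example\.com/#i';  // accept either scheme

// Constructed Referer values (not captured from the real site).
$referers = array(
    'http://www.example.com/index.php',      // plain page on the store
    'https://www.example.com/login.php',     // SSL page on the store
    '',                                      // direct load of the image URL
    'http://evil.example.net/hotlink.html',  // a genuine hotlink
);

function hotlink_report($pattern, $referers) {
    $out = array();
    foreach ($referers as $r) {
        $key = ($r === '') ? '(no referer)' : $r;
        $out[$key] = hotlink_blocked($r, $pattern) ? 'BLOCKED' : 'allowed';
    }
    return $out;
}

echo "http-only pattern:\n";
print_r(hotlink_report($http_only, $referers));
echo "scheme-agnostic pattern:\n";
print_r(hotlink_report($fixed, $referers));
```

Under the http-only pattern the https login page is BLOCKED while the empty referer is allowed, which is the pair of symptoms reported above; under the fixed pattern only the foreign site is blocked. Two practitioner notes: the Referer header is supplied by the client, so hotlink protection is a bandwidth measure, not a security control, and an allow-list that names only http:// hosts has to be revisited whenever a site gains SSL pages.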

I have a general.js in includes, but no general.php.

 

Per my first post, you should have an includes/functions/general.php. It uses getenv('HTTPS') in the tep_redirect() call, so you may not have yet encountered a failure there. Anyway, check if it's == '1' or == 'on'.

 

I haven't tried it, but I suspect that $request_type == 'SSL' (with global $request_type) should have been used here, so that all the SSL testing (and any code changes needed) is in one place (application_top.php).

