I'm working on my first web site that requires SSL, it's hosted on a PCI Compliant server, SSL is setup correctly (or so I've been told).
I was hoping that I could just change a particular link in my code to go to a page, such as https://mydomain.com/login.php, but alas, it doesn't work. It doesn't even say that a SSL cert is present.
After some reading I'm thinking I must use curl to correctly work with HTTPS correct? If this is the case, are there any good 'still valid' tutorials on this topic?
Also, my hosting company said I was using php modules(I'm assuming he's referring to functions) that aren't compatible with their systems, they must work with 5.3.x...well I went through an entire page of code they claimed wasn't compatible, and every single function was in the php 5.3.x supported functions list (http://php.net/quickref.php).
Any insight into what they mean here? This stuff shouldn't seem like rocket science, but I'm coming up short on figuring it out correctly, and implementing http with SSL.
Thanks!
I've never heard of this. If mydomain.com/login.php is working but https://mydomain.com/login.php is not then it is not setup. Also you might want to see if https://www.mydomain.com/login.php works. It depends on what was setup as the fully qualified domain name in the certificate and key.
Usually servers have a default self signed certificate and it will give you a warning in browsers when trying to go to https. Is that what you are getting?? Or a different error?
Hope this gives you some direction...If it isn't setup you can go to the CA for directions on install directions.
Related
I have installed the SSL certificate via Cpanel to my WP website. But right after installing it the UI of the website got disturbed.
Without SSL
With SSL
Update 1
I have looked into it and found out that CSS/JS is not properly loaded. So I changed HTTP to HTTPS in my files where I was using it. But still, the issue is the same. Moreover, I am getting the below errors in my console.
Any help would be highly appreciated
Its due to references of css/images/javascript etc that are not using the SSL (https) but use HTTP instead. I recommend to install Really Simple SSL plugin for the quickest solution. Another solution is to go and fix every incorrect reference but this can be a lot of work and may in some cases need advanced knowledge (editing database entries etc.)
Check with your hosting company to properly configure HTTPS Redirects. The hosting company may ask you to install an HTTPS redirect plugin on your website. If that's work out then good if not, then go to PHPmyAdmin of your cPanel and Export your database. Open the database in Notepad++ and replace all http with https . Save the file. Delete old database tables. Import the file you saved with changes. Be aware, it might break your site, so be sure to take a backup of your database before attempting it. If things don't work out, revert the changes and take the help of a developer to fix it for you.
I am doing a CAS integration with a project that I am doing with my university. The final integration should be made with symfony2, however first I need to make the example code working.
I finally get working the example_simple.php example with phpCAS 1.3.2 , however the directive:
phpCAS::setNoCasServerValidation();
is the enabled one. I think I should use instead:
phpCAS::setCasServerCACert($cas_server_ca_cert_path);
However when I enable this second one (and disable the other) then the authorization does not work anymore. Here is the relevant output line error of the log:
could not open URL 'https://cas_server.fi/cas/serviceValidate?service=http%3A%2F%2Flocalhost%2Fphpcas2%2Fdocs%2Fexamples%2Fexample_simple.php&ticket=ST-115606-M1Omd1cHWzbLbmxa1nYV-cas' to validate (CURL error #60: SSL certificate problem: unable to get local issuer certificate) [Client.php:2763]
The cas server provided me two .crt files:
MYCASRootCA.crt
MYCASLinuxSUBCA.crt
And they are suppose to be installed in my system (Ubuntu 13.10). They are in different places, such a /etc/ssl/certs/MYCASLinuxSUBCA.pem but also:
/usr/share/ca-certificates/lut/MYCASRootCA.crt
/usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt
So assuming that the variable $cas_server_ca_cert_path has to have one of these .crt files or .pem dirs (such a /usr/share/ca-certificates/lut/MYCASLinuxSUBCA.crt) I cannot make it work. What I am doing it wrong? My client-server (no the cas server) is in my localhost. Is it a problem? Should I avoid use setCasServerCACert command? Why is it happening?
I've also tried to use the curl-ca-bundle.crt certificate provided by my XAMP instalation (Xampp 1.8.3).
I am a little bit lost with certificates as you can see.
I read about problems with phpCAS and recent Ubuntu versions in https://github.com/Jasig/phpCAS/issues?state=open. However I cannot make this working with the master code, even without certification (by default).
Any ideas would be appreciated...
I have found the solution asking in the github library: https://github.com/Jasig/phpCAS/issues/119
The reason is that the curl binary used by PHP in my xampp installation is different from the system's curl binary. The system one has access to /etc/ssl/certs/ certificates, but the xampp curl does not have (unless you don't indicate it, of course). By default, it searches in a special certificate-bundle-file.
Finally I have found the real certificate for my cas-server and I am using it, however maybe you want to use other proposed solution at the end of the discussion thread if you are having a similar problem.
I have a program written in PHP, and I'd like to make sure that login pages etc. are all served over SSL. Is there any good start to finish tutorial for doing so?
Also, does this affect my code in any way, or is it just a matter of getting a SSL cert, and setting up a server correctly?
If your html code contains absolute urls ("http://my-domain.com/...") to:
stylesheets
images
javascripts
Browsers will complain "This page contains both secure and non-secure items".
Use relative urls if you can, or link to "https://my-domain.com/..." urls.
Use free certificates
You don't have to spend money to get valid SSL certificate:
Let’s Encrypt
Let’s Encrypt is a free, automated, and open Certificate Authority.
It depends on the hosting how easy this is to setup, it could be just a checkbox.
The process is well documented on https://letsencrypt.org/
StartSSL
For more traditional certificates, you can get a "StartSSL™ Free" from StartCom.
The site also contains information on installing the certificate.
Firstly a word of warning. if you are considering using SSL its because you have something to protect. Therefore take the time to understand what you are doing every step of the way. Security (not just SSL) is a minefield even for the experienced.
I don't know of any tutorials, but there are plenty of gotcha's you have to be aware of.
Rolling your own ssl cert for testing purposes is free, but you will need to install it on your server.
Most of the time your code does not need to be any different for an ssl page or non ssl as the code itself is ssl agnostic, but as Bob says you must be careful of things like images.
Also redirects can cause popups to warn the user of redirections.
To test if the code is being called from a browser using SSL check for the SSL flag $_SERVER['HTTPS'] this should be a non empty value if SSL is being used.
$ssl_is_on = $_SERVER['HTTPS'] ? true:false;
Personally I prefer to keep my SSL code in a separate folder altogether and use apache to direct all SSL connections to that folder. that way I can be confident a script that should be protected by SSL is not called from a non SSL connection.
If you are logging them in under SSL and then redirecting them to non SSL pages you may need to account for domains and cookies
for example I always use a different domain for ssl normally https;//secure.blah.com and then redirect them to the non secure domain http;//www.blah.com so your cookie domain will need to be blah.com the default is the full domain name which means cookies for secure.blah.com won't be sent to www.blah.com and therefore your users will never be logged in.
Don't use this technique if you use a shared domain name otherwise you could have a problem with cookie information being leaked.
DC
It should not affect your code. Add modrewrite rules to your Apache config. Yes, just obtain an SSL cert (you'll need to pay to have it signed by Verisign or another certificate authority).
I seem to be having a problem running AMFPHP under SSL in our development environment.
I created a self-signed cert under CentOS and got everything working, but whenever I go to the page in Firefox I get warned that the certificate is self-certified and therefore cannot be accepted.
This then seems to affect the AMFPHP calls from flash saying that the certificate was not accepted on the call... Does anyone know a way round this? Is it a setting we can edit locally? Is there something in the AMFPHP config that will ignore this? Or is this happening at a lower level?
Many thanks for any help :)
You can add the certificate as a trusted source but that will only help you on your browser and won't improve the overal experience. Unless it will be fine your you to inform your users to do this (as it is a one off action).
You should also make sure you are using the SecureAMFEndPoint in stead of the regular AMFEndPoint on the ActionScript side.
I know this kind of thing cannot be adequately answered without a link to the live example. Unfortunately, I can't set one up right now as it's a back-end login and creating a safe public login would be too much to do at this point. Sorry. I'm hoping for ideas and input from people who may have experienced something similar in the past.
I am setting up a CMS for a client with a DSL connection in Spain.
The CMS is hosted on a straightforward standard, LAMP based, shared hosting package in a network center in Germany.
It comes with a .com domain.
When my client tries to log in to the CMS using Internet Explorer 7, everything works fine.
When she tries to log in using Firefox, she gets to the login form, submits it - and then the connection times out.
When she logs in using Firefox but using "domain.com" instead of "www.domain.com", everything works fine.
This happens on all computers that are hooked up to that line. One Windows XP, one Windows Vista.
The front-end part of the site, as well as a second, older CMS, work fine in all browsers.
I do not have access to the raw access logs.
I have not been able to reproduce this behaviour on any other connection.
Debugging ideas are welcome. Remote diagnosis is extremely difficult as the line is too slow to set up a proper remote connection.
If you are limited by how you can troubleshoot this, have the client install Fiddler - Web debugging proxy and then run the trace, and send you the logs, Fiddler will analyze the traffic (be it proxy or DNS timeout, etc)
Take a look if you have not used it before:
http://www.fiddler2.com/Fiddler2/version.asp
Check that Firefox and IE are using the same proxy settings.
DNS issues? can you put here your A records to check is everything is ok?