
Check if SSL is available when enabling in configuration #9584

Merged: 7 commits into joomla:staging from the check-ssl-on-force-https branch, Apr 12, 2016

Conversation

roland-d
Contributor

Pull Request for Issue #9583.

Summary of Changes

If you are forcing SSL on your site either the Entire site or Administrator part but there is no SSL certificate present you will no longer be able to access the site. You will need to FTP into your site and change the configuration file manually to be able to get in. To prevent this nuisance, this PR will add a check to see if an SSL connection is possible to the site. If not possible, SSL will not be enabled.

Testing Instructions

Testing on a non-SSL-enabled site
  1. Open a Joomla site that has no SSL enabled
  2. Go to the System -> Global Configuration -> Server
  3. Set the option Force SSL to Entire Site
  4. Save the configuration
  5. You are now locked out of the site
  6. Manually edit the configuration.php file and set the force_ssl back to 0

    public $force_ssl = '0';

  7. Apply the patch
  8. Go to the System -> Global Configuration -> Server
  9. Set the option Force SSL to Entire Site
  10. Save the configuration
  11. You will not be locked out and the SSL option remains stored as 0

Testing on an SSL-enabled site
  1. Open a Joomla site that has no SSL enabled
  2. Go to the System -> Global Configuration -> Server
  3. Set the option Force SSL to Entire Site
  4. Save the configuration
  5. SSL will be used everywhere on the site
  6. Go to the System -> Global Configuration -> Server
  7. Set the option Force SSL to None
  8. Save the configuration
  9. Apply the patch
  10. Go to the System -> Global Configuration -> Server
  11. Set the option Force SSL to Entire Site
  12. Save the configuration
  13. SSL will be used everywhere on the site

There are actually no differences for an SSL-enabled site; this just tests that things keep working as they do now.

@JoshJourney

Thanks, the PR works. :-)


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

@JoshJourney

I have tested this item ✅ successfully on a4f1749



@zero-24
Contributor

zero-24 commented Mar 25, 2016

@roland-d maybe we should send an error message that we can't enable that?

@roland-d
Contributor Author

@zero-24 I am not sure if we should do that. You could even take it further, not even give the option to change if there is no SSL.

@brianteeman
Contributor

If we have an option present and, when you set that option, nothing changes, then there should be a message explaining why.



@roland-d
Contributor Author

@brianteeman Fair enough. Can you suggest a sentence to use? I can add it to this PR.

@brianteeman
Contributor

If I understand the PR correctly then how about

HTTPS has not been enabled as it is not available on this server

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

@joomla-cms-bot

This PR has received new commits.

CC: @JoshuaLewis



@joomla-cms-bot joomla-cms-bot added the Language Change This is for Translators label Mar 25, 2016
@roland-d
Contributor Author

Sounds like a good text to me. I have updated the PR and it will now show the following upon saving:

[image: https://cloud.githubusercontent.com/assets/359377/14042099/0bd22100-f277-11e5-80e1-85d8dbd1823f.png]

@brianteeman
Contributor

Thank you


@brianteeman
Contributor

I have tested this item ✅ successfully on d6d79c5



@andrepereiradasilva
Contributor

I have tested this item 🔴 unsuccessfully on d6d79c5

My server is https capable and the notice appears.

I think this happens because you are only checking the ssl:// transport.

I have no SSL, just TLS. Also, I have an invalid cert because it's a test server, but it should use https too.

See http://php.net/manual/en/transports.inet.php

Wouldn't it be better to test an https connection (json to be faster like the URL used in keepalive for instance)?



@roland-d
Contributor Author

@andrepereiradasilva I don't have access to a TLS setup, so I didn't test it or think about it :)

We could also check the tls:// transport if ssl:// fails.

As for the certificate, we are not checking if it is valid or not, just if it is there.

Wouldn't it be better to test an https connection

I did that at first but got mixed results. I don't think there is anything wrong with using the transport check if we add the tls:// option, is there?

@andrepereiradasilva
Contributor

Sure, then check tls too.

ssl is deprecated and is being removed.
So the order should be the opposite: first check tls and then ssl.

See https://tools.ietf.org/html/rfc7568

@roland-d
Contributor Author

Yes, you are correct, I read that already just didn't express it that way :)

Would it be possible to test it against your test server?

@andrepereiradasilva
Contributor

Of course, make the changes and I will test.

@joomla-cms-bot

This PR has received new commits.

CC: @andrepereiradasilva, @brianteeman, @JoshuaLewis



@roland-d
Contributor Author

@andrepereiradasilva I made the changes, since I can't test them I have been guessing ;)

@andrepereiradasilva
Contributor

I have tested this item ✅ successfully on f804bbe

I just did the "Testing on a SSL enabled site" part on a TLS only HTTPS server.



@andrepereiradasilva
Contributor

@roland-d just tested the "Testing on a non-SSL enabled site" part with nginx.

I disabled HTTPS in my host and it doesn't work. It falls back to the default nginx SSL host (server_name _;), so it saves the config and then redirects to HTTPS; since that URI doesn't exist in the default server, I got an HTTP not found or forbidden error.

And, even if I remove the default host, it doesn't work: it saves the config and then redirects to HTTPS; since HTTPS doesn't exist, I got an HTTP 500 error.

@andrepereiradasilva
Contributor

I have tested this item 🔴 unsuccessfully on f804bbe

tested unsuccessfully (see comments above)



@roland-d
Contributor Author

@andrepereiradasilva

And, even if i remove the default host, it doesn't work:

Well we would need to check what feedback is received in this case. Would it be possible to get access to this site so I can test and debug it?

@roland-d
Contributor Author

roland-d commented Apr 1, 2016

You are correct, if you know how to install/remove a certificate, you are no longer a beginner.

To sort of fix the removal of a certificate we would need to check on every page load if the certificate exists, this I think is overkill. It would be best to document what to do if you get such an error.

@JoshJourney

I assumed the same was true with the PR (in terms of checking each time). I agree that we would not want to use more system resources than what is needed. So does this PR make it so that it only checks for the certificate when changing the Joomla configuration?

@roland-d
Contributor Author

roland-d commented Apr 1, 2016

This PR only checks when saving the global configuration and if the setting has changed and the setting is not set to Don't use.
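An added example, not the merged com_config code, of the check as discussed in this thread: a handshake-only test that tries the tls:// transport before the deprecated ssl:// one, and a save-time gate that only runs it when the Force SSL value changed to something other than None. The host, port, timeout and the choice to keep the previous value on failure (rather than storing 0, as the PR does) are assumptions; since no HTTP request is sent, HTTP authentication on the site does not affect the result.

```php
<?php
// Added example, not Joomla's own com_config code: test whether the site
// answers a TLS handshake before a non-zero force_ssl value is stored.

/**
 * True if $host completes a TLS (or legacy SSL) handshake on $port. Only the
 * handshake is tested; certificate validity is deliberately not verified, so a
 * self-signed test certificate still counts as "HTTPS is available".
 */
function isHttpsAvailable(string $host, int $port = 443, float $timeout = 5.0): bool
{
    $context = stream_context_create(['ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ]]);

    // RFC 7568 order: tls:// first, ssl:// only as a fallback, restricted to
    // the transports this PHP build actually provides.
    $transports = array_intersect(['tls', 'ssl'], stream_get_transports());

    foreach ($transports as $transport) {
        $errno  = 0;
        $errstr = '';
        $socket = @stream_socket_client("$transport://$host:$port", $errno,
            $errstr, $timeout, STREAM_CLIENT_CONNECT, $context);
        if ($socket !== false) {
            fclose($socket);
            return true;
        }
    }
    return false;
}

/**
 * Decide which force_ssl value to store. The check runs only when the value
 * changed and the new value is not 0 ("None"). On failure the previous value
 * is kept (an assumption; the PR stores 0) and a warning text is returned.
 * Returns [valueToStore, warningOrNull].
 */
function resolveForceSsl(int $old, int $new, string $host): array
{
    if ($new === 0 || $new === $old || isHttpsAvailable($host)) {
        return [$new, null];
    }
    return [$old, 'HTTPS has not been enabled as it is not available on this server'];
}
```

The server connects to its own hostname, so no outbound internet access is needed, but that hostname must resolve and be reachable from the server itself; split DNS or a firewall can make the check fail even though browsers reach HTTPS fine.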

@JoshJourney

Excellent, that's exactly what we want then. :-) I'm currently battling the flu, so pardon me being a little thick on this subject. The headache is not helping either. Anyway, it should be RTC soon.

@roland-d roland-d added the RTC This Pull Request is Ready To Commit label Apr 1, 2016
@roland-d
Contributor Author

roland-d commented Apr 1, 2016

No worries, get well soon. I have set it to RTC :)

@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Apr 1, 2016
@zero-24
Contributor

zero-24 commented Apr 1, 2016

@roland-d the @joomla-cms-bot is not happy :p

@andrepereiradasilva
Contributor

@roland-d i have just one question: has this been tested in sites without internet access? (e.g. intranets)

@roland-d
Contributor Author

roland-d commented Apr 1, 2016

@andrepereiradasilva I didn't test it on an intranet but I wonder if it makes a difference. The code is calling the site you are on, so it should be reachable already. Or am I mistaken here?

@zero-24 I will check, didn't get a message though :/

@andrepereiradasilva
Contributor

The code is calling the site you are on, so it should be reachable already. Or am I mistaken here?

If the server cannot connect to the internet, will it fetch the https page?

@zero-24
Contributor

zero-24 commented Apr 1, 2016

@roland-d you need to set the issue RTC on Jissues to make @joomla-cms-bot happy :)

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Apr 1, 2016
@rdeutz rdeutz merged commit 40a331b into joomla:staging Apr 12, 2016
@roland-d roland-d deleted the check-ssl-on-force-https branch April 13, 2016 08:31
@rdeutz rdeutz modified the milestones: Joomla 3.5.2, Joomla! 3.6.0 May 1, 2016
@brianteeman brianteeman removed the RTC This Pull Request is Ready To Commit label May 11, 2016
@sailor16

I have tested this item 🔴 unsuccessfully on 16a8f91

Hi,

Using J3.6.2, started from a "Force HTTPS": "Administrator Only" setup.

  • Detection result was wrong.
  • Worse: It downgraded the settings value to "None".

DETAILS:

Prelude/Side Note: In J 3.5.1 (before upgrading from 3.5.1 -> 3.6.0 -> 3.6.2) the preview link in the top right corner of the backend linked to the https website when called from the https backend (even on "Force SSL: None"), i.e. it kept me on the same security level (expected behaviour).
After upgrading to 3.6.2 the link always refers to the http link, no matter what the "Force HTTPS" setting states (unexpected behaviour!!).

Tried to "Force HTTPS: Entire Site". BUT setting this switch resulted in

  1. a false "Warning
    HTTPS has not been enabled as it is not available on this server."
    (I am even calling the backend through https; what does the "test" need to look like to be positive here?).
  2. Joomla CHANGING my setting from "Administrator Only" to "None", thus decreasing the security level (!bad!), and every try to reset it through the backend fails.

So, what do you need to correct this behaviour? How do you check that there is "no SSL certificate present"?

  • Using a self-signed certificate (openSSL), PKCS Test #1 SHA-256 with RSA-Encryption
  • working in a development environment with HTTP_AUTH (maybe relevant?)

PS: No idea if this will fix the non-https link yet. In the end I do not expect a change by this.

Thanks ahead,
sailor



@zero-24
Contributor

zero-24 commented Aug 22, 2016

Please open a new issue. This is closed / merged into 3.6.0.

@sailor16

Reviewing the current implementation in administrator/components/com_config/model/application.php line 121 ff.
Yes, the routine does ignore existing http-authentication parameters (which could be taken from the existing session).
@roland-d: Would you please review the commit and adjust respectively? Please let me know if I can be of any help.



@andrepereiradasilva
Contributor

andrepereiradasilva commented Aug 22, 2016

@sailor16 you can make a Pull Request for that, or else open an issue (this PR is already merged).

@sailor16

I opened https://issues.joomla.org/tracker/joomla-cms/11735.
Is it possible to close this issue for comments if this is not the right way to follow up?



@rdeutz
Contributor

rdeutz commented Aug 22, 2016

@sailor16 we don't lock conversations, sometimes there is something to say :-)
