Check if SSL is available when enabling in configuration #9584
Thanks, the PR works. :-) This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.
I have tested this item ✅ successfully on a4f1749
@roland-d maybe we should send an error message that we can't enable that?
@zero-24 I am not sure if we should do that. You could even take it further, not even give the option to change if there is no SSL.
If we have an option present and when you set that option nothing changes then there should be a message explaining why
@brianteeman Fair enough. Can you suggest a sentence to use? I can add it to this PR.
If I understand the PR correctly then how about "HTTPS has not been enabled as it is not available on this server"
Brian Teeman
This PR has received new commits. CC: @JoshuaLewis
Thank you
Brian Teeman
I have tested this item ✅ successfully on d6d79c5
I have tested this item 🔴 unsuccessfully on d6d79c5 I think this happens because you are only checking ssl:// transport. I have no SSL, just TLS. Also I have an invalid cert because it's a test server but should use https too. See http://php.net/manual/en/transports.inet.php Wouldn't it be better to test an https connection (json to be faster like the URL used in keepalive for instance)?
@andrepereiradasilva I don't have access to a TLS setup so didn't test it nor thought about it :) We could also check the tls:// transport if ssl:// fails. As for the certificate, we are not checking if it is valid or not, just if it is there.
I did that at first but got mixed results. I don't think there is anything wrong using the transport check if we add the tls:// options, is there?
sure, then check tls too. ssl is deprecated and is being removed.
Yes, you are correct, I read that already just didn't express it that way :) Would it be possible to test it against your test server?
of course, make the changes and I will test
This PR has received new commits. CC: @andrepereiradasilva, @brianteeman, @JoshuaLewis
@andrepereiradasilva I made the changes, since I can't test them I have been guessing ;)
I have tested this item ✅ successfully on f804bbe
@roland-d just tested the "Testing on a non-SSL enabled site" part with nginx. I disabled the HTTPS in my host and it doesn't work. It falls back to the default nginx host SSL. And, even if I remove the default host, it doesn't work: it saves the config and then redirects to HTTPS, since HTTPS doesn't exist I got an HTTP 500 error.
I have tested this item 🔴 unsuccessfully on f804bbe
Well we would need to check what feedback is received in this case. Would it be possible to get access to this site so I can test and debug it?
You are correct, if you know how to install/remove a certificate, you are no longer a beginner. To sort of fix the removal of a certificate we would need to check on every page load if the certificate exists, this I think is overkill. It would be best to document what to do if you get such an error.
I assumed the same was true with the PR (in terms of checking each time). I agree that we would not want to use more system resources than what is needed. So does this PR make it so that it only checks for the certificate when changing the Joomla configuration?
This PR only checks when saving the global configuration and if the setting has changed and the setting is not set to Don't use.
Excellent, that's exactly what we want then. :-) I'm currently battling the flu, so pardon me being a little thick on this subject. The headache is not helping either. Anyways, should be RTC soon.
No worries, get well soon. I have set it to RTC :)
@roland-d the @joomla-cms-bot is not happy :p
@roland-d I have just one question: has this been tested in sites without internet access? (e.g. intranets)
@andrepereiradasilva I didn't test it on an intranet but I wonder if it makes a difference. The code is calling the site you are on, so it should be reachable already. Or am I mistaken here? @zero-24 I will check, didn't get a message though :/
If the server cannot connect to the internet, will it fetch the https page?
@roland-d you need to set the issue RTC on Jissues to make @joomla-cms-bot happy :)
I have tested this item 🔴 unsuccessfully on 16a8f91 Using J3.6.2, started from a "Force HTTPS": "Administrator Only" setup.
DETAILS: Prelude/Side Note: In J 3.5.1 (before upgrading from 3.5.1 -> 3.6.0 -> 3.6.2) the preview link in the top right corner of the backend did link to the https website when called from the https backend (even on "Force SSL: None") = it kept me on the same security level (expected behaviour). Tried to "Force HTTPS: Entire Site". - BUT setting this switch resulted in
So, what do you need to correct this behaviour? How do you check that there is "no SSL certificate present"
PS: No idea if this will fix the non-https link yet. In the end I do not expect a change by this. Thanks ahead,
please open a new issue. This is closed / merged into 3.6.0
Reviewing the current implementation in administrator/components/com_config/model/application.php line 121 ff.
@sailor16 you can make a Pull Request for that, or else open an issue (this PR is already merged).
I opened https://issues.joomla.org/tracker/joomla-cms/11735.
@sailor16 we don't lock conversations, sometimes there is something to say :-)
Pull Request for Issue #9583.
Summary of Changes
If you are forcing SSL on your site either the Entire site or Administrator part but there is no SSL certificate present you will no longer be able to access the site. You will need to FTP into your site and change the configuration file manually to be able to get in. To prevent this nuisance, this PR will add a check to see if an SSL connection is possible to the site. If not possible, SSL will not be enabled.
Testing Instructions
Testing on a non-SSL enabled site
Open a Joomla site that has no SSL enabled
Go to the System -> Global Configuration -> Server
Set the option Force SSL to Entire Site
Save the configuration
You are now locked out of the site
Manually edit the configuration.php file and set the force_ssl back to 0
Apply the patch
Go to the System -> Global Configuration -> Server
Set the option Force SSL to Entire Site
Save the configuration
You will not be locked out and the SSL option remains stored as 0
Testing on a SSL enabled site
There are actually no differences for an SSL enabled site, just test that things keep working as they do now.
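The check described in the summary and refined in the thread (try tls:// as well as ssl://, only test that a listener exists rather than that its certificate is valid, run only when the setting changes and is not "Don't use"), as an added example that is not the code merged in this PR. The function names `httpsAvailable` and `resolveForceSsl`, the host `site.example` and the fallback to 0 on failure are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not Joomla's own code.

/** Probe $host:443 for a TLS listener: tls:// first, ssl:// as fallback. */
function httpsAvailable(string $host, float $timeout = 5.0): bool
{
    // Certificate validity is deliberately not checked: as in the thread,
    // the probe only asks whether a handshake on port 443 completes.
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
        'peer_name'        => $host, // sent as SNI
    ]]);

    // Only try transports this PHP build actually registers.
    foreach (array_intersect(['tls', 'ssl'], stream_get_transports()) as $transport) {
        $socket = @stream_socket_client("$transport://$host:443", $errno, $errstr,
            $timeout, STREAM_CLIENT_CONNECT, $context);
        if ($socket !== false) {
            fclose($socket);
            return true;
        }
    }
    return false;
}

/**
 * Decide the force_ssl value to store. The probe runs only when the
 * setting changed and is not 0 ("Don't use").
 * Returns [valueToStore, messageOrNull].
 */
function resolveForceSsl(int $requested, int $current, string $host, callable $probe): array
{
    if ($requested === 0 || $requested === $current || $probe($host)) {
        return [$requested, null];
    }
    return [0, 'HTTPS has not been enabled as it is not available on this server'];
}

// Constructed demo: stub probes stand in for hosts with and without HTTPS,
// so this part runs offline. Pass 'httpsAvailable' to probe a real host.
$noHttps  = fn (string $host): bool => false;
$hasHttps = fn (string $host): bool => true;

var_dump(resolveForceSsl(2, 0, 'site.example', $noHttps));  // probe fails
var_dump(resolveForceSsl(2, 0, 'site.example', $hasHttps)); // probe succeeds
var_dump(resolveForceSsl(2, 2, 'site.example', $noHttps));  // unchanged, no probe
```

A completed handshake only shows that something answers TLS on port 443. As the nginx report in the thread shows, a default virtual host can answer for a site that has no HTTPS configuration of its own, so the probe can pass while the redirect still fails.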