Referenced as Pull Request for: #9588
fevangelou
14 Mar 2016

Under Global Configuration > (tab) Server, there is an option to enforce (redirect) requests to HTTPS.

However this option is wrongly named "Force SSL" (and I'm assuming there are more references to the word SSL elsewhere in Joomla).

The word "SSL" describes a specific outdated "secure transport" protocol coming from the 90s. Take a look at this for example: http://disablessl3.com/

The right protocol name is TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security (and yes the word "SSL" as referenced in this article is used by convention, when it shouldn't).

I suggest, for the sake of sanity, that all references to SSL be changed to "HTTPS", "TLS" or perhaps a more generic (and future-proof) "Secure Protocol".

fevangelou - open - 14 Mar 2016
brianteeman - change - 14 Mar 2016
andrepereiradasilva - comment - 14 Mar 2016

I agree with this! SSL is a deprecated protocol and the protocol used nowadays is named "TLS", not "SSL". We can use "Force TLS" or "Force HTTPS" or "Force Secure Connection"; any of these options is better than "Force SSL".

IMHO a problem also exists in the mail server config. Made a PR some time ago for the mail server part. See #8520

andrepereiradasilva - comment - 14 Mar 2016

Found the word SSL in some text strings:

/language/en-GB/en-GB.mod_login.ini
MOD_LOGIN_FIELD_USESECURE_DESC="Submit encrypted login data (requires SSL). Do not enable this option if Joomla is not accessible using the https:// protocol prefix."

/administrator/language/en-GB/en-GB.mod_login.ini
MOD_LOGIN_FIELD_USESECURE_DESC="Submit encrypted login data (requires SSL). Do not enable this option if Joomla is not accessible using the https:// protocol prefix."

/administrator/language/en-GB/en-GB.com_menus.ini
COM_MENUS_ITEM_FIELD_SECURE_DESC="Selects whether or not this link should use SSL and the Secure Site URL."

/administrator/language/en-GB/en-GB.com_config.ini
COM_CONFIG_FIELD_FORCE_SSL_DESC="Force site access to always occur under SSL (https) for selected areas. You will not be able to access selected areas under non-ssl. Note, you must have SSL enabled on your server to utilise this option."

/administrator/language/en-GB/en-GB.com_config.ini
COM_CONFIG_FIELD_FORCE_SSL_LABEL="Force SSL"

/administrator/language/en-GB/en-GB.com_config.ini
COM_CONFIG_FIELD_VALUE_SSL="SSL"

And the word TLS in other cases:

/language/en-GB/en-GB.ini
PHPMAILER_TLS="Could not start TLS"

/administrator/language/en-GB/en-GB.ini
PHPMAILER_TLS="Could not start TLS"

/administrator/language/en-GB/en-GB.plg_authentication_ldap.ini
PLG_LDAP_FIELD_NEGOCIATE_DESC="Negotiate TLS encryption with the LDAP server. This requires all traffic to and from the LDAP server to be encrypted."

/administrator/language/en-GB/en-GB.plg_authentication_ldap.ini
PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS"

/administrator/language/en-GB/en-GB.com_config.ini
COM_CONFIG_FIELD_VALUE_TLS="TLS"

The COM_CONFIG_FIELD_VALUE_SSL and COM_CONFIG_FIELD_VALUE_TLS are related to mail server configuration as described in #8520.
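The manual search reported in the comment above can be repeated mechanically. The following is an added example, not part of the original thread or of Joomla's code: it searches only the quoted value of each language string, on the assumption that keys such as COM_CONFIG_FIELD_FORCE_SSL_LABEL are identifiers that stay unchanged. The function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: entries in the style of Joomla en-GB .ini language
# files, using strings quoted in the comment above.
SAMPLE_INI = '''\
; constructed sample for illustration
MOD_LOGIN_FIELD_USESECURE_DESC="Submit encrypted login data (requires SSL). Do not enable this option if Joomla is not accessible using the https:// protocol prefix."
COM_CONFIG_FIELD_FORCE_SSL_DESC="Force site access to always occur under SSL (https) for selected areas. You will not be able to access selected areas under non-ssl. Note, you must have SSL enabled on your server to utilise this option."
COM_CONFIG_FIELD_FORCE_SSL_LABEL="Force SSL"
COM_CONFIG_FIELD_VALUE_TLS="TLS"
PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS"
'''

# KEY="value" entry; the value runs to the last double quote on the line.
ENTRY = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"(.*)"\s*$')
# Whole-word SSL, any case, optionally with a version suffix (SSLv3).
TERM = re.compile(r'\bSSL(?:v\d)?\b', re.IGNORECASE)


def audit_language_strings(text):
    """Return {key: count} for entries whose displayed value mentions SSL.

    Only the quoted value is searched. A key is an identifier that code
    refers to, so "SSL" inside the key alone is not user-facing wording.
    """
    hits = {}
    for line in text.splitlines():
        if line.lstrip().startswith(';'):   # .ini comment line
            continue
        match = ENTRY.match(line)
        if not match:                       # blank or malformed line
            continue
        key, value = match.groups()
        count = len(TERM.findall(value))
        if count:
            hits[key] = count
    return hits


if __name__ == "__main__":
    for key, count in audit_language_strings(SAMPLE_INI).items():
        print(f"{key}: {count} mention(s) of SSL in the displayed text")
```
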

andrepereiradasilva - comment - 14 Mar 2016

And some references:

fititnt - comment - 15 Mar 2016

:+1:

"HTTPS" in my opinion

alexonbalangue - comment - 16 Mar 2016

Ah yes, great question, finally a needed change of that SSL to HTTPS (simple to understand for all)

you know maybe why (POODLE, Logjam, etc.), so!


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9416.

andrepereiradasilva - comment - 16 Mar 2016

I see all agree. So, can anyone make a PR for this change?

alexonbalangue - comment - 16 Mar 2016
andrepereiradasilva - comment - 16 Mar 2016

@alexonbalangue you made a fork of the Joomla repository and made the changes in your fork. You also need to make a PR to the Joomla repository staging branch.
See https://docs.joomla.org/Using_the_Github_UI_to_Make_Pull_Requests

Also:
1. Please don't change the mail server configuration language variables. There is a PR for that already (see #8520).
2. "Note, you must have TLS1.2+ enabled on your server to utilise this option": no, you don't. You can use HTTPS with SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 (and the future TLS 1.3 when it comes out). You shouldn't use it with SSL, but you can.
3. And, of course, use correct English in all language variables changed.

andrepereiradasilva - comment - 25 Mar 2016

PR made #9588

Please test.

@brianteeman this can be closed now that we have a PR.

brianteeman - change - 25 Mar 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-03-25 14:55:01
Closed_By: brianteeman
brianteeman - close - 25 Mar 2016
