? ? Pending

User tests: Successful: Unsuccessful:

avatar roland-d
roland-d
25 Mar 2016

Pull Request for Issue #9583 .

Summary of Changes

If you are forcing SSL on your site either the Entire site or Administrator part but there is no SSL certificate present you will no longer be able to access the site. You will need to FTP into your site and change the configuration file manually to be able to get in. To prevent this nuisance, this PR will add a check to see if an SSL connection is possible to the site. If not possible, SSL will not be enabled.

Testing Instructions

Testing on a non-SSL enabled site
  1. Open a Joomla site that has no SSL enabled
  2. Go to the System -> Global Configuration -> Server
  3. Set the option Force SSL to Entire Site
  4. Save the configuration
  5. You are now locked out of the site
  6. Manually edit the configuration.php file and set the force_ssl back to 0

    public $force_ssl = '0';
  7. Apply the patch

  8. Go to the System -> Global Configuration -> Server
  9. Set the option Force SSL to Entire Site
  10. Save the configuration
  11. You will not be locked out and the SSL option remains stored as 0
Testing on a SSL enabled site
  1. Open a Joomla site that has no SSL enabled
  2. Go to the System -> Global Configuration -> Server
  3. Set the option Force SSL to Entire Site
  4. Save the configuration
  5. SSL will be used everywhere on the site
  6. Go to the System -> Global Configuration -> Server
  7. Set the option Force SSL to None
  8. Save the configuration
  9. Apply the patch
  10. Go to the System -> Global Configuration -> Server
  11. Set the option Force SSL to Entire Site
  12. Save the configuration
  13. SSL will be used everywhere on the site

There are actually no differences for SSL enabled site, just testing things keep working as they are now.

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
3.00

avatar roland-d roland-d - open - 25 Mar 2016
avatar roland-d roland-d - change - 25 Mar 2016
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 25 Mar 2016
Labels Added: ?
avatar JoshuaLewis
JoshuaLewis - comment - 25 Mar 2016

Thanks, the PR works. :-)


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar JoshuaLewis JoshuaLewis - test_item - 25 Mar 2016 - Tested successfully
avatar JoshuaLewis
JoshuaLewis - comment - 25 Mar 2016

I have tested this item :white_check_mark: successfully on a4f1749


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar zero-24
zero-24 - comment - 25 Mar 2016

@roland-d maybe we should send a error message that we cant enable that?

avatar roland-d
roland-d - comment - 25 Mar 2016

@zero-24 I am not sure if we should do that. You could even take it further, not even give the option to change if there is no SSL.

avatar brianteeman
brianteeman - comment - 25 Mar 2016

If we have an option present and when you set that option nothing changes then there should be a message explaining why


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 25 Mar 2016

@brianteeman Fair enough. Can you suggest a sentence to use? I can add it to this PR.

avatar brianteeman
brianteeman - comment - 25 Mar 2016

If I understand the PR correctly then how about

HTTPS has not been enabled as it is not available on this server

On 25 March 2016 at 09:39, RolandD notifications@github.com wrote:

@brianteeman https://github.com/brianteeman Fair enough. Can you
suggest a sentence to use? I can add it to this PR.


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#9584 (comment)

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar joomla-cms-bot
joomla-cms-bot - comment - 25 Mar 2016

This PR has received new commits.

CC: @JoshuaLewis


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar joomla-cms-bot joomla-cms-bot - change - 25 Mar 2016
Labels Added: ?
avatar roland-d
roland-d - comment - 25 Mar 2016

Sounds like a good text to me, I have updated the PR and this will now show the following upon saving:

image

avatar brianteeman
brianteeman - comment - 25 Mar 2016

Thank you

On 25 March 2016 at 09:48, RolandD notifications@github.com wrote:

Sounds like a good text to me, I have updated the PR and this will now
show the following upon saving:

[image: image]
https://cloud.githubusercontent.com/assets/359377/14042099/0bd22100-f277-11e5-80e1-85d8dbd1823f.png


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#9584 (comment)

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar brianteeman brianteeman - test_item - 25 Mar 2016 - Tested successfully
avatar brianteeman
brianteeman - comment - 25 Mar 2016

I have tested this item :white_check_mark: successfully on d6d79c5


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar brianteeman brianteeman - change - 25 Mar 2016
Labels
avatar brianteeman brianteeman - change - 25 Mar 2016
Category Installation
avatar andrepereiradasilva andrepereiradasilva - test_item - 25 Mar 2016 - Tested unsuccessfully
avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

I have tested this item :red_circle: unsuccessfully on d6d79c5

My server is https capable and the notice appears.

I think this happens because you are only checking ssl:// transport.

I have no SSL, just TLS. Also i have an invalid cert because it's a test server but should use https too.

See http://php.net/manual/en/transports.inet.php

Wouldn't it be better to test an https connection (json to be faster like the URL used in keepalive for instance)?


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 25 Mar 2016

@andrepereiradasilva I don't have access to an TLS setup so didn't test it nor thought about it :)

We could also check the tls:// transport if ssl:// fails.

As for the certificate, we are not checking if it is valid or not, just if it is there.

Wouldn't it be better to test an https connection

I did that at first but got mixed results. I don't think there is anything wrong using the transport check if we add the tls:// options, is there?

avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

sure, then check tls too.

ssl is deprecated and is being removed.
So the order should be the opposite, first check tls and then ssl

See https://tools.ietf.org/html/rfc7568

avatar roland-d
roland-d - comment - 25 Mar 2016

Yes, you are correct, I read that already just didn't express it that way :)

Would it be possible to test it against your test server?

avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

of course, make the changes and i will test

avatar joomla-cms-bot
joomla-cms-bot - comment - 25 Mar 2016

This PR has received new commits.

CC: @andrepereiradasilva, @brianteeman, @JoshuaLewis


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 25 Mar 2016

@andrepereiradasilva I made the changes, since I can't test them I have been guessing ;)

avatar andrepereiradasilva andrepereiradasilva - test_item - 25 Mar 2016 - Tested successfully
avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

I have tested this item :white_check_mark: successfully on f804bbe

I just did the "Testing on a SSL enabled site" part on a TLS only HTTPS server.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

@roland-d just tested the "Testing on a non-SSL enabled site" part with nginx.

I disabled the HTTPS in my host and it doesn't work. It fallbacks to the default nginx host SSL server_name _; so it saves the config and then redirects to HTTPS, since in the default server that URI doens't exist got a HTTP not found or forbidden error.

And, even if i remove the default host, it doesn't work: it saves the config and then redirects to HTTPS, since HTTPS doens't exist i got a HTTP 500 error.

avatar andrepereiradasilva andrepereiradasilva - test_item - 25 Mar 2016 - Tested unsuccessfully
avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

I have tested this item :red_circle: unsuccessfully on f804bbe

tested unsuccessfully (see comments above)


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 25 Mar 2016

@andrepereiradasilva

And, even if i remove the default host, it doesn't work:

Well we would need to check what feedback is received in this case. Would it be possible to get access to this site so I can test and debug it?

avatar creativeprogramming creativeprogramming - test_item - 25 Mar 2016 - Tested unsuccessfully
avatar creativeprogramming
creativeprogramming - comment - 25 Mar 2016

I have tested this item :red_circle: unsuccessfully on f804bbe

I don't agree having PHP checking the x.509 certificate opening a socket to the site.

Why?

1) The machine running PHP maybe have an outdated CA certificate repository

2) The PHP host can be running even with no openssl compiled in it, but this doesn't mean the website (not the server!) is not HTTPS capable (e.g. but you may have an TLS termination proxy in front of your site)

3) Even if it's letsencrypt.org epoch and i'm a big fan of https everywhere, there are many sysadmins that use dummy ssl certificate while testing sites, i don't agree that validating the certificate is the way to detect HTTPS capability, HTTPS can be enable even with a certificate not trusted for testing.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 25 Mar 2016

@creativeprogramming Apart from telling me all the reasons you don't want this, perhaps you can also share how you think this should be solved?

As I stated before, the validity of the certificate is not being checked, we merely check if there is a certificate.

In addition I would like to say that there is currently no mechanism at all to prevent users from locking themselves out by forcing the HTTPS connection. Even though this won't be a 100% solution at least it is a step forward and we can enhance it's implementation where needed.

avatar brianteeman
brianteeman - comment - 25 Mar 2016

Points 1 and 3 are invalid as the certificate is not checked for anything other than existing. Point 2 is rare and atypical and the benefit of not killing peoples web sites is far greater. I'm not even sure if in scenario 2 you would even be correct to set this option anyway

avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

i also think is good if we find a working solution for this. It should always be avoidable sending the user to the configuration.php.

reggarding....

2) The PHP host can be running even with no openssl compiled in it, but this doesn't mean the website (not the server!) is not HTTPS capable (e.g. but you may have an TLS termination proxy in front of your site)

Point 2 is rare and atypical and the benefit of not killing peoples web sites is far greater. I'm not even sure if in scenario 2 you would even be correct to set this option anyway

is not so uncommon. i have a lot websites like this.

Anyhow, IMHO the point is, if this is not very reliable you could find yourself without the ability to add HTTPS in a site that clearly support it.

So, IMHO i still think it would be better to make an https request with JHttp to check if server is HTTPS capable. that way you don't care if the termination is a server, a proxy or anything or even if is using TLS or SSL.

would something like this work?:

try
{
    $options = new \Joomla\Registry\Registry;
    $options->set('userAgent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0');
    $options->set('transport.curl', array(CURLOPT_SSL_VERIFYPEER => false));
    $http     = JHttpFactory::getHttp($options);
    $host     = JUri::getInstance()->getHost();
    $uri      = 'https://' . $host . JURI::base(true) . '/';
    $headers  = array('Host' => $host);
    $timeout  = 10;
    $response = $http->head($uri, $headers, $timeout);
}
catch (RuntimeException $e)
{
    $data['force_ssl'] = 0;

    // Also update the user state
    $app->setUserState('com_config.config.global.data.force_ssl', 0);

    // Inform the user
    $app->enqueueMessage(JText::_('COM_CONFIG_ERROR_SSL_NOT_AVAILABLE'), 'notice');
}

UPDATED: updated since we have to have cookies to use the admin URL

avatar brianteeman
brianteeman - comment - 25 Mar 2016

Not tested but the theory sounds ok

avatar JoshuaLewis
JoshuaLewis - comment - 25 Mar 2016

"So, IMHO i still think it would be better to make an https request with JHttp to check if server is HTTPS capable. that way you don't care if the termination is a server, a proxy or anything or even if is using TLS or SSL."

Sounds like a great method that accommodates most if not all situations of HTTPS. I'm hoping this gains traction. :-)


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar andrepereiradasilva
andrepereiradasilva - comment - 25 Mar 2016

@roland-d

With this code i have no issues. don't know if will work on all cases, but works in mine, please check it

// Check if we need to verify the HTTPS request.
if ((int) $data['force_ssl'] !== 0 && (int) $data['force_ssl'] !== (int) JFactory::getConfig()->get('force_ssl', '0'))
{
    try
    {
        // Make an HTTPS request to check if the site is available in HTTPS.
        $host    = JUri::getInstance()->getHost();
        $options = new \Joomla\Registry\Registry;
        $options->set('userAgent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0');
        $options->set('transport.curl', array(CURLOPT_SSL_VERIFYPEER => false));
        $response = JHttpFactory::getHttp($options)->get('https://' . $host . JUri::root(true) . '/', array('Host' => $host), 10);

        // If available in HTTPS check also the status code.
        if (!in_array($response->code, array(200, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 503)))
        {
            throw new RuntimeException('HTTPS version of the site returned an invalid HTTP status code.');
        }
    }
    catch (RuntimeException $e)
    {
        $data['force_ssl'] = 0;

        // Also update the user state
        $app->setUserState('com_config.config.global.data.force_ssl', 0);

        // Inform the user
        $app->enqueueMessage(JText::_('COM_CONFIG_ERROR_SSL_NOT_AVAILABLE'), 'warning');
    }
}
avatar joomla-cms-bot
joomla-cms-bot - comment - 26 Mar 2016

This PR has received new commits.

CC: @andrepereiradasilva, @brianteeman, @creativeprogramming, @JoshuaLewis


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 26 Mar 2016

@andrepereiradasilva Your code works fine for me as well. I have updated the PR. Thank you.

avatar roland-d
roland-d - comment - 27 Mar 2016

Just something else that came to mind since we are nitpicking. Should we change the wording of Force SSL to Force HTTPS as we may not be using SSL but TLS ;) What do you think?

avatar JoshuaLewis
JoshuaLewis - comment - 27 Mar 2016

@roland-d That actually makes a lot of sense. Especially if more methods are created in the future for HTTPS. Personally I would make that as a separate PR due to potential disagreement.

People are a lot more familiar with seeing HTTPS than SSL or TLS, despite their popularity. This is due to seeing it often in the url address bar. It's more versatile, accurate, and better known to say "Force HTTPS". :-)

avatar brianteeman
brianteeman - comment - 27 Mar 2016

There is already a PR to change the language throughout joomla

avatar zero-24
zero-24 - comment - 27 Mar 2016
avatar joomla-cms-bot
joomla-cms-bot - comment - 27 Mar 2016

This PR has received new commits.

CC: @andrepereiradasilva, @brianteeman, @creativeprogramming, @JoshuaLewis


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 27 Mar 2016

Pefect, I have left that change out and only updated the code description.

avatar brianteeman brianteeman - change - 27 Mar 2016
Milestone Added:
avatar brianteeman brianteeman - test_item - 27 Mar 2016 - Tested successfully
avatar brianteeman
brianteeman - comment - 27 Mar 2016

I have tested this item :white_check_mark: successfully on 16a8f91


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

The latest version of the PR still allows for a lockout. Without a certificate, this PR makes it so that you can't force HTPPS in the Joomla configuration which is a good thing. However if your site has forced HTTPS enabled, had a certificate, but has the certificate removed later on, you will be once again locked out of the site completely.

The current version of this PR is still an improvement to the current situation, but it would be nice to prevent lockouts in the future. The first version of this PR worked perfectly on my end. However I understand that it did not play well with TLS hence why it was changed up.

For those wondering why you would ever remove a certificate from your site, it has to do with testing reasons and trying to figure out underlying problems with extensions. I love HTTPS, but it is another thing to look out for when making sure things run smoothly. ;-) Due to the added benefit of this PR I'll still mark it as a successful test.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar JoshuaLewis JoshuaLewis - test_item - 1 Apr 2016 - Tested successfully
avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

I have tested this item :white_check_mark: successfully on 16a8f91


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar roland-d
roland-d - comment - 1 Apr 2016

@JoshuaLewis Apart from removing a certificate users can also remove the configuration.php or manually edit the configuration.php to bring down their site. We can't fix everything but at least it's harder now to bring down your site :)

avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

I guess then the admin will just have to be extra careful when disabling HTTPS for testing reasons. ;-)

avatar roland-d
roland-d - comment - 1 Apr 2016

Removing a certificate is at least more cumbersome than changing a dropdown box :P

avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

True.

Removing the certificate would be intentional, just as removing a configuration.php file would typically be intentional. The unintended part is being locked out of one's site as a result. But I suppose that if one was to remove a certificate intentionally, forgets to change the Joomla configuration (force SSL), then odds are they know how to change the configuration.php file to unlock them from the site.

My intention for bringing this aspect up is another layer of convenience in case of a mistake on the admins end and of course for less threads about getting locked out of one's Joomla site. ;-) I accidentally made this mistake last week which is why I brought it up as an issue. But again, I appreciate that this PR fixes part of the issue.

avatar roland-d
roland-d - comment - 1 Apr 2016

You are correct, if you know how to install/remove a certificate, you are no longer a beginner.

To sort of fix the removal of a certificate we would need to check on every page load if the certificate exists, this I think is overkill. It would be best to document what to do if you get such an error.

avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

I assumed the same was true with the PR (in terms of checking each time). I agree that we would not want to use more system resources than what is needed. So does this PR make it so that it only checks for the certificate when changing the Joomla configuration?

avatar roland-d
roland-d - comment - 1 Apr 2016

This PR only checks when saving the global configuration and if the setting has changed and the setting is not set to Don't use.

avatar JoshuaLewis
JoshuaLewis - comment - 1 Apr 2016

Excellent, that's exactly what we want then. :-) I'm currently battling the flu, so pardon me being a little thick on this subject. The head ache is not helping either. Anyways, should be RTC soon.

avatar roland-d roland-d - change - 1 Apr 2016
Labels Added: ?
avatar roland-d
roland-d - comment - 1 Apr 2016

No worries, get well soon. I have set it to RTC :)

avatar joomla-cms-bot joomla-cms-bot - change - 1 Apr 2016
Labels Removed: ?
avatar zero-24
zero-24 - comment - 1 Apr 2016

@roland-d the @joomla-cms-bot is not happy :p

avatar andrepereiradasilva
andrepereiradasilva - comment - 1 Apr 2016

@roland-d i have just one question: has this been tested in sites without internet access? (e.g. intranets)

avatar roland-d
roland-d - comment - 1 Apr 2016

@andrepereiradasilva I didn't test it on an intranet but I wonder if it makes a difference. The code is calling the site you are on, so it should be reachable already. Or am I mistaken here?

@zero-24 I will check, didn't get a message though :/

avatar andrepereiradasilva
andrepereiradasilva - comment - 1 Apr 2016

The code is calling the site you are on, so it should be reachable already. Or am I mistaken here?

Is the server cannot connect to the internet, will it fetch the https page?

avatar zero-24
zero-24 - comment - 1 Apr 2016

@roland-d you need to set the issue RTC on Jissues to make @joomla-cms-bot happy :)

avatar roland-d roland-d - change - 1 Apr 2016
Status Pending Ready to Commit
Labels
avatar joomla-cms-bot joomla-cms-bot - change - 1 Apr 2016
Labels Added: ?
avatar rdeutz rdeutz - reference | 40a331b - 12 Apr 16
avatar rdeutz rdeutz - merge - 12 Apr 2016
avatar rdeutz rdeutz - close - 12 Apr 2016
avatar rdeutz rdeutz - change - 12 Apr 2016
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2016-04-12 19:50:33
Closed_By rdeutz
avatar roland-d roland-d - head_ref_deleted - 13 Apr 2016
avatar rdeutz rdeutz - change - 1 May 2016
Milestone Removed:
avatar rdeutz rdeutz - change - 1 May 2016
Milestone Added:
avatar rdeutz rdeutz - change - 1 May 2016
Milestone Added:
avatar rdeutz rdeutz - change - 1 May 2016
Milestone Removed:
avatar brianteeman brianteeman - change - 11 May 2016
Labels Removed: ?
avatar silke14 silke14 - test_item - 22 Aug 2016 - Tested unsuccessfully
avatar silke14
silke14 - comment - 22 Aug 2016

I have tested this item ? unsuccessfully on 16a8f91

Hi,

Using J3.6.2, started from a "Force HTTPS": "Administrator Only" setup.

  • Detection result was wrong.
  • Worse: It downgraded the settings value to "None".

DETAILS:

Prelude/Side Note: In J 3.5.1 (before upgrading from 3.5.1 -> 3.6.0 -> 3.6.2) the preview link in the top right corner of the backend did link to the https website when called from the https backend (even on "Force SSL: None") = it kept me on the same security level (expected behaviour).
After upgrading to 3.6.2 the link refers to the http-link always, no matter what the "Force HTTPS" setting does state (unexpected behaviour !!).

Tried to "Force HTTPS: Entire Site". - BUT setting this switch resulted in
1) an false "Warning
HTTPS has not been enabled as it is not available on this server."
(I am even calling the backend through https - what is the "test" like to be positive here?).
2) Joomla CHANGING my setting from "Administrator Only" to "None", thus decreasing security level (!bad!), and every try to reset it through the backend does fail.

So, what do you need to correct this behaviour? How do you check that there is "no SSL certificate present"

  • Using a self-signed certificate (openSSL), PKCS #1 SHA-256 with RSA-Encryption
  • working in a development environment with HTTP_AUTH (maybe relevant?)

PS: No idea if this will fix the non-https link yet. In the end I do not expect a change by this.

Thanks ahead,
sailor


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar zero-24
zero-24 - comment - 22 Aug 2016

please open a new issue. This is closed / merged into 3.6.0

avatar sailor16
sailor16 - comment - 22 Aug 2016

Reviewing the current implementation in administrator/components/com_config/model/application.php line 121 ff.
Yes, the routine does ignore existing http-authentication parameters (which could be taken from the existing session).
@roland-d: Would you please review the commit and adjust respectively? Please let me know if I can be of any help.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar andrepereiradasilva
andrepereiradasilva - comment - 22 Aug 2016

@sailor16 you can make a Pull Request for that, or else open an issue (this PR is already merged).

avatar sailor16
sailor16 - comment - 22 Aug 2016

I opened https://issues.joomla.org/tracker/joomla-cms/11735.
Is it possible to close this issue for comments if this is not the right way to follow up?


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9584.

avatar rdeutz
rdeutz - comment - 22 Aug 2016

@sailor16 we don't look conversations, sometimes there is something to say :-)

Add a Comment

Login with GitHub to post a comment