[2.0.0-beta2] HTTPS (SSL/TLS)

Found a bug? Tell us!!
Post Reply
thh
Regular
Posts: 419
Joined: Thu Oct 26, 2006 2:38 pm
Location: Stuttgart, Germany
Contact:

[2.0.0-beta2] HTTPS (SSL/TLS)

Post by thh »

I've got some problems with the new 2.0 beta version and using SSL/TLS, e.g. connecting over HTTPS (to protect the login credentials for the backend). I'm not sure if it's 2.0-related, though, as I didn't test it with my old s9y blog.

The front-end and back-end templates (using the 2k11 theme) contain links using plain HTTP, leading to a failure (in my current Firebird) to load those includes.

This applies to (frontend): and to (backend): You get pages served without .js and CSS, and even if you accept "unsafe loading", you'll get no icons in the backend, as the icon fonts don't seem to be loaded properly.

All those problems could, AFAIS, be fixed by
  • dropping protocol (and host) from those links,
  • setting the correct protocol (the same the page was loaded with) or
  • using "//" instead of "http://", I think.
Grepping through the code, serendipity_rewriteURL could be the (one?) culprit:

Code: Select all

$ grep -r stylesheet *|grep serendipity_admin
include/functions_smarty.inc.php: $serendipity['smarty_vars']['head_link_stylesheet'] = serendipity_rewriteURL('serendipity_admin.css');
plugins/serendipity_event_sidebarhider/serendipity_event_sidebarhider.php: <link rel="stylesheet" type="text/css" href="<?php echo serendipity_rewriteURL('serendipity_admin.css');?>" />
Regards,
-thh
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by onli »

Hi
Thanks for the report. While it sure might be possible that we broke something in that area (through the template), it is actually a part of s9y that was not changed that much (in the core). serendipity_rewriteURL is a very small function: https://github.com/s9y/Serendipity/blob ... c.php#L492

Given that the URLs to those virtual files are indeed created in that function, my guess is that baseURL is not set to https//: (either because that option was overlooked, or the optional autodetection fails). Can you have a look? Configurations -> Paths, URL to Blog (and the option below).
thh
Regular
Posts: 419
Joined: Thu Oct 26, 2006 2:38 pm
Location: Stuttgart, Germany
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by thh »

onli wrote:Thanks for the report. While it sure might be possible that we broke something in that area (through the template), it is actually a part of s9y that was not changed that much (in the core).
You were - of course - completely right. Looks like I didn't see the forest for the trees, figuratively speaking.
onli wrote:Given that the URLs to those virtual files are indeed created in that function, my guess is that baseURL is not set to https//: (either because that option was overlooked, or the optional autodetection fails). Can you have a look? Configurations -> Paths, URL to Blog (and the option below).
It wouldn't do to set the baseURL to HTTPS, as my certificate is self-signed - that would lead to problems for people accessing the blog over plain HTTP, as most browsers (Firefox at least) won't show a certificate error dialog for "includes" like CSS or .js with HTTPS links, but silently fail and don't load them, if the certificate is not trusted.

The latter option ("HTTP-Hostnamen automatisch erkennen"), though, nailed it. It's now working like a charm. Should have thought of that myself ...
thh
Regular
Posts: 419
Joined: Thu Oct 26, 2006 2:38 pm
Location: Stuttgart, Germany
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by thh »

The one thing that still doesn't work with HTTPS seems to be the serendipity_event_flattr plugin. The Flattr buttons were not dipslayed, and the code that is inserted into the blog looks like that:

Code: Select all

<script type="text/javascript">
/* <![CDATA[ */
(function() {
    var s = document.createElement('script');
    var t = document.getElementsByTagName('script')[0];
    s.type = 'text/javascript';
    s.async = true;
    s.src = 'http://api.flattr.com/js/0.6/load.js?mode=auto';
    s.src += '&popout=0';
    s.src += '&uid=thh';
    s.src += '&language=de_DE';
    s.src += '&category=text';
        s.src += '&button=compact';
        t.parentNode.insertBefore(s, t);
 })();
/* ]]> */
</script>
, defaulting to http.

Should I file a bug for that?
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by onli »

Yes, please. It is difficult to do that properly in s9y, // was too new back then (if it existed). But we should just change it to that.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by garvinhicking »

I just defaulted that to https:// - this is clear and will always use SSL, which should be preferrable. Thanks!
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
thh
Regular
Posts: 419
Joined: Thu Oct 26, 2006 2:38 pm
Location: Stuttgart, Germany
Contact:

Re: [2.0.0-beta2] HTTPS (SSL/TLS)

Post by thh »

garvinhicking wrote:I just defaulted that to https:// - this is clear and will always use SSL, which should be preferrable. Thanks!
Thanks! - I just saw your change as I was going to file the bug. :-)

Works like a charm for me.
Post Reply