SSL broken on sub files

[ontime]

any one can help it's highly appreciated

I have our own SSL certificate, installed successfully, and main page is accessible through HTTPS, but all links on the main page is take you to unsecured page!! if you move the mouse over any link on the main page you can see it take you to HTTP not HTTPS


here a copy of my configure.php


define('HTTP_SERVER', 'http://ashroti.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://ashroti.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'ashroti.com');
define('HTTPS_COOKIE_DOMAIN', 'ashroti.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

[michael_s]

Only the checkout pages and login are secured. No other pages need to be since no sensitive information is ever passed on other pages.

So, when I go to your site and try to login, it correctly switches to ssl, then after logging in, correctly switches back to non-ssl.

Same for the checkout process. On your site when I try to checkout, it correctly switches to ssl.

[ontime]

Thanks for your response
You are right, it switch automatically to SSL in sensitive pages as login & order process
but, still have other 2 concerns!!

1. when browse any HTTPS page, there is "ERROR ON PAGE" message display in the left bottom corner on "Internet Explorer 7" browser window, when use "Netscape 7" there is NO error


2. when login to ADMIN area using HTTPS, it display "You are protected by a unknown secure SSL connection" when log with HTTP it display "You are not protected by a secure SSL connection" our SSL certificate is valid & issued by trustable ssl source

Any advice?

[jpf]

Which certificate authority did you purchase your SSL from? More than likely if it is from one of the NEWER firms - you have not updates Windows ROOT CERTIFICATES AUTHORITIES. Run Windows Update to fix IE....

Now if you setup your own SSL or created a SELF SIGNED SSL then IE 7 is working.

..... But looks like you got it from GoDaddy.com Which is fine.....

...Except...you have a Go Daddy Class 2 Certification Authority Root Certificate - which is a new(er) Certificate Chain. Which means WINDOWS IE does not know about it. You can also get the needed CRT or CER files from:

https://certificates.godaddy.com/Repository.go



Good Luck!

[jpf]

PS - my PC is patched to date so it shows up just fine in IE, Firefox, and Netscape.

[Autoegocrat]

Quote:

Originally Posted by ontime

Thanks for your response
You are right, it switch automatically to SSL in sensitive pages as login & order process
but, still have other 2 concerns!!

1. when browse any HTTPS page, there is "ERROR ON PAGE" message display in the left bottom corner on "Internet Explorer 7" browser window, when use "Netscape 7" there is NO error

I had this same problem when I tried browsing my OSCMax shop through IE, but Firefox could view it without a hitch. After a short time of digging in the forums I found a solution posted by Michael in a number of threads. Works like a charm:

Error line 168

Aside from that, I also have the problem with some referencing coming up as http when they should be https causing the "Partially Encrypted" SSL warning. My SSL provider is also GoDaddy, and of the Turbo variety. My admin page comes up secure in both FF and IE (although the lock graphic on the OSCMax admin page is still unlocked but I don't really care about that yet). I've also done quite a bit of digging on this topic in both these forums and the OSCommerce ones, but have been unable to find a definitive fix. I convinced my host to switch PHP from CGI to the ISAPI module, and that fixed a slew of problems, and my webserver is IIS. I'm 99% sure my configure.php for the catalog is correct, but if you desire, I will post it when I get back to this forum next to check messages and I have more time.

Thanks!

Auto

[Autoegocrat]

Quote:

Originally Posted by ontime

Thanks for your response
You are right, it switch automatically to SSL in sensitive pages as login & order process
but, still have other 2 concerns!!

1. when browse any HTTPS page, there is "ERROR ON PAGE" message display in the left bottom corner on "Internet Explorer 7" browser window, when use "Netscape 7" there is NO error


2. when login to ADMIN area using HTTPS, it display "You are protected by a unknown secure SSL connection" when log with HTTP it display "You are not protected by a secure SSL connection" our SSL certificate is valid & issued by trustable ssl source

Any advice?

Just a friendly update to let you know how I fixed these problems. Sorry about the reference to the Error Line 106 thread or whatever...I misread the post. This should fix both of your issues in one fell swoop- it did for me! (Backflips!)

As with the other issues I've had with the setup, dig and dig and dig some more in the forums, try all of the possible solutions, and then post a new thread if none of them work. I found this particular solution in an OSCommerce thread, but it may also be posted here in the OSCMax ones.
Here goes:

In /catalog/includes/APPLICATION_TOP.PHP -

Replace:

PHP Code:

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL'; 


With this:

PHP Code:

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL'; 


Good luck!

Auto

[Autoegocrat]

Quote:

Originally Posted by jpf

Which certificate authority did you purchase your SSL from? More than likely if it is from one of the NEWER firms - you have not updates Windows ROOT CERTIFICATES AUTHORITIES. Run Windows Update to fix IE....

Now if you setup your own SSL or created a SELF SIGNED SSL then IE 7 is working.

..... But looks like you got it from GoDaddy.com Which is fine.....

...Except...you have a Go Daddy Class 2 Certification Authority Root Certificate - which is a new(er) Certificate Chain. Which means WINDOWS IE does not know about it. You can also get the needed CRT or CER files from:

https://certificates.godaddy.com/Repository.go



Good Luck!

As an afterthought, I guess you're right. He should check to see if his Chained cert (Turbo SSL is a chained cert!) is correctly installed first. If the intermediate package is overlooked and not installed, this also could cause the security warnings to pop up.

What is a chained certificate?
In order to enhance the security of the Root certificate we have created two intermediate certificates from which SSL certificates are signed and issued. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.

Refer to their instructions, and make sure that you install the intermediate package before the actual SSL file. Here are GoDaddy's instructions- Pick your webserver and follow the instructions.

https://certificates.godaddy.com/Ins...uctions_alt.go

and, like JPF said, obtain the intermediate cert package for your specific webserver here:

https://certificates.godaddy.com/Repository.go



On to the next hurdle!!!

Auto