• Resolved Nathan Ingram

    (@nathaningram)


    Hi, thanks for your work on this plugin… and I love the concept.

    In testing for our monthly Plugin Roundup at iThemes Training, however, I found that the plugin incorrectly detected SSL was available on my test site. It is not.

    Proceeding, of course, produced the expected security warning from my browser and required me to disable the plugin via FTP. This would certainly cause real trouble for a novice.

    I’d love to see this issue fixed so I can feature your plugin on next month’s roundup.

    And a follow-up question… You mention in the description that the plugin automatically fixes mixed content issues by updating CSS files, scripts, etc. to load over https. How are you accomplishing this?

    Thanks again!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Tribulant Software

    (@contrid)

    @nathaningram

    Sorry to hear that the plugin caused a problem for you.

    It does a remote request to the home URL of the site over SSL (https://) to see if it loads and if the HTTP response code is 200 then assumes that SSL is available.

    Can you provide a URL to the website so that we can see why this happens?

    The plugin does a PHP regular expression match and replace on all resources such as stylesheets, scripts, etc. to make sure they load over SSL (https://). It doesn’t actually change the contents of the files, just the URL over which the resource is loaded.

    I look forward to your response.

    Thread Starter Nathan Ingram

    (@nathaningram)

    Hi there. Thanks for the reply.

    The site in question is my test site at https://wpnathan.com/. You will notice that going there as https will produce a “Your Connection is not Private” alert in Chrome since there is no SSL certificate.

    Thanks!

    Plugin Author Tribulant Software

    (@contrid)

    @nathaningram

    Thanks for the link and information.

    We investigated this and even though the site: https://wpnathan.com says “Your Connection Is Not Private”, the site is still accessible which is considered as working. It gives a 200 OK HTTP header.

    The plugin will only say that there isn’t SSL support if the https:// URL gives an HTTP error code 403, 404, 500, etc… anything but 200. The plugin doesn’t actually check that the SSL certificate is valid, just that the site is accessible so that the user doesn’t end up with a broken WordPress site.

    It uses the WordPress function wp_http_supports(array('ssl'), $url) which returns true on your website.

    We have now made an improvement to not just check if the site is accessible since the same domain on a different protocol can load a different virtual path or folder on the server like yours does, making it inaccessible. It will now also check to make sure it is the same WordPress site that the plugin is loaded on.

    An update will be released shortly with this improvement included.

    Thanks for the report!

    Plugin Author Tribulant Software

    (@contrid)

    @nathaningram

    We are also considering doing SSL verify peer and host or at least SSL verify host on the request when the SSL support is checked which will indicate if the certificate is valid or not.

    Check to see if the SSL certificate is valid (not self-signed, actually for the site in the request) and will deny the response if it isn’t. If you are requesting HTTPS and know that the site is self-signed or is invalid and are reasonably sure that it can be trusted, then set to false.
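
The stricter check discussed in the replies above (certificate verification plus confirming that the HTTPS response comes from the same WordPress site), as an added example that is not the plugin's code or part of the original thread. The `ocssl_example_` names, the probe query argument and the HMAC marker are assumptions made for illustration; the WordPress HTTP API calls are the real ones.

```php
<?php
// Added example (not the plugin's code). All ocssl_example_* names are hypothetical.

// Probe responder: prove which WordPress install answered by returning an
// HMAC of the caller's token, keyed with this site's own salt.
add_action( 'init', function () {
    if ( ! isset( $_GET['ocssl_example_probe'] ) ) {
        return;
    }
    $token = sanitize_key( wp_unslash( $_GET['ocssl_example_probe'] ) );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo hash_hmac( 'sha256', $token, wp_salt( 'auth' ) );
    exit;
} );

/**
 * Returns true only if https:// serves THIS site with a valid certificate.
 * Returns a WP_Error describing the first failed check otherwise.
 */
function ocssl_example_https_is_usable() {
    // Lowercase alphanumeric token so sanitize_key() leaves it unchanged.
    $token = strtolower( wp_generate_password( 20, false ) );
    $url   = add_query_arg( 'ocssl_example_probe', $token, home_url( '/', 'https' ) );

    $response = wp_remote_get( $url, array(
        'sslverify'   => true, // reject self-signed, expired or wrong-host certificates
        'redirection' => 0,    // a redirect (e.g. back to http://) must not count as success
        'timeout'     => 10,
    ) );

    // Certificate, handshake and connection failures surface here.
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    // A 200 alone is not enough, but anything else is a clear failure.
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'ocssl_example_status', 'HTTPS URL did not return 200.' );
    }
    // Another vhost on port 443 cannot compute this value without the site's salt.
    $expected = hash_hmac( 'sha256', $token, wp_salt( 'auth' ) );
    $body     = trim( wp_remote_retrieve_body( $response ) );
    if ( ! hash_equals( $expected, $body ) ) {
        return new WP_Error( 'ocssl_example_site', 'HTTPS served a different site.' );
    }
    return true;
}
```

A caller would gate the switch to HTTPS on `true === ocssl_example_https_is_usable()` and show the `WP_Error` message otherwise, so an invalid certificate or a different virtual host on port 443 blocks activation before the browser ever sees a warning.
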

    Plugin Author Tribulant Software

    (@contrid)

    @nathaningram

    We have already updated the plugin with these improvements.

    For some reason, the plugin’s version hasn’t updated yet though the files are in the repository: https://plugins.svn.www.ads-software.com/one-click-ssl/trunk/

  • The topic ‘Incorrectly Detected SSL was Available’ is closed to new replies.