#2885 Strange SSL issue in 4.2.4

v4.2.4
open
nobody
None
7
2012-02-08
2012-02-08
Shredder
No

Apache Webserver, shared SSL, PHP 5
Site is running well with https, port 443.

But in Configuration: Phpgedview Url is automatically recognized as http connection but with port 443.
Same if you access site directly via https or via http redirect to https
Mail is sent for new user registration with the link: http://domain.com:443/...
If manually adding the paths to the site configuration, the above value is added to it, causing an endless loop.

Can it be that $Server https is blank and this is the cause for the wrong values?

Thank you for helping!

Discussion

  • Shredder
    2012-02-08

    Screenshot

     
  • Shredder
    2012-02-08

    • priority: 5 --> 7
     
  • Shredder
    2012-02-08

    This happens on logout:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
    Instead use the HTTPS scheme to access this URL, please.<br />
    <blockquote>Hint: <a href="https://127.0.0.1/"><b>https://127.0.0.1/</b></a></blockquote></p>
    <hr>
    <address>Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 Server at 127.0.0.1 Port 443</address>
    </body></html>

     
  • Shredder
    2012-02-08

    • assigned_to: nobody --> canajun2eh
     
  • Shredder
    2012-02-08

    This is the behaviour with IE 6:

    returns to login page as it should, but: without https.
    "http://www.fitzek.cc:443/login.php?url=index.php?ctype=user"

     
  • Gerry Kroll
    2012-02-08

    Please don't assign bug reports. This should not be done by the reporter.

    What happens when you fill in the $SERVER_URL value in the "config.php" file with the correct information? You might have to do this manually, since PGV obviously won't run properly.

    You might need to set a value into the $LOGIN_URL variable too.

    I have no experience with https, so I'm not going to be able to advise you very well.

     
  • Gerry Kroll
    2012-02-08

    • assigned_to: canajun2eh --> nobody
     
  • Shredder
    2012-02-08

    thank you for your answer, sorry, didn't know this about assignments, new here...

    if i fill in the $server_url in config.php both values are used, the filled in one and the system estimated one is added behind, resulting in an endless loop.

    same if $login_url is set.

    could it be that the ssl proxy host has to be defined somewhere as it is NOT the localhost?

    the site is running free of errors on port 443, logout results in the call for a http page but with port 443. so it looks that the parameter for the protocol is not properly set to https

     
  • Shredder
    2012-02-08

    following info might help:

    if i log in twice with two browsers, both function over https without problem.

    logout from the first browser results to above described problem

    but if i logout from the second browser, this one redirects correctly to https.login-page

     
  • Gerry Kroll
    2012-02-09

    Please try upgrading to the "SVN" version. The download link and instructions are in a recent Help topic whose title begins with "Repost: ..."

    If you're editing the config.php file manually, be sure to include the "http://" or "https://" at the beginning of the server URL, and also be sure that there is a trailing "/" in the URL.

    The Login URL should be empty.

    How are you launching PGV before you log in? Are you using a URL that begins with "https://"? If not, that could be the source of your problem.

     
  • Shredder
    2012-02-09

    if a user comes with http he is redirected by .htaccess to https:// this works fine
    if a user comes directly with https works fine too

    no errors in phpgedview when working with it

    but on logout phpgedview tries to open the login page with http on port 443 instead of https

    this is not a matter of webspace config or phpgedview config

    it seems that phpgedview is not handling the server url correctly as http is in the url instead of https

    changing config.php results in endless loop as the value of config.php is added to the url which is estimated by phpgedview itself.

    when logged in with https the value for admin/configuration is estimated as: http://www.fitzek.cc:443/

    this value is causing the problems for logout, and user registration as the reg-link is wrong too.

    it seems phpgedview is handling the $server parameters wrong

     
  • Shredder
    2012-02-09

    SVN update did not change anything

     
  • Shredder
    2012-02-09

    which function(s) do the estimation of the server url? I think there is the error.
    are there problems because of open ssl and the ssl proxy?

     
  • Shredder
    2012-02-09

    i made it working now, but this is still a bug:

    session.php line 203: replaced port "80" by port "443"

    (empty($_SERVER['SERVER_PORT']) || $_SERVER['SERVER_PORT']==443 ? '' : ':'.$_SERVER['SERVER_PORT'])

     
  • Gerry Kroll
    2012-02-09

    Sorry, you've lost me here, ....

    Exactly HOW is that server_url supposed to behave?

    What I see in the code is this:
    1. Depending on whether the incoming protocol is SSL or not, the front part of the URL is either "https://" or "http://". This has nothing to do with the port on which the request comes in.

    2. Following the protocol designation from (1), we have the plain-vanilla URL such as "foo.bar.com" or an IP address of some sort. The logic says this part could be empty, but I don't see how that's ever possible.

    3. Lastly, we have an optional port number that has nothing to do with the protocol designation decided upon in (1). If the incoming request didn't use port 80, the port number is appended to the concatenated (1) and (2).

     
  • Shredder
    2012-02-09

    well, it works with this "workaround" very well. i'm not a programmer and i have only little knowledge on php.

    the site was connected via https:// and it worked well except on logout, the program tried to access the login page via http:// on port 443. this the server didn't like.

    it looks like the port i changed is not an option but hardcoded port 80, there is no alternative switch to port 443 as i could see. two lines above there is an option for http or https for the program, concerning the port there isn't.

    as i changed it, it worked. no errors, no problems, simply perfect.

    the original code is in ./includes/session.php:

    define('PGV_SERVER_NAME',
    (empty($_SERVER['HTTPS']) || !in_array($_SERVER['HTTPS'], array('1', 'on', 'On', 'ON')) ? 'http://' : 'https://').
    (empty($_SERVER['SERVER_NAME']) ? '' : $_SERVER['SERVER_NAME']).
    (empty($_SERVER['SERVER_PORT']) || $_SERVER['SERVER_PORT']==80 ? '' : ':'.$_SERVER['SERVER_PORT'])
    );

    this seems to lead to a wrong server_url including http instead of https.

    now, after changing the port value, also in admin/configuration the correct value is shown as https://........

     
  • Gerry Kroll
    2012-02-09

    What values do you have set in the config.php file for (a) server URL and (b) login URL? These configuration entries would normally be empty.

     
  • Shredder
    2012-02-09

    no values in there.

    if i added values, it resulted in a summary of the system estimated value plus the manually inserted value.

    now, after changing the port, the system would accept changed values, but i don't need them, so left empty.
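
The PGV_SERVER_NAME expression quoted in the thread compares the port against 80 whatever scheme was chosen, so a request on port 443 with an empty `$_SERVER['HTTPS']` produces `http://host:443`. The following is an added example, not PhpGedView code and not written by any participant in this thread: it ties the default port to the detected scheme. The function names, the `$trustProxy` switch and the use of `X-Forwarded-Proto` are assumptions about a setup where TLS ends at a front-end proxy, which the thread does not confirm.

```php
<?php
// Added example; function and parameter names are hypothetical, not PGV's.

/** Decide the scheme from the request environment. */
function detect_scheme(array $server, bool $trustProxy = false): string
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if (in_array($https, ['1', 'on'], true)) {
        return 'https';
    }
    // Assumption: a TLS-terminating proxy sets X-Forwarded-Proto. Honour it only
    // when the operator has confirmed that, since a client can send the header too.
    $fwd = strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($trustProxy && $fwd === 'https') {
        return 'https';
    }
    return 'http';
}

/** Build scheme://host[:port], omitting the port only when it is the scheme's default. */
function build_server_url(array $server, bool $trustProxy = false): string
{
    $scheme  = detect_scheme($server, $trustProxy);
    $default = ($scheme === 'https') ? 443 : 80;
    $host    = (string)($server['SERVER_NAME'] ?? '');
    $port    = (int)($server['SERVER_PORT'] ?? 0);
    $suffix  = ($port === 0 || $port === $default) ? '' : ':' . $port;
    return $scheme . '://' . $host . $suffix;
}

// Constructed inputs (example.test is a placeholder host).
$cases = [
    'plain http'         => ['SERVER_NAME' => 'example.test', 'SERVER_PORT' => '80'],
    'direct https'       => ['HTTPS' => 'on', 'SERVER_NAME' => 'example.test', 'SERVER_PORT' => '443'],
    'https, custom port' => ['HTTPS' => 'on', 'SERVER_NAME' => 'example.test', 'SERVER_PORT' => '8443'],
    // The symptom from the thread: port 443 but HTTPS not set in the environment.
    'proxy, HTTPS unset' => ['SERVER_NAME' => 'example.test', 'SERVER_PORT' => '443',
                             'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($cases as $label => $server) {
    printf("%-20s proxy untrusted: %-28s proxy trusted: %s\n",
        $label, build_server_url($server), build_server_url($server, true));
}
```

Only the last case differs between the two columns: without the trusted-proxy switch it reproduces the `http://…:443` URL reported for logout and registration mails.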