Help test SSL

jason (display name: Jason W (FlyNE))
Administrator, Management Council Member
Joined Jul 4, 2006 | Messages 5,128 | Location: Lincoln, Nebraska
We're adding an option to access the site via SSL for those that would like to do so. After a couple of months of testing, we'll probably make it all SSL. If all of you could do me a favor and test the SSL version of the site from every browser and let me know if you have problems. Make sure that you test any issue with and without SSL before posting so that we know that it is truly an SSL issue.

I'll say right off the bat that I've got the ciphers and everything pretty tightened up on this install. It may not work in some browsers. As we get some feedback we may try to adjust it.

Non-SSL
http://www.pilotsofamerica.com/community/threads/help-test-ssl.90625/

SSL
https://www.pilotsofamerica.com/community/threads/help-test-ssl.90625/

The only difference in switching any URL on the site to SSL is just to add the 's' at the end of 'http'
 
Well, I was able to bring up this thread on iOS Safari with no problems! In general, I think it's a good idea.
 
Testing with Safari on the iPhone. I discovered the only way I can tell I am using it is the lock symbol before "pilotsofamerica.com". So far so good.

 
SSL works on Ubuntu 14.04 and Firefox 43.0

Jim
 
Did that part already. You are correct..... https://www.pilotsofamerica.com/community/index.php ..... goes right to the main SSL page. Thanks!

Jim

Edit- Sorry about the funky colors. Point is modify links to add the 's' AND change to 'community' :)
 
Looks good so far. I wouldn't be opposed to forcing all plaintext to redirect to SSL. I'm just kinda surprised y'all went with Let's Encrypt for the cert. While it's neat and so far functionally secure, I'm just wondering how well it'll scale when the CRL is billions long. Just out of curiosity, how'd y'all set it up in AWS? Just using letsencrypt-aws?
 
Just going for free. That was all. We can change it if they have scaling problems. It would take $17 and 10 minutes. We could have used free AWS certificates, but then we'd have to use an ELB and there is no point to that with only one backend server.

I just have a corn script that checks every week to see if it needs renewed and does it.
 
Ah, yeah that particular script I referred to is specifically for fronting the ELB(s). How do y'all have this architected? Single box with everything, or an application server and an RDS for the DB? I'll tell you this, I've fallen in love with Aurora and use it in nearly every instance I can unless a requirement makes me use a different engine.
 
Single box w/ snapshots for backups. We need to build up some money before paying to split it out.
 
Yeah, I can understand that. Which instance size is it all running on?
 
Unable to connect via SSL from any browser. I wonder if our IT dpt here at work is blocking it for some reason.
I will try from home sometime later.
 
Two items
  • Looks like the logo in the top left is hard coded to http so clicking it from the https connection will take you back to the http version. Woops!
  • Getting mixed content warning on this thread due to users' sig linking to an external http image. Granted, I doubt there's much to be done about this one.
Cheers!
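The two findings in the post above (a logo link hard-coded to http://, and a signature image pulled over http://) are worth catching mechanically before the whole site is forced to https. What follows is an added example, not code from the thread or from the forum software: a standard-library scanner that, given a page's HTML and the https URL it was served from, separates true mixed content (sub-resources the browser fetches over http) from same-site navigation links hard-coded to http://. The sample HTML and the hosts in it are constructed for the illustration.

```python
"""Find mixed content and hard-coded http:// self-links in a page served over https.

Added example, not from the thread or its forum software. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://www.pilotsofamerica.com/community/threads/help-test-ssl.90625/"

# (tag, attribute) pairs that make the browser fetch a sub-resource. On an
# https page an http:// value here is mixed content: browsers block or warn.
# A plain <a href="http://..."> is not mixed content, but on the site's own
# host it silently drops the user back to the unencrypted side.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"), ("embed", "src"),
    ("object", "data"), ("form", "action"),
}

# Constructed sample reproducing the two findings from the thread: a logo link
# hard-coded to http:// and an external signature image served over http://.
SAMPLE_HTML = """
<a href="http://www.pilotsofamerica.com/community/"><img src="/styles/logo.png"></a>
<a href="/community/threads/help-test-ssl.90625/">this thread</a>
<script src="//cdn.example.net/jquery.js"></script>
<div class="signature"><img src="http://img.example.org/sig.png"></div>
<a href="http://www.faa.gov/">external site</a>
"""


class HttpLinkFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.base_host = urlparse(base_url).hostname
        self.mixed_content = []   # sub-resources that would load over http
        self.plain_links = []     # <a href> to http:// on the site's own host

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the https page:
            # "/styles/logo.png" and "//cdn..." both come out as https.
            target = urlparse(urljoin(self.base, value))
            if target.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.mixed_content.append(target.geturl())
            elif tag == "a" and name == "href" and target.hostname == self.base_host:
                self.plain_links.append(target.geturl())


def scan(html, base_url=PAGE_URL):
    """Return {'mixed_content': [...], 'plain_links': [...]} for one page."""
    finder = HttpLinkFinder(base_url)
    finder.feed(html)
    finder.close()
    return {"mixed_content": finder.mixed_content, "plain_links": finder.plain_links}


if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_HTML).items():
        print(kind)
        for url in urls:
            print("  ", url)
```

Run against the constructed sample, the logo's relative `/styles/logo.png` and the protocol-relative script resolve to https and are ignored, the external `http://www.faa.gov/` link is reported nowhere (it is neither a sub-resource nor on the site's host), the signature image is the one mixed-content hit, and the logo anchor is the one hard-coded self-link.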
 
I got logged out and now it seems the site defaults to non-ssl, even using the link.
 
Strange, sometimes I see the lock symbol and sometimes I don't. I am on iOS.
 
Do the SSL cookies not get secure flag set or is my browser just being dumb?
 
Some "stuff"...

(Oh hey, look at that, I still have a CAP folder in my bookmarks I never use anymore... heh...)

Firefox 44.02/Mac doesn't like the connection and tosses a warning.

It's complaining about embedded stuff having non https:// links, I assume. I haven't looked at it with Firebug, or Chrome.

Cert (being that it's from Let's Encrypt) is kinda sparse on info... no O or OU.

Understanding Let's Encrypt, I know why this says this, but seeing "Is Not A Certificate Authority" never gives me a warm fuzzy.

There ya go...
 
I didn't have a problem with Firefox or IE 11 on the desktop and I didn't have a problem with Ghostery or Safari on the iPad.

Noted that IE 11 showed the certificate as being an ESet certificate, so it looks like Eset may be acting as a proxy on IE (which might explain some things). FF shows Let's Encrypt as the authority.
 
I could point our automation at it (if it's not broken today) that tests like twenty browser versions...

Hahaha. Nah. They'd give me crap for using those for this... Maybe okay after hours. I'd have to check in the test code to our repo to get Jasper to kick it off. ("what's this PoA commit???")

(Selenium is fascinating stuff. We have a farm of VMs and real machines with various browsers locked to a version on them -- Windows 10 is a huge PITA in this regard with no good way to stop browser updates, Microsoft are such jerks -- that we can script to hit a site and beat the holy hell out of it with tons of browsers. Unfortunately we don't use it "enough" yet, but it's going to be nice to have in the auto-test stuff in Jasper... eventually...)
 
SSL issue?... I've been logging in using this... https://www.pilotsofamerica.com/community/ Login and authentication are fine and shows https:// etc in the browser address, but at random times as I browse the forums, I'm logged out and booted out to the Recent Posts page. It's lost my authentication, and the browser address indicates the non-secure address (http:// etc). Did I misunderstand? Is this not ready for prime time? Thanks!

Jim
 
Do you ever click on the logo to get back to the home page?
 
I use SeaMonkey and it's reporting the same issues as Safari re: the cert and other non-https: links is all. I applaud your efforts to secure your site - many forums I see referenced at work are infected with javascript malware.

"Just say no to javascript & flash."
 
FYI, I was wrong -- when you log in SSL, it does set the session cookie secure. But I also didn't realize that so many non-expiring vB cookies were left behind! Oh yeah, what's that poapassword cookie all about?

 
Hence the need to make the change from forum software that was written 15 years ago.

I should write a little header injection that expires all of those old cookies.
 
Do that and get rid of the links that hard link to the non-SSL site and I'd be very happy.
 
In time. I'm going to need to test an image proxy so we don't get mixed media warnings on non-ssl embedded content.

Are you interested in compiling a list on non-xenforo cookies that you see?
 
Sure thing. I'll pull them together tomorrow for you.

Also, not sure if you were worried about it, but I noticed you're leaking X-Powered-By and Server in the response headers.

X-Powered-By: PHP/5.5.9-1ubuntu4.14
Server: nginx
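An added example, not code from the thread or from the forum: a small audit of a raw response header block for the points raised in this thread, namely the Server and X-Powered-By disclosure just above, Set-Cookie lines without Secure or HttpOnly, and the absence of Strict-Transport-Security, the header that keeps a browser from ever going back to plain http once the site is https-only. The sample block reuses the two header values quoted above; the status line and the cookie lines are constructed, with the cookie names taken from this thread.

```python
"""Audit an https site's response headers for the issues discussed in the thread.

Added example, not from the thread or the forum software. Standard library only.
"""
import re

# Constructed sample. Server and X-Powered-By are the values quoted in the
# thread; the status line and Set-Cookie lines are made up for the example.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Content-Type: text/html; charset=UTF-8
Set-Cookie: xf_session=abc123; path=/; secure; httponly
Set-Cookie: xf_user=42%2Cdeadbeef; expires=Fri, 24-Feb-2017 21:40:48 GMT; path=/; secure
Set-Cookie: poalastvisit=1456436448; expires=Fri, 24-Feb-2017 21:40:48 GMT; path=/
"""

# What the same response should look like after hardening (also constructed).
HARDENED_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: xf_session=abc123; path=/; secure; httponly
"""


def parse_headers(raw):
    """Return (name, value) pairs in order; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw, min_hsts_max_age=15768000):
    """Return a list of findings (empty means nothing to report)."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name in ("server", "x-powered-by"):
            # A digit in the value almost always means a version string,
            # which is what attackers match against exploit lists.
            kind = "version" if re.search(r"\d", value) else "product"
            findings.append(f"{name}: discloses {kind} ({value})")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"set-cookie {cookie_name}: missing {flag}")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("strict-transport-security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < min_hsts_max_age:
            findings.append(f"strict-transport-security: max-age too short ({hsts[0]})")
    return findings


if __name__ == "__main__":
    for label, block in (("current", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(block) or "no findings")
```

On the nginx/PHP stack described in the thread, `server_tokens off;` in the nginx config drops the version from the Server header (the product name itself stays unless a module that overrides the header is added), and `expose_php = Off` in php.ini removes X-Powered-By entirely. Strict-Transport-Security belongs in the config only after the hard-coded http:// links have been fixed and the site is https-only, since from then on browsers rewrite every http:// URL for the host to https:// before requesting it.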
 
Oh yeah, what's that poapassword cookie all about?
Long story. That was some custom code I wrote into vBulletin a few years back. It's not a password and has nothing to do with a password or authentication.
 
Sounds like my favorite kind of hackery :)
Are you interested in compiling a list on non-xenforo cookies that you see?
Appears there are only 8, 4 of which are from PoA and 4 of which appear to be outdated Google Analytics cookies:

Google Analytics - Appears to be out of date given the referral path. No GA in the new forum yet?
* __utma --- current contents: 34025632.1452917749.327.11.utmcsr=pilotsofamerica.com|utmccn=(referral)|utmcmd=referral|utmcct=/forum/
* __utmz
* _ga
* gat

PoA
* poalastactivity
* poalastvisit
* poapassword
* poauserid

And there are two XF cookies that appear to be entirely valid.
 
I'm not sure if it's mixed media related or what, but when using the SSL site, my session keeps getting booted. Not sure if it's being invalidated or what, but I have to (re-)log in VERY frequently.
 
That happened to me too, so I switched back to non SSL and haven't had to log in since.

I had almost forgotten about it until you revived this thread.
 
Because it sets the secure flag on the cookie when you log in with SSL it invalidates the cookie if you ever stumble back to non-SSL. Since the main logo is hard linked to the non-SSL side you'll get logged out if you ever click that (among other things). That should go away once we switch to all SSL.
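The mechanism described in the post above, as an added example (not code from the thread, from XenForo or from vBulletin): it drives Python's standard-library cookie jar through the same sequence, a login over https that sets a Secure session cookie, a click on a hard-coded http:// link, and a return to https. The server's answers are constructed Set-Cookie headers, and the cookie name xf_session and the session values are assumptions for the illustration; the client side (never sending a Secure cookie over plain http, and replacing a stored cookie when a new one arrives with the same name, domain and path) is the cookie jar's real behaviour, which mirrors what browsers do.

```python
"""Why a Secure session cookie 'disappears' after one plain-http page load.

Added example, not code from the thread or the forum software. The cookie name
xf_session and the session values are assumed; the server responses are
constructed Set-Cookie headers.
"""
import email.message
import http.cookiejar
import urllib.request

SITE = "www.pilotsofamerica.com"


class CannedResponse:
    """Minimal response object: CookieJar.extract_cookies() only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message keeps repeated headers

    def info(self):
        return self._headers


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate_session_bounce():
    jar = http.cookiejar.CookieJar()
    steps = {}

    # Step 1: log in over TLS. Constructed server response: Secure session cookie.
    login = urllib.request.Request(f"https://{SITE}/community/login/")
    jar.extract_cookies(
        CannedResponse(["xf_session=SESSIONA; Path=/; Secure; HttpOnly"]), login)
    steps["https_after_login"] = cookie_header_for(jar, f"https://{SITE}/community/")

    # Step 2: click the hard-coded http:// logo link. The jar refuses to send a
    # Secure cookie over plain http, so the request arrives with no session ...
    plain = urllib.request.Request(f"http://{SITE}/community/")
    jar.add_cookie_header(plain)
    steps["http_logo_click"] = plain.get_header("Cookie")

    # ... and the server hands out a fresh guest session (constructed response).
    # Same name, domain and path as the Secure cookie, so it overwrites it.
    jar.extract_cookies(
        CannedResponse(["xf_session=GUESTB; Path=/; HttpOnly"]), plain)

    # Step 3: back on https only the guest cookie is left: the user is logged out.
    steps["https_after_bounce"] = cookie_header_for(jar, f"https://{SITE}/community/")
    steps["secure_flags_in_jar"] = [c.secure for c in jar]
    return steps


if __name__ == "__main__":
    for step, value in simulate_session_bounce().items():
        print(f"{step:22} {value}")
```

The fix is the one the thread already points at: once every link is https and plain http redirects to https (ideally backed by Strict-Transport-Security), step 2 never happens, so the Secure cookie is never displaced.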
 
This isn't even clicking on the logo or a non SSL link. Sometimes it's just opening threads.
 