Forum OpenACS Q&A: A patch to get ns(open)ssl to work.

I have created a 10K patch that will get OpenSSL and nsssl to work correctly. At first I thought I was just having a problem with nsopenssl, but soon discovered that nsssl could not have been working correctly either. I could not find any reference to SSL in the SDM.

My first priority was to protect my /admin pages, so I updated ad-admin.tcl. The events-defs.tcl functions makeinsecure and insecure url included the port number even if it was 80, so I changed that too. In ecommerce I only changed the checks for ssl and change to ssl, I have not touched the 'change back to http' code (which is probably wrong in some places BTW). I have only tested the admin pages and the events_make[in]secure and events_[in]securelink functions.

The biggest problem is that the existing code keeps checking if { [ns_conn driver] == "nsssl" }, which will always remain false even if the connection uses nsopenssl... I changed all of those to if {[ad_secure_conn_p]}, which checks [ns_conn location] for regexp {^https:}. I also added a proc_doc ad_ssl_host_and_port to ad-admin.tcl, which gets the hostname from either the nsssl, nsopenssl or nssock configuration section. I have used ad_ssl_host_and_port to build the change-to-https functions.

The patchfile expects the to-be-patched files in acs3-pg; alternatively you can just cd /web/youracs/ and patch -p1 < /tmp/openssl.patch.
The patch alters:
acs3-pg/tcl/ad-admin.tcl
acs3-pg/tcl/ecommerce-defs.tcl
acs3-pg/tcl/events-defs.tcl
acs3-pg/www/cookie-chain.tcl
acs3-pg/www/ecommerce/checkout-2.tcl
acs3-pg/www/ecommerce/checkout.tcl
acs3-pg/www/ecommerce/gift-certificate-order.tcl
acs3-pg/www/ecommerce/shipping-address-2.tcl
acs3-pg/www/ecommerce/shipping-address-international-2.tcl

I do not use ecommerce or cookie-chain, so I have not been able to test them. I have not compiled the nsssl(e).so module, so that too remains untested. (Personally I have no interest in nsssl, as it features only very limited SSL functionality.) Volunteers?!?
Using OpenSSL is pretty straightforward; it can be used as a drop-in replacement for nsssl. Just compile openssl and nsopenssl and load nsopenssl.so instead of nsssl(e).so. I am willing to write up an ns(open)ssl-howto, if people are interested...
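
An added illustration of the two checks discussed in the post above, not part of the original post and not code from the patch or from OpenACS. It assumes plain tclsh 8.5 or later: ns_conn is replaced by a stand-in, the connection data is constructed, and make_url is a hypothetical helper showing the default-port omission.

```tcl
# Stand-in for AOLserver's ns_conn so this runs in plain tclsh.
# The three connections below are constructed sample data.
set conns {
    {driver nssock    location http://www.example.com:8000}
    {driver nsssl     location https://www.example.com}
    {driver nsopenssl location https://www.example.com:8443}
}
set current {}
proc ns_conn {what} {
    global current
    return [dict get $current $what]
}

# Old check: tied to the name of one driver module.
proc driver_check_p {} {
    return [expr {[ns_conn driver] == "nsssl"}]
}

# Check described in the post: look at the scheme of the location.
proc ad_secure_conn_p {} {
    return [regexp {^https:} [ns_conn location]]
}

# Hypothetical helper: build a URL, leaving out the scheme's default port.
proc make_url {scheme host port path} {
    set default [expr {$scheme eq "https" ? 443 : 80}]
    if {$port eq "" || $port == $default} {
        return "${scheme}://${host}${path}"
    }
    return "${scheme}://${host}:${port}${path}"
}

# The nsopenssl row is the failure case: HTTPS, but the driver check says 0.
foreach current $conns {
    puts [format "%-10s %-30s driver check: %d  location check: %d" \
        [ns_conn driver] [ns_conn location] [driver_check_p] [ad_secure_conn_p]]
}
puts [make_url http  www.example.com 80   /events/]
puts [make_url https www.example.com 8443 /admin/]
```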

Posted by Don Baccus on
A how-to would be great, I'm sure Roberto would be glad to fold it
into the documentation.

You're right, security checking shouldn't be dependent on the driver name.

ad_secure_conn_p is the method used by ACS 4x, so your patch should be
OK.  It would be nice if someone would test with nsssl, as you
request.  I'm starting to get busy with the 4x port myself so don't
really have time...

Posted by Roberto Mello on
Pascal,

Can you please mail this patch to me? Your link to the patch is broken, plus it's easier to keep track of what I have to do by simply going through the messages in my openacs-todo inbox.

And documentation would be excellent! I would gladly incorporate it into our docs.

Posted by Pascal Scheffers on
It seems that the link to the patch was giving some trouble, so I changed the mime for .patch to text/plain.

This URL works for me: http://pascal.scheffers.net/patch/openssl.patch

Posted by Richard Hamilton on
Has this patch been rolled into OpenACS4.5 or do we still need to apply it?

Regards
Richard