I have created a 10K patch that will get OpenSSL and nsssl to work correctly. At first I thought I was just having a problem with nsopenssl, but soon discovered that nsssl could not have been working correctly either. I could not find any reference to SSL in the SDM.
My first priority was to protect my /admin pages, so I updated ad-admin.tcl. The events-defs.tcl functions makeinsecure and insecure url included the port number even if it was 80, so I changed that too.
In ecommerce I only changed the checks for ssl and the change to ssl; I have not touched the 'change back to http' code (which is probably wrong in some places, BTW). I have only tested the admin pages and the events_make[in]secure and events_[in]securelink functions.
The biggest problem is that the existing code keeps checking if { [ns_conn driver] == "nsssl" }, which will always remain false even if the connection uses nsopenssl... I changed all of those to if {[ad_secure_conn_p]}, which checks [ns_conn location] for regexp {^https:}. I also added a proc_doc ad_ssl_host_and_port to ad-admin.tcl, which gets the hostname from either the nsssl, nsopenssl or nssock configuration section. I have used ad_ssl_host_and_port to build the change-to-https functions.
The patchfile expects the to-be-patched files in acs3-pg; alternatively you can just cd /web/youracs/ and patch -p1 < /tmp/openssl.patch.
The patch alters:
acs3-pg/tcl/ad-admin.tcl
acs3-pg/tcl/ecommerce-defs.tcl
acs3-pg/tcl/events-defs.tcl
acs3-pg/www/cookie-chain.tcl
acs3-pg/www/ecommerce/checkout-2.tcl
acs3-pg/www/ecommerce/checkout.tcl
acs3-pg/www/ecommerce/gift-certificate-order.tcl
acs3-pg/www/ecommerce/shipping-address-2.tcl
acs3-pg/www/ecommerce/shipping-address-international-2.tcl
I do not use ecommerce or cookie-chain, so I have not been able to test them. I have not compiled the nsssl(e).so module, so that too remains untested. (Personally I have no interest in nsssl, as it features only very limited SSL functionality.) Volunteers?!?
Using OpenSSL is pretty straightforward; it can be used as a drop-in replacement for nsssl. Just compile openssl and nsopenssl and load nsopenssl.so instead of nsssl(e).so. I am willing to write up an ns(open)ssl-howto, if people are interested...
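As an added example (not the poster's patch and not code from ACS or AOLserver), here is how the three pieces described above fit together in Tcl: a secure-connection test that looks at the request location rather than the driver name, a config lookup that works whether nsssl or nsopenssl is the loaded SSL module, and a URL builder that drops the port when it is the scheme's default (the port-80 problem mentioned for the events links). The config section names ns/server/$server/module/{nsssl,nsopenssl,nssock} and the hostname/port parameter names are assumptions based on the stock AOLserver sample nsd.tcl; the proc names other than ad_secure_conn_p and ad_ssl_host_and_port are also assumed, not from the patch.

```tcl
# Added example, not part of the original post or of ACS.
# Assumed: AOLserver-style config sections
#   ns/server/$server/module/nsssl, .../nsopenssl, .../nssock
# each carrying "hostname" and "port" parameters (as in the sample nsd.tcl).

# Pure decision logic, separated out so it can be exercised without a live
# connection: a request is secure iff its location starts with https:.
proc ad_secure_location_p {location} {
    return [regexp -nocase {^https:} $location]
}

# Replacement for the old [ns_conn driver] == "nsssl" test. It does not care
# which SSL driver (nsssl or nsopenssl) actually accepted the connection.
proc ad_secure_conn_p {} {
    return [ad_secure_location_p [ns_conn location]]
}

# Return {host port} for building https URLs. The first SSL driver section
# that has a hostname wins; if neither SSL module is configured, fall back to
# the nssock hostname and the default https port.
proc ad_ssl_host_and_port {} {
    set server [ns_info server]
    foreach module {nsssl nsopenssl} {
        set section "ns/server/$server/module/$module"
        set host [ns_config $section hostname]
        if { [string length $host] > 0 } {
            return [list $host [ns_config $section port 443]]
        }
    }
    set host [ns_config "ns/server/$server/module/nssock" hostname]
    return [list $host 443]
}

# Build an absolute URL, omitting the port when it is the scheme's default,
# so that http links do not come out as http://host:80/...
proc ad_scheme_url {scheme host port path} {
    set default_port [expr {[string equal $scheme https] ? 443 : 80}]
    if { $port == $default_port } {
        return "${scheme}://${host}${path}"
    }
    return "${scheme}://${host}:${port}${path}"
}

# https version of a path, using whichever SSL module is configured.
proc ad_secure_url {path} {
    foreach {host port} [ad_ssl_host_and_port] break
    return [ad_scheme_url https $host $port $path]
}

# Typical use at the top of an admin page: bounce plain-http requests to the
# https equivalent of the same URL (query string included) and stop the page.
proc ad_require_secure_conn {} {
    if { ![ad_secure_conn_p] } {
        set url [ns_conn url]
        set query [ns_conn query]
        if { [string length $query] > 0 } {
            append url ? $query
        }
        ns_returnredirect [ad_secure_url $url]
        return -code return
    }
}
```

One caveat a practitioner should keep in mind: [ns_conn location] reflects what the driver believes it is serving, so if an SSL-terminating proxy sits in front of AOLserver and forwards plain http, this check will report the connection as insecure even though the client used https; in that setup the proxy has to be trusted and the decision made on whatever header it sets, not on the location string.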