Forum OpenACS Q&A: A patch to get ns(open)ssl to work.

Collapse
1: A patch to get ns(open)ssl to work.
Posted by Pascal Scheffers on 03/03/01 09:56 AM
I have created a 10K patch that will get OpenSSL and nsssl to work correctly. At first I thought I was just having a problem with nsopenssl, but soon discovered that nsssl could not have been working correctly either. I could not find any reference to SSL in the SDM.

My first priority was to protect my /admin pages, so I updated ad-admin.tcl. The events-defs.tcl functions makeinsecure and insecure url included the port number even if it was 80, so I changed that too. In ecommerce I only changed the checks for ssl and change to ssl, I have not touched the 'change back to http' code (which is probably wrong in some places BTW). I have only tested the admin pages and the events_make[in]secure and events_[in]securelink functions.

The biggest problem is that the existing code keeps checking if { [ns_conn driver] == "nsssl" }, which will always remain false even if the connection uses nsopenssl... I changed all of those to if {[ad_secure_conn_p]}, which checks [ns_conn location] for regexp {^https:}. I also added a proc_doc ad_ssl_host_and_port to ad-admin.tcl, which gets the hostname from either the nsssl, nsopenssl or nssock configuration section. I have used ad_ssl_host_and_port to build the change-to-https functions.

the patchfile expects the to-be patched files in acs3-pg, alternatively you can just cd /web/youracs/ and patch -p1 < /tmp/openssl.patch.
The patch alters:
acs3-pg/tcl/ad-admin.tcl
acs3-pg/tcl/ecommerce-defs.tcl
acs3-pg/tcl/events-defs.tcl
acs3-pg/www/cookie-chain.tcl
acs3-pg/www/ecommerce/checkout-2.tcl
acs3-pg/www/ecommerce/checkout.tcl
acs3-pg/www/ecommerce/gift-certificate-order.tcl
acs3-pg/www/ecommerce/shipping-address-2.tcl
acs3-pg/www/ecommerce/shipping-address-international-2.tcl

I do not use ecommerce or cookie-chain, so I have not been able to test them. I have not compiled the nsssl(e).so module, so that too remains untested. (Personally I have no interest in nsssl, as it features only very limited SSL functionality.) Volunteers?!?
Using OpenSSL is pretty straight forward, it can be used as a drop-in replacement for nsssl. Just compile openssl and nsopenssl and load nsopenssl.so instead of nsssl(e).so. I am willing to write up an ns(open)ssl-howto, if people are interested...

Collapse
2: Response to A patch to get ns(open)ssl to work. (response to 1)
Posted by Don Baccus on 03/03/01 04:36 PM
A how-to would be great, I'm sure Roberto would be glad to fold it
into the documentation.

You're right, security checking shouldn't be dependent on the driver name.

ad_secure_conn_p is the method used by ACS 4x, so your patch should be
OK.  It would be nice if someone would test with nsssl, as you
request.  I starting to get busy with the 4x port myself so don't
really have time...

Collapse
3: Response to A patch to get ns(open)ssl to work. (response to 1)
Posted by Roberto Mello on 03/03/01 05:35 PM
Pascal,

Can you please mail this patch to me? Your link to the patch is broken, plus it's easier to keep track of what I have to do by simply going through the messages in my openacs-todo inbox.

And documentation would be excellent! I would gladly incorporate it into our docs.

Collapse
4: Response to A patch to get ns(open)ssl to work. (response to 1)
Posted by Pascal Scheffers on 03/05/01 09:57 AM
It seems that the link to the patch was giving some troubles, so I changed the mime for .patch to text/plain.

This URL works for me: http://pascal.scheffers.net/patch/openssl.patch

Collapse
5: Response to A patch to get ns(open)ssl to work. (response to 1)
Posted by Richard Hamilton on 10/24/02 09:15 PM
Has this patch been rolled into OpenACS4.5 or do we still need to apply it?

Regards
Richard