Forum OpenACS Q&A: Problems with https login

Posted by Jade Rubick on
I have a new OpenACS 5.1 (upgraded to 5.1.1) site I'm testing out, and I'm running into the following issue:

When a user browses to the site (currently at http://usbakery.acornhosting.net:8000/), they get the main page.

When they try to login, however, they hang forever. Yes, RestrictLoginToSSLP is set to true.

Any ideas of what is going on?

PS

The same happens when trying to login through the IP address, although I swear that when I did it earlier, I was redirected from the IP address:

http://69.93.192.95:8000/

to

https://69.93.192.95:8000/

Note that I was correctly redirected to https, but the port was the same. This might have been fixed by changing a parameter in acs-kernel, as that is no longer happening.

I do see a comment in the util_current_location proc however:

  Note: IE fouls up the Host header if a server is on a non-standard port; it
  does not change the port number when redirecting to https.  So
  we would get redirects from http://some-host:8000 to
  https://some-host:8000

I'm not using IE, I'm using Safari and Mozilla, but that's exactly the behavior I was getting. My SSL is on 8443.

Posted by Jade Rubick on
I should also mention that if I browse to the site in https, and then try to login, it works fine.
Posted by Jade Rubick on
I'm finding this difficult to track down.

I put ns_log statements in util_current_location, and that didn't seem to help much.

I then found the ad_restrict_to_https proc in acs-tcl/tcl/admin-procs.tcl

It is supposed to redirect the user to https, but putting an ns_log statement in it and restarting seems to show that it isn't even called.

Also, I find this problem not just when trying to log in, but anytime the server tries to redirect to https. This happens anytime an anonymous user tries to click on a link that requires them to login. I get a debug statement in error.log that looks like this:

[08/Jul/2004:14:04:16][28906.49156][-conn:usb-dev::0] Notice: RP (8 ms): rp_handler: handling request: GET /register/?return%5furl=http%3a%2f%2fusbakery%2eacornhosting%2enet%3a8000%2fnotifications%2fmanage

But it still hangs.

Posted by Jade Rubick on
Bart figured out the cause of this.

It turns out that because the format for nsopenssl has changed with nsopenssl 3 (used by Aolserver 4), the acs-tcl/tcl/security-procs.tcl get_https_port proc was getting the wrong port number. It was trying to get it from

[ns_config ns/server/[ns_info server]/modules nsopenssl]

and it defaults to 443 if nothing is found.

So if you're using a non-standard port for SSL, it uses 443 anyway.

I'll fix this hopefully tomorrow.

Posted by Jade Rubick on
I've committed a fix to the bug in get_https_port in both HEAD and oacs-5-1.

However, that still actually does not fix the problem. I'm looking into it right now.

Posted by Jade Rubick on
I've fixed this on oacs-5-1.
Posted by Bruno Mattarollo on
Hello Jade,

can you confirm that this is a problem only with nsopenssl 3/AOLServer 4? Or is it something we should look into for nsopenssl 2.1a/AOLServer 3.x?

Cheers
/B

Posted by Bruno Mattarollo on
I have applied your patch on some instance that we have internally and it solved some of the issues we were having as well, so THANKS! :) (btw nsopenssl 2.1a and AOLServer 3.3.1)
Posted by Jade Rubick on
Bruno, glad it helped you out. There were actually two bugs: one was Aolserver 4 specific, and the other was a general bug. I fixed both of them.
Posted by Richard Hamilton on
Jade,

I have just run into these symptoms on 5.4.3 with Aolserver 4.5 as well. You say there were two bugs. I get the first one but what was the second one?

Regards
Richard

Posted by Richard Hamilton on
Just for clarity here is a summary of the situation with oacs 5.4.3.

I have a server at an IP address (no domain name) running an http listener on port 8001 and an https listener on 8442. On OpenAcs 4.6.3 I had it set so that all logins were over a secure connection which meant that a request for http://xxx.xxx.xxx.xxx:8001/register/ would automatically transfer the connection to https://xxx.xxx.xxx.xxx:8442/register/

I have tried with OpenACS 5.4.3 and it doesn't work despite having all the same parameters settings.

The following Kernel parameters are set:

RegisterRestrictEntireServerToRegisteredUsersFilters  0
RegisterRestrictToSSLFilters  1
RestrictLoginToSSLP  0 [have also tried setting this to 1]
SystemURL  https://xxx.xxx.xxx.xxx:8442/

The following 'Main Site' parameters are set:

RestrictEntireServerToRegisteredUsersP  0
RestrictToSSL  acs-admin/* register/* index/*
RegistrationRedirectUrl  <Nothing Set> [have also tried inserting 'https://xxx.xxx.xxx.xxx:8442/register/' here]

When I visit the Main Site index page and select 'Log in' I am expecting the request to be intercepted and redirected to the https listener. However this does not happen. The request occurs unaltered as per the 'Log in' link and therefore the request fails and times out.

This is the unaltered 'Log in' link as it appears in the browser:

http://xxx.xxx.xxx.xxx:8001/register/?return%5furl=http%3a%2f%2fxxx%2exxx%2exxx%2exxx%3a8001%2f

The behaviour is consistent with both Firefox and IE7.

If I connect specifically on the https listener then everything works fine. It is the automatic re-direct that is not working. I am not entirely sure if this is exactly the same issue as Jade had, or merely a closely related occurrence.

Any ideas gratefully received! :-|

Richard

Posted by Richard Hamilton on

I am going to explore this more fully tomorrow but I am suspicious of the references to the aolserver config file in get_https_port because:

In the ns_openssl v2.x configuration, there is only one driver configured and only a single port is used. The parameter is called 'ns_param ServerPort' and is under ns_section "ns/server/${servername}/module/nsopenssl"

HOWEVER.......

In the ns_openssl v3.x configuration, there are multiple drivers on multiple ports. This means that the secure ports are actually contained in:
ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/users",
ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/admins" and
ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/clients".

Furthermore, in each case the port number is contained in 'ns_param port' instead of 'ns_param ServerPort' as with v2.x.

(See http://aolserver.cvs.sourceforge.net/viewvc/aolserver/nsopenssl/nsd.tcl?revision=1.13&view=markup&sortby=author)

I therefore have my doubts that the following code will work with an aolserver configuration file in which ns_openssl v.3.x style config has been used.

ad_proc -private security::get_https_port {} {
    Return the HTTPS port specified in the AOLserver config file.

    @return The HTTPS port or the empty string if none is configured.

    @author Peter Marklund
} {
    set ssl_port ""
    if { [ns_config ns/server/[ns_info server]/modules nsssl] != "" } {
        set ssl_port [ns_config -int "ns/server/[ns_info server]/module/nsssl" Port 443]
    } elseif { [ns_config ns/server/[ns_info server]/modules nsopenssl] != "" } {
        set ssl_port [ns_config -int "ns/server/[ns_info server]/module/nsopenssl" ServerPort 443]
    } elseif { [ns_config ns/server/[ns_info server]/modules nsssle] != "" } {
        set ssl_port [ns_config -int "ns/server/[ns_info server]/module/nsssle" Port 443]
    }

    return $ssl_port
}

Nevertheless, I am still not sure why my server doesn't issue a redirect to https://xxx.xxx.xxx.xxx:443/register/ which is what I would have expected to happen even if this code is flawed.

Any thoughts?
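
The following is an added example, not OpenACS core code and not the fix that was later committed: a version of security::get_https_port that reads the nsopenssl 2.x ServerPort as before and falls back to the nsopenssl 3.x per-driver sections described in the post above. It assumes the driver section names users, admins and clients from the nsopenssl sample nsd.tcl; adjust them to match your own config.

```tcl
# Added example (not OpenACS core code). Resolves the HTTPS port for both
# nsopenssl layouts:
#   2.x: ns/server/<server>/module/nsopenssl            -> ServerPort
#   3.x: ns/server/<server>/module/nsopenssl/ssldriver/<name> -> port
# Driver names below are assumed from the nsopenssl 3.x sample nsd.tcl.
ad_proc -private security::get_https_port {} {
    Return the HTTPS port specified in the AOLserver config file, checking
    nsssl, nsopenssl 2.x, nsopenssl 3.x and nsssle in that order.

    @return The HTTPS port or the empty string if none is configured.
} {
    set server [ns_info server]
    set ssl_port ""

    if { [ns_config ns/server/$server/modules nsssl] ne "" } {
        set ssl_port [ns_config -int "ns/server/$server/module/nsssl" Port]
    } elseif { [ns_config ns/server/$server/modules nsopenssl] ne "" } {
        # nsopenssl 2.x: a single driver whose port is ServerPort
        set ssl_port [ns_config -int "ns/server/$server/module/nsopenssl" ServerPort]
        if { $ssl_port eq "" } {
            # nsopenssl 3.x: one section per driver, port in 'port'.
            # 'users' is tried first because that is the listener browsers
            # are redirected to; the first driver with a port wins.
            foreach driver {users admins clients} {
                set section "ns/server/$server/module/nsopenssl/ssldriver/$driver"
                set ssl_port [ns_config -int $section port]
                if { $ssl_port ne "" } {
                    break
                }
            }
        }
    } elseif { [ns_config ns/server/$server/modules nsssle] ne "" } {
        set ssl_port [ns_config -int "ns/server/$server/module/nsssle" Port]
    }

    # No silent default of 443: returning "" lets callers such as
    # security::https_available_p report that no SSL listener is configured
    # instead of redirecting to a port nothing listens on.
    return $ssl_port
}
```

Verifying the result from nscp with `security::get_https_port` on a running server is the quickest check that the lookup matches the port the SSL driver actually binds.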

Posted by Richard Hamilton on
Success! I configured nscp and poked about in the running server to confirm this. I have modified my security::get_https_port proc and now all works perfectly.

I will post details of a proposed fix later (I don't have cvs commit rights) - out of time for now! :-)

R.

Posted by Torben Brosten on
Richard,

Are you using the config.tcl file that comes with 5.4?

I believe the https configuration changed significantly between early oacs 5.1 and subsequent versions. Also, note that the register redirect for 5.4 may not work (especially according to ecommerce workflow). Look at these changes on head to fix:

http://cvs.openacs.org/cvs/openacs-4/packages/acs-tcl/tcl/security-procs.tcl?r1=1.46.2.2&r2=1.52&sortby=date
http://cvs.openacs.org/cvs/openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl?r1=1.111&r2=1.112&sortby=date

cheers,

Torben

Posted by Torben Brosten on
Oops, you'll also need to add the SuppressHttpPort parameter to acs-tcl.info:
http://cvs.openacs.org/cvs/openacs-4/packages/acs-tcl/acs-tcl.info?r1=1.56&r2=1.54&pathrev=MAIN&sortby=date
Posted by Richard Hamilton on
Torben,

Thank you very much for posting that. The first link you posted includes code that does what my successful alteration to security::get_https_port does and is obviously a fully worked through solution - which is great. Am I correct in understanding that this code is newer than 5.4.3 because the core checkout I have is 5.4.3?

To answer your question, I use nsopenssl v 3.x and have my own nsd.tcl file that I have developed over a long period. I use a standard nsopenssl 3.x structure which is covered in the code that you posted a link to.

I guess I should co HEAD for security-procs.tcl and utilities-procs.tcl at a minimum and see if it works.

As far as security::get_https_port is concerned, I wonder how that has been left? In 5.4.3 that function is not nsopenssl v3.x compatible. I imagine that this new code supersedes its use in redirects and so, I wonder, is it still used, is it to be deprecated or should it also be updated so that it is at least compatible?

R.

Posted by Torben Brosten on
Richard, definitely diff your nsd.tcl against the head version of config.tcl. There have been a few serious changes, some for performance and dealing specifically with aolserver4.5 and other feature enhancements.

security::get_https_port is used in security::https_available_p so it should be updated to consider nsopenssl v3 also. The security::locations code shows how to reference the port for nsopenssl v3.

cheers,

Torben

Posted by Richard Hamilton on
Torben,

Thanks. I'll study the nsd.tcl code for changes.

Who should update security::get_https_port? I would do it but I don't have cvs commit and in any case I am not authorised to fiddle with the core! :-)

R.

Posted by Torben Brosten on
Ah, I'll try an update. Thank you for the alert.
Posted by Torben Brosten on
Following Dave's lead with optimizations on security::locations, I updated get_https_port on head.

cheers!

Posted by Ammaar Mahmoor on
It seems so many bloggers have the same log in problem... We expect a good feedback from you...
Posted by bradD weyand on
what is the web site made with?
Posted by Jim Lynch on
what is the web site made with?

Since you're asking here, I will assume you mean sites built with openacs.

First, there is the web server itself, which is usually aolserver, which was designed from the start for fast web apps. It has a built in scripting language, TCL, which is used for aolserver config files and for application scripting.

Openacs and apps built using it use a database. There are two supported databases, postgres and oracle.

Finally, openacs itself is a collection of tcl scripts, database scripts and a plugin infrastructure which allows packages and their development to happen independently of other work; you can write packages which are applications and packages which are support of other packages.

These packages can have a user interface (which is normally templated html), a data model which describes how data for the package is stored and how it relates to the rest of the openacs data model, a library containing TCL procedure definitions and a catalog of internationalized/localized phrases and sentences.

For more info, see http://openacs.org/

-Jim