SSL Certificate Error and Explore page not resolving based on URL variations

[Andrew-Clement]

On entry and after quick searches, after some processing delay it just gives a blank response:

Labels: bug critical immediate @colinmccann @agamba

[dcwalk]

Appears from @agamba 's email that this is resolved?

[Andrew-Clement]

I think the problem was that I first accessed the page as www.ixmaps.ca/explore (i.e. w/o the php). Thereafter, even adding the php didn't help. Closing the window and entering the correct URL fixed the problem.

[dcwalk]

@agamba and @colinmccann I don't exactly want to reopen this, but I am experiencing a similar(?) issue.

I cannot isolate to just ensuring .php is in the URL, and in fact results are inconsistent (e.g. sometimes http vs https; sometimes .php vs not).

I think there is something that needs to be investigated regarding how the explore page is working currently?

[colinmccann]

Scary...

On Mon, Jul 4, 2016 at 12:51 PM, dcwalk notifications@github.com wrote:

@agamba https://github.com/agamba and @colinmccann https://github.com/colinmccann I don't exactly want to reopen this, but I am experiencing a similar(?) issue.

I cannot isolate to just ensuring .php is in the URL, and in fact results are inconsistent (e.g. sometimes http vs https; sometimes .php vs not).

I think there is something that needs to be investigated regarding how the explore page is working currently?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230326976, or mute the thread https://github.com/notifications/unsubscribe/AAuEmEWBBvbVvYXZiPHpJL-zNroE2XTFks5qSTougaJpZM4JD6tz .

Colin

[agamba]

Thanks for bringing this up. In fact Dawn is right. After I enable again the access through http:// as well in order to allow the IXmapsClient to submit contributions, this opened as well access to the Explore page in the same none encrypted way. However, many of the references to js code as well as the pulling of data in the queries is pointing to https:// access. This causes the explore page to fail in some of its functionality. I'm going to add a fix to this and force proper redirection to https:// using a script in the code and not by forcing it from apache, which as I said before, will brake the IXmapsClient

[dcwalk]

I've updated the name to (hopefully) better reflect the issue.

@agamba, for clarification--

• Are all connections from IXmapsClient going over http? Is that desired?
• If there are hardcoded https links and that is part of the problem maybe we could ensure consistent use of relative references within the website code?

In my (limited) experience redirects to https are best handled by the webserver not scripting on a page.

[agamba]

Yes, connections from the IXmapsClient are going over http, and this is the desired behaviour until we fix the issues with the SSL certificate.for the moment, the client (NodeJS) will fail to submit and retrieve data if accessed via htttps

[Andrew-Clement]

Thanks for the clarifications

It appears that sorting out the http/https issues are critical and urgent for our testing this week.

On 2016-07-04, at 12:22 PM, Antonio Gamba-Bari notifications@github.com wrote:

Yes, connections from the IXmapsClient are going over http, and this is the desired behaviour until we fix the issues with the SSL certificate.for the moment, the client (NodeJS) will fail to submit and retrieve data if accessed via htttps

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or mute the thread.

[agamba]

I've added a fix for this in the Explore page.Now any access through http will redirect to https, e.g. http://www.ixmaps.ca/explore.php?trid=265084

I think the issue doesn't affect other pages in the site, at least not critical as they don't pull dynamic data from the browser. We we could add a global rule (perhaps in header.php) that forces https redirection in every page.

[dcwalk]

For reference the commit @agamba addressed this in is https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621

[Andrew-Clement]

Great. So do you think this resolves things for now?

Is three something I can test?

eg I can do the Typeform survey again thoroughly, testing all links.

On 2016-07-04, at 12:52 PM, Antonio Gamba-Bari notifications@github.com wrote:

I've added a fix for this in the Explore page.Now any access through http will redirect to https, e.g. http://www.ixmaps.ca/explore.php?trid=265084

I think the issue doesn't affect other pages in the site, at least not critical as they don't pull dynamic data from the browser. We we could add a global rule (perhaps in header.php) that forces https redirection in every page.

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or mute the thread.

[dcwalk]

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) appears to be feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands.

[colinmccann]

I will make this my top priority this week (limited time)

On Mon, Jul 4, 2016 at 4:06 PM, dcwalk notifications@github.com wrote:

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (f8f9dc3 https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) is feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230348564, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJNl-KjTaoUobbLCwWwYmYjNVHF9ks5qSWeqgaJpZM4JD6tz .

Colin

[colinmccann]

Let me rephrase - I will make this my top priority, if and only if we're still weeks away from moving to the new server. We will not have the same problems there...

On Mon, Jul 4, 2016 at 5:54 PM, Colin McCann colindmccann@gmail.com wrote:

I will make this my top priority this week (limited time)

On Mon, Jul 4, 2016 at 4:06 PM, dcwalk notifications@github.com wrote:

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (f8f9dc3 https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) is feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230348564, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJNl-KjTaoUobbLCwWwYmYjNVHF9ks5qSWeqgaJpZM4JD6tz .

Colin

Colin

[colinmccann]

Holy crap. I think I figured it out.

Please confirm: https://ixmaps.ca in FF will throw an untrusted https://www.ixmaps.ca in FF is fine

Awk

On Mon, Jul 4, 2016 at 6:01 PM, Colin McCann colindmccann@gmail.com wrote:

Let me rephrase - I will make this my top priority, if and only if we're still weeks away from moving to the new server. We will not have the same problems there...

On Mon, Jul 4, 2016 at 5:54 PM, Colin McCann colindmccann@gmail.com wrote:

I will make this my top priority this week (limited time)

On Mon, Jul 4, 2016 at 4:06 PM, dcwalk notifications@github.com wrote:

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (f8f9dc3 https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) is feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230348564, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJNl-KjTaoUobbLCwWwYmYjNVHF9ks5qSWeqgaJpZM4JD6tz .

Colin

Colin

Colin

[colinmccann]

Christ, same behaviour in Chrome. I've been barking up the wrong tree for weeks. I should be able to resolve this fairly easily...

On Mon, Jul 4, 2016 at 6:03 PM, Colin McCann colindmccann@gmail.com wrote:

Holy crap. I think I figured it out.

Please confirm: https://ixmaps.ca in FF will throw an untrusted https://www.ixmaps.ca in FF is fine

Awk

On Mon, Jul 4, 2016 at 6:01 PM, Colin McCann colindmccann@gmail.com wrote:

Let me rephrase - I will make this my top priority, if and only if we're still weeks away from moving to the new server. We will not have the same problems there...

On Mon, Jul 4, 2016 at 5:54 PM, Colin McCann colindmccann@gmail.com wrote:

I will make this my top priority this week (limited time)

On Mon, Jul 4, 2016 at 4:06 PM, dcwalk notifications@github.com wrote:

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (f8f9dc3 https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) is feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230348564, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJNl-KjTaoUobbLCwWwYmYjNVHF9ks5qSWeqgaJpZM4JD6tz .

Colin

Colin

Colin

Colin

[colinmccann]

And fixed. Simple as hell, once I tracked down the actual behaviour.

In short, the cert was set up to only cover www.ixmaps.ca (and not ixmaps.ca). This was my fault, I've never encountered this issue before - all other servers I've worked with didn't need the extra coverage. I'm guessing apache usually does some redirecting (eg to www.), but not on the ixmaps server.

Lmk if you are still encountering the issue, but I think we should be gtg...

On Mon, Jul 4, 2016 at 6:10 PM, Colin McCann colindmccann@gmail.com wrote:

Christ, same behaviour in Chrome. I've been barking up the wrong tree for weeks. I should be able to resolve this fairly easily...

On Mon, Jul 4, 2016 at 6:03 PM, Colin McCann colindmccann@gmail.com wrote:

Holy crap. I think I figured it out.

Please confirm: https://ixmaps.ca in FF will throw an untrusted https://www.ixmaps.ca in FF is fine

Awk

On Mon, Jul 4, 2016 at 6:01 PM, Colin McCann colindmccann@gmail.com wrote:

Let me rephrase - I will make this my top priority, if and only if we're still weeks away from moving to the new server. We will not have the same problems there...

On Mon, Jul 4, 2016 at 5:54 PM, Colin McCann colindmccann@gmail.com wrote:

I will make this my top priority this week (limited time)

On Mon, Jul 4, 2016 at 4:06 PM, dcwalk notifications@github.com wrote:

However, per the conversation we had last the week prior about the SSL cert is not working for some browser configurations, this fix (f8f9dc3 https://github.com/ixmaps/website/commit/f8f9dc3fbe22c1c14f5c02eb53a5b81dd351b621) is feature breaking.

For some people (e.g., anyone who uses Firefox and has some degree of hardening RE: ssl certificates) they can no longer use the explore page as it stands

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230348564, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJNl-KjTaoUobbLCwWwYmYjNVHF9ks5qSWeqgaJpZM4JD6tz .

Colin

Colin

Colin

Colin

Colin

[agamba]

I'm afraid the issue persists...

Mozilla defines the issue as SEC_ERROR_UNKNOWN_ISSUER

Searching a bit I found this https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_the-error-occurs-on-one-particular-site-only

They suggest that the error often occurs when an "intermediate certificate" is missing. After testing the site against https://www.ssllabs.com/ssltest/analyze.html?d=www.ixmaps.ca it seems that the cause of the problem is that our server does not allow TLS 1.2,

"No support for TLS 1.2, which is the
  only secure protocol version."

[colinmccann]

Anto, I can't dup. See attached. Can you do a private browsing session or some such? Are you on FF47?

Re the ssllabs report - they are very strict. We absolutely will not be able to clean things up until we move to the new server. But C is not a fail. It just means we're vulnerable (eg CRIME, Heartbleed, etc). Not great, but functional.

On Mon, Jul 4, 2016 at 6:28 PM, Antonio Gamba-Bari <notifications@github.com

wrote:

I'm afraid the issue persists...

Mozilla defines the issue as SEC_ERROR_UNKNOWN_ISSUER

Searching a bit I found this

https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_the-error-occurs-on-one-particular-site-only

They suggest that the error often occurs when an "intermediate certificate" is missing. After testing the site against https://www.ssllabs.com/ssltest/analyze.html?d=www.ixmaps.ca it seems that the cause of the problem is that our server does not allow TLS 1.2,

"No support for TLS 1.2, which is the only secure protocol version."

[image: screen shot 2016-07-04 at 6 12 01 pm] https://cloud.githubusercontent.com/assets/999407/16570493/347305d8-4214-11e6-9725-0b6477d9f222.png

[image: screen shot 2016-07-04 at 6 25 18 pm] https://cloud.githubusercontent.com/assets/999407/16570532/d871dd62-4214-11e6-83f0-e9f72ef1e960.png

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ixmaps/website/issues/17#issuecomment-230360179, or mute the thread https://github.com/notifications/unsubscribe/AAuEmJ6N6asCtabxLBO8pjMylPptSqceks5qSYkjgaJpZM4JD6tz .

Colin

[agamba]

Experiencing these...

[colinmccann]

Closing - moving to new server has addressed the issue (correct?)