Skip to:
Content
Pages
Categories
Search
Top
Bottom

Buddypress breaks https

  • Avatar of PJ
    PJ
    Participant

    @pjnu

    I added

    `# BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]

    # END WordPress`

    To the .htaccess file and the entire site went https (I have a private SSL and dedicated IP).

    I installed/activated BuddyPress and the entire site has a broken https with the following message:
    Your connection to http://www.mysite.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

    The connection uses TLS 1.0.

    The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

    The connection is not compressed.

Viewing 9 replies - 1 through 9 (of 9 total)
  • You need to figure out and tell us what is being included over http. Also your WordPress and BuddyPress versions. Thanks.

    Avatar of Hugo
    Hugo
    Moderator

    @hnla

    Likely image urls are the culprit as is often the case with ssl connections. A certain amount of googling will fill you in on the ins and outs of using SSL and the warnings that are generated (it’s not broken SSL it’s just a warning that the page request has mixed resources)

    Possibly BP needs to be doing some checks to see how the server is configured with respect to SSL, not something I have had cause to look at with BP.

    Avatar of PJ
    PJ
    Participant

    @pjnu

    Paul,

    Ideally I’d like to have the whole site forced https since I have a private ssl. So, WP+BP in all https if possible.

    I did a fresh install of WP and just installed BP, so I doubt it’s an image issue. Is there a way to go totally https?

    I also went to Settings > General and changed WordPress Address (URL) to have an https rather than http. Anytime I click BP parts of the site it goes back to regular http.

    Your browser’s warning says that some content is being served over http. You need to figure out *what* file is being requested then we can tell you if it’s a BuddyPress core problem, or your theme, or a plugin.

    Avatar of Hugo
    Hugo
    Moderator

    @hnla

    PJ you do need to try and identify what files are the issue, Paul did ask that first time around, that info would allow both of us to have a clearer idea of what to look at.

    Images paths are often the culprit in this sort of mixed resource scenario, which is why I mentioned them.

    On a sidenote although it may seem an odd idea to run an entire site under https, there are those that advocate ALL sites changing to https regardless of whether they have obvious need for it such as payment gateway security.

    After spending an hour trying things, I’ve discovered that if you’re on https, the user avatar includes are always http.

    EDIT: Made a ticket http://buddypress.trac.wordpress.org/ticket/4110

    Just committed a fix for what I found.

    Avatar of PJ
    PJ
    Participant

    @pjnu

    Hmm, I’m a bit confused.

    So I have to change all instances of http in all of my files to https?
    Even if avatars are forced to https why would http be an issue?

    Paul, did you find a fix or do I have to wait for another version to come out?

    Avatar of Hugo
    Hugo
    Moderator

    @hnla

    PJ we still don’t know what files you found to be an issue, Paul has applied a patch/fix for an issue where avatar paths are hardcoded to ‘http’ – as I suggested might be the issue or one of the issues – knowing exactly what files you had issue with would still help to confirm this is actually the problem.

    If the baseurl is correctly set to ‘https’ then ‘http’ isn’t an issue, it’s only an issue at present as the secured page attempts to retrieve objects from a non secured protocol ‘http’

    Paul’s links to a ticket where he’s added a patch for the avatar issue this – when included – would normally appear in the next release (1.6) could be ported back to 1.5 branch?, but you may need to add the workaround to your files for the moment.

    Have you a link to this site? Is it possible for us to see the mixed content in action?

Viewing 9 replies - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.