From cc68e06deee9a7fd5f62bfa0b26fc8b686ffa22c Mon Sep 17 00:00:00 2001
From: friendica
Date: Tue, 6 May 2014 17:32:22 -0700
Subject: setup: check for open https port with an invalid cert, even if configured to use http. Also a bit more word-smithing on the resultant error text but it's still not perfect.
---
 mod/setup.php | 36 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 11 deletions(-)
(limited to 'mod/setup.php')
diff --git a/mod/setup.php b/mod/setup.php
index 07ad34ac5..9eccffe75 100755
--- a/mod/setup.php
+++ b/mod/setup.php
@@ -545,22 +545,36 @@ function check_htaccess(&$checks) {
 $a = get_app();
 $status = true;
 $help = "";
+ $ssl_error = false;
+
+ $url = $a->get_baseurl() . '/test/rewrite';
+
 if (function_exists('curl_init')){
- $test = z_fetch_url($a->get_baseurl()."/setup/testrewrite");
+ $test = z_fetch_url($url);
 if(! $test['success']) {
- if(strstr($a->get_baseurl(),'https://')) {
- $test = z_fetch_url($a->get_baseurl() . "/setup/testrewrite",false,0,array('novalidate' => true));
+ if(strstr($url,'https://')) {
+ $test = z_fetch_url($url,false,0,array('novalidate' => true));
+ if($test['success']) {
+ $ssl_error = true;
+ }
+ }
+ else {
+ $test = z_fetch_url(str_replace('http://','https://',$url),false,0,array('novalidate' => true));
 if($test['success']) {
- $help = t('SSL certificate cannot be validated. Fix certificate or disable https access to this site.') . EOL;
- $help .= t('If you use https access, you MUST use a certification instance known by all internet browsers. You MUST NOT use self-signed certificates!') . EOL;
- $help .= t('This restriction is incorporated because public posts from you may for example contain references to images on your own hub. If your') . EOL;
- $help .= t('certificate is not known by the internet browser of users they get a warning message complaining about some security issues. Although') . EOL;
- $help .= t('these complains are not the real truth - there are no security issues with your encryption! - the users may be confused, nerved or even') .EOL;
- $help .= t('worse may become scared about redmatrix having security issues. Use one of the free certification instances!') . EOL;
-
- check_add($checks, t('SSL certificate validation'),false,true, $help);
+ $ssl_error = true;
 }
 }
+
+ if($ssl_error) {
+ $help = t('SSL certificate cannot be validated. Fix certificate or disable https access to this site.') . EOL;
+ $help .= t('If you have https access to your website or allow connections to TCP port 443 (the https: port), you MUST use a browser-valid certificate. You MUST NOT use self-signed certificates!') . EOL;
+ $help .= t('This restriction is incorporated because public posts from you may for example contain references to images on your own hub.') . EOL;
+ $help .= t('If your certificate is not recognised, members of other sites (who may themselves have valid certificates) will get a warning message on their own site complaining about security issues.') . EOL;
+ $help .= t('This can cause usability issues elsewhere (not just on your own site) so we must insist on this requirement.') .EOL;
+ $help .= t('Providers are available that issue free certificates which are browser-valid.'). EOL;
+
+ check_add($checks, t('SSL certificate validation'),false,true, $help);
+ }
 }
 if ((! $test['success']) || ($test['body'] != "ok")) {
-- cgit v1.2.3
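Review bot: The new `else` branch sets `$ssl_error` whenever the https probe made with `'novalidate' => true` succeeds, but an unvalidated fetch also succeeds when the certificate on port 443 is perfectly valid, so an http-configured site with a good certificate is told "SSL certificate cannot be validated". The subject describes the intent as detecting an open https port with an invalid certificate; that needs a validating fetch of the https URL first, with the error raised only when validation fails and the unvalidated retry succeeds. Writing the probe result into `$test` in that branch also means the rewrite check at the end of the hunk, `if ((! $test['success']) || ($test['body'] != "ok"))`, judges the https probe instead of the configured http URL, so the probe should use its own variable. A prefix test such as `strpos($url,'https://') === 0` would be more precise than `strstr($url,'https://')`, which matches anywhere in the string. check_htaccess continues past the end of the hunk.
```php
// … unchanged: the https:// branch above …
else {
	$https_url = str_replace('http://','https://',$url);
	// a validated fetch that fails but an unvalidated one that succeeds
	// means port 443 answers with a certificate browsers will reject
	$probe = z_fetch_url($https_url);
	if(! $probe['success']) {
		$probe = z_fetch_url($https_url,false,0,array('novalidate' => true));
		if($probe['success']) {
			$ssl_error = true;
		}
	}
}
// … unchanged: if($ssl_error) block and the rewrite check on $test …
```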