XF 1.5 AutoChange links do not work when HTTPS is installed

#1
On the forum https. Redirected from http to https. If I publish a link with https, auto-replace does not work. If the link is http, AutoCorrect works! What's the matter?
 

Brogan

XenForo moderator
Staff member
#2
Do you mean the 'Convert URLs to page titles' feature?

We haven't had any other reports of it not working on a secure site.

It could be an add-on involved, a server configuration issue, the remote server, etc.
Some more details and examples may help to identify the cause.
 
#9
Here it is written on the server in the config:

ssl_ciphers

Code:
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 

Mike

XenForo developer
Staff member
#10
The alternative issue is that when your server resolves the URL back to itself, it takes a different path through your web server configuration.

As an example, pick a URL to an image on your forum's domain such as your logo. Put that URL into the image proxy tester in the control panel. Does it report that it was fetched successfully? If not, then it's very likely that the VHost responding to your request is not the one that your site is configured on. Commonly, this is because your server is resolving your domain to 127.0.0.1/::1 and your web server isn't listening based on that.
 

eva2000

Well-known member
#11
Are you using centminmod?
If yes, there is a problem with the currently used ssl_ciphers, causing curl not to be able to connect with centminmod SSL sites. To solve, change the ssl_ciphers in your Nginx SSL site configuration to the current Mozilla recommended ones:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Strange works fine for me in latest centmin mod lemp stack but over the years the ssl_ciphers did change especially in latest beta. I tested Centmin Mod latest beta with both Xenforo 2 dev preview #10 and XF 1.5.14 and works fine here using ssl_ciphers

Code:
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
One possibility where this would be an issue, is if the external 3rd party site's server or if your xenforo server is behind a reverse proxy which has ssl_ciphers not supported by the xenforo server's curl version i.e. Cloudflare free flexible ssl is ECC 256bit ssl certs with ECDSA which some older linux distros' curl version might not support. Which could be the case for @micron example checking if your xenforo server's system version of curl supports ECDSA against cloudflare's blog
Code:
curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
Code:
curl -Iv --ciphers ecdhe_ecdsa_aes_128_sha https://blog.cloudflare.com
results in SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_CBC_
Code:
curl -Iv --ciphers ecdhe_ecdsa_aes_128_sha https://blog.cloudflare.com
* About to connect() to blog.cloudflare.com port 443 (#0)
*   Trying 2400:cb00:2048:1::6813:ca1d...
* Connected to blog.cloudflare.com (2400:cb00:2048:1::6813:ca1d) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_CBC_
if your version of curl doesn't support the ssl cipher, might get an error like
Code:
curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha
Though in @HWS case it wouldn't be Cloudflare issue if changing nginx's own ssl ciphers fixes the issue.
 

HWS

Well-known member
#12
Here it is written on the server in the config:

ssl_ciphers

Code:
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
I recommend to comment it out, restart the web server and look if it works with default ciphers. Also Mike's suggestion is worth trying!
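
Added example, not part of any post in this thread and not XenForo or Centmin Mod code: a shell audit of an explicit-name ssl_ciphers list like the one quoted above. It shows which entries a client without ECDSA support (the older-curl case raised in post #11) could still negotiate, and which entries are 3DES or lack forward secrecy. The function names and SAMPLE_CIPHERS are constructed for illustration, and only OpenSSL names for TLS 1.2 and earlier are classified.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Constructed sample: a shortened list in the explicit-name style of post #9.
SAMPLE_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS'

# Print "KX AUTH NOTES" for one OpenSSL cipher name (TLS 1.2 and earlier).
classify_cipher() {
  local name="$1" kx auth notes=''
  case $name in
    ECDHE-ECDSA-*)        kx=ECDHE; auth=ECDSA ;;
    ECDHE-RSA-*)          kx=ECDHE; auth=RSA ;;
    DHE-RSA-*|EDH-RSA-*)  kx=DHE;   auth=RSA ;;
    AES*|DES-CBC3-SHA)    kx=RSA;   auth=RSA; notes='no-forward-secrecy' ;;
    *)                    echo 'unknown unknown -'; return 0 ;;
  esac
  case $name in
    *DES-CBC3*) notes="${notes:+$notes,}3DES" ;;
  esac
  echo "$kx $auth ${notes:--}"
}

# One line per cipher: "NAME KX AUTH NOTES". Exclusions (!X, -X) and selector
# expressions (A+B) can only be expanded by `openssl ciphers`, so skip them.
audit_ciphers() {
  local list="$1" entry
  local IFS=':'
  for entry in $list; do
    case $entry in
      ''|'!'*|-*|*+*) continue ;;
    esac
    echo "$entry $(classify_cipher "$entry")"
  done
}

# Ciphers an RSA-only client (no ECDSA support) can still negotiate,
# assuming the server also presents an RSA certificate.
rsa_client_ciphers() {
  audit_ciphers "$1" | awk '$3 == "RSA" { print $1 }'
}

# Entries carrying a note: 3DES or static-RSA key exchange.
weak_ciphers() {
  audit_ciphers "$1" | awk '$4 != "-" { print $1 }'
}

audit_ciphers "$SAMPLE_CIPHERS"
```

If `rsa_client_ciphers` prints nothing for a server's list, or the server only has an ECDSA certificate, a client without ECDSA support has no cipher in common with it and the handshake fails.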
 

HWS

Well-known member
#13
Strange works fine for me in latest centmin mod lemp stack but over the years the ssl_ciphers did change especially in latest beta. I tested Centmin Mod latest beta with both Xenforo 2 dev preview #10 and XF 1.5.14 and works fine here using ssl_ciphers
A few days ago we installed a brand new server with centminmod. Like some other users at your forum we detected that the SSL-Test at https://tools.pingdom.com/ failed (the test at Qualys returned an A grade). Also access via curl from another server failed with a connect error. After some testing, we changed the ssl_ciphers to the current recommended ones and everything now works as expected.

It may make sense to check the ciphers in your default installation?
 

eva2000

Well-known member
#14
A few days ago we installed a brand new server with centminmod. Like some other users at your forum we detected that the SSL-Test at https://tools.pingdom.com/ failed (the test at Qualys returned an A grade). Also access via curl from another server failed with a connect error. After some testing, we changed the ssl_ciphers to the current recommended ones and everything now works as expected.

It may make sense to check the ciphers in your default installation?
interesting will check - might be good to mention it on centmin mod forums https://community.centminmod.com/ ;)

a few weeks back did have a user report pingdom connection issue but that was due to IPv6 connectivity on their vps which they reported fix when they disabled IPv6 on server.

pingdom test for HTTP/2 HTTPS demo domain at https://http2.centminmod.com/

test https://tools.pingdom.com/#!/d3mMTg/http2.centminmod.com
 
#18
root@##:/usr/ports/ftp # php -m
[PHP Modules]
bcmath
bz2
Core
ctype
curl
date
dom
ereg
filter
gd
gettext
hash
iconv
imagick
json
libxml
mbstring
mcrypt
memcached
mhash
mysql
mysqli
mysqlnd
openssl
pcre
PDO
posix
Reflection
session
SimpleXML
sockets
SPL
standard
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib
 