XF 1.5 AutoChange links do not work when HTTPS is installed

[micron]

On the forum https. Redirected from http to https. If I publish a link with https, auto-replace does not work. If the link is http, AutoCorrect works! What's the matter?

 

[Paul B]

Do you mean the 'Convert URLs to page titles' feature?

We haven't had any other reports of it not working on a secure site.

It could be an add-on involved, a server configuration issue, the remote server, etc.
Some more details and examples may help to identify the cause.

 

[micron]

Do you mean the 'Convert URLs to page titles' feature?

Yes!

The server is running Nginx.

 

[Mike]

Are you talking about links to your own site or links to other sites?

 

[micron]

Mike, link to the forum topics. Own site.

 

[HWS]

Are you using centminmod?
If yes, there is a problem with the currently used ssl_ciphers, causing curl not to be able to connect with centminmod SSL sites. To solve, change the ssl_ciphers in your Nginx SSL site configuration to the current Mozilla recommended ones:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

 

[rdn]

@eva2000? What's wrong with your current cipher suite?

 

[micron]

Are you using centminmod?

No, FreeBSD.

 

[micron]

Here it is written on the server in the config:

ssl_ciphers

'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

 

[Mike]

The alternative issue is that when your server resolves the URL back to itself, it takes a different path through your web server configuration.

As an example, pick a URL to an image on your forum's domain such as your logo. Put that URL into the image proxy tester in the control panel. Does it report that it was fetched successfully? If not, then it's very likely that the VHost responding to your request is not the one that your site is configured on. Commonly, this is because your server is resolving your domain to 127.0.0.1/::1 and your web server isn't listening based on that.

 

[eva2000]

Are you using centminmod?
If yes, there is a problem with the currently used ssl_ciphers, causing curl not to be able to connect with centminmod SSL sites. To solve, change the ssl_ciphers in your Nginx SSL site configuration to the current Mozilla recommended ones:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Strange works fine for me in latest centmin mod lemp stack but over the years the ssl_ciphers did change especially in latest beta. I tested Centmin Mod latest beta with both Xenforo 2 dev preview #10 and XF 1.5.14 and works fine here using ssl_ciphers

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;

One possibility where this would be an issue, is if the external 3rd party site's server or if your xenforo server is behind a reverse proxy which has ssl_ciphers not supported by the xenforo server's curl version i.e. Cloudflare free flexible ssl is ECC 256bit ssl certs with ECDSA which some older linux distro's curl version might not support. Which could be case for @micron example checking if your xenforo server's system version of curl supports ECDSA againt cloudflare's blog

curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

curl -Iv --ciphers ecdhe_ecdsa_aes_128_sha https://blog.cloudflare.com

results in SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_CBC_

curl -Iv --ciphers ecdhe_ecdsa_aes_128_sha https://blog.cloudflare.com
* About to connect() to blog.cloudflare.com port 443 (#0)
*   Trying 2400:cb00:2048:1::6813:ca1d...
* Connected to blog.cloudflare.com (2400:cb00:2048:1::6813:ca1d) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_CBC_

if your version of curl doesn't support the ssl cipher, might get an error like

curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha

Though in @HWS case it wouldn't be Cloudflare issue if changing nginx's own ssl ciphers fixes the issue.

 

[HWS]

Here it is written on the server in the config:

ssl_ciphers

'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

I recommend to comment it out, restart the web server and look if it works with default ciphers. Also Mike's suggestion is worth trying!

 

[HWS]

Strange works fine for me in latest centmin mod lemp stack but over the years the ssl_ciphers did change especially in latest beta. I tested Centmin Mod latest beta with both Xenforo 2 dev preview #10 and XF 1.5.14 and works fine here using ssl_ciphers

A few days ago we installed a brand new server with centminmod. Like some other users at your forum we detected that the SSL-Test at https://tools.pingdom.com/ failed (the test at Qualis returned an A grade). Also access via curl from another server failed with an connect error. After some testing, we changed the ssl_ciphers to the current recommended ones and everything now works as expected.

It may make sense to check the ciphers in your default installation?

 

[eva2000]

A few days ago we installed a brand new server with centminmod. Like some other users at your forum we detected that the SSL-Test at https://tools.pingdom.com/ failed (the test at Qualis returned an A grade). Also access via curl from another server failed with an connect error. After some testing, we changed the ssl_ciphers to the current recommended ones and everything now works as expected.

It may make sense to check the ciphers in your default installation?

interesting will check - might be good to mention it on centmin mod forums https://community.centminmod.com/

a few weeks back did have a user report pingdom connection issue but that was due to IPv6 connectivity on their vps which they reported fix when they disabled IPv6 on server.

pingdom test for HTTP/2 HTTPS demo domain at https://http2.centminmod.com/

test https://tools.pingdom.com/#!/d3mMTg/http2.centminmod.com

 

[micron]

Thank you for your help! Proxying the logo does not work. We will look at server settings. I will report the result.

 

[micron]

ReCAPTCHA (No CAPTCHA) connection error: Unable to Connect to ssl://www.google.com:443. Error #0:
03:26 - library/Zend/Http/Client/Adapter/Socket.php:235

Is this error related to what I'm asking about in this thread?

 

[Arty]

Could be. Possibly php is compiled without mod_ssl. Try recompiling it.

 

[micron]

root@##:/usr/ports/ftp # php -m
[PHP Modules]
bcmath
bz2
Core
ctype
curl
date
dom
ereg
filter
gd
gettext
hash
iconv
imagick
json
libxml
mbstring
mcrypt
memcached
mhash
mysql
mysqli
mysqlnd
openssl
pcre
PDO
posix
Reflection
session
SimpleXML
sockets
SPL
standard
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

 

[Arty]

SSL support is there, so it should work fine. Maybe its firewall rule preventing outgoing connections?

 

[micron]

Recompiled SSL and nginx and Curl
Test string for cloudfire doesn't work neither on my server nor yours nor another.