Improve SSL instructions in report page.

GoyaPtyLtd · May 18, 2016 · 88fcb96 · 88fcb96
1 parent 05839cf
commit 88fcb96
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 23 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+### 4.0.3 (Released 2016-05-18) ###
+- Improve SSL instructions in report page.
+
 ### 4.0.2 (Released 2016-04-21) ###
 - Detect and allow for Apache versions with buggy rewrite causing redirection
   failure during configuration.

diff --git a/RESTfm.ini.php.dist b/RESTfm.ini.php.dist
@@ -41,17 +41,15 @@ $config['settings'] = array (
     'SSLOnly' => FALSE,
 
     // Enforce strict SSL certificate checking when RESTfm is connecting to
-    // FileMaker Server Web Publishing Engine. Disabling this is a security
-    // risk, and should not be used on a production server. It may be useful
-    // to disable this during development on systems using self-signed SSL
-    // certificates or the FMI certificate bundled with FileMaker Server.
+    // FileMaker Server Web Publishing Engine.
+    // Check http://www.restfm.com/restfm-manual/install/ssl-troubleshooting
+    // for further details.
     'strictSSLCertsFMS' => TRUE,
 
     // Enforce strict SSL certificate checking for RESTfm connecting to
     // itself when executing the report page (report.php).
-    // Disabling this may hide the fact that access to RESTfm over SSL is
-    // insecure. It may be useful to disable this during development on systems
-    // using self-signed SSL certificates.
+    // Check http://www.restfm.com/restfm-manual/install/ssl-troubleshooting
+    // for further details.
     'strictSSLCertsReport' => TRUE,
 
     // Respond 403 Forbidden on 401 Unauthorized.

diff --git a/lib/RESTfm/Diagnostics.php b/lib/RESTfm/Diagnostics.php
@@ -287,8 +287,16 @@ public function test_webserverRedirect($reportItem) {
             $reportItem->status = ReportItem::ERROR;
             $reportItem->details .=  'cURL failed with error: ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n";
             if (curl_errno($ch) == 60) {    // SSL certificate problem: self signed certificate
-                $reportItem->details .= 'On development (not production) systems it is possible to disable this check' ."\n";
-                $reportItem->details .= 'by setting "strictSSLCertsReport" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'The host\'s SSL certificate has failed a verification check. This may be' . "\n";
+                $reportItem->details .= 'due to the certificate being invalid, or PHP\'s CA root certificates' . "\n";
+                $reportItem->details .= 'being out of date.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Please consult ' .
+                                        '<a target="_blank" href="http://www.restfm.com/restfm-manual/install/ssl-troubleshooting">SSL Troubleshooting</a>' .
+                                        ' in the RESTfm manual for further details.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'It is possible to disable this check by setting "strictSSLCertsReport" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
             }
         } elseif ( strpos($result, 'RESTfm is not configured') ) {
             $reportItem->status = ReportItem::ERROR;
@@ -344,10 +352,9 @@ public function test_filemakerAPI($reportItem) {
         curl_setopt($ch, CURLOPT_HEADER, 0);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
-        if (RESTfmConfig::getVar('settings', 'strictSSLCertsReport') === FALSE) {
-            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
-            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
-        }
+        // SSL certificates were checked in an earlier test.
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
         curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
         curl_setopt($ch, CURLOPT_FORBID_REUSE, TRUE);
         curl_setopt($ch, CURLOPT_USERAGENT, 'RESTfm Diagnostics');
@@ -368,6 +375,7 @@ public function test_filemakerAPI($reportItem) {
 
     public function test_filemakerConnect($reportItem) {
         $reportItem->name = 'FileMaker Server connection test';
+        $reportItem->details = '';
 
         if ($this->_isSSLOnlyAndNotHTTPS()) {
             $reportItem->status = ReportItem::WARN;
@@ -377,7 +385,7 @@ public function test_filemakerConnect($reportItem) {
 
         if ($this->_report->filemakerAPI->status != ReportItem::OK) {
             $reportItem->status = ReportItem::ERROR;
-            $reportItem->details = 'Cannot test, FileMaker PHP API not found.' . "\n";
+            $reportItem->details .= 'Cannot test, FileMaker PHP API not found.' . "\n";
             return;
         }
 
@@ -406,8 +414,16 @@ public function test_filemakerConnect($reportItem) {
             $reportItem->status = ReportItem::ERROR;
             $reportItem->details .=  'cURL failed with error: ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n";
             if (curl_errno($ch) == 60) {    // SSL certificate problem: self signed certificate in certificate chain
-                $reportItem->details .= 'On development (not production) systems it is possible to disable this check' ."\n";
-                $reportItem->details .= 'by setting "strictSSLCertsFMS" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'The host\'s SSL certificate has failed a verification check. This may be' . "\n";
+                $reportItem->details .= 'due to the certificate being invalid, or PHP\'s CA root certificates' . "\n";
+                $reportItem->details .= 'being out of date.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Please consult ' .
+                                        '<a target="_blank" href="http://www.restfm.com/restfm-manual/install/ssl-troubleshooting">SSL Troubleshooting</a>' .
+                                        ' in the RESTfm manual for further details.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'It is possible to disable this check by setting "strictSSLCertsFMS" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
             }
         } elseif (stripos($result, 'FileMaker') === FALSE) {
             $reportItem->status = ReportItem::ERROR;
@@ -425,12 +441,11 @@ public function test_filemakerConnect($reportItem) {
 
         $FM = new FileMaker();
         $FM->setProperty('hostspec', $hostspec);
-        if (RESTfmConfig::getVar('settings', 'strictSSLCertsFMS') === FALSE) {
-            $FM->setProperty('curlOptions', array(
-                                CURLOPT_SSL_VERIFYPEER => FALSE,
-                                CURLOPT_SSL_VERIFYHOST => FALSE,
-                                ));
-        }
+        // SSL certificates were checked in an earlier test.
+        $FM->setProperty('curlOptions', array(
+                            CURLOPT_SSL_VERIFYPEER => FALSE,
+                            CURLOPT_SSL_VERIFYHOST => FALSE,
+                            ));
 
         $fileMakerResult = $FM->listDatabases();
         $unauthorised = FALSE;

diff --git a/lib/RESTfm/Version.php b/lib/RESTfm/Version.php
@@ -21,7 +21,7 @@
  * Version static class to hold release version.
  */
 class Version {
-    private static $_release     = '4.0.2';
+    private static $_release     = '4.0.3';
     private static $_revision    = '%%REVISION%%';
     private static $_protocol    = '5';     // Bump this when REST API changes.