I have a number of WordPress sites which use Dan Coulter’s Flickr API powered gallery plugin to render images from an attached Flickr account.

This plugin appears to no longer be maintained by the author, and I have previously written about having to make a couple of code changes in order to get it to work again.

Anyway, a little while ago, I noticed that my Flickr galleries had stopped working again, so here’s a fix.

SSL Redux

Firstly, the Flickr API now REQUIRES that you connect to it via SSL. However, the Flickr gallery code uses the non-SSL endpoints.

So, in phpFlickr.php we need to update the endpoint URLs:

var $rest_endpoint = 'https://api.flickr.com/services/rest/';
var $upload_endpoint = 'https://api.flickr.com/services/upload/';
var $replace_endpoint = 'https://api.flickr.com/services/replace/'; 

If you use the database cache, at this point you’ll need to reset it, since you need to rebuild the cache using the correct URLs.

To do this, open up MySQL (or phpMyAdmin) and open your WordPress database. Next, delete all the rows from the cache, e.g.

mysql> use wordpress;
Database changed
mysql> delete from wp_phpflickr_cache;
Query OK, 904 rows affected (0.04 sec)

Broken Flickr shortcode

Next, it seems that there was a collision with the Flickr shortcode: something was already defining the shortcode but was expecting different parameters (likely Jetpack, but I’ve not really investigated).

So, I modified flickr-gallery.php to define the shortcodes in the plugin’s init function, after un-registering the existing definitions, and altered the priority so that it was defined last.

Get the updated plugin on GitHub…

When building personal or internal projects, it is common practice to use self signed certificates in order to enable HTTPS support.

Self signed certificates, as the name implies, are certificates which you generate yourself. They are generally frowned on from a security point of view: they make encryption possible, but because they are not signed by a recognised authority, they make no guarantees about trust.

This means that, at the very least, you’ll get a warning in your browser. Worse, it becomes very easy for an attacker to MITM your connection: a genuine connection and an intercepted one both trigger the same warning, so unless you manually compare key signatures, you’ll never know.

The good news is that, if the only clients that ever connect to your service are under your control (your own custom client, or a browser on your computers in your office, etc), you can use self signed certificates safely by becoming your own certificate authority.

… So here’s how (mainly for my own reference).

Becoming your own certificate authority

The first step is to generate your own master key and certificate that you’ll use to sign your keys.

Start by generating your root key. It is very important that you keep this safe, as anyone who somehow gets a copy of it could create certificates signed as you!

openssl genrsa -out root.key 4096

Next, generate your master certificate using this key:

openssl req -x509 -new -nodes -key root.key -days 1825 -out root.pem

Once you’ve generated this certificate, you need to install it on your clients. How this is done varies from client to client, but most browsers have an option (usually in the “advanced” or “security” section) to install a certificate provider. Googling “YOUR CLIENT” and “installing certificate” will usually get you somewhere.

On iOS devices the process is simply a matter of emailing the .pem to yourself and clicking on it, and the device will guide you through installation. This will make it available to Safari, but irritatingly there seems to be no way to install certificates for Chrome on iOS.

To update Linux command line apps (including curl), copy and rename the .pem to /usr/local/share/ca-certificates and then run update-ca-certificates as root.

Generate your server certificates

Once you’ve installed your certificate authority certificate (root.pem, never root.key) on the various computers and devices under your control, you are free to generate as many self signed certificates as you wish. Once these certificates are signed by your certificate authority, they will be accepted as legit by all the computers that you’ve installed your root.pem on.

This will provide not only encryption, but also trust, providing protection against eavesdropping and spoofing.

  • Generate your server key:

openssl genrsa -out server.key 4096

  • Generate a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

  • Generate your certificate, signing it with your master key:

openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server.crt -days 365

Install your certificate, in Apache or wherever, as you would any other certificate.
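
The whole procedure above as one non-interactive script, added here as an example (not the author's code). It goes one step beyond the commands on the page by putting the hostname in a subjectAltName extension, which current browsers require and which `openssl x509 -req` does not carry over from the CSR, and it ends with the check a client performs. The function names, the CA name and internal.example.test are assumptions.

```shell
#!/bin/sh
# Added example. "Example Internal Root CA" and internal.example.test are
# constructed names; the function names are illustrative.

# make_ca DIR [BITS]: create the root key and the CA certificate (root.pem).
make_ca() {
    dir=$1; bits=${2:-4096}
    openssl genrsa -out "$dir/root.key" "$bits" 2>/dev/null &&
    chmod 600 "$dir/root.key" &&   # root key readable by its owner only
    openssl req -x509 -new -nodes -key "$dir/root.key" -sha256 -days 1825 \
        -subj "/CN=Example Internal Root CA" -out "$dir/root.pem"
}

# issue_cert DIR HOSTNAME [BITS]: key, CSR, and a certificate signed by the
# root in DIR, with HOSTNAME in subjectAltName.
issue_cert() {
    dir=$1; host=$2; bits=${3:-4096}
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" &&
    # x509 -req copies no extensions from the CSR, so supply them here.
    printf '%s\n' "subjectAltName=DNS:$host" "basicConstraints=CA:FALSE" \
        "extendedKeyUsage=serverAuth" > "$dir/server.ext" &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/server.ext" \
        -sha256 -days 365 -out "$dir/server.crt" 2>/dev/null
}

# check_cert CAFILE CERT HOSTNAME: succeeds only if CERT chains to CAFILE
# and is valid for HOSTNAME, which is the decision a client makes.
check_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage:
#   d=$(mktemp -d) && make_ca "$d" && issue_cert "$d" internal.example.test
#   check_cert "$d/root.pem" "$d/server.crt" internal.example.test && echo trusted
```

A certificate that passes `check_cert` against your root.pem but fails against any other root is what turns the browser warning into a usable signal: once the root is installed, a warning means the connection is not what you issued.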

Dan Coulter has written a very nice WordPress plugin that lets you easily add Flickr photos and Flickr galleries to a blog.

I use this over on a number of sites to link to various resources hosted on Flickr.

Unfortunately, the plugin as is does not work very well over HTTPS, since it references resources (JavaScript, CSS and Flickr thumbnails) over HTTP. At the very least this can leak information about the page you are viewing, but in more modern browsers, the request itself is blocked and the page may not function correctly.

There was no obvious way to push patches upstream, so for now I’ve created my own fork of the code, and have stuck it on GitHub.

Hopefully this’ll be useful to you!
