Support

Admin Tools

#24801 Live update troubleshooting

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Tuesday, 26 April 2016 17:20 CDT

Sunday, 27 March 2016 14:19 CDT

Vseva
 Hey Nicolas;

How are you going ?
Great I hope !?!
Not doing too bad myself !
;O )

First of all my entire is Https.
SO I tried the live update on Admintool pro, but I get the message: "Live Update is not supported on this server".
I tried to follow the instructions you give in the message box too, but still no luck.
1) Enable cURL - basically I can't because I'm already using curlssl ( server config says us one or the other - not both)
2) fopen wrappers are activated.
3) And as I'm using CSF (ConfigServer Security & Firewall) on my VPS, I can allow IP addresses but I can't seem to enter a physical URL.

So I suspect it's CURLSSL php setting I enabled in EasyApache.
Mind you i sort need this as this site connects to secure payment gateways.

So finally the question:
Should change my php settings to cURL (and the CURLSSL)?
And will open up a security risk if I do so ?

Sunday, 27 March 2016 16:36 CDT

nicholas
Last time I checked most if not all all payment gateways were still using SSL certificates signed with SHA-1 sums for their API systems and only SHA-256 signed certificates for the user-facing systems. In fact the first payment gateway to upgrade their certificates is PayPal and the upgrade only goes into effect June 17th 2016. Everybody else is sticking with the PCI (Payment Card Industry) revised timeline of late 2017. So, being able to connect to payment gateways means absolutely nothing about your libcURL and libssl except that they are updated sometime in the last 4 years :D

Here's the problem with old, SHA-1 signed certificates. They are now reported as invalid (red bar) in Chrome and Firefox because SHA-1 has known cryptographic attacks against it, meaning that an attacker can spoof an SHA-1 signed certificate with a very modest cost. That's no bueno: it's insecure and would make us look bad. This is why as soon as we saw that we upgraded our SSL certificate. That was a few months ago. However, this now meant that you need the PHP cURL module compiled against libcurl 0.40.0 or later which is in turn must be compiled against libssl (OpenSSL) 1.0.1c or later. Anything lower and you can't access our HTTPS update provisioning site because it's too secure for old versions of OpenSSL and cURL (oh, the irony...).

So, you should update OpenSSL, libcurl and the PHP curl module, in this order. Not only it doesn't cause a security issue on your server, it actually makes it more secure and ensures that it will be able to communicate with third party secure servers in the future as security measures get tighter.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 26 April 2016 17:20 CDT

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2016-04-26 17:20 CDT

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!