1

I've just setup SSL on the main domain in my whm/cpanel setup, the domain has it's own ip and is all up and running correctly.

However when browsing the site in Chrome I get the following:

Your connection to example.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transite and can be modified by an attacker to change the behaviour of the page.

The connection uses SSL 3.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

The connection is not compressed.

The connection had to be retried using SSL 3.0. This usually means that the server is using very old software and may have other security issues.

I have checked the WHM > Server Configuration > Apache Configuration > Global Configuration

and SSL Cipher Suite is set to the following, as recommended: 

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH PCI recommended

I also have the following SSL report: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=https%3A%2F%2Fmostplays.com%2F&protocol=https

I also get this error when displaying a blank html file with just a title so it isn't from includes from external sources.

<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Test Secure</title> </head> <body> <h1>Test Secure</h1> </body> </html>

I've checked the server software and it's using openSSL 0.9.8e, could this be a factor?

What is it that I'm doing wrong? are there any more settings that would help to diagnose the problem?

Improve this question
3
  • Are you including things on your website from other websites ? Commented Jan 14, 2012 at 15:51
  • Only javascript includes like jQuery from google? Commented Jan 14, 2012 at 15:55
  • 1
    Include it on your page directly rather then fetching it from google and see if this solves your problem. Commented Jan 14, 2012 at 15:58

3 Answers 3

Reset to default
3

However, this page includes other resources which are not secure. These resources can be viewed by others while in transite and can be modified by an attacker to change the behaviour of the page.

Open the Developer Tools panel in Chrome (View -> Developer) and go to the network tab. It will list everything that it's loading. In addition, click on the warnings/errors icons at the bottom right. They'll open the list of errors, including messages such as:

  • The page at ... displayed insecure content from http://...
  • Unsafe JavaScript attempt to access frame with URL https://.../ from frame with URL http://.... Domains, protocols and ports must match

Most likely, it will come from frames and contents embedded from ads. Once you've found the "offending" resources in the list in the network tab, the "Initiator" column should give you a clue regarding what's loading them.

The connection had to be retried using SSL 3.0. This usually means that the server is using very old software and may have other security issues.

Make sure you have this (in addition to the SSLCipherSuite directive):

SSLProtocol all -SSLv2
Improve this answer
2

In order to avoid that warning, all included elements (images, files, etc.) must use HTTPS connections. View the page source and look for http:// -- it's ok in links to other pages (<a href="...) but not to files (<img src="..., etc.)

Improve this answer
7
  • In my test page I don't have anything apart from just a h1 tag and it still gives the error? Commented Jan 14, 2012 at 16:19
  • Can you post a link to the blank page? Commented Jan 14, 2012 at 16:34
  • bit.ly/yvP53b Commented Jan 14, 2012 at 16:51
  • That page looks fine to me. (FF reports "Your connection to this website is encrypted to prevent eavesdropping.") Commented Jan 14, 2012 at 17:05
  • 1
    @Silver89, including https:// is fine, relative URLs like /logo.png are fine too. xmlns=http:// isn't a link, it's an XML namespace, so it's not retrieve (and it's fine). Commented Jan 15, 2012 at 1:03
0

The following in httpd.conf stopped all errors:

SSLProtocol -SSLv2 +SSLv3 +TLSv1 SSLCipherSuite !NULL:!ADH:!EXP:!LOW:SSLv3:+HIGH:+MEDIUM
Improve this answer
1
  • Not really, you still have plenty of mixed content, see little red cross next to struck through https. (SSLProtocol all -SSLv2 should be equivalent to` SSLProtocol -SSLv2 +SSLv3 +TLSv1`, by the way or TLS 1.1+ should harm anyway, same for the cipher suites you had except RC4+RSA perhaps.) Commented Jan 15, 2012 at 15:41

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.