Post by Dhaupin » Tue Oct 07, 2014 1:33 am

Here is an overview of how SSL certs work in a single-IP environment such as OpenCart multistore. This assumes that your store is set up with 1 or more domains needing an SSL attached. In our case we use "Addon domains", but it should work for standard A record or CNAME routing schemes as well.


Picking a Cert: Firstly, any kind of SSL will work - but they get expensive quickly once you start needing wildcards and things. Generally you need 1 SSL cert for each store, so the standard "DV" style is fine enough for most cases, the "OV" style being a bit better. "EV" or "Wildcard" are generally not needed unless you run a huge enterprise with tons of subdomains. The easiest way is to use whatever DV or OV SSL your host can get, since often they get massive reseller discounts. Then have them install it for you using the following considerations.


Important Registration Note: For many SSL certs, it's important that you register the SSL with the explicit www or non-www mode. Many modernized SSLs work in either-or mode, but there are still plenty of providers that work only 1 way or the other. If you don't get it right the first time, there is a chance you will have to buy another cert.


SNI For 1 IP Support: Next, the way they set up multiple SSL domains pointed to 1 IP is using SNI (server name indication) at server level. It's a method to route all, and it's dependent on modern browsers. Good news is that 100% of modern browsers support it. Bad news is that IE6 on SP1 WinXP doesn't. Your host will know what this means; make sure they set it up "SNI" if they all point at 1 server IP, otherwise your SSL may be invalid. http://en.wikipedia.org/wiki/Server_Name_Indication


Forward Secrecy: You should make sure you or your host have FS (forward secrecy) set up on your server as well. This makes handshakes better for more secure browsing by using unique keys. Like SNI, modern browsers understand it; old IE6/SP1/XP folks do not. This is essential with an "economy" SSL: http://en.wikipedia.org/wiki/Forward_secrecy

** You may notice BingBot and YahooBot/SlurpBot "don't understand" SNI or FS... somehow they still index your pages in https mode with no errors. Don't worry :)


Hardened Ciphers: Make sure your server's cipher suite doesn't allow anonymous SSL browsing. The default that ships with some servers is too broad to be PCI compliant. Most of the time your host would set this up, but if you have a WHM server it can be found under Service Configuration > Apache Configuration > Global Configuration > SSL Cipher Suite. You should use the Mozilla-suggested "intermediate compatibility" ciphers found here, then restart Apache once you set them: https://wiki.mozilla.org/Security/Serve ... default.29

** If you're uncomfortable with intermediate ciphers due to old IE on XP support, you can go with the older/wider ones below it on that mozilla page and still get away with a B in SSL tests.


"Unstable" Technologies: You may hear about TLS/SPDY, HTTP2.0, and other new things; they can seriously speed up your server in https mode. Be wary though, since they're still "unstable" releases and actually provide a tunnel for CRIME and other exploits if not set up exactly right. http://en.wikipedia.org/wiki/CRIME


Let's Roll: OK, once it's all set, you can test it using the Qualys SSL test: https://www.ssllabs.com/ssltest/analyze.html If everything is set up OK, with the right ciphers, Qualys should score you an A- even with a failed PCI test. Reducing the cipher list to be more XP compatible should take you to a solid B.

Hope that helps, good luck!
Last edited by Dhaupin on Thu Oct 09, 2014 8:37 am, edited 3 times in total.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
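An added example (not from the original post, and not OpenCart code) for checking the SNI and forward-secrecy points above from your own machine: it connects to each store domain twice, once sending SNI and once without, and reports which names the served certificate carries and whether the negotiated cipher uses ephemeral key exchange. The store hostnames on the command line and the certificate dicts used for checking are assumptions; it uses only Python's standard library.

```python
"""Probe a host with and without SNI and report what the server handed back.

Added example, not part of the original post or of OpenCart. It assumes the
store domains are reachable on port 443. The cert dicts passed to summarize()
have the shape Python's SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import sys


def san_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries, CN as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def is_forward_secret(cipher_name):
    """Ephemeral (EC)DH suites (OpenSSL names ECDHE-*/DHE-*) give forward
    secrecy; every TLS 1.3 suite (TLS_*) does by construction."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def summarize(cert, cipher, requested):
    """Pure part of the check: pair the served certificate with the name we asked for.
    The name check is an exact match; a wildcard SAN is listed but not counted."""
    names = san_names(cert)
    name, protocol, _bits = cipher
    return {
        "requested": requested,
        "served_names": names,
        "covers_requested": requested in names,
        "cipher": name,
        "protocol": protocol,
        "forward_secret": is_forward_secret(name),
    }


def probe(host, port=443, sni=True, timeout=5.0):
    """One TLS handshake. With sni=False no server_name is sent, so a shared-IP
    server answers with whatever certificate its default vhost carries."""
    ctx = ssl.create_default_context()
    # Without SNI Python cannot match the hostname for us; the chain is still verified.
    ctx.check_hostname = sni
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return summarize(tls.getpeercert(), tls.cipher(), host)


def main(argv):
    # Hostnames here are placeholders; pass your store domains on the command line.
    for host in argv[1:] or ["example.com"]:
        for sni in (True, False):
            try:
                report = probe(host, sni=sni)
            except (ssl.SSLError, OSError) as err:
                print(f"{host:30} sni={sni!s:5} handshake failed: {err}")
                continue
            flag = "OK" if report["covers_requested"] else "MISMATCH"
            fs = "FS" if report["forward_secret"] else "no-FS"
            print(f"{host:30} sni={sni!s:5} {flag:8} cert for {report['served_names']} "
                  f"{report['cipher']} {report['protocol']} ({fs})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe.py maindomain.com domain2.com`. With SNI every line should read OK; without SNI you will typically see MISMATCH (the default vhost's certificate), which is exactly what an SNI-less client such as IE6 on XP gets. A `no-FS` cipher on the SNI line means the server's cipher order still prefers plain RSA key exchange and the suite list needs tightening.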


Active Member
Joined Tue May 13, 2014 3:45 am
Location - PA

Post by Cue4cheap » Tue Oct 07, 2014 8:20 am

I was reading your other post you redirected to here and I have a few questions....

I have 5 stores set up and already had maindomain.com SSL purchased a few years ago.
Now I have the 4 other domains set up and it is coming time to renew my SSL (in about 5 months), so I am interested in this post. The piece I do not know/understand is that my web host has these options:

Positive SSL
Comodo's Positive SSL Certificates are designed for securing intranets, extranets, and websites. These certificates are an ideal and low-cost way of securing your enterprise web server.

Positive Wildcard SSL
You can either spend a lot of money and time buying and managing individual SSL Certificates for each subdomain, or you can save hundreds or even thousands of dollars by purchasing just one Wildcard SSL certificate to secure them all.

It appears from what you say we only need the Positive SSL?

If that is the case then how do I get my webhost to understand that I need
maindomain.com
domain2.com
domain3.com
domain4.com
and domain5.com to all be recognized by that one certificate?
I read it has to do with this part of your instructions: "SSL domains pointed to 1 IP is using SNI (server name indication) at server level. Your host will know what this means" but when I contacted my host they actually said I would need to get a certificate for every domain.
So certificate with maindomain.com
another certificate with domain2.com
etc.

How is it possible not to need that, or to give them enough info that it isn't needed?
Thank you,
Mike

cue4cheap not cheap quality


Expert Member
Joined Fri Sep 20, 2013 4:45 am

Post by Dhaupin » Tue Oct 07, 2014 11:02 am

Sorry about the redirect, figured we all could dump all SSL multistore posts in 1 uberthread. I originally typed it as your reply, but it was worthy of splitting out as "guidance" (not egothreading, it's just good OC SEO domination :))

With SNI, it's basically an option of browsers: "Do I trust this IP with X amount of SSLs I've found?" Most agree it's a new age, IPs are short, frames can handle multi-domains... they trust the SNI shared IP SSL... but it doesn't mean 1 SSL for all (more about this next). Some like Bing bot or some very old IE users on XP have issues, but they seem to get by since they are probably used to it. In the case of Bing, it still indexes your site in https-mode links even though it doesn't understand SNI nor Forward Secrecy.

As far as certs per domain, you have to get 1 certificate for each domain unless you are willing to shell out tons of cash for a top enterprise-level multi-TLD SSL. Until you are 20-30+ domains deep in SSL, it's worth it to stick with the economy. The economy in your case is called/marketed "Positive SSL". It's probably deep down a DV or OV style. It's the route you wanna go unless you can get a slamming deal on a multi-TLD wildcard :)

Ask your host too -- say you wanna register 8 or so domains for SSL, maybe they can cut you a deeper deal with their reseller rates.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


Active Member
Joined Tue May 13, 2014 3:45 am
Location - PA

Post by Cue4cheap » Wed Oct 08, 2014 9:00 am

Dhaupin wrote: Sorry about the redirect, figured we all could dump all SSL multistore posts in 1 uberthread. I originally typed it as your reply, but it was worthy of splitting out as "guidance" (not egothreading, it's just good OC SEO domination :))

=====

As far as certs per domain, you have to get 1 certificate for each domain unless you are willing to shell out tons of cash for a top enterprise-level multi-TLD SSL. Until you are 20-30+ domains deep in SSL, it's worth it to stick with the economy. The economy in your case is called/marketed "Positive SSL". It's probably deep down a DV or OV style. It's the route you wanna go unless you can get a slamming deal on a multi-TLD wildcard :)

Ask your host too -- say you wanna register 8 or so domains for SSL, maybe they can cut you a deeper deal with their reseller rates.

The redirect is fine as it was easy to find, and this may be useful to have as its own thread.

Now you have me slightly confused....
Multi-stores by default have a single IP so your initial post seems to say one certificate will work for all...

Then above you wrote: "As far as certs per-domain, you have to get 1 certificate for each domain" which seems to contradict that.

Could you clarify for this :ponder: ing one?
Mike

cue4cheap not cheap quality


Expert Member
Joined Fri Sep 20, 2013 4:45 am

Post by Dhaupin » Thu Oct 09, 2014 5:49 am

Ah good call, I will edit that. Yeah, it's 1 SSL per multistore for most cases.

A case where you could share an SSL using a wildcard cert is if your multistores are all subdomains of 1 main domain. Example:

http://www.maindomain.com
electronics.maindomain.com
furniture.maindomain.com
outdoor.maindomain.com

Even then the cost may not justify, it varies.

EDIT: After some tinkering, discovered that only the leftmost part of a URL works with the wildcard in those SSLs. Also, forgot to mention that if you use that style, there is only 1 wildcard subdomain set per TLD or base scheme. So basically, you can only assign 1 level deep of addon subdomains with a wildcard; everything else requires wildcards on wildcard subdomains, which is edge, like a pioneer.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
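An added example (not the post's own code) showing the matching rule behind that EDIT: browsers treat the `*` in a certificate name as standing for exactly one leftmost label, so `*.maindomain.com` covers `electronics.maindomain.com` but not `maindomain.com` itself, not `sale.electronics.maindomain.com`, and a partial-label pattern like `e*.maindomain.com` is not honoured. The hostnames are the ones listed in the post; `plan_certificates` is an assumed helper that groups a store list into one wildcard per parent domain and one certificate for everything else, which is the thread's conclusion.

```python
"""Which hostnames does a certificate name cover, and how many certs does a
multistore need? Added example, not from the original post. The wildcard rule
is the one browsers apply (RFC 6125 section 6.4.3): '*' must be the whole
leftmost label and matches exactly one label. Hostnames are the post's own.
"""


def hostname_matches(pattern, hostname):
    """True if a certificate DNS name (possibly '*.parent') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, only one of them, and never
    # directly under a TLD ('*.com' is rejected by every browser).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # One label for the '*', the rest must match exactly: no multi-level match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname):
    """Names from one certificate's SAN list that cover the given hostname."""
    return [name for name in cert_names if hostname_matches(name, hostname)]


def plan_certificates(store_hosts):
    """Assumed helper: group store hostnames by the certificates they need.
    Hosts one level below a shared parent can ride on a single '*.parent'
    wildcard; a bare domain or a lone host needs its own certificate."""
    by_parent = {}
    for host in store_hosts:
        labels = host.lower().rstrip(".").split(".")
        parent = ".".join(labels[1:]) if len(labels) >= 3 else None
        by_parent.setdefault(parent, []).append(host)
    plan = {}
    for parent, hosts in by_parent.items():
        if parent and len(hosts) > 1:
            plan["*." + parent] = hosts
        else:
            for host in hosts:
                plan[host] = [host]
    return plan


if __name__ == "__main__":
    stores = ["maindomain.com", "www.maindomain.com", "electronics.maindomain.com",
              "furniture.maindomain.com", "outdoor.maindomain.com",
              "domain2.com", "domain3.com"]
    for cert_name, hosts in plan_certificates(stores).items():
        print(f"{cert_name:24} -> {', '.join(hosts)}")
    print(hostname_matches("*.maindomain.com", "sale.electronics.maindomain.com"))
```

Note that the bare `maindomain.com` comes out as its own certificate: a wildcard name does not cover the parent, which is why wildcard products usually add the bare domain as an extra SAN. A second-level store such as `sale.electronics.maindomain.com` would need `*.electronics.maindomain.com`, the "wildcards on wildcards" case the post calls edge.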


Active Member
Joined Tue May 13, 2014 3:45 am
Location - PA