(According to https://developers.facebook.com/tools-and-support/ there are Facebook engineers reading this.)
Some of our web hosting customers recently complained about missing images/text when sharing content from their https website to Facebook.
I tracked this problem to a security change in our environment that disabled TLS v1.0 for customer HTTPS sites. The curl output in Facebook Debugger merely showed an SSL connection error and I can reproduce the problem locally if I force curl to not try TLS v1.1 nor v1.2.
These values in Apache 2.4 vhost configuration makes Facebook not connect to my customers site:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
Changing SSLProtocol to this make Facebook work OK:
SSLProtocol All -SSLv2 -SSLv3
'All' includes TLS v1.1 and v1.2. Why doesn't Facebook link-sharing and the Facebook Debugger work against modern sites that use TLS v1.1 and TLS v1.2 (and have SSLv3 & TLSv1 disabled)?
Thanks.
Related
I am setting a webhooks for a Facebook application, and they required a call back url, this url must be in https
I do have a server with a call back website but it is not https, it is in http protocol
Any idea to bypass that? (work around? )
There's no way to bypass it.
However, if you don't want to buy SSL certificate for your domain, you can configure your domain name with CloudFlare and use their universal ssl.
I have used it with facebook webhooks and it works very well. It's free and very easy to configure.
The free plan allows you to use Flexible SSL. As per the docs:
Flexible SSL: secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.
I disabled SSLv3 on my server to protect users from the POODLE vulnerability, but since doing so Facebook's scraper no longer works on my sites (so sharing pages on facebook doesn't result in a share image, title, or description being pulled in).
When I try using the debug tool with a URL, it shows this error:
Curl Error : SSL_CONNECT_ERROR error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I have been Googling and searching on here, but haven't been able to find much information on this.
Do I have to keep SSLv3 enabled in order to share pages on Facebook?
I ran your domain through several SSL checkers, and weirdly sslcheck.globalsign.com complains that you had neither TLS v1.0, TLS v1.1 nor TLS v1.2 enabled.
Since other checkers are not reporting this (and Chrome says TLS v1.2 is used as well when I visit the site), one might suspect it to be an error of this particular tool – but since you’re having trouble with the FB scraper as well, it might indicate that there is something wrong with your configuration.
I'm developing a Facebook canvas app. I don't have a SSL certificate so I've been using a plain http:// URL + sandbox mode for the creation and testing process.
Suddenly I realized my Facebook account turned to Secure Browsing mode and I'm unable to turn it off via Account Settings >> Security >> Secure Browsing. There is no "edit" button. None of my co-workers experienced the same problem. Their Secure Browsing option is off, editable and the app is visible. Anyone familiar with the same issue?
If you're testing your app you shouldn't really need to disable HTTPS, nor is that really a representative test if you're using HTTP but almost all your users will be using HTTPS (as is the case with Facebook)
It'd be better to get a free cert from startssl.com or similar free CAs, use OpenSSL to generate an in-house CA or self-signed certs, or accept the certificate warnings from the default cert that ships in your webserver, if any, than to disable the secure browsing option on your Facebook account for this purpose;
As for the option itself in the Facebook setting, that's somewhat off topic for here, and I'm unsure what the exact status is but I believe the option to browse Facebook insecurely is being phased out
Another option for testing is to run a test server with a separate proxy to your production environment (e.g nginx) for test purposes and log all the traffic to that server for debugging
We develop local apps that redirect to a secure web host which then sends the relevant FB app info to our FB app which in turn redirects back to our web server which redirects back to our local app. The local app stores the relevant FB user info so that user interaction is then posted to FB as per their approval. Everything works perfectly except for our latest project.
Our latest project running in Dubai is having latency issues between FB, the web server and our localhost on its return from the FB app authorisation. When the PHP script execution time was set to 30 seconds the redirect would timeout. We have increased this execution duration and the app works again but the wait is not ideal as ppl are queued in malls waiting to try out the activation.
I see it is possible to setup SSL on the localhost server as per: How do I allow HTTPS for Apache on localhost?
So my question is: Would FB allow this SSL connection or would the certificate have to come from an authority on a certified web server?
I was thinking of using the localhost WAMP server as the web server aswell and setting up its own OpenSSL to try reduce the latency issues.
I never built the original application so does the FB PHP SDK even need to be hosted on a secure site?
Currently i am creating an sample facebook application. The problem is its asking for my application url in two types. Canvas url and Secure canvas url i had hosted my application on this link Fb app url but the hosting is not providing me ssl i.e. the link with https Because of this problem i am unable to include the Secure canvas url
How can i overcome this issue. How can i solve this. Is there any way to submit the facebook application without secure canvas url or is there any free webhosting site which also provides ssl (https). Please suggest me
try heroku . Facebook provides you that option while you are registering your app.
no you have to get the ssl certificate to secure url
check this What is SSL and what are Certificates? and Https connection without SSL certificate
this is Free SSL Certificate :by Comodo for 90 days but never tried by me