SSL breaks Flash media uploader

[roothorick]

If /wp-admin/media-new.php is accessed from an SSL connection, the Flash uploader will always fail with a cryptic "IO error" message. Accessing the page normally works just fine, and the browser uploader works fine too.

Tested with Mozilla Firefox 3.5.5 under Windows XP, Flash version 10.0 r32

[aaron44126]

Same problem here. I just discovered it, having set up SSL for my admin sessions a few days ago. But apparently, this is not a new problem, and has been tied to a bug with Flash --- see ​http://bugs.adobe.com/jira/browse/FP-201. Apparently, this doesn't affect Flash under Internet Explorer, but only browsers that use the Netscape plug-in interface.

Still, I'd love to see a workaround in WordPress if possible to get the Flash uploader working with SSL on all browsers.

[aaron44126]

Turns out that it's not a WordPress or swfupload problem, it has to do with Flash and SSL certificate validation.

If you are using a self-signed certificate, or a certificate that is otherwise not trusted by default (for the wrong domain, signed by an untrusted CA like cacert.org, etc.), then you need to get it trusted by Windows before it'll work with the Flash uploader. For me, this was a self-signed certificate, and I added it to the Trusted Root Certificates Store (or some such) through the Windows GUI and now my uploads work in Firefox.

Apparently, if you have a good certificate from a good CA, this shouldn't be an issue. The problem is when Flash encounters the untrusted certificate (whether you've told Firefox to trust it or not), you get the error.

[aaron44126]

If any devs read this, I am close to a workaround using a plug-in, but I need a little help. This workaround would have file uploads NOT use SSL to work around the bug in Adobe Flash.

I have FORCE_SSL_ADMIN enabled, so that administrative sessions have to run over SSL. My goal is to allow wp-admin/async-upload.php, which is in charge of receiving the uploads from the Flash uploader, to be accessed from a non-SSL session.

I added a filter to 'admin_url' to switch ​https:// to ​http:// if we are getting the URL to async-upload.php. This tells the Flash uploader to connect via regular http to upload the file.

I added a filter to 'wp_redirect' to cancel any redirect from http to https if async-upload.php is the page being loaded. This keeps the Flash uploader from being bumped to SSL, even though I have FORCE_SSL_ADMIN enabled.

Now, when I try to upload a file, instead of getting the vague "IO error", the file upload seems to go through (I see the progress bar complete, and then it says "Crunching..." for a few seconds) --- but when it's done, nothing happens. I suspect this is because somewhere else, there is a check to see if I am using SSL, and I'm not, so it fails.

[nacin]

I'd think an admin who is forcing SSL would rather have an upload go through a secure browser uploader than an insecure Flash uploader.

Sounds like falling back to the browser uploader should be the workaround, not making the Flash uploader less secure.

[aaron44126]

Agreed.

Still, if you'd like to use the Flash uploader, I have a working plug-in that will let you use it. This plug-in DISABLES SSL for Flash uploads, and will expose your auth cookie, keep that in mind. roothorick, I am interested in hearing if it works for you.

​http://aaron-kelley.net/wp-content/uploads/2009/12/aaron-no-ssl-flash-upload-0.9.zip

From what I've gathered by spending a while with this problem, this is the only way to fix it until Adobe gives us some way to have Flash ignore certain SSL errors (or respect the rules you've set in your browser).

[ocean90]

WordPress is now using Plupload. Plupload uses HTML5 first and should fall back to flash only in IE if silverlight is not installed.

Please test if you still have issues with the media uploader in trunk.

See #18206 for the new file uploader.