SSL Support change in version 11.1???


Kelly

Dec 20, 2013, 3:22:13 PM
to reddot-c...@googlegroups.com

We found this in Release Notes for 11.1: "there is no automatic fallback to HTTP anymore."  Has anyone found a workaround or hot fix for this? 

We are currently in 10.1 planning our 11.1 upgrade.  Users start their session in HTTP mode, login page then reloads in HTTPS mode, user logs in securely using 443/TCP -- but after login, user is returned to HTTP mode.  Below is the paragraph from Release Notes re: new SSL for 11.1.

Thanks!!

Kelly


Secure Installation and Extended SSL Support (from Release Notes for WSM 11.1)

 When installing Management Server 11.1, the default installation mode is to install with SSL option.

 With this option selected, Management Server is only accessible via HTTPS; there is no automatic fallback to HTTP anymore. For installation with SSL, HTTPS support must be prepared in IIS. If SSL is not available, an error message will occur.

 If Management Server should run with HTTP, the option Use secure connection in the configuration utility should be cleared.

Tim D

Dec 24, 2013, 8:44:33 AM
to reddot-c...@googlegroups.com
Kelly,

Switching out of SSL/HTTPS opens up possible exploits. It is an OWASP security standards recommendation to stay in TLS/SSL. https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages

Engineering will try to conform to OWASP guidelines and the recent 11.1 HF4 should have brought the product in line at least around the top exploits. I'd recommend using this and looking at SSL offloading or acceleration if performance is a concern.

If you want the classic setup, leave off the SSL option on install. You may be able to get the login over SSL; worst case is editing some ASP pages to force it to SSL (this would potentially break on any future patches/upgrades).

Best,
Tim
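
Added example, not part of Tim's post or of the product: a small Python audit of a recorded login flow that flags the pattern discussed in this thread (HTTPS login followed by a return to HTTP) and session cookies set without the `Secure` attribute. The host name, paths and cookie name are constructed placeholders, and each hop is assumed to be a `(request URL, response headers)` pair captured from a proxy or browser trace.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample (hypothetical host and paths): the flow from the thread,
# HTTP start -> HTTPS login -> back to HTTP after authentication.
MIXED_FLOW = [
    ("http://cms.example.test/cms/", [("Location", "https://cms.example.test/cms/login.asp")]),
    ("https://cms.example.test/cms/login.asp", [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
        ("Location", "http://cms.example.test/cms/home.asp"),
    ]),
    ("http://cms.example.test/cms/home.asp", []),
]

# Constructed sample: the same login with the whole session kept on HTTPS.
HTTPS_ONLY_FLOW = [
    ("http://cms.example.test/cms/", [("Location", "https://cms.example.test/cms/login.asp")]),
    ("https://cms.example.test/cms/login.asp", [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
        ("Location", "/cms/home.asp"),
    ]),
    ("https://cms.example.test/cms/home.asp", []),
]

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def audit_flow(hops):
    """Return (code, url, detail) findings for a list of (url, headers) hops."""
    findings, seen_tls = [], False
    for url, headers in hops:
        is_tls = urlsplit(url).scheme == "https"
        if seen_tls and not is_tls:
            findings.append(("cleartext-after-tls", url, "HTTP request after an HTTPS hop"))
        seen_tls = seen_tls or is_tls
        for name, value in headers:
            key = name.lower()
            if key == "location" and is_tls:
                target = urljoin(url, value)  # resolves relative redirects too
                if urlsplit(target).scheme == "http":
                    findings.append(("downgrade-redirect", url, target))
            elif key == "set-cookie":
                cname, attrs = cookie_attrs(value)
                if "secure" not in attrs:
                    findings.append(("cookie-no-secure", url, cname))
    return findings
```

`audit_flow(MIXED_FLOW)` reports the cookie without `Secure`, the HTTPS-to-HTTP redirect and the cleartext request that follows; `audit_flow(HTTPS_ONLY_FLOW)` reports nothing.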

Kelly Burns

Dec 24, 2013, 1:16:17 PM
to reddot-c...@googlegroups.com
Thank you so much Tim!!

Happy Holidays!
Kelly

 
Kelly Burns
329 N. Humphrey | Oak Park, IL | 60302
Mobile:  (312) 909-0925
Skype:   kellyburns2005
Email:   kellybu...@gmail.com



Richard Hauer

Dec 24, 2013, 4:06:51 PM
to reddot-c...@googlegroups.com
My 2c, not sure if everyone agrees but can't help going on a rant for a minute:

<rant>
Security exploits on internal-only websites are completely irrelevant, and SSL introduces an unnecessary processing overhead on your server.

Unless your CMS is public-facing (and it most certainly should not be) SSL is moot, even for the login screen (you should be using integrated login anyway).

If you have external parties that need access to the CMS they should be using a VPN tunnel to do so.
</rant>

Sorry.

Merry Christmas.
