Forums not redirecting to HTTPS

halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Forums not redirecting to HTTPS

Post by halfgaar »

I don't quite know where to post this, but the forums are not redirecting to HTTPS:
ZimbraForumScreenshot.png

Code:

$ curl --head http://forums.zimbra.org
HTTP/1.1 200 OK
Cache-Control: private, no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Apr 2021 11:39:42 GMT
Expires: Wed, 07 Apr 2021 11:39:43 GMT
Server: Apache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: keep-alive
Last edited by halfgaar on Wed Apr 07, 2021 11:40 am, edited 1 time in total.
rleiker
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City

Re: Forums not redirecting to HTTPS

Post by rleiker »

You are correct. Additionally, if someone visits http://forums.zimbra.com, the forum will display in HTTP mode, but if changing the URL to https://forums.zimbra.com, a visitor's browser will display a mismatched SSL certificate warning, since the wildcard certificate presented is for *.zimbra.org.

I have opened a support case with Zimbra to try and bring some attention to these two misconfigurations. It is a trivial configuration correction that is needed in the web server hosting the Forum to fix both the issue you pointed out, in addition to the needed forums.zimbra.com to forums.zimbra.org redirect. Without the redirect from HTTP to HTTPS mode, it can easily expose users' Forum logins to eavesdroppers.
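An added example, not part of either post: a small Python check for the two misconfigurations described above. It classifies a `curl --head` response by whether it redirects to HTTPS, and tests whether a hostname is covered by a certificate name such as `*.zimbra.org`. The function names and the 301 sample are constructed for illustration; the 200 response is the one posted in this thread.

```python
from urllib.parse import urlsplit

# Response posted in this thread for http://forums.zimbra.org
PAGE_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: private, no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Server: Apache
Connection: keep-alive
"""
# Constructed sample: what a corrected server could answer on port 80
CONSTRUCTED_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://forums.zimbra.org/
"""

def parse_head(raw):
    """Parse `curl --head` output into (status code, lowercase header dict)."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_http_response(raw, requested_host):
    """Say whether a plain-HTTP response sends the client to HTTPS."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return "no-redirect"            # content served over plain HTTP
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        return "redirect-not-https"
    if target.hostname != requested_host:
        return "https-other-host"       # e.g. .com sent on to .org
    return "https-same-host"

def cert_name_matches(hostname, cert_name):
    """A wildcard is honoured only as the whole leftmost label, and it
    stands for exactly one label of the hostname."""
    host = hostname.lower().rstrip(".").split(".")
    name = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        return host[1:] == name[1:]
    return host == name

if __name__ == "__main__":
    print(classify_http_response(PAGE_RESPONSE, "forums.zimbra.org"))
    print(cert_name_matches("forums.zimbra.com", "*.zimbra.org"))
```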
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Forums not redirecting to HTTPS

Post by halfgaar »

I see the certificate is from DigiCert. Using certbot to request one at Let's Encrypt is easy and you can easily add many domains. Of course, depending on how it's hosted. It's easy when hosting oneself.