Forums not redirecting to HTTPS

Posted: Wed Mar 31, 2021 8:55 am
by halfgaar
I don't quite know where to post this, but the forums are not redirecting to HTTPS:

$ curl --head http://forums.zimbra.org
HTTP/1.1 200 OK
Cache-Control: private, no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Apr 2021 11:39:42 GMT
Expires: Wed, 07 Apr 2021 11:39:43 GMT
Server: Apache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: keep-alive

Re: Forums not redirecting to HTTPS

Posted: Tue Apr 06, 2021 10:00 pm
by rleiker
You are correct. Additionally, if someone visits http://forums.zimbra.com, the forum will display in HTTP mode, but if changing the URL to https://forums.zimbra.com, a visitor's browser will display a mismatched SSL certificate warning, since the wildcard certificate presented is for *.zimbra.org.

I have opened a support case with Zimbra to try and bring some attention to these two misconfigurations. It is a trivial configuration correction that is needed in the web server hosting the Forum to fix both the issue you pointed out, in addition to the needed forums.zimbra.com to forums.zimbra.org redirect. Without the redirect from HTTP to HTTPS mode, it can easily expose users' Forum logins to eavesdroppers.
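
The two checks discussed in the posts above (a plain-HTTP request answered with 200 instead of a redirect, and a wildcard certificate that does not cover the requested name), as an added example that is not part of the original thread. `OBSERVED` is an abridged copy of the curl output in the first post, `EXPECTED` is a constructed response, and all function names are illustrative.

```python
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Abridged from the curl --head output quoted in the first post.
OBSERVED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: what a server that forces HTTPS would answer.
EXPECTED = """HTTP/1.1 301 Moved Permanently
Location: https://forums.zimbra.org/
"""

def parse_head(raw):
    """Split `curl --head` output into (status_code, lower-cased header dict)."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirects_to_https(raw):
    """True only if the plain-HTTP response is a redirect to an https:// URL."""
    status, headers = parse_head(raw)
    return status in REDIRECT_CODES and headers.get("location", "").lower().startswith("https://")

def name_matches(cert_name, host):
    """Certificate name check: '*' stands for exactly one leftmost label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    return c[1:] == h[1:] and c[0] in ("*", h[0])

def audit(raw, host, cert_names):
    """Return the list of findings for one hostname (empty list means OK)."""
    findings = []
    if not redirects_to_https(raw):
        findings.append(f"http://{host} does not redirect to HTTPS")
    if not any(name_matches(n, host) for n in cert_names):
        findings.append(f"certificate names {cert_names} do not cover {host}")
    return findings

if __name__ == "__main__":
    # The thread reports the same no-redirect behaviour for both hostnames.
    for host in ("forums.zimbra.org", "forums.zimbra.com"):
        print(host, audit(OBSERVED, host, ["*.zimbra.org"]))
```

Against the observed response, forums.zimbra.org yields one finding (no redirect) and forums.zimbra.com yields two (no redirect and a certificate name mismatch).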

Re: Forums not redirecting to HTTPS

Posted: Wed Apr 07, 2021 11:42 am
by halfgaar
I see the certificate is from DigiCert. Using certbot to request one at Let's Encrypt is easy and you can easily add many domains. Of course, depending on how it's hosted. It's easy when hosting oneself.