SSL on tickets.opscode.com?


#1

Ohai,

It’s weird to see that tickets.opscode.com is not running on SSL.
Submitting a password over plain text seems so 2010. Are there any future
plans to move this over to SSL?

Thanks!

  • Ketan

#2

It appears to just be a misconfiguration - the server does have an SSL
certificate: https://tickets.opscode.com/login.jsp

Matt Moretti

On Mon, Sep 2, 2013 at 10:17 PM, Ketan Padegaonkar <
ketanpadegaonkar@gmail.com> wrote:

Ohai,

It’s weird to see that tickets.opscode.com is not running on SSL.
Submitting a password over plain text seems so 2010. Are there any future
plans to move this over to SSL?

Thanks!

  • Ketan

#3

What’s worse is it does support SSL, but redirects back to HTTP.

* About to connect() to tickets.opscode.com port 443 (#0)
*   Trying 184.106.28.82...
* connected
* Connected to tickets.opscode.com (184.106.28.82) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Opscode, Inc; CN=*.opscode.com
*  start date: 2013-04-12 00:00:00 GMT
*  expire date: 2014-06-16 12:00:00 GMT
*  subjectAltName: tickets.opscode.com matched
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: tickets.opscode.com
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: ngx_openresty
< Date: Tue, 03 Sep 2013 02:42:27 GMT
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< X-AREQUESTID: 162x1785459x1
< Set-Cookie: atlassian.xsrf.token=A2WE-4IXS-SD1Z-PGER|2feda24d811bcd770b5bfd628451f375ab610515|lout; Path=/
< X-AUSERNAME: anonymous
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID=04180BA21DFE150C2E15D4AB113142D8; Path=/; HttpOnly
< Location: http://tickets.opscode.com/secure/MyJiraHome.jspa

On 9/2/13 7:17 PM, Ketan Padegaonkar wrote:

Ohai,

It’s weird to see that tickets.opscode.com is not running on SSL. Submitting a
password over plain text seems so 2010. Are there any future plans to
move this over to SSL?

Thanks!

  • Ketan

#4

I can confirm this error. When I log in on tickets.opscode.com, I remain on the HTTP version of the site. Your Jira didn’t redirect me to the HTTPS site after successful login.


With best regards, Anton Baranov.

On Tuesday, September 3, 2013 at 11:43, Scott M. Likens wrote:

What’s worse is it does support SSL, but redirects back to HTTP.

* About to connect() to tickets.opscode.com port 443 (#0)
*   Trying 184.106.28.82...
* connected
* Connected to tickets.opscode.com (184.106.28.82) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Opscode, Inc; CN=*.opscode.com
*  start date: 2013-04-12 00:00:00 GMT
*  expire date: 2014-06-16 12:00:00 GMT
*  subjectAltName: tickets.opscode.com matched
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: tickets.opscode.com
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: ngx_openresty
< Date: Tue, 03 Sep 2013 02:42:27 GMT
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< X-AREQUESTID: 162x1785459x1
< Set-Cookie: atlassian.xsrf.token=A2WE-4IXS-SD1Z-PGER|2feda24d811bcd770b5bfd628451f375ab610515|lout; Path=/
< X-AUSERNAME: anonymous
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID=04180BA21DFE150C2E15D4AB113142D8; Path=/; HttpOnly
< Location: http://tickets.opscode.com/secure/MyJiraHome.jspa

On 9/2/13 7:17 PM, Ketan Padegaonkar wrote:

Ohai,

It’s weird to see that tickets.opscode.com is not running on SSL. Submitting a password over plain text seems so 2010. Are there any future plans to move this over to SSL?

Thanks!

  • Ketan
