Thread: zmtlsctl "redirect" mode still allowing non-SSL

  1. #1

    zmtlsctl "redirect" mode still allowing non-SSL

    Some time back, I followed the wiki page "CLI zmtlsctl to set Web Server Mode" (Zimbra :: Wiki) to set my mode to "redirect". While doing some tcpdumping, I just happened to notice that this is apparently not happening in a few places, and non-SSL traffic is getting through. Specifically, if I go to:

    http://server.domain.com, I get redirected to https://server.domain.com:443/zimbra/

    However, if I hit either of these next two URLs, I don't get redirected and in fact the calendar path prompts for a username and password without SSL:

    http://server.domain.com/home/user/Calendar => password prompt
    http://server.domain.com/service/soap => the expected 405 error, but no redirection or SSL-related error

    I've even confirmed that I have the REDIRECT blocks in zimbra.web.xml and zimbraAdmin.web.xml:

    Code:
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>force https</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

    mailboxd has definitely been restarted since running zmtlsctl, so I'm not sure what is going on...

    -Mike

  2. #2

    I'm pretty sure I filed a bug on that a while back.

    I have Zimbra set to https only, with an Apache process performing the redirect. If you follow suit, note that you have to kill Apache when upgrading ZCS, otherwise the upgrade may detect a conflict on port 80 and abort. But to better handle DNS spoofing and local MITM threats, I'm negotiating with support folks to turn all such redirects off and insist that users start with https. It's the only way to be sure.

  3. #3

    Do you have a bug #? I searched bugzilla a bit but I didn't find anything...

    -Mike

  4. #4

    I can't find anything either (even by searching for my email). File a new bug.

  5. #5

    Related security issue:

    ZM_AUTH_TOKEN and JSESSIONID cookies are not restricted to secure sessions. Someone in a position to play a monkey-in-the-middle attack can steal your login.

    ZM_ADMIN_AUTH_TOKEN and ZM_TEST do get the secure flag set.

    Bug 33342 – "Secure" flag not set on cookies for https sessions
    Last edited by Rich Graves; 11-19-2008 at 01:21 PM.

  7. #7

    I'm seeing this issue again, under 6.0.6. Can anyone else test on a recent version of GnR?

    Steps:

    1. su - zimbra
    2. zmtlsctl redirect
    3. zmcontrol stop && zmcontrol start
    4. Share Calendar (viewer) to another ZCS user in your domain.
    5. Make sure they're not currently logged into ZWC with the web browser you'll be testing.
    6. Have them go to http://<servername>/home/<user@domain>/Calendar.html

    Observe that their password is sent unencrypted (at least, Safari says so), and the resulting page is http, not https.

    About the only thing that could be relevant in my setup is that we have three domains:

    zimbra.mprinc.com (the actual FQDN of the server)
    mprinc.com (virtual domain)
    connectedcalifornia.org (virtual domain)

    All three have zimbraPublicServiceProtocol https
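A way to check the two things this thread reports, added here as an example and not code from the original posts or from Zimbra: a small Python audit that takes the raw bytes of an HTTP response and reports whether a plain-http request was answered with a redirect to an https:// URL (post #1 and the reproduction steps in post #7), whether it instead prompted for credentials in the clear, and which Set-Cookie headers arrived without the Secure attribute (post #5). The sample responses are constructed to mirror what the posts describe; the hostname, realm string, token values and the exact cookie attributes are placeholders and assumptions, not captured Zimbra output. One caveat worth stating: a servlet security-constraint applies only to the webapp whose descriptor carries it, and post #1 reports checking zimbra.web.xml and zimbraAdmin.web.xml but not the descriptor of whatever webapp serves /service and /home, so that descriptor is the next place to look after running a check like this.

```python
"""Audit raw HTTP responses for the two weaknesses discussed in this thread.

Added example, not Zimbra code. Given the raw bytes of a response it reports
(a) whether a plain-http request was answered with a redirect to an https://
URL and (b) which cookies were set without the Secure attribute. The samples
at the bottom are constructed; host, realm and token values are placeholders.
"""
import socket

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...]).

    Header names are lower-cased; duplicates are kept in order because a
    login response normally carries several Set-Cookie lines.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return int(parts[1]), headers


def redirects_to_https(status, headers):
    """True only for a 3xx whose Location is an https:// URL.

    A redirect to another http:// URL, or a 2xx/4xx with no redirect at all,
    both mean the request was served in the clear.
    """
    if status not in REDIRECT_STATUSES:
        return False
    location = next((v for n, v in headers if n == "location"), "")
    return location.lower().startswith("https://")


def cookie_attributes(set_cookie_value):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers):
    """Names of cookies set without Secure, in the order the server sent them."""
    missing = []
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                missing.append(cookie)
    return missing


def prompts_for_basic_auth(status, headers):
    """True if the response is a 401 asking for HTTP Basic credentials."""
    return status == 401 and any(
        n == "www-authenticate" and v.lower().startswith("basic") for n, v in headers
    )


def audit_response(path, raw):
    """Classify one response; returns a dict a report or a test can read."""
    status, headers = parse_response(raw)
    return {
        "path": path,
        "status": status,
        "redirects_to_https": redirects_to_https(status, headers),
        "prompts_for_basic_auth": prompts_for_basic_auth(status, headers),
        "cookies_missing_secure": cookies_missing_secure(headers),
    }


def fetch_plain_http(host, path, port=80, timeout=5.0):
    """Fetch one path over plain http with a raw socket; returns the bytes.

    Not used by the samples; point it at your own server. HTTP/1.0 plus
    Connection: close keeps the whole response a single read-until-EOF.
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed plain-http responses modelled on post #1: / is redirected,
# /home/... prompts for a password in the clear, /service/soap just 405s.
PLAIN_HTTP_SAMPLES = {
    "/": (b"HTTP/1.1 302 Found\r\n"
          b"Location: https://server.domain.com:443/zimbra/\r\n"
          b"Content-Length: 0\r\n\r\n"),
    "/home/user/Calendar": (b"HTTP/1.1 401 Unauthorized\r\n"
                            b'WWW-Authenticate: Basic realm="placeholder"\r\n'
                            b"Content-Length: 0\r\n\r\n"),
    "/service/soap": b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n",
}

# Constructed https login response modelled on post #5: the user and session
# cookies lack Secure, the admin token has it. Token values are placeholders.
HTTPS_LOGIN_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: ZM_AUTH_TOKEN=placeholder; Path=/; HttpOnly\r\n"
    b"Set-Cookie: JSESSIONID=placeholder; Path=/zimbra\r\n"
    b"Set-Cookie: ZM_ADMIN_AUTH_TOKEN=placeholder; Path=/; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def run_audit(plain=PLAIN_HTTP_SAMPLES, https_login=HTTPS_LOGIN_SAMPLE):
    """Returns (paths served in the clear, cookies set over https without Secure)."""
    in_clear = [p for p, raw in plain.items()
                if not audit_response(p, raw)["redirects_to_https"]]
    insecure = cookies_missing_secure(parse_response(https_login)[1])
    return in_clear, insecure


if __name__ == "__main__":
    in_clear, insecure = run_audit()
    print("paths answered without an https redirect:", in_clear)
    print("cookies set over https without Secure:  ", insecure)
```

Against a live server, replace the samples with `fetch_plain_http("server.domain.com", path)` for each path in the thread and, once you have a session, with the headers of the https login response. A 3xx whose Location is still http://, or a 2xx/401 with no redirect at all, is exactly the failure posts #1 and #7 describe; any ZM_AUTH_TOKEN or JSESSIONID in the second list is the cookie problem from post #5.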
