
Bug #7647 (closed): Hunter ACERT site has SSL error

Added by Raffi Khatchadourian about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version:
Start date: 2017-02-08
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

When I click "site" from https://commons.gc.cuny.edu/groups/acert/ (which brings me to https://acert.commons.gc.cuny.edu/), I get a warning that "Your connection is not private."

REGRESSION: http://acert.hunter.cuny.edu does not have this problem (probably because no certificate is involved).

DETAILS: Your connection is not private

Attackers might be trying to steal your information from acert.hunter.cuny.edu (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

#1 - Updated by Boone Gorges about 7 years ago

  • Status changed from New to Reporter Feedback
  • Target version set to 1.10.10

Hi Raffi - Thanks for the report.

The issue is with the mapped domain redirect. Mapped domains are stored schemeless in the database (acert.hunter.cuny.edu rather than http://acert.hunter.cuny.edu). Our domain mapping plugin assumes that if you're currently on an HTTPS page, you'll also want to redirect to one - irrespective of whether the mapped domain supports SSL certificates.

In an ideal world, the domain mapping plugin would allow you to specify the scheme of the redirect. This way, we could distinguish at the admin level between mapped domains that support SSL and those that don't. This kind of refactor is beyond what we can do at the moment. So, as a stopgap, I've patched the plugin so that mapped domains are always supposed to have http:// URLs. Those that do support HTTPS will likely perform the necessary redirects themselves once the request hits the webserver.

This change is in place on the production server. Raffi, can you confirm that redirects are now working properly?

For internal reference: https://github.com/cuny-academic-commons/cac/commit/5c2fa3b729d891b435019fe470efd9ed07bdfe7f I'll block wordpress-mu-domain-mapping from auto-updates in the future (though it's not ever updated anyway).
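The scheme-selection logic Boone describes above, and the certificate check behind the NET::ERR_CERT_COMMON_NAME_INVALID warning in the report, as an added example that is not code from the wordpress-mu-domain-mapping plugin or the CAC project. The three redirect policies (inherit the request scheme, always http://, and a per-domain decision) are written as standalone Python functions with names of my own choosing; the capability table is constructed for illustration, and `domain_supports_tls` is the generic check (full chain plus hostname verification, which is what the browser performs) that such a per-domain setting could be fed from.

```python
"""Added example (not the plugin's or the project's code): the three ways of
choosing a scheme for a mapped-domain redirect discussed in this ticket, plus
the hostname check a browser performs before it shows
NET::ERR_CERT_COMMON_NAME_INVALID."""
import socket
import ssl
from typing import Callable


def domain_supports_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True only if a TLS handshake with full chain *and* hostname verification
    succeeds. A certificate whose CN/SAN does not cover `host` fails here with
    ssl.SSLCertVerificationError, the same condition Chrome reports as
    NET::ERR_CERT_COMMON_NAME_INVALID. Any network or TLS failure counts as
    'no', so a redirect policy built on this errs towards plain http."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def redirect_url_original(mapped_domain: str, request_is_ssl: bool, path: str = "/") -> str:
    """Behaviour reported in the thread: inherit the scheme of the current
    request. With request_is_ssl=True the browser is sent to https:// on the
    mapped domain even when that host has no certificate for its name."""
    scheme = "https" if request_is_ssl else "http"
    return f"{scheme}://{mapped_domain}{path}"


def redirect_url_stopgap(mapped_domain: str, request_is_ssl: bool, path: str = "/") -> str:
    """Stopgap described in comment #1: always redirect to http://; hosts that
    do support HTTPS upgrade the request themselves once it arrives."""
    return f"http://{mapped_domain}{path}"


def redirect_url_per_domain(
    mapped_domain: str,
    supports_tls: Callable[[str], bool],
    path: str = "/",
) -> str:
    """The 'ideal world' variant from comment #1: the scheme is a per-domain
    fact supplied by `supports_tls` (an admin setting, or a cached result of
    domain_supports_tls), not a property of the page issuing the redirect."""
    scheme = "https" if supports_tls(mapped_domain) else "http"
    return f"{scheme}://{mapped_domain}{path}"


# Constructed capability table standing in for the admin-level setting the
# thread wishes for; the values are illustrative, not measurements.
CONSTRUCTED_TLS_CAPABILITY = {
    "acert.hunter.cuny.edu": False,   # the case in this ticket
    "example-with-tls.test": True,    # hypothetical mapped domain with a valid cert
}


def redirect_for_ticket_case() -> dict:
    """Runs all three policies on the ticket's own case: an HTTPS page on the
    Commons redirecting to a mapped domain without a matching certificate."""
    host = "acert.hunter.cuny.edu"
    return {
        "original": redirect_url_original(host, request_is_ssl=True),
        "stopgap": redirect_url_stopgap(host, request_is_ssl=True),
        "per_domain": redirect_url_per_domain(host, CONSTRUCTED_TLS_CAPABILITY.get),
    }


if __name__ == "__main__":
    import sys

    for name, url in redirect_for_ticket_case().items():
        print(f"{name:10} -> {url}")
    # Optional live probe: python this_file.py some.mapped.domain
    if len(sys.argv) > 1:
        print(sys.argv[1], "supports verified TLS:", domain_supports_tls(sys.argv[1]))
```

The per-domain variant deliberately maps an unknown domain to http://, the same fail-safe direction as the stopgap: a wrong "https" guess produces the certificate warning in the report, while a wrong "http" guess is corrected by the destination host's own redirect.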

#2 - Updated by Raffi Khatchadourian about 7 years ago

Boone Gorges wrote:

This change is in place on the production server. Raffi, can you confirm that redirects are now working properly?

Confirmed. Thanks!

#3 - Updated by Boone Gorges about 7 years ago

  • Status changed from Reporter Feedback to Resolved

Thank you!
