#1
Old 11-18-2008, 04:31 PM
Senior Member
 
Posts: 54
zmtlsctl "redirect" mode still allowing non-SSL

Some time back, I followed CLI zmtlsctl to set Web Server Mode - Zimbra :: Wiki to set my mode to "redirect". While doing some tcpdumping, I just happened to notice that this is apparently not happening in a few places, and non-SSL traffic is getting through. Specifically, if I go to:

http://server.domain.com, I get redirected to https://server.domain.com:443/zimbra/

However, if I hit either of these next two URLs, I don't get redirected and in fact the calendar path prompts for a username and password without SSL:

http://server.domain.com/home/user/Calendar => password prompt
http://server.domain.com/service/soap => the expected 405 error, but no redirection or SSL-related error

I've even confirmed that I have the REDIRECT blocks in zimbra.web.xml and zimbraAdmin.web.xml:

Code:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>force https</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
mailboxd has definitely been restarted since running zmtlsctl, so I'm not sure what is going on...

-Mike
#2
Old 11-18-2008, 05:14 PM
Outstanding Member

Posts: 708

I'm pretty sure I filed a bug on that a while back.

I have zimbra set to https only, with an apache process performing the redirect. If you follow suit, note that you have to kill apache when upgrading ZCS, otherwise the upgrade may detect a conflict on port 80 and abort. But to better handle dns spoofing and local mitm threats, I'm negotiating with support folks to turn all such redirects off and insist that users start with https. It's the only way to be sure.
#3
Old 11-19-2008, 10:57 AM
Senior Member

Posts: 54

Do you have a bug #? I searched bugzilla a bit but I didn't find anything...

-Mike
#4
Old 11-19-2008, 11:00 AM
Outstanding Member

Posts: 708

I can't find anything either (even by searching for my email). File a new bug.
#5
Old 11-19-2008, 11:07 AM
Outstanding Member

Posts: 708

Related security issue:

ZM_AUTH_TOKEN and JSESSIONID cookies are not restricted to secure sessions. Someone in a position to play a monkey-in-the-middle attack can steal your login.

ZM_ADMIN_AUTH_TOKEN and ZM_TEST do get the secure flag set.

Bug 33342 - "Secure" flag not set on cookies for https sessions

Last edited by Rich Graves; 11-19-2008 at 12:21 PM..
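As an added check for the exposure described in post #5 (example code written for this edit, not part of the thread and not Zimbra's code): parse the Set-Cookie headers an https response returns and report any session cookie issued without the Secure attribute, which is what lets the browser send that token over plain http. The cookie names are the ones named in the post; the header values in the block are constructed, not captured from a real server, and the `fetch_set_cookies` helper is an assumption about how one would gather them live.

```python
"""Report session cookies that are set without the Secure attribute.

A cookie without `Secure` is sent by the browser on any plain-http
request to the same host, so anyone who can watch or redirect that
traffic sees the session token.  Added example, not Zimbra code.
"""
import http.client

# Cookie names from the thread.  Which ones a given ZCS build marks
# Secure is exactly what this check is meant to find out.
SESSION_COOKIES = {"ZM_AUTH_TOKEN", "JSESSIONID", "ZM_ADMIN_AUTH_TOKEN", "ZM_TEST"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value|True}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True.  A minimal parser is used on purpose so the check does
    not depend on a library's notion of which attributes matter.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers, watch=SESSION_COOKIES):
    """Map each watched cookie name to the protective attributes it lacks.

    `secure` is the subject of the thread; `httponly` is included as the
    other attribute a session token should normally carry.
    """
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in watch:
            findings[name] = [a for a in ("secure", "httponly") if a not in attrs]
    return findings


def cookies_without_secure(set_cookie_headers, watch=SESSION_COOKIES):
    """Sorted names of watched cookies that were issued without Secure."""
    return sorted(name for name, missing in audit_cookies(set_cookie_headers, watch).items()
                  if "secure" in missing)


def fetch_set_cookies(host, path, port=443, timeout=5):
    """GET one https URL and return every Set-Cookie header it sends back."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed headers that mirror the post's description (not captured output):
# the two user-session cookies lack Secure, the admin and test cookies have it.
CONSTRUCTED_HEADERS = [
    "ZM_AUTH_TOKEN=0_constructedtokenvalue; Path=/",
    "JSESSIONID=constructedsessionid; Path=/zimbra",
    "ZM_ADMIN_AUTH_TOKEN=0_constructedadmintoken; Path=/; Secure",
    "ZM_TEST=true; Path=/; Secure",
]

if __name__ == "__main__":
    import sys
    headers = fetch_set_cookies(sys.argv[1], "/") if len(sys.argv) > 1 else CONSTRUCTED_HEADERS
    for name, missing in audit_cookies(headers).items():
        print(f"{name:22s} missing: {', '.join(missing) or 'nothing'}")
    print("no Secure flag:", cookies_without_secure(headers))
```

Run with no arguments to see the constructed case; run with a hostname to check a real login endpoint (adjust the path to the one that actually sets the cookies, which depends on your deployment). Anything `cookies_without_secure` reports is a token the browser will hand to a plain-http listener on the same host.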
#7
Old 08-04-2010, 04:26 PM
Moderator

Posts: 1,432

I'm seeing this issue again, under 6.0.6. Can anyone else test on a recent version of GnR?

Steps:

1. su - zimbra
2. zmtlsctl redirect
3. zmcontrol stop && zmcontrol start
4. Share Calendar (viewer) to another ZCS user in your domain.
5. Make sure they're not currently logged into ZWC with the web browser you'll be testing.
6. Have them go to http://<servername>/home/<user@domain>/Calendar.html

Observe that their password is sent unencrypted (at least, Safari says so), and the resulting page is http, not https.

About the only thing that could be relevant in my setup is that we have three domains:

zimbra.mprinc.com (the actual FQDN of the server)
mprinc.com (virtual domain)
connectedcalifornia.org (virtual domain)

All three have zimbraPublicServiceProtocol https
Elliot Wilen
Berkeley, CA
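One way to turn the by-hand checks in posts #1 and #7 into a repeatable one (added example for this edit, not part of the thread and not a Zimbra tool): request each path over plain http without following redirects and classify the answer. Only a 3xx whose Location is an https URL counts as the redirect that `zmtlsctl redirect` is supposed to produce; a 401 password prompt, a 405, or a 200 page means the path was served in the clear. The hostname and the response table in the block are constructed, modelled on what the posts report, and the `fetch_plain` helper is an assumption about how to gather the live responses.

```python
"""Check which paths a plain-http request is actually redirected to https for.

Added example, not Zimbra code.  Mirrors the manual test in the thread:
hit each path over http and see whether the server sends the browser to
https before serving anything, a password prompt included.
"""
import http.client
from urllib.parse import urlsplit

# Paths named in the thread: the root was seen to redirect, the others
# were served over http.  Calendar.html is the path from post #7.
DEFAULT_PATHS = ["/", "/home/user/Calendar", "/home/user/Calendar.html", "/service/soap"]

REDIRECT_HTTPS = "redirect-https"   # what zmtlsctl redirect should produce
REDIRECT_HTTP = "redirect-http"     # a redirect, but still to a plain http URL
SERVED_PLAIN = "served-plain"       # any non-redirect: content, 401, 405, ...


def classify(status, headers):
    """Classify one plain-http response by status and (case-insensitive) Location."""
    if not 300 <= status < 400:
        return SERVED_PLAIN
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    return REDIRECT_HTTPS if urlsplit(location).scheme == "https" else REDIRECT_HTTP


def fetch_plain(host, path, port=80, timeout=5):
    """One GET over http without following redirects; returns (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def audit(host, paths=DEFAULT_PATHS, fetch=fetch_plain):
    """Map each path to its verdict.  `fetch` is injectable for offline use."""
    return {path: classify(*fetch(host, path)) for path in paths}


def unprotected(results):
    """Paths whose answer was not an https redirect, i.e. served without TLS."""
    return sorted(path for path, verdict in results.items() if verdict != REDIRECT_HTTPS)


# Constructed responses modelled on the thread's observations (not captured traffic).
CONSTRUCTED_RESPONSES = {
    "/": (302, {"Location": "https://server.domain.com:443/zimbra/"}),
    "/home/user/Calendar": (401, {"WWW-Authenticate": 'Basic realm="constructed"'}),
    "/home/user/Calendar.html": (401, {"WWW-Authenticate": 'Basic realm="constructed"'}),
    "/service/soap": (405, {"Allow": "POST"}),
}


def constructed_fetch(host, path):
    """Stand-in for fetch_plain that replays the constructed table."""
    return CONSTRUCTED_RESPONSES[path]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = audit(sys.argv[1])
    else:
        results = audit("server.domain.com", fetch=constructed_fetch)
    for path, verdict in results.items():
        print(f"{path:28s} {verdict}")
    print("served without TLS:", unprotected(results))
```

Run it with your server's hostname after `zmtlsctl redirect` and a mailboxd restart; an empty `unprotected` list is the expected result. Extend `DEFAULT_PATHS` with whatever other endpoints your users reach directly (the check is per path, which is exactly why the root redirecting says nothing about `/home/...`).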