Thank you so much Tim!!

Happy Holidays!
Kelly


*Kelly Burns*
*329 N. Humphrey | Oak Park, IL | 60302*

*Mobile: (312) 909-0925*
*Skype: kellyburns2005*
*Email: kellyburns2...@gmail.com*


On Tue, Dec 24, 2013 at 7:44 AM, Tim D <timothy.j.da...@gmail.com> wrote:

> Kelly,
>
> Switching out of SSL/HTTPS opens up possible exploits. It is an OWASP
> security standards recommendation to stay in TLS/SSL.
> https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages
>
> Engineering will try to conform to OWASP guidelines and the recent 11.1
> HF4 should have brought the product in line at least around the top
> exploits. I'd recommend using this and looking at SSL offloading or
> acceleration if performance is a concern.
>
> If you want the classic setup, leave off the SSL option on install. You may
> be able to get the login over SSL; worst case is editing some ASP pages to
> force it to SSL (this would potentially break on any future
> patches/upgrades).
>
> Best,
> Tim
>
>
> On Friday, December 20, 2013 3:22:13 PM UTC-5, Kelly wrote:
>>
>> We found this in Release Notes for 11.1: *"there is no automatic fallback
>> to HTTP anymore."*  Has anyone found a workaround or hot fix for this?
>>
>> We are currently in 10.1 planning our 11.1 upgrade.  Users start their
>> session in HTTP mode, login page then reloads in HTTPS mode, user logs in
>> securely using 443/TCP -- but after login, user is returned to HTTP mode.
>>  Below is the paragraph from Release Notes re: new SSL for 11.1.
>>
>> Thanks!!
>>
>> Kelly
>>
>>
>> *Secure Installation and Extended SSL Support (from Release Notes for WSM
>> 11.1)*
>>
>>  When installing Management Server 11.1, the default installation mode is
>> to install with SSL option.
>>
>>  With this option selected, Management Server is only accessible via
>> HTTPS; there is no automatic fallback to HTTP anymore. For installation with
>> SSL, HTTPS support must be prepared in IIS. If SSL is not available, an
>> error message will occur.
>>
>>  If Management Server should run with HTTP, the option *Use secure
>> connection* in the configuration utility should be cleared.
>>
>>  --
> You received this message because you are subscribed to a topic in the
> Google Groups "RedDot CMS Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/reddot-cms-users/4bCp-lI4xM8/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> reddot-cms-users+unsubscr...@googlegroups.com.
> To post to this group, send email to reddot-cms-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/reddot-cms-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
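
Added example, not part of the original thread and not RedDot/WSM code: a small audit of a recorded navigation that flags the pattern discussed above, where the login happens over HTTPS and later requests go back to HTTP. The host, paths and cookie name are constructed placeholders, and the sketch assumes every cookie set during the flow is a session cookie for the same host.

```python
from urllib.parse import urlsplit

# Constructed sample flows; host, paths and cookie name are placeholders.
MIXED_FLOW = [
    ("GET", "http://cms.example.test/", []),
    ("GET", "https://cms.example.test/login", []),
    ("POST", "https://cms.example.test/login", ["SID=abc123; Path=/; HttpOnly"]),
    ("GET", "http://cms.example.test/home", []),
]
HTTPS_ONLY_FLOW = [
    ("GET", "https://cms.example.test/login", []),
    ("POST", "https://cms.example.test/login",
     ["SID=abc123; Path=/; HttpOnly; Secure"]),
    ("GET", "https://cms.example.test/home", []),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {part.split("=", 1)[0].lower() for part in rest if part}
    return first.split("=", 1)[0], attrs


def audit(flow):
    """Return (step index, finding, detail) tuples for a recorded flow."""
    findings = []
    cookies = {}  # cookie name -> True if it was set with the Secure attribute
    for index, (method, url, set_cookies) in enumerate(flow):
        if urlsplit(url).scheme == "http" and cookies:
            # A cleartext request made after a session cookie was issued.
            findings.append((index, "http-after-login", url))
            for name, secure in cookies.items():
                if not secure:
                    # The browser attaches this cookie to the cleartext request.
                    findings.append((index, "cookie-sent-in-clear", name))
        for value in set_cookies:
            name, attrs = parse_set_cookie(value)
            cookies[name] = "secure" in attrs
            if "secure" not in attrs:
                findings.append((index, "cookie-missing-secure", name))
    return findings


if __name__ == "__main__":
    for finding in audit(MIXED_FLOW):
        print(finding)
```
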
