XenServer Org / XSO-624

TLS connection/cert for https://www.xenserver.org fails, issued wrongly for *.cloudaccess.net.

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.1
    • Fix Version/s: 7.1
    • Component/s: other
    • Environment: Website

    Description

      The TLS / SSL cert for the website fails, as it has been issued for *.cloudaccess.net, and not for xenserver.org, when accessing https://xenserver.org or https://www.xenserver.org.

      If you click through and accept the certificate anyway, you get an error from it sending you to the wrong server. This is really bad for being the official website for a major hypervisor, as it means we have no way of knowing whether we've downloaded an authentic and unmodified copy of the software.

      The site that links to the ISO should have TLS as otherwise it could be MitM'd to point to another ISO. Secondly, the download link to the ISO (http://downloadns.citrix.com.edgesuite.net/11616/XenServer-7.0.0-main.iso) rejects TLS connections, as the certificate is for Akamai, not for the very misleading URL downloadns.citrix.com.edgesuite.net. There is no indication in my mind that edgesuite.net is even a legitimate website, as there's nothing there at the domain/URL apart from an error!

      It's really easy to get a valid, free certificate from somewhere such as Let's Encrypt ( https://letsencrypt.org/ ).

      I think it is really important that all connections to this site use a valid TLS certificate, and use TLS 1.2 by default.
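The failure the report describes is the hostname check every browser performs: the server's certificate is chain-valid but names only *.cloudaccess.net, so it cannot vouch for www.xenserver.org. The script below is an added example (not part of the bug report or of the XenServer project) that reproduces that check with Python's standard-library ssl module. The offline part matches a hostname against the certificate's subjectAltName entries under the RFC 6125 wildcard rules; the networked part (`inspect_server`) fetches a live certificate with chain verification kept on but hostname verification deliberately off, so a certificate issued for the wrong name is returned for inspection instead of raising immediately, and also reports the negotiated TLS version. `SAMPLE_CERT` is a constructed dictionary in the shape `getpeercert()` returns, modelled on the wildcard name quoted in the report; all function names are this example's own.

```python
"""Does the server's TLS certificate actually cover the hostname we asked
for, and which protocol version did we negotiate?

Added example, not code from the original bug report or the XenServer
project. SAMPLE_CERT is constructed for illustration in the format
returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match of one DNS name pattern against a hostname.

    Rules applied (the ones browsers and OpenSSL enforce):
    - comparison is case-insensitive;
    - a wildcard is honoured only as the whole leftmost label ("*.example.net");
    - "*" matches exactly one label, so "*.cloudaccess.net" covers neither
      "cloudaccess.net" nor "a.b.cloudaccess.net";
    - a wildcard pattern needs at least three labels, so "*.net" is rejected.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels) or "" in host_labels:
        return False
    if pat_labels[0] == "*":
        if len(pat_labels) < 3:
            return False
        return host_labels[1:] == pat_labels[1:]
    if any("*" in label for label in pat_labels):
        return False  # partial or non-leftmost wildcards are not honoured
    return host_labels == pat_labels


def cert_dns_names(cert: dict) -> list:
    """DNS names a getpeercert()-style dict vouches for.

    Only subjectAltName DNS entries count; the subject commonName is used
    solely as a fallback when the certificate has no SAN at all, which is
    what RFC 6125 section 6.4.4 and current browsers do.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def check_cert_names(hostname: str, cert: dict):
    """Return (covered, names_in_cert) for the given hostname."""
    names = cert_dns_names(cert)
    return any(hostname_matches(hostname, name) for name in names), names


# Constructed sample, modelled on the report: a certificate issued for the
# hosting provider's wildcard name rather than for xenserver.org.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.cloudaccess.net"),),),
    "subjectAltName": (("DNS", "*.cloudaccess.net"), ("DNS", "cloudaccess.net")),
}


def inspect_server(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect, validate the chain but NOT the hostname, and report which names
    the certificate covers and which TLS version was negotiated.

    check_hostname is disabled on purpose so a chain-valid certificate for the
    wrong name is still returned for inspection; an untrusted chain still
    raises ssl.SSLCertVerificationError. TLS 1.2 is the floor, as the report asks.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            covered, names = check_cert_names(hostname, tls.getpeercert())
            return {"hostname": hostname, "covered": covered,
                    "names": names, "version": tls.version()}


if __name__ == "__main__":
    covered, names = check_cert_names("www.xenserver.org", SAMPLE_CERT)
    print("offline check: covered =", covered, "; certificate names =", names)
    # Live check, network required:
    # print(inspect_server("www.xenserver.org"))
```

Run offline it reports that the sample certificate does not cover www.xenserver.org and lists the names it does cover; uncomment the `inspect_server` call to run the same check against a live host. Keeping chain verification on while switching off only the hostname check is what distinguishes "valid certificate, wrong site" (this report) from "untrusted certificate", which are different problems with different fixes.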


    People

    • Assignee: Andy Melmed (andym)
    • Reporter: Martin Dehnel-Wild (mpdehnel)
    • Votes: 0
    • Watchers: 4


    Time Tracking

    • Original Estimate: Not Specified
    • Remaining Estimate: 0m
    • Time Spent: 1w