  1. XenServer Org
  2. XSO-624

TLS connection/cert for https://www.xenserver.org fails, issued wrongly for *.cloudaccess.net.

Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Done
    • 7.1
    • 7.1
    • other
    • Website

    Description

      The TLS / SSL cert for the website fails, as it has been issued for *.cloudaccess.net, and not for xenserver.org, when accessing https://xenserver.org or https://www.xenserver.org.

      If you click through and accept the certificate anyway, you get an error from it sending you to the wrong server. This is really bad for being the official website for a major hypervisor, as it means we have no way of knowing whether we've downloaded an authentic and unmodified copy of the software.

      The site that links to the ISO should have TLS as otherwise it could be MitM'd to point to another ISO. Secondly, the download link to the ISO (http://downloadns.citrix.com.edgesuite.net/11616/XenServer-7.0.0-main.iso) rejects TLS connections, as the certificate is for Akamai, not for the very misleading URL downloadns.citrix.com.edgesuite.net. There is no indication in my mind that edgesuite.net is even a legitimate website, as there's nothing there at the domain/URL apart from an error!

      It's really easy to get a valid, free certificate from somewhere such as Let's Encrypt (https://letsencrypt.org/).

      I think it is really important that all connections to this site use a valid TLS certificate, and use TLS 1.2 by default.

          People

            Andym Andy Melmed
            mpdehnel Martin Dehnel-Wild
            Votes: 0
            Watchers: 4

              Time Tracking

                Estimated: Not Specified
                Remaining: 0 minutes
                Logged: 1 week
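
The mismatch described in this report can be reproduced offline with a simplified, RFC 6125-style name check, and a live endpoint can be re-tested with full verification and a TLS 1.2 floor. This is an added example, not code from the issue or from the XenServer project; the function names and the one-entry SAN list (built only from the name quoted in the report) are assumptions.

```python
import socket
import ssl


def san_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125-style match of one dNSName entry against a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one non-empty label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice: refuse over-broad patterns such as "*.net".
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def tls_check(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with chain and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"ok": True, "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed sample: only the certificate name quoted in the report.
REPORTED_SANS = ["*.cloudaccess.net"]

if __name__ == "__main__":
    for host in ("xenserver.org", "www.xenserver.org"):
        print(host, "covered by reported cert:", cert_covers(REPORTED_SANS, host))
        print(host, "live check:", tls_check(host))  # needs network access
```

The offline check shows neither hostname is covered by the reported wildcard; `tls_check` reports whatever the server presents at the time it is run.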