Just updating everyone that the new site is live and we have https for lucee.org as well as the cdn subdomain. A couple of the other subdomains still need to be re directed to https. We are working on that.
Regards,
Joy
Awesome, thanks for the info. FYI, some of content is hard to read because it ends up being white text on a white-ish background… 
Thanks for the feedback! I will pass that along to the person who maintains that subdomain.
Joy
New site looks good, just one little thing, is it possible to mention cfml right up front?
Both the new site and the GitHub repo intro make a bigger deal about slightly obscure Java stuff rather than lucee’s core functionality as the leading open source cfml application server/engine
Looks great!
Unfortunately, all of the crucial areas of the site for which I originally raised this issue still don’t support SSL:
download.lucee.org
release.lucee.org
Links to cdn.lucee.org from Download
(though that does now have a valid cert if you play around with it).
Example URL:
http://release.lucee.org/rest/update/provider/light/5.2.8.50?s3=false
Presuming these are the subdomains mentioned here:
A couple of the other subdomains still need to be re directed to https. We are working on that.
Any ETA on that part? That’s really all that I was hoping for. At the moment there’s almost no security when downloading Lucee releases - no checksums, and no TLS.
Thanks for your hard work on the main site! : - )
1 Like
Good point Zac. Will see if we can add/change wording on the site. I don’t have access to the GitHub area, but i’ll mention it to those that do in case they miss this conversation.
Ah fantastic progress all, thanks kindly!
If we can just get releases.lucee.org behind SSL too we’ll be in a wonderful position.
‘releases’ was nothing more than a redirect, so guessing that’s going to change to the fixed URL before it gets treated to SSL
I was wrong about this. ‘releases’ serves a REST interface. Thanks Brad for letting me know! =)
1 Like
$ curl https://release.lucee.org/ -v
* Trying 205.210.189.210...
* TCP_NODELAY set
* Connected to release.lucee.org (205.210.189.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
The “updates” URL also functions with SSL but is using the SSL from “downloads”.
Looks like it responds on HTTP and HTTPS.
Is the problem that Lucee itself is downloading updates via HTTP and would need to be updated to use HTTPS?
Is there any problems with Lucee downloading an update by following a redirect if a HTTP->HTTPS redirect was put in place? /cc @micstriit
1 Like