Lucee.org and HTTPS/TLS

Just updating everyone that the new site is live and we have https for lucee.org as well as the cdn subdomain. A couple of the other subdomains still need to be redirected to https. We are working on that.

Regards,
Joy

Awesome, thanks for the info. FYI, some of the content is hard to read because it ends up being white text on a white-ish background… :slight_smile:

Thanks for the feedback! I will pass that along to the person who maintains that subdomain.

Joy

New site looks good, just one little thing, is it possible to mention CFML right up front?

Both the new site and the GitHub repo intro make a bigger deal about slightly obscure Java stuff rather than Lucee’s core functionality as the leading open source CFML application server/engine.

Looks great!

Unfortunately, all of the crucial areas of the site for which I originally raised this issue still don’t support SSL:

download.lucee.org
release.lucee.org 
Links to cdn.lucee.org from Download
(though that does now have a valid cert if you play around with it).

Example URL:
http://release.lucee.org/rest/update/provider/light/5.2.8.50?s3=false

Presuming these are the subdomains mentioned here:

A couple of the other subdomains still need to be redirected to https. We are working on that.

Any ETA on that part? That’s really all that I was hoping for. At the moment there’s almost no security when downloading Lucee releases - no checksums, and no TLS.

Thanks for your hard work on the main site! : - )

Good point Zac. Will see if we can add/change wording on the site. I don’t have access to the GitHub area, but I’ll mention it to those that do in case they miss this conversation.

It’s wonderful to finally see an s in this url https://download.lucee.org/

Ah fantastic progress all, thanks kindly!

If we can just get releases.lucee.org behind SSL too we’ll be in a wonderful position.

‘releases’ was nothing more than a redirect, so guessing that’s going to change to the fixed URL before it gets treated to SSL

I was wrong about this. ‘releases’ serves a REST interface. Thanks Brad for letting me know! =)

release.lucee.org and updates.lucee.org are still being served over http :frowning:

$ curl https://release.lucee.org/ -v
*   Trying 205.210.189.210...
* TCP_NODELAY set
* Connected to release.lucee.org (205.210.189.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

The “updates” URL also functions with SSL but is using the SSL from “downloads”.

Looks like it responds on HTTP and HTTPS.

Is the problem that Lucee itself is downloading updates via HTTP and would need to be updated to use HTTPS?

Are there any problems with Lucee downloading an update by following a redirect if an HTTP->HTTPS redirect was put in place? /cc @micstriit

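On the redirect question above, an added example (not part of any post in this thread and not Lucee's own update code) of an update client that starts on HTTPS, refuses any redirect to a non-HTTPS target, and audits a recorded redirect chain. The function and class names are hypothetical, and the https:// form of the release URL is constructed from the URL quoted in the thread.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# URL quoted in the thread. Its https:// form, used by callers, is constructed for illustration.
THREAD_URL = "http://release.lucee.org/rest/update/provider/light/5.2.8.50?s3=false"


def require_https(url):
    """Return url unchanged if its scheme is https, otherwise raise ValueError."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing cleartext URL: {url}")
    return url


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: follow a redirect only if the target is https."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme.lower() != "https":
            raise urllib.error.HTTPError(
                req.full_url, code, f"blocked redirect to {newurl}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def audit_chain(chain):
    """Return findings for a recorded redirect chain (first item = requested URL)."""
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    findings = []
    if schemes[0] != "https":
        findings.append("first request is cleartext, so the redirect can be replaced in transit")
    for i in range(1, len(schemes)):
        if schemes[i - 1] == "https" and schemes[i] != "https":
            findings.append(f"hop {i} downgrades https to {schemes[i]}")
    if schemes[-1] != "https":
        findings.append("final response is fetched over cleartext")
    return findings


def fetch_update(url, timeout=30):
    """Download url over HTTPS only; urllib verifies certificates by default."""
    opener = urllib.request.build_opener(HttpsOnlyRedirects())
    with opener.open(require_https(url), timeout=timeout) as resp:
        return resp.read()
```

`audit_chain` flags a chain that begins on http:// even when it ends on https://, because the redirect response itself travels unprotected.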