Kelly, Switching out of SSL/HTTPS opens up possible exploits. It is an OWASP security standards recommendation to stay in TLS/SSL. https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages
Engineering will try to conform to OWASP guidelines and the recent 11.1 HF4 should have brought the product in line at least around the top exploits. I'd recommend using this and looking at SSL offloading or acceleration if performance is a concern. If you wan the classic setup leave off the SSL option on install. You may be able to get the login over SSL worst case is editing some ASP pages to force it to SSL(this would potentially break on any future patches/upgrades). Best, Tim On Friday, December 20, 2013 3:22:13 PM UTC-5, Kelly wrote: > > We found this in Release Notes for 11.1: *"t* > *here is no automatic fallback to HTTP anymore."* Has anyone found a > workaround or hot fix for this? > > We are currently in 10.1 planning our 11.1 upgrade. Users start their > session in HTTP mode, login page then reloads in HTTPS mode, user logs in > securely using 443/TCP -- but after login, user is returned to HTTP mode. > Below is the paragraph from Release Notes re: new SSL for 11.1. > > Thanks!! > > Kelly > > > *Secure Installation and Extended SSL Support (from Release Notes for WSM > 11.1)* > > When installing Management Server 11.1, the default installation mode is > to install with SSL option. > > With this option selected, Management Server is only accessible via HTTPS > ; there is no automatic fallback to HTTP anymore. For installation with SS > L, HTTPS support must be prepared in IIS. If SSL is not available, an erro > r message will occur. > > If Management Server should run with HTTP, the option *U**se secure > connection *in the configuration utility should be cleared. > > -- You received this message because you are subscribed to the Google Groups "RedDot CMS Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/reddot-cms-users. For more options, visit https://groups.google.com/groups/opt_out.
