[xwiki-users] HTTPS: No ciphers offered?

2017-03-20 Thread Douglas Landau
Greets,

I've enabled HTTPS on my XWiki.  But when I surf there, I get a failure with no 
explanation from Chrome, and this from IE:
--
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
to https://pwswiki10.westmarine.net  again. If this error persists, it is 
possible that this site uses an unsupported protocol or cipher suite such as 
RC4 (link for the details), which is not considered secure. Please contact your 
site administrator.
--

When I hit the site with this nmap command to enumerate the available ciphers, 
I get none.
# nmap --script ssl-enum-ciphers -p 443 pwswiki10


I googled it, and it looks like there was once some text about this problem on 
the XWiki site, something about re-enabling TLS, but when I click the link I 
land on the administration manual's Configuration page, which has a lot of good 
stuff but not the bit about re-enabling TLS.

I found the "ExcludeCipherSuites" section in jetty-ssl.xml, and tried 
commenting it out, but still get no ciphers. 
I tried adding the following section, but still get no ciphers:



  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_RSA_WITH_AES_256_GCM_SHA384

  
--

Seems like maybe I need to find the equivalent of this line from httpd.conf:
SSLProtocol -ALL +TLSv1.1 +TLSv1.2

I am searching the archives.  Meanwhile can anyone point me to what I am doing 
wrong, or to an example of how that IncludeCipherSuites block should be?


Thanks
Doug
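
The general shape of the protocol and cipher-suite settings the post asks about, for a Jetty 9 style jetty-ssl.xml. This is an added example, not taken from the original post or from the XWiki distribution. It assumes the elements are placed inside the existing SslContextFactory definition in that file; the three suites are picked from the list in the post, and the exclude patterns are illustrative.

```xml
<!-- Added example: place inside the SslContextFactory element of
     jetty-ssl.xml (placement is an assumption; check the file that
     ships with your Jetty version). -->

<!-- Protocol selection: the counterpart of httpd's
     "SSLProtocol -ALL +TLSv1.1 +TLSv1.2". -->
<Set name="IncludeProtocols">
  <Array type="String">
    <Item>TLSv1.1</Item>
    <Item>TLSv1.2</Item>
  </Array>
</Set>

<!-- Cipher suites to offer: one Item per suite, JSSE names, each
     listed once. All three are TLS_RSA_* suites, so the keystore
     must hold an RSA private key and certificate. -->
<Set name="IncludeCipherSuites">
  <Array type="String">
    <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
  </Array>
</Set>

<!-- Excludes take precedence over includes: a suite matched here is
     dropped even if it also appears in IncludeCipherSuites. Entries
     may be exact names or regular expressions. -->
<Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>.*_RC4_.*</Item>
    <Item>.*_NULL_.*</Item>
  </Array>
</Set>
```

A suite is only offered if the JVM also supports it and the keystore holds a key of the type the suite needs, so the nmap ssl-enum-ciphers output after a restart is the check that the resulting set is not empty.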




[xwiki-users] https and iframe

2017-02-21 Thread aleksey-s
Hi!

We want to use xwiki (7.4.5) in an iframe on an external site (https), but if I
open the page with the iframe then the browser shows the following error:

Mixed Content: The page at 'https://mysite/material/1' was loaded over
HTTPS, but requested an insecure resource
'http://xwiki-test/xwiki/bin/login/XWiki/XWikiLogin?srid=GQvB3gT7=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DGQvB3gT7'.
This request has been blocked; the content must be served over HTTPS.

My xwiki works over https (if I go directly to https://xwiki-test/ then
xwiki redirects me to the login page over https).

In xwiki.cfg:

xwiki.url.protocol=https

On this page /xwiki/bin/view/XWiki/XWikiServerXwiki :

SECURE (SSL): 1

Iframe code:

https://xwiki-test/xwiki/bin/view/Main/; >
 

Why does xwiki use an http redirect?





Re: [xwiki-users] https and iframe

2017-02-21 Thread Vincent Massol

> On 21 Feb 2017, at 16:30, aleksey-s  wrote:
> 
> Hi!
> 
> We want to use xwiki (7.4.5) in iframe on external site (https), but if I
> open page with iframe then  browser show next error:
> 
> Mixed Content: The page at 'https://mysite/material/1' was loaded over
> HTTPS, but requested an insecure resource
> 'http://xwiki-test/xwiki/bin/login/XWiki/XWikiLogin?srid=GQvB3gT7=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DGQvB3gT7'.
> This request has been blocked; the content must be served over HTTPS.

This looks wrong (it could be a bug fixed since 7.4.x is quite old now) since 
it should use HTTPS and not HTTP.

Could you reproduce on a recent XWiki version?

> My xwiki works over https (if I go directly to https://xwiki-test/ then
> after xwiki redirect me to login page over https) . 
> 
> In xwiki.cfg:
> 
> xwiki.url.protocol=https
> 
> On this page /xwiki/bin/view/XWiki/XWikiServerXwiki :
> 
> SECURE (SSL): 1
> 
> Iframe code:
> 
> https://xwiki-test/xwiki/bin/view/Main/; >
> 
> 
> Why xwiki uses http redirect ?  

When you request a protected page of the wiki and you’re not logged in then 
xwiki will ask you to log in and then redirect it to the page you were 
accessing initially.

Thanks
-Vincent




Re: [xwiki-users] https issue with XWiki and installing extensions

2017-01-11 Thread Ludovic Dubost
Hi Craig,

This looks like a possible bug, so reporting it on jira.xwiki.org might be
a good idea

You could try a workaround using xwiki.url.protocol=https in xwiki.cfg

Ludovic


On 12 Jan 2017 08:46, "Craig Wright" wrote:

> Howdy,
>
> Whenever I try to install extensions I get the following error in my
> Chrome Javascript Console:
>
> 
> Mixed Content: The page at 'https://[REDACTED]/xwiki/bin/distribution/XWiki/Distribution?xredirect=%2Fxwiki%2Fbin%2Fview%2FXWiki%2Fcrw#Attachments'
> was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
> 'http://[REDACTED]/xwiki/bin/distribution/XWiki/Distribution?extensio…n%2FXWiki%2FDistribution%3Fxredirect%3D%2Fxwiki%2Fbin%2Fview%2FXWiki%2Fcrw'.
> This request has been blocked; the content must be served over HTTPS.
> ——
>
> Does anyone know what is going on? I thought I had setup the wiki to be
> https-only, is this a bug on my config or in the code? This is now
> happening on the 8.4.4 upgrade, and I am scared this is going to have
> negative repercussions down the line.
>
> Thanks,
> Craig


Re: [xwiki-users] https

2010-03-31 Thread Caleb James DeLisle
I think you can check to see if the connection is https using the
HttpServletRequest ($request) in velocity then send a redirect or simply
refuse to display the page.

Caleb

stefan bachert wrote:
> Hi,
>
> My wiki has public and protected pages.
> The public pages may be accessed with http.
> However, logon and protected pages should be accessed with https only.
>
> Is there a way to configure xwiki this way?
> Or do I have to run xwiki totally under https?
>
> Stefan Bachert
 
 
 

___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users


Re: [xwiki-users] https

2010-03-31 Thread 2smart4u
Hi Stefan,

IMHO that's nothing to be configured within XWiki but within the
deployment-descriptor (web.xml) within your servlet-container.

Example (snippet):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Cheers

Gregor
-- 
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi