What to do with ssl="authenticated sessions" + code freeze date for Bugzilla 3.6

Gregary Hendricks ghendricks at novell.com
Wed Aug 19 21:46:49 UTC 2009


>>> On 8/19/2009 at 12:18 PM, in message <4A8C41F0.1080300 at redhat.com>,
David Lawrence <dkl at redhat.com> wrote:
> On 08/19/2009 02:02 PM, David Miller wrote:
> > David Lawrence wrote on 8/19/09 10:18 AM:
> >> On 08/18/2009 08:58 PM, Frédéric Buclin wrote:
> >>> At the Bugzilla meeting today, there has been some discussion about what
> >>> to do with the "authenticated sessions" value of the ssl parameter now
> >>> that you can log in from every page. It seems that it doesn't make sense
> >>> to keep this value anymore as all pages must be protected using SSL as
> >>> you can potentially use any of them to log in. Does anyone see a valid
> >>> reason to not kill this value? This means the ssl parameter would become
> >>> a single yes/no to use ssl or not, see bug 329638.
> >> As mentioned in the meeting, we (Red Hat) do not utilize this functionality
> >> since our multiple web servers sit behind a load balancing proxy which does
> >> the automatic redirect to SSL for all requests. So we normally keep the
> >> ssl param set to 'never' now anyway. So I vote yes for this change.
> > Same at Mozilla.  We'd always had it set to "never" with the https: in
> > the urlbase.  Looking at the config now, it looks like it's set to
> > "always" at the moment, but both urlbase and sslbase are the same.
>
> We had it mistakenly once set to ssl == 'always' and any request to the
> server got stuck in an endless looping redirect.
>

We also use a proxy that handles the SSL redirect. In our case urlbase
is set to http and the proxy handles the SSL since we don't want to
encrypt the data between the apache server and the proxy. Authentication
in our system is also handled external to Bugzilla anyway so the reasons
for using SSL are based on bug content. Since that is arbitrary, we
enforce SSL always, but again, this is all handled external to Bugzilla.
If we put https or set sslbase at all, we also see endless redirect
loops.

Greg
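The redirect loop that both replies describe (ssl set to 'always' on a Bugzilla sitting behind a TLS-terminating proxy) can be reproduced with a small model. This is an added illustration, not Bugzilla's own code or anything from the thread; the decision logic, the X-Forwarded-Proto handling and the names `trust_forwarded_proto` / `forwarded_proto` are assumptions made for the example.

```python
# Constructed model of an application's "redirect to SSL" decision behind a
# proxy. Not Bugzilla's real code; the header handling is an assumption.

MAX_HOPS = 5  # how many client round trips we follow before calling it a loop


def app_redirect(ssl_param, scheme_seen, forwarded_proto, trust_forwarded_proto):
    """Return the scheme the app redirects to, or None if it serves the page.

    ssl_param: 'always' or 'never' (the values discussed in the thread).
    scheme_seen: scheme of the connection the app actually received.
    forwarded_proto: X-Forwarded-Proto value set by the proxy, or None.
    """
    if ssl_param != "always":
        return None
    effective = scheme_seen
    if trust_forwarded_proto and forwarded_proto in ("http", "https"):
        effective = forwarded_proto  # believe the proxy about the client side
    return None if effective == "https" else "https"


def simulate(ssl_param, proxy_terminates_tls, trust_forwarded_proto):
    """Follow one client's first request. Returns ('served', hops) or ('loop', hops).

    A TLS-terminating proxy redirects plain http to https itself, then talks
    to the app over plain http with X-Forwarded-Proto: https. Without a
    proxy the app sees the client's real scheme directly.
    """
    client_scheme = "http"
    hops = 0
    while hops < MAX_HOPS:
        hops += 1
        if proxy_terminates_tls:
            if client_scheme == "http":
                client_scheme = "https"  # proxy's own redirect to SSL
                continue
            scheme_seen, fwd = "http", "https"  # backend hop is plain http
        else:
            scheme_seen, fwd = client_scheme, None
        target = app_redirect(ssl_param, scheme_seen, fwd, trust_forwarded_proto)
        if target is None:
            return ("served", hops)
        client_scheme = target  # client follows the app's redirect and retries
    return ("loop", hops)
```

With ssl='always' behind the proxy and the forwarded scheme ignored, the app sees plain http on every backend hop and redirects forever; ssl='never' (what the thread settles on) or honouring the proxy's header ends the loop on the second hop.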
