---------- Forwarded message ---------
From: Marty Wise <[log in to unmask]>
Date: Thu, Sep 27, 2018 at 10:18 AM
Subject: hpsweb reconfiguration
To: [log in to unmask] <[log in to unmask]>


Jeremy,
The federal government is aggressively moving toward an https-only policy for all web servers. We have been working on getting this done on many of our servers at a slow rate for several months, but due to a recent increase in the interest in this issue, it would be nice if the lab could claim compliance with this requirement in time for a report to DOE that is due next week. To meet this requirement, I need to make some small configuration changes on hpsweb, and restart it to get those changes to take effect.

Note that I do not expect this to create any problems, indeed it should not have any visible impact: it just enforces more strongly something we already do.
What this accomplishes

Currently, most of our servers "encourage" connection via https: if users connect via http, they are redirected automatically to use https instead. The federal requirement strengthens this, _requiring_ https for all connections at all times using a mechanism known as "HSTS" ("HTTP Strict Transport Security").

On some servers (maybe yours), specific URLs are excepted from https for one reason or another. Such exceptions will no longer be possible. A common reason for such exceptions, though, is that client scripts, etc. need to connect without configuring our enterprise root certificate to establish trust. This will no longer be an issue since we are using a trusted-by-default certificate.

Summary of changes

1. All servers must have a publicly trusted certificate: your server had its certificate replaced with a commercial, publicly trusted-by-default certificate from Network Solutions.

2. A directive was put in place to redirect all http connections to https.

3. A specific, deprecated encryption cipher ("3DES") was disabled in the SSL config.

4. A special header was configured on the server to be delivered to browsers that connect. This header tells the browser that, in the future, connections to this web server must only use https.

I made these changes on hpsweb and restarted it early this morning to get the change to take effect.
Marty Wise ([log in to unmask])
JLab IT/CNI
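Added example (not part of the forwarded message or of JLab's configuration): offline checks for the three server-side changes the message lists, run against constructed HTTP response heads rather than a live server. The hostname hpsweb.example.org and the one-year minimum max-age are assumptions made for the example.

```python
"""Validate an http->https redirect, an HSTS header, and the absence of 3DES
cipher suites. All sample responses below are constructed, not captured."""
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP response head into (status code, lowercase header map)."""
    status_line, *header_lines = raw.strip().splitlines()
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_https(http_url: str, raw_response: str) -> bool:
    """True if the plain-http response redirects to the same host/path over https."""
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 307, 308) or "location" not in headers:
        return False
    src, dst = urlsplit(http_url), urlsplit(headers["location"])
    return dst.scheme == "https" and dst.netloc == src.netloc and dst.path == src.path


def hsts_policy(raw_response: str, min_age: int = 31536000) -> dict:
    """Parse Strict-Transport-Security; 'ok' means max-age meets the assumed one-year floor."""
    _, headers = parse_response(raw_response)
    value = headers.get("strict-transport-security")
    result = {"present": value is not None, "max_age": None,
              "include_subdomains": False, "ok": False}
    if value is None:
        return result
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            result["max_age"] = int(val.strip())
        elif key.lower() == "includesubdomains":
            result["include_subdomains"] = True
    result["ok"] = result["max_age"] is not None and result["max_age"] >= min_age
    return result


def uses_3des(cipher_names) -> list:
    """Return the suites that are 3DES (OpenSSL names contain DES-CBC3, IANA names 3DES_EDE)."""
    return [c for c in cipher_names if "DES-CBC3" in c.upper() or "3DES_EDE" in c.upper()]


# Constructed sample traffic for a hypothetical host; not captured from any real server.
HTTP_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://hpsweb.example.org/status\r\n"
HTTPS_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
```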
