[ mailman-Bugs-1263239 ] Mailman on SSL sends passwords in plain text
Bugs item #1263239, was opened at 2005-08-18 10:25
Message generated for change (Comment added) made by msapiro
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1263239&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Web/CGI
Group: None
Status: Closed
Resolution: None
Priority: 8
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text

Initial Comment:
I have tried putting Mailman on a secure path of my server on an https URL. It seemed to work approximately when adding the following directive in Apache:

    RewriteCond %{HTTPS} !=on
    RewriteRule /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list creation and I have seen that all the form is posted IN CLEAR. This is normal in fact as we send that to the http link first (see Bug Request #1263219). Therefore the whole test is sent in clear and only afterwards the client receives back the document move to https from Apache to redirect to the proper page.

I think that this could be solved if all links of the Mailman binaries (admin, create and so forth) are taking dynamically the link specified in the mm_cfg.py, in the DEFAULT_URL_HOST tag. However, maybe there is another clean way of putting that on a secure URL. If so, I would be interested in how to do that because I didn't find anything about that subject apart from people doing all like I did.

Thanks,
Daniel

----------------------------------------------------------------------

Comment By: Mark Sapiro (msapiro)
Date: 2005-11-06 18:16

Message:
Logged In: YES user_id=1123998

I am closing this because it seems to be a misconfiguration. If you make DEFAULT_URL_PATTERN = 'https://%s/mailman/' or similar (with https) in mm_cfg.py, the create page link from the admin overview will have https as will the action= attribute of the form element on the create page.

As you note, you must run fix_url.py to fix list specific URLs after making this change, but generic urls are changed without further action.

Also note that DEFAULT_URL_HOST should be just the fully qualified domain name. The rest of the URL comes from substituting the host name in DEFAULT_URL_PATTERN.

----------------------------------------------------------------------

Comment By: Daniel (doolyo)
Date: 2005-08-18 11:09

Message:
Logged In: YES user_id=1320890

P.S.: I have seen that we can use fix_url.py to fix the URL for a specific list. However, it does not seem to fix the links of /mailman/create and the others and thus does not solve the problem, as I want to have the SSL on that page.

----------------------------------------------------------------------