Introduction of HSTS for Open-Xchange Webservices

    Open-Xchange will roll out HTTP Strict Transport Security (HSTS) for its web services at open-xchange.com on 2023-06-01. This mechanism will further improve the security of connections and mitigate potential downgrade attacks. It enforces that HTTP clients use HTTPS rather than the unencrypted and unauthenticated version of this protocol. We further intend to use HSTS preloading, which means clients will use HTTPS straight away and will not attempt to use HTTP.

    While this does not have any negative impact in general, we would like to raise awareness of potential edge cases that require your attention. As an Open-Xchange customer, you are using our software repositories at https://software.open-xchange.com/. This service will also use HSTS, and we identified potential connectivity issues in case the repository lists or mirrors on your end refer to plain HTTP. We have already updated the documentation to use HTTPS exclusively, but there may be cases where environments have been set up before that.

    Please verify that all references to our software repositories, your egress network filtering and package managers are enabled to use HTTPS.
    • For DEB based environments, make sure that the apt-transport-https package is installed and all URLs at /etc/apt/sources.list and /etc/apt/sources.list.d/ use the HTTPS URL scheme
    • For RPM based environments, make sure that all URLs at /etc/yum.repos.d/ use the HTTPS URL scheme
    Find more information here:
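One way to carry out the repository check described in the announcement, as an added example that is not part of the original post: it lists active (non-comment) entries that still reference the repository host over plain HTTP. The function name `scan_repo_paths` and the choice of file suffixes are assumptions; the host and directories are the ones named above.

```shell
#!/bin/sh
# Added example (not Open-Xchange code): find repository entries that still
# use plain HTTP for the host named in the announcement.
OX_HOST="software.open-xchange.com"

# scan_repo_paths PATH...
# Prints "file:line:entry" for every active line referencing http://$OX_HOST
# in *.list, *.sources (APT) and *.repo (YUM/DNF) files under the given paths.
# Returns 1 if at least one such entry exists, 0 otherwise.
scan_repo_paths() {
    hits=$(
        for path in "$@"; do
            [ -e "$path" ] || continue   # path not present on this distribution
            find "$path" -type f \
                \( -name '*.list' -o -name '*.sources' -o -name '*.repo' \) \
                -exec awk -v host="$OX_HOST" '
                    /^[ \t]*[#;]/ { next }   # skip commented-out entries
                    # scheme and host are case-insensitive, so compare lowercased
                    index(tolower($0), "http://" host) {
                        printf "%s:%d:%s\n", FILENAME, FNR, $0
                    }' {} +
        done
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Scan the locations named in the announcement.
if scan_repo_paths /etc/apt/sources.list /etc/apt/sources.list.d /etc/yum.repos.d; then
    echo "No plain-HTTP references to $OX_HOST found."
else
    echo "Change the entries listed above to the https:// URL scheme." >&2
fi
```

Local mirror configurations that live outside these directories can be checked by passing their paths to `scan_repo_paths` as additional arguments.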