Password Server: Connection is not Secure


Just installed our Password Server; upon enabling SSL my browser reports that the connection is not secure after logging in (the logon page is delivered 100% secure).


Looking at the Network logs in the browser, it appears that one of the Devolutions avatars is being delivered over an HTTP connection:

http://i1.wp.com/webdevolutions.blob.core.windows.net/images/avatar/Devolutions-Avatar-128x128.png

Not sure where the HTTP image is being pulled from code-wise, but I'd like to get this fixed up before I roll this out to my end users.

Thanks!

3 mths

Hello,

What version of Devolutions Password Server are you using? Is it the latest release (5.1.1.0) or the latest beta version 5.9.6.0?

Best regards,



Érica Poirier
Happy Holiday Season!
Although our various support queues will be monitored during the coming holiday season, Devolutions' offices will be closed from December 25th, 2018, to January 1, 2019, inclusively.


3 mths

I'm on the latest release 5.1.1.0 -

Joel

3 mths

Hello,

Thank you for the information.

What browser are you using?

Here is a screen shot of what I get in Google Chrome.

Could you please send us your DPS configuration with the Send Diagnostic to Support dialog from the DPS Console?

Best regards,



Érica Poirier

3 mths

Diagnostic report sent. I've tried in Chrome, Firefox, and Edge - all get the same HTTP image.



3 mths

Hello,

Thank you for the screen shot. But the diagnostic report is empty. You need to connect on the server with a user account that has enough permission on the SQL database to read the DPS settings.

Do you have the same settings in the IIS tab of your DPS instance?

And what bindings are set in your IIS Manager? Do you only have the one for the HTTPS protocol, or is the HTTP protocol still available?

Best regards,



Érica Poirier

3 mths

The HTTP binding is still available for the site - I'm rolling through a load balancer that intercepts on port 80 and does a 301 redirect to SSL/443 to ensure all connections are using SSL...on the server itself I'm re-writing any HTTP connection to be HTTPS via URL Rewrite (more friendly to the users if they forget to type https:// - the server and the load balancer both move them over to SSL).

3 mths

Hello,

Thank you for the information. I will test by the end of the week whether this configuration could interfere with the DPS web interface. With the standard installation using an SSL certificate, I do not see any security issue with the avatar.

I will also check with an engineer to see what he thinks about that and will get back to you.

Best regards,



Érica Poirier

3 mths

Hello,

I made a few tests but cannot get the exact same structure as the one you use.

I know that it could be more user-friendly to have the HTTP protocol still available ;) But is it possible for you to test the DPS web interface without having the HTTP binding available?

Best regards,



Érica Poirier

3 mths

I will give disabling HTTP a try;

I think this has to do with the image being delivered from a CDN somewhere - maybe one of the .NET libraries being used is configured to optimize by using a CDN and the CDN isn't configured to deliver the image securely?

3 mths

Hello,

Thank you for the information. I will check this with the engineering department.

I forgot to ask: what kind of load balancer are you using to intercept communication on port 80?
I want to reproduce that behavior internally so the engineers can see if they can fix this issue.

Best regards,



Érica Poirier

3 mths

Sorry for the delay - have been out of the office!

Using HAProxy for the load balancing.

No change in behavior if I bypass the load balancer altogether either.

2 mths
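
One way to audit a saved copy of the page for the kind of insecure subresource reported in this thread, as an added example that is not part of the original posts or Devolutions' code. The hostnames under `example.test` and the sample HTML are constructed, and the regex scan is a simplification rather than a full HTML parser.

```javascript
// Added example: list subresources that an HTTPS page references over plain HTTP.
// Regex-based scan for auditing saved HTML; a simplification, not a full HTML parser.

// Tags that fetch a subresource, mapped to the attribute holding its URL.
const RESOURCE_ATTRS = new Map([
  ['img', 'src'], ['audio', 'src'], ['video', 'src'], ['source', 'src'],
  ['script', 'src'], ['iframe', 'src'], ['link', 'href'],
]);
// Passive (display) mixed content degrades the browser's security indicator;
// active content (script, iframe, stylesheet) is blocked by browsers.
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages can have mixed content
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-zA-Z]+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attrName = RESOURCE_ATTRS.get(tag);
    if (!attrName) continue; // e.g. <a href> is navigation, not a subresource
    if (tag === 'link' && !/(?:^|\s)rel\s*=\s*["']?(?:stylesheet|icon|preload)/i.test(attrs)) continue;
    const m = new RegExp(`(?:^|\\s)${attrName}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
    if (!m) continue;
    let resolved;
    try { resolved = new URL(m[1], page); } catch { continue; } // skip unparsable URLs
    // Relative and protocol-relative URLs inherit https: from the page and pass.
    if (resolved.protocol === 'http:') {
      findings.push({ tag, url: resolved.href, kind: PASSIVE_TAGS.has(tag) ? 'passive' : 'active' });
    }
  }
  return findings;
}

// Constructed sample page; only the avatar URL is taken from the thread.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/content/site.css">
<script src="//cdn.example.test/app.js"></script>
<img class="avatar" src="http://i1.wp.com/webdevolutions.blob.core.windows.net/images/avatar/Devolutions-Avatar-128x128.png">
<img src="https://dps.example.test/logo.png">
<a href="http://example.test/help">help</a>
<script src="http://cdn.example.test/legacy.js"></script>`;

const report = findMixedContent('https://dps.example.test/', SAMPLE_HTML);
console.log(report);
```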