SSL configuration for completely broken

Discussion of all aspects of the website, wiki, and forums, including support requests and new ideas.

Moderators: Forum Moderators, Developers

Post Reply
Posts: 76
Joined: May 22nd, 2011, 5:52 am

SSL configuration for completely broken

Post by tuggyne »

So, recently I decided to see if I could access Wesnoth's forums by HTTPS. I couldn't, since apparently port 443 on that subdomain is listened to by the same virtual host as serves the regular secure site, and of course none of the forum pages can be found in the main site's DocumentRoot. That in itself is unfortunate and confusing, but guess what happened when I tried going back to HTTP.

It redirected to HTTPS and broke again!

Turns out everything at is configured to return Strict-Transport-Security: maxage=15768000 on all requests, plain-text and secure alike, error page or normal response. Since I had absolutely no desire to be blocked in Firefox for the next six months, I downloaded an addon for the sole purpose of fixing this, which has (obviously) done the job.

HTTPS Everywhere (which I had at first thought was responsible) lists the broken subdomains.

Point is, though, that this is just absolutely horrendous UX and a glaring misconfiguration. Can we please fix this ASAP?

Post Reply