[ mailman-Patches-746728 ] ssl support for list administration

SourceForge.net noreply at sourceforge.net
Mon May 10 15:47:43 EDT 2004


Patches item #746728, was opened at 2003-05-31 20:27
Message generated for change (Comment added) made by donnc
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=746728&group_id=103

Category: list administration
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: matze (indygena)
Assigned to: Nobody/Anonymous (nobody)
Summary: ssl support for list administration

Initial Comment:
Adds SSL support for the administration interface. Via
the boolean configuration parameter
DEFAULT_ADMIN_USE_SSL it can be defined that the list
administration interface is accessed over an SSL
encrypted connection.

----------------------------------------------------------------------

Comment By: Donn Cave (donnc)
Date: 2004-05-10 19:47

Message:
Logged In: YES 
user_id=42839

Would it make sense to add `secure' to the authentication 
cookie?  (c[key]['secure'] = 'ok', ca. line 243 
SecurityManager.py.)

This instructs the browser to send the cookie to https only.  
Otherwise it will send it for every URL at the site, including 
but not limited to the admin pages.

I have done this at our site, for all cookie authentication.  I 
needed to modify the source a lot more, but I needed to do it 
for the sake of our single login hacks.  Even for the standard 
release version, though, I believe it's a good idea.  For one 
thing, `user' passwords will frequently be identical to the 
ones used for more sensitive authorization.

To make this work without requiring SSL even for listinfo, I 
believe you have to make Utils.py recognize whether it's 
already talking to an SSL user so that it can decide URLs (for 
example to the archives) at run-time, but also give the 
system a way to require some (like admin) to be https 
anyway.

(Sorry to chime in so late, but from here it looks like this 
hasn't gone very far anyway.)

----------------------------------------------------------------------

Comment By: Peer Heinlein (pheinlein)
Date: 2003-10-23 17:18

Message:
Logged In: YES 
user_id=581680

It works well and should be included into the normal Mailman as 
soon as possible. 

But it would be better, if Mailman produces a HTTP 301 redirect to 
https, if the admin login page is accessed via http instead of https. 

That would take care of having no admin password transferred to 
mailman without using an encrypted connection. 

And -- this patch should produce a similar 301-redirect if 
/mailman/create is accessed via http. :-) 

----------------------------------------------------------------------
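
The two suggestions in the comments above (a `secure` attribute on the authentication cookie, and a 301 to https when the admin or create pages are requested over http), as an added Python 3 sketch that is not part of the patch or of Mailman's code. `CANONICAL_HOST`, `HTTPS_ONLY_PREFIXES`, the function names and the sample cookie key are assumptions made for illustration.

```python
from http.cookies import SimpleCookie  # Python 2 (Mailman 2.1) calls this module "Cookie"

# Assumptions for this sketch, not Mailman settings:
CANONICAL_HOST = "lists.example.org"   # configured value, never the request's Host header
HTTPS_ONLY_PREFIXES = ("/mailman/admin", "/mailman/create")


def is_https(environ):
    """True when the CGI environment says the request arrived over SSL/TLS."""
    return environ.get("HTTPS", "").lower() in ("on", "1")


def auth_cookie_header(key, value, environ, path="/mailman/"):
    """Build a Set-Cookie value, marked Secure when the login came over https."""
    c = SimpleCookie()
    c[key] = value
    c[key]["path"] = path
    if is_https(environ):
        # Any true value sets the flag; the browser then withholds the
        # cookie from plain-http URLs on the same site.
        c[key]["secure"] = True
    return c[key].OutputString()


def redirect_if_plain_http(environ):
    """Return (status, headers) for a 301 to https, or None to serve the page."""
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    if is_https(environ) or not path.startswith(HTTPS_ONLY_PREFIXES):
        return None
    url = "https://" + CANONICAL_HOST + path
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return "301 Moved Permanently", [("Location", url)]


if __name__ == "__main__":
    # Constructed CGI environments: admin page over http, then over https.
    plain = {"SCRIPT_NAME": "/mailman/admin", "PATH_INFO": "/testlist"}
    tls = dict(plain, HTTPS="on")
    print(redirect_if_plain_http(plain))
    print(auth_cookie_header("testlist+admin", "abc123", tls))
```

Because the redirect fires before the login form is rendered, the form is only ever served from an https URL, and the cookie issued after login carries the flag.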
