Improved SSL support + IPv6

As of today, gitorious.org has vastly improved SSL support. You are now free to surf gitorious.org through https only, should you wish to do so. Previously, our SSL support has been restricted to a few select actions, and there has been redirects from https to http.

With today’s deployment, gitorious.org will never redirect you away from https (if it does, report a bug to support@gitorious.org). You will also be forced to use https as long as you’re logged in, and when posting forms (i.e. logging in).

For those of you who maintain your own Gitorious setups, this change is pretty straight forward. The new SSL feature is enabled by default, and can be controlled through the gitorious.yml setting use_ssl. When this setting is set to true, Gitorious will enforce SSL where appropriate. When it is false, Gitorious will actively ensure http.

We will follow up this change by adding HSTS shortly.

In other news, gitorious.org is also available on IPv6, thanks to our awesome hosting partner, Linpro. We’re still having some issues with the backend for git:// and http:// Git access, so for now they are IPv4 only. We are working to resolve this issue.

12 Comments

  1. Posted March 26, 2011 at 1:08 pm | Permalink

    Great News!
    I have just one little note: The Gravatar images are loaded via standard http and thus showing a warning in chrome that this page contains unsecure contents. (gravatar can be used with https using this domain: https://secure.gravatar.com)

  2. Christian Johansen
    Posted March 27, 2011 at 8:07 pm | Permalink

    Thanks for the heads up, Philip. I’ve just deployed a minor fix to serve secure gravatars :)

  3. Noname
    Posted March 29, 2011 at 2:57 pm | Permalink

    When are you going to buy a SSL cert for gitorious.no ?

  4. Christian Johansen
    Posted March 29, 2011 at 6:52 pm | Permalink

    As .no (and .net and others) is just a shortcut, I don’t think we will. But I have enabled redirects from other tlds to gitorious.org. You’ll still see a warning if entering https://gitorious.no, but you’ll be promptly redirected to https://gitorious.org, which has a valid certificate.

    Thanks for the heads up!

  5. Posted April 12, 2011 at 1:19 pm | Permalink

    If i access this blogin https, it gives me the certificate from wordpress.com. Therefore some warning…

  6. Marius Mathiesen
    Posted April 13, 2011 at 11:10 am | Permalink

    @Markus: We don’t have SSL support for the blog (yet). The blog is hosted at wordpress.com, mainly in order to stay alive even if gitorious.org goes down.

  7. Posted April 19, 2011 at 6:26 am | Permalink

    I am not able to view your RSS feed URL. Can you please help me?

  8. xinity
    Posted April 22, 2011 at 12:09 pm | Permalink

    i’ve activate the full ssl option, works perfectly :-)

  9. Jens
    Posted May 30, 2011 at 11:14 am | Permalink

    Looks like this blog haven’t got an AAAA record for it’s own. Perhaps this was by intention?

  10. Marius Mathiesen
    Posted May 31, 2011 at 7:39 am | Permalink

    @Jens: This site runs WordPress on wordpress.com, I haven’t been able to find out whether they support IPv6 yet. If anyone knows how this can be done, we’d love to set up the AAAA records for it!

  11. Ryan
    Posted December 12, 2011 at 5:44 pm | Permalink

    Do the backend git:// and http:// servers have IPv6 enabled yet?

  12. Carlos Ralli Ucendo
    Posted April 2, 2014 at 4:22 pm | Permalink

    In the end do the backend git:// and http:// servers have IPv6 enabled yet?

    Maybe it was done for Gitorious 3.0 ?

    Thanks!


Post a Comment

Required fields are marked *

*
*

Follow

Get every new post delivered to your Inbox.

Join 719 other followers

%d bloggers like this: