[appsuite-announce] Reminder: Introduction of HSTS for Open-Xchange Webservices

Open-Xchange App Suite Maintenance Announcements appsuite-announce at open-xchange.com
Wed May 3 16:17:57 CEST 2023

Dear Customers of Open-Xchange,

as announced at the end of last year, Open-Xchange will roll out HTTP Strict Transport Security (HSTS) for its web services at open-xchange.com on 2023-06-01. This mechanism will further improve the security of connections and mitigates potential downgrade attacks. It enforces that HTTP clients use HTTPS rather than the unencrypted and unauthenticated version of this protocol. We further intend to use HSTS-preloading, which means clients will use HTTPS straight away and will not attempt to use HTTP.
While this does not have any negative impact in general, we like to raise awareness for potential edge-cases that require your attention. As an Open-Xchange customer, you are using our software repositories at https://software.open-xchange.com/. This service will also use HSTS, and we identified potential connectivity issues in case the repository lists or mirrors on your end refer to plain HTTP. We have already updated the documentation to use HTTPS exclusively, but there may be cases where environments have been set up before that.
Please verify that all references to our software repositories, your egress network filtering and package managers are enabled to use HTTPS.

- For DEB based environments, make sure that the apt-transport-https package is installed and all URLs at /etc/apt/sources.list and /etc/apt/sources.list.d/ use the HTTPS URL scheme
- For RPM based environments, make sure that all URLs at /etc/yum.repos.d/ use the HTTPS URL scheme

Find more information here:

- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://www.redhat.com/en/blog/secure-distribution-rpm-packages
- https://manpages.debian.org/stable/apt/apt-transport-https.1.en.html

Best regards,
Your Open-Xchange Team

Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

European Office:
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Director: Manuel Engel

US Office:
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA

More information about the appsuite-announce mailing list