[ https://ovirt-jira.atlassian.net/browse/OVIRT-1231?page=com.atlassian.jir... ]
Marc Dequènes (Duck) commented on OVIRT-1231:
---------------------------------------------
So, the only place using it is the new ML3 server, which is in production only for
redirects. We're currently using the 'httpd' Ansible role to deploy the
configuration, which activates it. The role also activates 'includeSubDomains';
this is a desired setting but only when all the vhosts on the domain are able to do HTTPS.
This is not the case on all oVirt infra yet, so it was deactivated manually at some point
IIRC.

So, this solution is not perfect, but avoiding protocol downgrade is already a very
important protection and we should use it. We should also use 'includeSubDomains'
when all our vhosts are ready. And we must not create new vhosts without HTTPS support,
even for testing. Here are my recommendations.
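The caveat in the comment above (HSTS is safe to turn on per host, but 'includeSubDomains' is only safe once every vhost under the domain serves HTTPS) is easy to check mechanically. The following is an added example, not code from the oVirt infra repository or the 'httpd' Ansible role: it parses a Strict-Transport-Security header value as browsers would, and builds the header value for a domain from a constructed inventory of vhosts (hostnames are hypothetical), leaving 'includeSubDomains' off while any vhost under the domain is still HTTP-only.

```python
"""HSTS header parsing plus an 'includeSubDomains' readiness check (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns None when the value is invalid, e.g. 'max-age' is missing or
    non-numeric; a browser ignores such a header, so the site gets no protection.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def include_subdomains_blockers(vhost_https_ready: Dict[str, bool], domain: str) -> List[str]:
    """Vhosts under `domain` that do not serve HTTPS.

    If this list is non-empty, sending 'includeSubDomains' from `domain` would make
    browsers refuse plain-HTTP access to these hosts, i.e. break them.
    """
    suffix = "." + domain
    return sorted(h for h, ok in vhost_https_ready.items() if h.endswith(suffix) and not ok)


def build_hsts_header(domain: str, vhost_https_ready: Dict[str, bool],
                      max_age: int = 31536000) -> Tuple[str, List[str]]:
    """Return (header value, blocking vhosts) for `domain`.

    max-age is always set (protocol-downgrade protection for this host);
    'includeSubDomains' is added only when no vhost under the domain is HTTP-only.
    """
    blockers = include_subdomains_blockers(vhost_https_ready, domain)
    value = f"max-age={max_age}"
    if not blockers:
        value += "; includeSubDomains"
    return value, blockers


# Constructed inventory: hypothetical hostnames, not a real oVirt vhost list.
SAMPLE_VHOSTS = {
    "lists.example.org": True,        # HTTPS works
    "www.example.org": True,          # HTTPS works
    "test-legacy.example.org": False, # HTTP-only test vhost (the case the comment warns about)
}

if __name__ == "__main__":
    value, blockers = build_hsts_header("example.org", SAMPLE_VHOSTS)
    print("Strict-Transport-Security:", value)
    if blockers:
        print("includeSubDomains withheld; HTTP-only vhosts:", ", ".join(blockers))
    print(parse_hsts(value))
```

The produced value is what would go into Apache's mod_headers directive, `Header always set Strict-Transport-Security "<value>"`, for each HTTPS vhost. Re-running the check with the inventory updated to all-HTTPS is the point at which 'includeSubDomains' can be switched on for the whole domain.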
Security: do we need HSTS for oVirt services?
---------------------------------------------
Key: OVIRT-1231
URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1231
Project: oVirt - virtualization made easy
Issue Type: New Feature
Reporter: eedri
Assignee: infra
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Most browsers already support it and some websites have started to enforce it.
cc [~dfediuck]
--
This message was sent by Atlassian JIRA (v1000.1092.0#100053)