httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jorge Schrauwen" <jorge.schrau...@gmail.com>
Subject Re: 2.2.4 windows binary w/ssl?
Date Wed, 10 Jan 2007 22:24:35 GMT
On 1/10/07, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
>
> Jorge Schrauwen wrote:
> > Do note that not all users that will chose the SSL package will know how
> > to correctly fill in the fields.
>
> s/not all/a small minority of/


Do not underestimate user stupidity ;) ok maybe the number won't be overly
to large but I can sure see the post flooding in on the Apache BB's!

They can't figure out what Domain Name means, let's be serious :)
>
> > On 1/10/07, *Issac Goldstand* <margol@beamartyr.net
> > <mailto:margol@beamartyr.net>> wrote:
> >
> >     I think the MSI should autogenerate a self-signed cert at least
> (last
> >     thing we need is for people to deploy a static pre-distributed cert
> >     which would make it that much easier to do man-in-the-middle
> attacks).
>
> I agree, static keys are only for pure localhost-style examples, just a
> bad
> idea for something this flexible.  As far as a default selfsigned cert,
> I was thinking of using the server name they filled in already as it
> stands,
> and let them replace it with a worthwhile one.
>
> >     Would be great if the MSI had a choice to use an existing cert, or
> >     generate a new one with a user supplied DN (fill-in fields for CN,
> OU, O
> >     , L, ST, C), and generated a self-signed cert with that + a .csr for
> >     sending to a Trusted Third-Party for signing.
> >
> >     Would also be great if there was some GUI for importing a signed
> cert
> >     post-install, similar to the IIS wizard, but that's probably pushing
> it.
>
> Well, there are dozens of utilities out there that do that, I'm not
> compelled
> in the least to add it to the httpd package.
>
> Justin Erenkrantz wrote:
> >
> > I'd prefer to just point them at the instructions for generating their
> > own key rather than us distributing a 'fake' one.  -- justin
>
> ./configure; make; make install
>
> We don't deposit a certificate today for Unix.  After considering this a
> bit
> more, I agree with jerenkrantz.


True... if you don't enable mod_ssl by default and add a note in the conf
file It should be rather safe to not include a cert. Pointing them to a docs
or wiki guide/how to would be a good idea.


At least, initially.  I'd rather see something out the door, with all the
> appropriate comments in the user community of the best way (in their
> opinion)
> to proceed.
>
> Then if we really believe the server install should do something to either
> help deposit a cert/key for their server, or a post-install command should
> be provided for this purpose, then we should ensure win and unix are
> offering
> the exact same facility.
>
> Does this sound sane?
>
>
Yes  it does sound sane ;)


-- 
~Jorge

Mime
View raw message