incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Fisher <>
Subject Re: Bad site certificate
Date Sun, 04 Nov 2012 17:53:14 GMT

On Nov 1, 2012, at 5:39 PM, NoOp wrote:

> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>> On 25/10/2012 NoOp wrote:
>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>> prefer it over HTTP is to use:
>>> Like the above, the URL should be configured to automatically redirect
>>> to when an https request is received?
>> Apparently, this won't work since Infra says "Redirect won't work, as 
>> the SSL handshake precedes the first opportunity to send a redirect".
> That doesn't make any sense as I've already demonstrated that the other
> https links to those IP addresses do indeed redirect.
>> But you are welcome to weigh in directly on
>> :
>> registration is open to everyone.
> Thanks, but no thanks. I suppose I could provide a server trace &
> wireshark session file etc., but I doubt that it will do any good to
> attempt to change Daniel Shahaf's mind.  You, however, might ask him
> just how the other https links work on those IP's, yet the OOo link does
> not, and why 443 is turned on for that URL to begin with if Apache do
> not intend to support https on that link.

If 443 were turned off then another vhost for another project would answer the request and
there would still be a warning.

If a * certificate were purchased it would be secondary to * and
older browsers would still have trouble. I've setup multiple certificates on httpd at work
and know this to be so. No way the ASF will put the * certificate (if purchased)

We can do a rewrite of https traffic to http but that happens after the handshake and the
security warning.

I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity
for Infrastructure.

If we had a view of what browsers are used and how much is https we can measure the impact
and determine if effort here is worth it.

>> And if in the end the most sensible solution is that we acquire a 
>> certificate for * , this is surely something the PMC and 
>> Infra can look into. But it would be good to see the discussion in the 
>> issue page converge.

That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement
effective for modern browsers.


>> Regards,
>>   Andrea.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message