incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Bad site certificate
Date Sun, 04 Nov 2012 22:00:18 GMT
On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <dave2wave@comcast.net> wrote:
>
> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>
>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>> On 25/10/2012 NoOp wrote:
>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>> The recommended way to access the OpenOffice site in HTTPS for those
who
>>>>> prefer it over HTTP is to use:
>>>>> https://ooo-site.apache.org
>>>> Like the above, the URL should be configured to automatically redirect
>>>> to https://ooo-site.apache.org when an https request is received?
>>>
>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>> the SSL handshake precedes the first opportunity to send a redirect".
>>
>> That doesn't make any sense as I've already demonstrated that the other
>> https links to those IP addresses do indeed redirect.
>>
>>>
>>> But you are welcome to weigh in directly on
>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>> registration is open to everyone.
>>
>> Thanks, but no thanks. I suppose I could provide a server trace &
>> wireshark session file etc., but I doubt that it will do any good to
>> attempt to change Daniel Shahaf's mind.  You, however, might ask him
>> just how the other https links work on those IP's, yet the OOo link does
>> not, and why 443 is turned on for that URL to begin with if Apache do
>> not intend to support https on that link.
>
> If 443 were turned off then another vhost for another project would answer the request
and there would still be a warning.
>
> If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org
and older browsers would still have trouble. I've setup multiple certificates on httpd at
work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if
purchased) first.
>
> We can do a rewrite of https traffic to http but that happens after the handshake and
the security warning.
>
> I doubt that this razor fine point is worth the effort and the tradeoff of increased
complexity for Infrastructure.
>

Probably no use for SSL site wide, but we do have a small number of
pages where we would benefit, like the login/registration pages for
the openoffice.org domain wiki and the support forums.

> If we had a view of what browsers are used and how much is https we can measure the impact
and determine if effort here is worth it.
>
>>
>>> And if in the end the most sensible solution is that we acquire a
>>> certificate for *.openoffice.org , this is surely something the PMC and
>>> Infra can look into. But it would be good to see the discussion in the
>>> issue page converge.
>
> That discussion is there in the JIRA. You can see the bit above. It is an incremental
improvement effective for modern browsers.
>
> Regards,
> Dave
>
>>>
>>> Regards,
>>>   Andrea.
>>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org


Mime
View raw message