From: Rob Weir
To: ooo-users@incubator.apache.org
Subject: Re: Bad site certificate
Date: Sun, 4 Nov 2012 17:00:18 -0500

On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher wrote:
>
> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>
>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>> On 25/10/2012 NoOp wrote:
>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>> prefer it over HTTP is to use:
>>>>> https://ooo-site.apache.org
>>>> Like the above, the URL should be configured to automatically redirect
>>>> to https://ooo-site.apache.org when an https request is received?
>>>
>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>> the SSL handshake precedes the first opportunity to send a redirect".
>>
>> That doesn't make any sense as I've already demonstrated that the other
>> https links to those IP addresses do indeed redirect.
>>
>>>
>>> But you are welcome to weigh in directly on
>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>> registration is open to everyone.
>>
>> Thanks, but no thanks. I suppose I could provide a server trace &
>> wireshark session file etc., but I doubt that it will do any good to
>> attempt to change Daniel Shahaf's mind. You, however, might ask him
>> just how the other https links work on those IP's, yet the OOo link does
>> not, and why 443 is turned on for that URL to begin with if Apache do
>> not intend to support https on that link.
>
> If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.
>
> If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.
>
> We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.
>
> I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.
>

Probably no use for SSL site wide, but we do have a small number of
pages where we would benefit, like the login/registration pages for
the openoffice.org domain wiki and the support forums.

> If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.
>
>>
>>> And if in the end the most sensible solution is that we acquire a
>>> certificate for *.openoffice.org , this is surely something the PMC and
>>> Infra can look into. But it would be good to see the discussion in the
>>> issue page converge.
>
> That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.
>
> Regards,
> Dave
>
>>>
>>> Regards,
>>> Andrea.
>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org
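Added example, not part of the original message or of the ASF's configuration: a small model of the two points argued in this thread, namely that the certificate name check finishes before any HTTP redirect can be sent, and that a secondary *.openoffice.org certificate only helps clients that tell the server which name they want. It assumes the "older browsers" are clients that do not send SNI; the host name www.openoffice.org, the certificate lists and all function names are constructed for illustration.

```python
"""Model of TLS certificate selection and hostname checking (no network I/O)."""

def name_matches(pattern, host):
    """RFC 6125-style match: '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def select_cert(certs, sni):
    """Server side: first certificate covering the SNI name, otherwise the
    first configured one (which is also what a client without SNI receives)."""
    if sni is not None:
        for cert in certs:
            if any(name_matches(n, sni) for n in cert):
                return cert
    return certs[0]

def handshake(certs, host, sends_sni=True):
    """Client verdict, reached before any HTTP request or redirect exists."""
    cert = select_cert(certs, host if sends_sni else None)
    return "ok" if any(name_matches(n, host) for n in cert) else "warning"

# Constructed configurations: each certificate is modelled as its name list.
APACHE_ONLY = [["*.apache.org"]]
APACHE_THEN_OOO = [["*.apache.org"], ["*.openoffice.org"]]

def scenarios():
    """The cases discussed in the thread, keyed by a short description."""
    return {
        "openoffice.org host, apache cert only":
            handshake(APACHE_ONLY, "www.openoffice.org"),
        "ooo-site.apache.org, apache cert only":
            handshake(APACHE_ONLY, "ooo-site.apache.org"),
        "openoffice.org host, secondary cert, SNI client":
            handshake(APACHE_THEN_OOO, "www.openoffice.org", sends_sni=True),
        "openoffice.org host, secondary cert, no SNI":
            handshake(APACHE_THEN_OOO, "www.openoffice.org", sends_sni=False),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{verdict:8} {case}")
```

A redirect or rewrite rule would run only after `handshake` has returned, which is why it cannot suppress the warning in the first and last cases.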