
Re: SNI Support

From: Akbar Hossain <akkiehossain@gmail.com>
Date: Thu, 28 Apr 2011 22:46:50 +0100
Message-ID: <BANLkTim3taCLD_d1+t22cxscfjPDRWAE+w@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Andrei Sambra <andrei@fcns.eu>, WebID XG <public-xg-webid@w3.org>
Yes https://openid4.me runs an SNI configuration.

The same IP address is used to serve up another (domain) site x509.me which
is configured with a
different certificate.

If you look at the traffic you will see Safari on Macbook gets the
certificate for what it considers is the
"wrong" domain rather than the one the user requested.

i.e. https://openid4.me fetches the certificate for http://data.x509.me which
is a security violation.
Hence the error you see on your Safari. You don't get the same issue on
Firefox.

The other domain is higher in the apache configuration. I haven't tried
moving it.

 Thanks


On Thu, Apr 28, 2011 at 10:33 PM, Henry Story <henry.story@bblfish.net> wrote:

>
> <https://auth.fcns.eu/>
> On 28 Apr 2011, at 23:19, Akbar Hossain wrote:
>
> Following a comment from Henry about issues of connecting to an https site
> he was trying to use.
> I have performed a few basic tests on SNI support using Safari and a
> Macbook.
>
> For those of you unsure SNI [1] is an extension to TLS which can address
> the issue of hosting multiple
> https hosts on a single IP address by sending the name of the virtual
> domain as part of the TLS negotiation.
>
>
> Yes, that is very useful to know. If I understand correctly
> https://openid4.me/ runs with SNI. Andrei does https://auth.fcns.eu/
> also run SNI?
>
>
> Be warned Safari seems to be particularly sensitive on Macbook. Less so on
> my Windows PC.
> I have not seen a problem with Firefox (but I have done extensive
> testing)
>
> Perhaps an issue we want to document on the wiki somewhere and the list of
> things browsers or OS producers
> can be clearer about.
>
>
> definitively.
> There is the
>
> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO
>
> and
>
> http://www.w3.org/wiki/Foaf%2Bssl/Clients
>
> faqs where I think that would currently be useful.  I wonder if anyone
> knows the solution to this issue, or has a pointer to
> further information on the issue - a bug report or an explanation of it.
>
>
>
> Thanks
>
> 1. http://en.wikipedia.org/wiki/Server_Name_Indication
>
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Thursday, 28 April 2011 21:47:19 UTC
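
How the symptom described in this thread can arise, as an added example that is not part of the original messages or of either site's configuration: a model of a name-based HTTPS server that reads the SNI host name from the ClientHello and falls back to the first listed virtual host when none is present. The ClientHello bytes are constructed, the vhost order is taken from the message above, and the premise that the failing client's server name never reaches the server is an assumption, not a diagnosis.

```python
import struct

# Assumed server layout mirroring the thread: two name-based HTTPS vhosts on
# one IP, with data.x509.me listed first so it acts as the default.
VHOSTS = ["data.x509.me", "openid4.me"]

def build_client_hello(server_name=None):
    """Constructed minimal ClientHello body (not captured traffic)."""
    body = b"\x03\x01" + bytes(32)        # client_version, random
    body += b"\x00"                       # empty session_id
    body += b"\x00\x02\x00\x2f"           # one cipher suite
    body += b"\x01\x00"                   # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni            # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    return body

def extract_sni(body):
    """Return the host_name a ClientHello carries, or None if it has no SNI."""
    pos = 2 + 32                                        # version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0 and body[pos + 2] == 0:        # server_name / host_name
            name_len = struct.unpack_from("!H", body, pos + 3)[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def handshake(requested_host, client_sends_sni):
    """Return (certificate name served, whether it matches the requested host)."""
    hello = build_client_hello(requested_host if client_sends_sni else None)
    sni = extract_sni(hello)
    served = sni if sni in VHOSTS else VHOSTS[0]        # no/unknown SNI: first vhost
    return served, served.lower() == requested_host.lower()

if __name__ == "__main__":
    for sends_sni in (True, False):
        print(sends_sni, handshake("openid4.me", sends_sni))
```

The name comparison here is an exact match only; real certificate validation also handles wildcard and subjectAltName entries.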
