W3C home > Mailing lists > Public > public-xg-webid@w3.org > May 2011

Re: SNI Support

From: Andrei Sambra <andrei@fcns.eu>
Date: Mon, 02 May 2011 00:05:38 +0200
To: WebID XG <public-xg-webid@w3.org>
Message-ID: <1304287538.9172.9.camel@mayu>
Bergi and I have been playing with Apache over the weekend, trying to
identify possible issues related to browsers not validating CAs. So far,
we haven't concluded much, other than Safari seems not to support secure
renegotiation (Safari: "client does not support secure renegotiation"),
while Firefox 4.0 and Chrome 11 do support it. 

It could also be that under Ubuntu (my test client OS), Firefox uses
libgnutls26, instead of openssl. Bergi tested with Safari under Win7 and
it passed verification on both his endpoint and mine. Under Windows,
Safari uses the windows ssl libs (Secure Channel).

The full trace containing tests for Safari / Firefox / Chrome can be
found here: http://webid.fcns.eu/apache.log.new.txt

If any of you is strong in the art of Apache-foo, please let us know if
you can manage to spot something we might have missed.

Andrei 


On Fri, 2011-04-29 at 21:39 +0200, Andrei Sambra wrote:
> Forgot to add the other options of my SSL setup:
> 
> SSLVerifyClient optional_no_ca
> SSLVerifyDepth 1
> SSLOptions +ExportCertData
> 
> Other than these, I have the server certificate file and it's secret
> key.
> 
> The server runs on a dedicated IP address, using a wildcard certificate
> (*.fcns.eu) issued by AlphaSSL.
> 
> Andrei
> 
> On Fri, 2011-04-29 at 21:00 +0200, Andrei Sambra wrote:
> > Hello,
> > 
> > I've come to the conclusion that using "SSLVerifyClient optional_no_ca"
> > is mutually exclusive to having a valid CA bundle file. Some issuers
> > (AlphaSSL in my case) require that websites must also provide the CA
> > bundle file (the certification chain). 
> > 
> > If a CA bundle file is provided and the option "SSLVerifyClient
> > optional_no_ca" is used (in order to authenticate WebID users by
> > requiring their browser certificate), then the authentication does not
> > happen anymore (the server no longer asks for a certificate).
> > 
> > If the CA bundle file is not used, the authentication takes place just
> > fine. However, some browsers will not be able to verify the server
> > certificate's issuer -> the same behavior as using self-signed server
> > certificates; which makes one wonder why pay for a signed certificate in
> > the first place.
> > 
> > I'm open to suggestions at this point...
> > 
> > Andrei
> > 
> > On Fri, 2011-04-29 at 09:39 +0200, Andrei Sambra wrote:
> > > Being a wildcard certificate, it has to use the same CN: *.fcns.eu. I
> > > cannot add other subdomains, since it would require issuing new
> > > certificates -> me paying for them. :-)
> > > 
> > > Another possibility would be to switch to a different hosting provider /
> > > CA. 
> > > 
> > > What's weird is that after a clean install of Ubuntu (w/ FF 4.0) on a
> > > lab machine, I had the same warning regarding the validity of the server
> > > certificate. Weird...
> > > 
> > > I'll try to document all these issues on the wiki somewhere, so we have
> > > a starting base.
> > > 
> > > Andrei
> > > 
> > > On Fri, 2011-04-29 at 00:56 +0200, bergi wrote:
> > > > Andrei, I would expect that your server doesn't use SNI, because your
> > > > certificate uses the common name *.fcns.eu. I think the IE had/has
> > > > problems with wildcard common names. Perhaps also safari doesn't like
> > > > these certificates. You are already using the alternative name for
> > > > fcns.eu. You could try to add your other subdomains to avoid problems.
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> 
> 
> 
Received on Sunday, 1 May 2011 22:06:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 1 May 2011 22:06:14 GMT