Re: SNI Support

From: Andrei Sambra <andrei@fcns.eu>
Date: Fri, 29 Apr 2011 21:00:45 +0200
To: WebID XG <public-xg-webid@w3.org>
Message-ID: <1304103645.2110.7.camel@mayu>

I've come to the conclusion that using "SSLVerifyClient optional_no_ca"
is mutually exclusive to having a valid CA bundle file. Some issuers
(AlphaSSL in my case) require that websites must also provide the CA
bundle file (the certification chain). 

If a CA bundle file is provided and the option "SSLVerifyClient
optional_no_ca" is used (in order to authenticate WebID users by
requiring their browser certificate), then the authentication does not
happen anymore (the server no longer asks for a certificate).

If the CA bundle file is not used, the authentication takes place just
fine. However, some browsers will not be able to verify the server
certificate's issuer -> the same behavior as using self-signed server
certificates; which makes one wonder why pay for a signed certificate in
the first place.

I'm open to suggestions at this point...


On Fri, 2011-04-29 at 09:39 +0200, Andrei Sambra wrote:
> Being a wildcard certificate, it has to use the same CN: *.fcns.eu. I
> cannot add other subdomains, since it would require issuing new
> certificates -> me paying for them. :-)
> Another possibility would be to switch to a different hosting provider /
> CA. 
> What's weird is that after a clean install of Ubuntu (w/ FF 4.0) on a
> lab machine, I had the same warning regarding the validity of the server
> certificate. Weird...
> I'll try to document all these issues on the wiki somewhere, so we have
> a starting base.
> Andrei
> On Fri, 2011-04-29 at 00:56 +0200, bergi wrote:
> > Andrei, I would expect that your server doesn't use SNI, because your
> > certificate uses the common name *.fcns.eu. I think the IE had/has
> > problems with wildcard common names. Perhaps also safari doesn't like
> > these certificates. You are already using the alternative name for
> > fcns.eu. You could try to add your other subdomains to avoid problems.
> > 
Received on Friday, 29 April 2011 19:01:21 UTC
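An added configuration example (not from this thread and not Andrei's actual setup) showing the Apache mod_ssl directives involved, assuming the CA bundle was being loaded with SSLCACertificateFile: that directive also defines the CA names the server sends in its TLS certificate request, and browsers typically only offer client certificates chaining to one of those names, so a self-signed WebID certificate is never presented. Keeping the issuer bundle in SSLCertificateChainFile and leaving SSLCACertificateFile unset lets the server chain and "optional_no_ca" coexist. Hostnames and paths are placeholders.

```apache
# Added example, not from the thread. Paths and hostnames are placeholders.
<VirtualHost *:443>
    ServerName webid.example.org

    SSLEngine on
    SSLCertificateFile      /etc/ssl/example/server.crt
    SSLCertificateKeyFile   /etc/ssl/example/server.key

    # Issuer chain of the SERVER certificate (what AlphaSSL-style issuers
    # require). It is sent to browsers so they can validate the server and
    # has no effect on client-certificate verification.
    SSLCertificateChainFile /etc/ssl/example/issuer-bundle.crt

    # Do NOT load the same bundle here for WebID. SSLCACertificateFile is the
    # trust-anchor set for CLIENT certificates, and its subject names are sent
    # as the acceptable-CA list in the TLS CertificateRequest; browsers then
    # only offer certificates chaining to those names, so self-signed WebID
    # certificates are never shown to the user.
    # SSLCACertificateFile  /etc/ssl/example/issuer-bundle.crt   # wrong for WebID

    # Request a client certificate but accept one from any (or no) issuer.
    # With no SSLCACertificateFile the CertificateRequest carries an empty
    # CA list, so the browser may offer any certificate; the application
    # then verifies the WebID itself by dereferencing the SAN URI.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  1
    # Expose the client certificate (SSL_CLIENT_CERT) to the application.
    SSLOptions +ExportCertData +StdEnvVars
</VirtualHost>
```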