- From: Andrei Sambra <andrei@fcns.eu>
- Date: Fri, 29 Apr 2011 21:00:45 +0200
- To: WebID XG <public-xg-webid@w3.org>
Hello,

I've come to the conclusion that using "SSLVerifyClient optional_no_ca" is mutually exclusive with having a valid CA bundle file. Some issuers (AlphaSSL in my case) require that websites also provide the CA bundle file (the certification chain). If a CA bundle file is provided and the option "SSLVerifyClient optional_no_ca" is used (in order to authenticate WebID users by requiring their browser certificate), then the authentication does not happen anymore (the server no longer asks for a certificate). If the CA bundle file is not used, the authentication takes place just fine. However, some browsers will not be able to verify the server certificate's issuer -> the same behavior as using self-signed server certificates, which makes one wonder why pay for a signed certificate in the first place.

I'm open to suggestions at this point...

Andrei

On Fri, 2011-04-29 at 09:39 +0200, Andrei Sambra wrote:
> Being a wildcard certificate, it has to use the same CN: *.fcns.eu. I
> cannot add other subdomains, since it would require issuing new
> certificates -> me paying for them. :-)
>
> Another possibility would be to switch to a different hosting provider /
> CA.
>
> What's weird is that after a clean install of Ubuntu (w/ FF 4.0) on a
> lab machine, I had the same warning regarding the validity of the server
> certificate. Weird...
>
> I'll try to document all these issues on the wiki somewhere, so we have
> a starting base.
>
> Andrei
>
> On Fri, 2011-04-29 at 00:56 +0200, bergi wrote:
> > Andrei, I would expect that your server doesn't use SNI, because your
> > certificate uses the common name *.fcns.eu. I think IE had/has
> > problems with wildcard common names. Perhaps Safari also doesn't like
> > these certificates. You are already using the alternative name for
> > fcns.eu. You could try to add your other subdomains to avoid problems.
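The two things the message juggles, the issuer's certificate chain for the server and a client-certificate request for WebID logins, as an added Apache mod_ssl example that is not from the thread or from Andrei's server; the hostname and all file paths are placeholders, and the directives are the documented mod_ssl ones, each used for the one purpose it covers.

```apache
# Added example (not from the thread): a mod_ssl virtual host that serves a
# CA-issued certificate together with its issuer chain and still asks the
# browser for a client certificate. Hostname and paths are placeholders.
<VirtualHost *:443>
    # placeholder hostname
    ServerName example.org

    SSLEngine on

    # Server identity: the issued certificate and its private key.
    SSLCertificateFile      /etc/ssl/certs/server.crt
    SSLCertificateKeyFile   /etc/ssl/private/server.key

    # The issuer's bundle (intermediate certificates) belongs here, so that
    # browsers can build the chain from the server certificate to a trusted
    # root. This directive only affects the chain the server presents for
    # itself; it plays no part in client-certificate verification.
    SSLCertificateChainFile /etc/ssl/certs/issuer-bundle.crt

    # Request a client certificate, but do not fail when it does not chain to
    # a CA mod_ssl knows: WebID certificates are typically self-signed, and
    # the application verifies the public key against the WebID profile.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  1

    # Hand the client certificate (PEM) to the application as SSL_CLIENT_CERT,
    # alongside the usual SSL_* variables.
    SSLOptions +ExportCertData +StdEnvVars

    # SSLCACertificateFile is deliberately not set. mod_ssl uses that directive
    # both to verify client certificates and to build the list of acceptable
    # client-certificate issuers it advertises to the browser, so loading the
    # server's issuer bundle into it would narrow the browser's choice of
    # client certificates to ones issued by that CA.
</VirtualHost>
```

From a client, `openssl s_client -connect host:443 -showcerts` shows both halves at once: the chain the server sends, and a section headed "Acceptable client certificate CA names" (or "No client certificate CA names sent") that appears only when the server actually requested a client certificate.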
Received on Friday, 29 April 2011 19:01:21 UTC