- From: Andrei Sambra <andrei@fcns.eu>
- Date: Fri, 29 Apr 2011 21:39:54 +0200
- To: WebID XG <public-xg-webid@w3.org>
Forgot to add the other options of my SSL setup:

SSLVerifyClient optional_no_ca
SSLVerifyDepth 1
SSLOptions +ExportCertData

Other than these, I have the server certificate file and its secret key. The server runs on a dedicated IP address, using a wildcard certificate (*.fcns.eu) issued by AlphaSSL.

Andrei

On Fri, 2011-04-29 at 21:00 +0200, Andrei Sambra wrote:
> Hello,
>
> I've come to the conclusion that using "SSLVerifyClient optional_no_ca"
> is mutually exclusive to having a valid CA bundle file. Some issuers
> (AlphaSSL in my case) require that websites must also provide the CA
> bundle file (the certification chain).
>
> If a CA bundle file is provided and the option "SSLVerifyClient
> optional_no_ca" is used (in order to authenticate WebID users by
> requiring their browser certificate), then the authentication does not
> happen anymore (the server no longer asks for a certificate).
>
> If the CA bundle file is not used, the authentication takes place just
> fine. However, some browsers will not be able to verify the server
> certificate's issuer -> the same behavior as using self-signed server
> certificates; which makes one wonder why pay for a signed certificate in
> the first place.
>
> I'm open to suggestions at this point...
>
> Andrei
>
> On Fri, 2011-04-29 at 09:39 +0200, Andrei Sambra wrote:
> > Being a wildcard certificate, it has to use the same CN: *.fcns.eu. I
> > cannot add other subdomains, since it would require issuing new
> > certificates -> me paying for them. :-)
> >
> > Another possibility would be to switch to a different hosting provider /
> > CA.
> >
> > What's weird is that after a clean install of Ubuntu (w/ FF 4.0) on a
> > lab machine, I had the same warning regarding the validity of the server
> > certificate. Weird...
> >
> > I'll try to document all these issues on the wiki somewhere, so we have
> > a starting base.
> >
> > Andrei
> >
> > On Fri, 2011-04-29 at 00:56 +0200, bergi wrote:
> > > Andrei, I would expect that your server doesn't use SNI, because your
> > > certificate uses the common name *.fcns.eu. I think the IE had/has
> > > problems with wildcard common names. Perhaps also safari doesn't like
> > > these certificates. You are already using the alternative name for
> > > fcns.eu. You could try to add your other subdomains to avoid problems.
Received on Friday, 29 April 2011 19:40:27 UTC
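An added configuration example, not from this thread, showing where the issuer's bundle and the WebID client-certificate directives belong in an Apache mod_ssl virtual host. It assumes the bundle had been loaded through SSLCACertificateFile, which the message does not say; in mod_ssl that directive defines the CAs trusted for client certificates and the acceptable-issuer list the server advertises to the browser, whereas the server's own chain belongs in SSLCertificateChainFile. The host name, IP address and file paths are placeholders.

```apache
# Added example (not from the thread): Apache 2.2-style mod_ssl vhost for
# WebID client-certificate login behind a CA-issued wildcard server cert.
# All paths and the address below are placeholders.

<VirtualHost 203.0.113.10:443>
    ServerName www.fcns.eu
    SSLEngine on

    # Server identity: the wildcard certificate and its private key.
    SSLCertificateFile    /etc/ssl/fcns/wildcard.fcns.eu.crt
    SSLCertificateKeyFile /etc/ssl/fcns/wildcard.fcns.eu.key

    # The issuer's bundle (intermediate chain) goes here. It is only sent to
    # clients so they can build a path from the server cert to the root.
    # (Apache 2.4.8+ deprecates this directive; there the chain is appended
    # to the SSLCertificateFile instead.)
    SSLCertificateChainFile /etc/ssl/fcns/alphassl-bundle.crt

    # Do NOT load the bundle through SSLCACertificateFile. That directive
    # sets the CAs trusted for *client* certificates and the list of
    # acceptable issuer names sent in the TLS CertificateRequest; browsers
    # typically offer only certificates from those issuers, so a self-signed
    # WebID certificate is never prompted for.
    # SSLCACertificateFile /etc/ssl/fcns/alphassl-bundle.crt   # wrong place

    # WebID: request a client certificate but accept any issuer; the key is
    # vouched for by the WebID profile lookup, not by a CA.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 1

    # Expose the PEM client certificate to the application (SSL_CLIENT_CERT)
    # so it can extract the public key and SubjectAltName URI.
    SSLOptions +ExportCertData
</VirtualHost>
```

After changing the directives, an `openssl s_client -connect` session against the host should still show the full chain and list no acceptable CA names, which is the state in which browsers prompt for any client certificate.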