[arch-dev-public] bbs.archlinux.org is now switched to https only!
I just performed the switch to https only on bbs! I also adjusted some internal URLs, so all files will be properly fetched via https directly. http is redirected automatically. Note that the navbar links on Archweb and all other sites still point to http, but that is redirected automatically.
There is a catch:
1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
2) wget doesn't like wildcard certificates. That means you need to use --no-check-certificate with wget.
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Let me know if any of the above (especially 1) cause any problems.
On Fri, 16 Jul 2010 11:09:15 +0200, Thomas Bächler <thomas@archlinux.org> wrote:
I just performed the switch to https only on bbs! I also adjusted some internal URLs, so all files will be properly fetched via https directly. http is redirected automatically. Note that the navbar links on Archweb and all other sites still point to http, but that is redirected automatically.
There is a catch:
1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
2) wget doesn't like wildcard certificates. That means you need to use --no-check-certificate with wget.
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Let me know if any of the above (especially 1) cause any problems.
Didn't we have a discussion about this some time ago? Point 1) is simply not true. A SNI compatible client is not needed here. (at least if you haven't altered the ssl config) Point 2) is afaik a known wget bug. (I wonder if there is a patch)
-- Pierre Schmitz, https://users.archlinux.de/~pierre
On 16.07.2010 11:15, Pierre Schmitz wrote:
Didn't we have a discussion about this some time ago? Point 1) is simply not true. A SNI compatible client is not needed here. (at least if you haven't altered the ssl config)
If I remember correctly, it is correct. Fact is that lighttpd can do it without SNI, but Apache can't. Apache needs to know which vhost to consider before being able to set up SSL, as SSL is not a global setting, but bound to the vhost. If SNI is not needed, then there is some _undocumented_ Apache magic: Maybe, apache chooses the default vhost, then sees it is on the wrong vhost, and switches the context again ... this will work if both vhosts use the same certificate. As I said, Apache documentation explicitly states that this is not possible.
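The two client-side checks this exchange turns on, as an added example that is not part of the thread: how a client decides whether a wildcard certificate such as *.archlinux.org covers a host name (the matching that old wget versions got wrong in point 2), and a helper that fetches the certificate a server presents with and without SNI so the question in point 1 can be settled empirically. The matching function follows the RFC 6125 rules as I understand them; the fingerprint helper needs network access and is not exercised offline.

```python
import hashlib
import socket
import ssl


def wildcard_matches(pattern, hostname):
    """Return True if a certificate name (possibly '*.example.org') covers hostname.
    Rules: '*' may only be the entire left-most label, it covers exactly one
    label, and it never matches the registered domain itself (no 'example.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # partial wildcards ('b*.example.org'), wildcards in later labels, and
    # patterns too short to name a registered domain ('*.org') are rejected
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # '*' covers one label only: 'a.bbs.archlinux.org' is not matched by '*.archlinux.org'
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(names, hostname):
    """names: the CN/SAN entries of a certificate; True if any of them matches."""
    return any(wildcard_matches(n, hostname) for n in names)


def served_cert_fingerprint(host, port=443, use_sni=True):
    """SHA-256 of the DER certificate a server sends, with or without the SNI
    extension. Identical fingerprints for both calls mean non-SNI clients get the
    same (wildcard) certificate and name-based vhosts work without SNI.
    Verification is disabled on purpose: we only want to see which cert is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()
```

Comparing served_cert_fingerprint("bbs.archlinux.org") with served_cert_fingerprint("bbs.archlinux.org", use_sni=False) shows whether the server depends on SNI for that vhost.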
On Fri, Jul 16, 2010 at 5:09 AM, Thomas Bächler <thomas@archlinux.org> wrote:
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Ran into this one on Chrome on Windows. Displays a scary warning message, and even goes so far as to cross out the "https://" in the URL bar with a big red strikethrough. :P
On Fri, 16 Jul 2010 07:37:04 -0400, Travis Willard <twillard2@gmail.com> wrote:
On Fri, Jul 16, 2010 at 5:09 AM, Thomas Bächler <thomas@archlinux.org> wrote:
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Ran into this one on Chrome on Windows. Displays a scary warning message, and even goes so far as to cross out the "https://" in the URL bar with a big red strikethrough. :P
Sure, you have to install the root certs from cacert.org. Or better: Don't use Windows. :P
-- Pierre Schmitz, https://users.archlinux.de/~pierre
participants (3)
- Pierre Schmitz
- Thomas Bächler
- Travis Willard