[arch-dev-public] bbs.archlinux.org is now switched to https only!

Pierre Schmitz pierre at archlinux.de
Fri Jul 16 05:15:17 EDT 2010


On Fri, 16 Jul 2010 11:09:15 +0200, Thomas Bächler
<thomas at archlinux.org> wrote:
> I just performed the switch to https only on bbs! I also adjusted some
> internal URLs, so all files will be properly fetched via https directly.
> http is redirected automatically. Note that the navbar links on Archweb
> and all other sites still point to http, but that is redirected
> automatically.
> 
> There is a catch:
> 1) Apache configures SSL per-vhost. That means that even though we have
> a wildcard certificate, the browser must support SNI for name-based
> vhosts to work. All clients that are not SNI-capable will be redirected
> to www instead.
> 2) wget doesn't like wildcard certificates. That means you need to use
> --no-check-certificate with wget.
> 3) Our certificate is from CACert. AFAIK, this is not included in many
> browsers by default. If you use Arch Linux, at least everything that
> uses the OpenSSL certificate store and all Mozilla browsers are
> CACert-enabled - on other operating systems, our certificate might show
> up as untrusted.
> 
> Let me know if any of the above (especially 1) cause any problems.

Didn't we have a discussion about this some time ago? Point 1) is
simply not true. A SNI compatible client is not needed here. (at least
if you haven't altered the ssl config)

Point 2) is afaik a known wget bug. (I wonder if there is a patch)

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre

