Domain: outoforder.cc
Stories and comments across the archive that link to outoforder.cc.
Comments · 7
-
Re:OpenSSL and what else.
-
Re:Taking a harder line on certs.
However, IF ssl established encryption, then virtual host, then authenticity (to varying degrees of confidence as configured by the user's trust settings), https wouldn't require a seperate IP per virtual host anymore.
It doesn't. There are several approaches to the problem:
- subjectAltNames and wildcard certificates. Nowadays, certificates can carry multiple site names. Just make a certificate containing all site names (not supported by all CA's, but Entrust and CaCert do)
- SNI (Server Name Indication). This allows the webserver to use a different certificate for different virtual hosts. Soon to be supported by mod_ssl, but already supported (for several years) by mod_gnutls
. Most clients (browsers) today support it out of the box, only Konqueror seems to be lagging behind, alas!
There are cases (such as a private lan to an internal server) where authentication (particularly CLIENT authentication) w/o encryption may be reasonable.
Client is almost never authenticated via SSL anyways. You're right about the private LAN. Easyest LAN-based attacks are passive eavesdropping, rather than active Mitm. But in most other cases, encryption without authentication of the peer just doesn't make sense. But in a private LAN, you're probably in a position of setting up your own CA anyways, as basically you control your browser's CA lists.
If I am contacting https://argleblargle.nu/ for the first time, I don't have any Idea who that is even if they are authenticated.
But you do know that it's argleblargle.nu, rather than somebody who managed to poison DNS or hijack your router.
-
Re:RFC 2817 support (HTTP TLS upgrade)
Apache added support for RFC 2817 to mod_ssl about a year ago, in Apache HTTPD 2.2. Admittedly, not many people are using 2.2 yet; a lot of servers are still running 1.3.
I could not find any indication that Mozilla/Firefox support RFC 2817. (I read one email archive that said it did, but bugzilla says it has not been implemented.)
I found the answer to my question regarding IE7 support: it will not support RFC 2817. It will however, support RFC 3546 (SNI) in the Vista version, which is apparently a better method of getting the same functionality. (The reply to the above Slashdot comment includes some info and links on SNI.) Mozilla does not yet support SNI. Apache does not support SNI out of the box; the mod_gnutls module does, but it's not included with Apache, and is not yet production quality. There is a patch for Apache mod_ssl.
Summary: It appears that SNI will be the way forward, but consensus and implementations still need to catch up. IE7/Vista is the second browser implementation after Opera. Apache and Mozilla do not yet support it, but are working on it. Here's a decent write-up about the situation. -
Re:cacert.org
RFC3546, section 3.1 specifies server name indication. mod_gnutls has supported it since April of 2005. mod_ssl (bug) is waiting on OpenSSL to make support possible. Opera has supported SNI since 8.0. IE7 has since beta 2. Mozilla/NSS/Firefox is ready to go with NSS 3.1.1/Gecko 1.8.1/Firefox 2.0. Konqueror will support it in 4.0 (bug). Safari is the only major browser without support (fresh bug).
-
Re:RFC 2817 SSL Upgrade
The SNI (server name indication) extention is considered to be a better solution for HTTP than SSL Upgrade and hopefully will soon be supported by browsers and servers. (Opera and mod_gnutls already do).
http://wiki.cacert.org/wiki/VhostTaskForce#head-78 b8f803f17fa69b4333aa376a641b2e843c2cb3
http://www.outoforder.cc/projects/apache/mod_gnutl s/
https://bugzilla.mozilla.org/show_bug.cgi?id=11616 8 -
Re:Can server owners add content?
Users can customize each server.. Enable and disable certain things in their neghborhood and tweak different settings in each age. And it's all about community. My website has some more information about customizing your Shard. Until URU Server Wiki
-
Re:A couple of responses
Which FTP server for Apache are you using?
mod_ftpd works great as an FTP server for Apache..