Opened 16 years ago

Closed 16 years ago

#48 closed defect (fixed)

SNI, giving certificates on * for FF 2 and IE 7

Reported by: andersk Owned by: presbrey
Priority: major Milestone:
Component: web Keywords:

Description (last modified by presbrey)

Currently gives a certificate error. We have a valid certificate for * but it is currently not used. The problem is that (modulo recent extensions) the HTTPS protocol doesn’t support sending the virtual host name before the server must decide which certificate to present.

There have been two proposed solutions. One is to use the SNI extension. This requires upgrading OpenSSL to at least 0.9.8f, patching mod_ssl, and using relatively recent browsers (old browsers will fall back to the current behavior).

The other is to move * to a separate IP from, so that the server knows which certificate to present based on the IP. This is less general (we can’t extend this to work with arbitrary vhosts), but we could probably implement it now.
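An added check for the behaviour this ticket describes, written for this page and not part of the ticket or the server setup it discusses: a Python client that handshakes with and without the server_name (SNI) extension and reports whether the certificate presented each time actually covers the requested name. Clients that send SNI (FF 2 and IE 7 in the ticket) see the certificate selected by name; clients that do not (IE 6, Safari) see whatever the server presents by default, which is the fallback to "the current behavior" the description mentions. The example.org hostnames, the constructed certificate dicts and the `lockername` label are placeholders, not the ticket's real hosts.

```python
"""Probe which certificate a TLS server presents to a client that sends SNI
versus one that does not. Hostnames and certificates below are placeholders
(assumed for this example), not the ticket's real hosts."""
import socket
import ssl
from typing import Dict, List, Optional


def san_dns_names(cert: Dict) -> List[str]:
    """DNS names from a certificate in SSLSocket.getpeercert() dict form:
    subjectAltName dNSName entries, falling back to the subject CN only
    when the certificate carries no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard is accepted only
    as the entire leftmost label, it matches exactly one label (so *.example.org
    covers neither a.b.example.org nor example.org itself), and a wildcard with
    fewer than two fixed labels (*.com) is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_covers(cert: Dict, hostname: str) -> bool:
    """True if any name in the certificate matches hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def report(hostname: str, sni_cert: Dict, plain_cert: Dict) -> Dict[str, bool]:
    """Pure comparison step: does the certificate seen with SNI, and the one
    seen without it, cover the requested hostname? Kept separate from the
    network code so it can be run on captured certificates offline."""
    return {"sni": cert_covers(sni_cert, hostname),
            "no_sni": cert_covers(plain_cert, hostname)}


def fetch_cert(host: str, port: int = 443, sni: Optional[str] = None,
               timeout: float = 5.0) -> Dict:
    """Handshake with host:port and return the leaf certificate as a dict.
    sni=None sends no server_name extension (a legacy client); sni=host sends
    it. Hostname checking is disabled because a mismatch is exactly what we
    want to observe, but the chain is still verified: getpeercert() returns an
    empty dict for an unverified peer, so CERT_NONE would hide the answer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def probe(host: str, port: int = 443) -> Dict[str, bool]:
    """Live check: fetch the certificate both ways and compare."""
    return report(host, fetch_cert(host, port, sni=host), fetch_cert(host, port, sni=None))


# Constructed sample certificates in getpeercert() dict form (not real data):
# a wildcard cert like the one the ticket wants served, and a default cert
# for the bare web host that a non-SNI client would be handed instead.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
}
DEFAULT_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}

if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed certificates, then an optional live probe.
    print(report("lockername.example.org", WILDCARD_CERT, DEFAULT_CERT))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

On the constructed certificates the report comes out `{"sni": True, "no_sni": False}`, which is the situation comment:9 describes: SNI-capable browsers get the right certificate, the rest do not. Against a live server the chain still has to validate against the system trust store; for a self-signed test certificate, fetch it with `getpeercert(binary_form=True)` and decode the DER with an external tool instead.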

Change History (9)

comment:1 Changed 16 years ago by andersk

  • Priority changed from major to critical

Blocking #17.

comment:2 Changed 16 years ago by presbrey

  • Description modified (diff)

comment:3 Changed 16 years ago by presbrey

  • Owner set to presbrey

comment:4 Changed 16 years ago by presbrey

I'm working on the SNI proposal. This solution includes the following steps:

  1. Cleanup duplicate x86/x86_64 openssl-0.9.8b library, devel, and dependent packages
  2. Convert openssl-0.9.8b.x86_64 to a compatibility package, openssl-compat-0.9.8b.x86_64
  3. Create and install a new OpenSSL 0.9.8g package, openssl-0.9.8g.x86_64
  4. Rebuild and install the mod_ssl.x86_64 package

comment:5 Changed 16 years ago by presbrey

i386/i686 packages removed during cleanup:

  • curl
  • lftp
  • libc-client2006
  • mysql-libs
  • neon
  • openssl
  • openssl-devel
  • pam_ccreds
  • postgresql-libs
  • raptor
  • raptor-devel
  • rasqal
  • redland
  • redland-devel
  • uw-imap-devel

(x86_64 package versions verified present after removal)

comment:6 Changed 16 years ago by presbrey

OpenSSL status, post phase #3:

  • openssl-0.9.8g-4.fc7.x86_64
  • openssl-compat-0.9.8b-15.fc7.x86_64
  • openssl-devel-0.9.8g-4.fc7.x86_64
  • openssl097a-0.9.7a-9.x86_64

comment:7 Changed 16 years ago by presbrey

OpenSSL status, post phase #4:

  • openssl-0.9.8g-4.fc7.x86_64
  • openssl-compat-0.9.8b-15.fc7.i686
  • openssl-compat-0.9.8b-15.fc7.x86_64
  • openssl-devel-0.9.8g-4.fc7.x86_64
  • openssl097a-0.9.7a-9.x86_64

Restored packages, post phase #4:

  • curl - 7.16.4-1.fc7.i386
  • lftp - 3.5.10-4.fc7.i386
  • libc-client2006 - 2006k-1.fc7.i386
  • mysql-libs - 5.0.45-6.fc7.i386
  • neon - 0.25.5-6.i386
  • pam_ccreds - 4-2.fc7.i386
  • postgresql-libs - 8.2.6-1.fc7.i386
  • raptor - 1.4.16-1.fc7.i386
  • rasqal - 0.9.14-2.fc7.i386
  • redland - 1.0.6-2.fc7.i386
  • uw-imap-devel - 2006k-1.fc7.i386

comment:8 Changed 16 years ago by presbrey

  • Priority changed from critical to minor

Installed SNI on b-m and o-f and briefly tested.

comment:9 Changed 16 years ago by price

  • Priority changed from minor to critical
  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from Certificates on * to SNI, giving certificates on * for FF 2 and IE 7

This works for FF 2 and IE 7. This is probably the only solution we can support for custom vhost certs, so it will be very useful.

OTOH, it apparently does not work for IE 6 or for Safari, hence for a large fraction of our users' users. So it doesn't suffice to let us fix #17, i.e. to stop recommending the scripts/~lockername URIs, without frustrating users. I've split out the separate-IP solution, which would let us fix #17, as #55.
