Ticket #36 (closed task: fixed)

Opened 8 years ago

Last modified 8 years ago

mediatools.cs.ucl.ac.uk over SSL with unmatched self-signed certificate

Reported by: piers
Owned by: socrates
Priority: minor
Milestone: sumover-2Q-release
Component: CMS/Repository
Version:
Keywords: SSL, certificate
Cc:

Description (last modified by socrates)

(Derek Piper, <dcpiper@…> wrote the following to the ag-tech list (post archived here), and to the sumover-tech list in response to our release announcement, see thread archived here)

Hi Piers,

Can I ask why the site is over SSL? The self-signed certificate for your site does not match the URL, so it seems strange that you would only allow connections over SSL but not have it configured correctly.

Derek


--
Derek Piper - dcpiper@… - (812) 856 0111
IRI 323, School of Informatics
Indiana University, Bloomington, Indiana

Change History

Changed 8 years ago by socrates

  • status changed from new to assigned
  • description modified
  • reporter changed from socrates to piers

Hi Derek,

Thanks for your comments.

Good point - we thought SSL would provide a measure of protection against remote commit password compromise. Also, we figured it may help somewhat against wiki-spam.

The cert is basically correct, as mediatools is a CNAME for frostie.cs.ucl.ac.uk. However, you're right, we should create an appropriate cert for this hostname so as to save confusion. Also, I have to admit I added the alias at the last minute - I thought it clearer as to the nature of the site. We will fix it in May.

Thanks,

Piers.
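
The name check a TLS client applies to the exchange above, as an added example that is not part of the ticket or the project's code: the client compares the hostname from the URL with the names in the certificate and does not follow DNS CNAMEs, so an alias needs its own entry. The certificate contents are constructed, and it is an assumption that the original certificate named only frostie.cs.ucl.ac.uk.

```python
# Added illustration (not from the ticket): simplified client-side TLS name check.
# Certificate contents are constructed; hostnames are the two named in the ticket.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against the hostname taken from the URL."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard is honoured only as the whole left-most label and
        # never covers more than one label.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_matches(cert: dict, hostname: str) -> bool:
    """cert: {'cn': str, 'san': [dNSName, ...]}. hostname: what the user typed."""
    san = cert.get("san") or []
    # If SAN dNSName entries exist they are authoritative and CN is ignored.
    # CN is only a legacy fallback (many current clients skip it entirely).
    names = san if san else [cert["cn"]]
    return any(dns_name_matches(n, hostname) for n in names)


# Assumed original certificate: issued for the canonical host only.
ORIGINAL = {"cn": "frostie.cs.ucl.ac.uk", "san": []}
# Reissued certificate listing the alias as well.
REISSUED = {"cn": "frostie.cs.ucl.ac.uk",
            "san": ["frostie.cs.ucl.ac.uk", "mediatools.cs.ucl.ac.uk"]}
# Wildcard alternative covering any single label under cs.ucl.ac.uk.
WILDCARD = {"cn": "*.cs.ucl.ac.uk", "san": ["*.cs.ucl.ac.uk"]}


def check_all(hostname: str) -> dict:
    """Result of the name check for each sample certificate."""
    certs = {"original": ORIGINAL, "reissued": REISSUED, "wildcard": WILDCARD}
    return {label: cert_matches(c, hostname) for label, c in certs.items()}


if __name__ == "__main__":
    for host in ("frostie.cs.ucl.ac.uk", "mediatools.cs.ucl.ac.uk"):
        print(host, check_all(host))
```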

Changed 8 years ago by socrates

  • version changed from 4.3 to 4.2.27
  • milestone changed from sumover-2Q-release to sumover-1Qb-release

Changed 8 years ago by piers

  • status changed from assigned to closed
  • version 4.2.27 deleted
  • resolution set to fixed
  • milestone changed from sumover-1Qb-release to sumover-2Q-release

It turns out that it is a fundamental problem in Apache when using mod_ssl - NameBasedVirtualHosting (NBVH) isn't possible with SSL for the reasons explained below:
http://www.mail-archive.com/modssl-users@modssl.org/msg07872.html
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

I have made the site accessible over http - with https access only necessary when logging into Trac.
