[Systems] [Fwd: Re: Server Name Indication - Wikipedia, the free encyclopedia]

Sascha Silbe sascha-ml-reply-to-2010-2 at silbe.org
Sun Aug 22 15:13:30 EDT 2010


Excerpts from Bernie Innocenti's message of Sun Aug 22 18:14:31 +0200 2010:

> Raul just made me realize that we can't use many SSL keys for the
> services hosted on sunjammer.
> 
> Unless, of course, we assign multiple IPs to the same box just for this
> purpose. Shan't.

If you want to
a) support most browsers, including IE < 7 / WinXP and
b) not get users scared by SSL warnings and
c) not pay lots of money,

then you need one IP address per virtual host you'd like to use SSL with.
In combination with IPv4 address scarcity this means we can't offer SSL
for most virtual hosts for all users.

So while we unfortunately can't use https for links to more than one
(or a few) of our "outward facing" services, we can
a) use it for our "internal" services (and tell our users to use
   a browser that is SNI capable and/or includes the CAcert root
   cert, like Iceweasel/Firefox or Browse), and
b) maybe even do an automatic upgrade to https if the User-Agent
   indicates a browser version that should have SNI support. This
   would especially be useful for password-based login pages (i.e.
   wiki and Trac).


On a related note, would it be possible to get a single additional
IPv4 address on sunjammer for SSO usage (see other thread)? Unlike
SNI, enabling client certificate requests on the server will have
an impact on some browsers (pops up a certificate selection dialog)
so we can't do it on the main https server. As many brain-dead
firewalls block everything other than port 80 and 443, we can't just
use a different port either.
If we can't get another IPv4 address for sunjammer, we'd need to
move Trac (and later the wiki) to housetree or treehouse (where we
should have a spare IPv4 address AFAICT).

Sascha

--
http://sascha.silbe.org/
http://www.infra-silbe.de/
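
The User-Agent-based upgrade from point b) above could look like the sketch below. It is an added example, not part of the original message or of any Sugar Labs configuration. The function names and the browser version thresholds are assumptions, and the host name is a constructed placeholder. User-Agent is client-controlled, so this only decides whether to offer a redirect and defaults to no redirect for unknown clients.

```python
import re

# Assumed minimum major versions that send SNI on every OS they run on.
# IE is handled separately because its SNI support depends on the OS.
MIN_SNI_VERSION = {"Firefox": 2, "Iceweasel": 2, "Chrome": 6, "Opera": 8}


def windows_nt_version(user_agent):
    """Return (major, minor) from a 'Windows NT x.y' token, or None."""
    m = re.search(r"Windows NT (\d+)\.(\d+)", user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def supports_sni(user_agent):
    """Conservative guess: True only for clients expected to send SNI."""
    ie = re.search(r"MSIE (\d+)", user_agent)
    if ie:
        # IE relies on the Windows TLS stack, so it needs IE >= 7 and
        # Vista (NT 6.0) or later; any IE on WinXP (NT 5.1) fails here.
        nt = windows_nt_version(user_agent)
        return int(ie.group(1)) >= 7 and nt is not None and nt >= (6, 0)
    for name, minimum in MIN_SNI_VERSION.items():
        m = re.search(name + r"/(\d+)", user_agent)
        if m:
            return int(m.group(1)) >= minimum
    # Unknown client: stay on http rather than risk a certificate warning.
    return False


def upgrade_location(scheme, vhost, path, user_agent):
    """Return the https URL to redirect to, or None to serve as-is.

    vhost must come from the server's own configuration, not from the
    request's Host header, so the redirect target cannot be influenced
    by the client.
    """
    if scheme == "https" or not supports_sni(user_agent):
        return None
    return "https://%s%s" % (vhost, path)
```

Login forms reached over plain http by a client that fails this check still send passwords in the clear, which is the gap the dedicated-IP option in the message closes.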