You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openoffice.apache.org by Roberto Galoppini <ro...@gmail.com> on 2014/01/23 15:39:28 UTC
[Templates/Extensions] About end-users request to run sites under HTTPS
Hi,
Time by time we receive end-users' requests asking why extensions. and
templates. don't run under HTTPS.
If we want to, SourceForge would be happy to install such certificates.
Thoughts?
Re: [Templates/Extensions] About end-users request to run sites under
HTTPS
Posted by "Marcus (OOo)" <ma...@wtnet.de>.
Am 01/26/2014 06:27 PM, schrieb jan i:
> On 26 January 2014 16:54, Andrea Pescetti<pe...@apache.org> wrote:
>
>> On 23/01/2014 Roberto Galoppini wrote:
>>
>>> Time by time we receive end-users' requests asking why extensions. and
>>> templates. don't run under HTTPS.
>>> If we want to, SourceForge would be happy to install such certificates.
>>> Thoughts?
>>>
>>
>> It would make sense to have HTTPS on both those sites.
>>
>> Infra managed all of this internally so I don't know any details, but we
>> now have a certificate for *.openoffice.org that we are using on the wiki
>> and forum. Of course, the difference is that wiki/forum are hosted
>> internally, and I believe it's impossible, for security reasons, to make
>> that same certificate available for extensions and templates, which are
>> hosted externally.
>>
>> I suggest that we proceed as follows: if there is consensus that it is a
>> good feature to have HTTPS on Extensions and Templates, we will contact
>> Infra and ask what to do (maybe the project should create two separate
>> certificates covering only extensions.openoffice.org and
>> templates.openoffice.org and hand them over to SourceForge to apply them;
>> but honestly I don't know).
>>
>>
> Wearing my infra hat:
>
> *.openoffice.org can only be used for services located on apache hosts, we
> cannot give the certificate to e.g. sourceforge. However it would be
> possible to make a https: page under www.openoffice.org located on apache
> servers, that list extensions from e.g. sourceforge, meaning the extensions
> themself can be located outside apache (download will be http:// but lookup
> is https://).
When you click on the link to download the extension/template, wouldn't
this force a message in the browser like "You are requesting possibly
unsecure data from a secure webpage? Do you really want to go on?"
If so, I don't think that this would be helpful.
Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
Posted by jan i <ja...@apache.org>.
On 28 January 2014 23:41, Andrea Pescetti <pe...@apache.org> wrote:
> On 26/01/2014 jan i wrote:
>
>> *.openoffice.org can only be used for services located on apache hosts,
>> we
>> cannot give the certificate to e.g. sourceforge.
>>
>
> OK. So this is clear: the fact that we do have a *.openoffice.orgcertificate becomes irrelevant for this discussion since it cannot be used
> for externally hosted sites anyway. Good.
>
>
> However it would be
>> possible to make a https: page under www.openoffice.org located on apache
>> servers, that list extensions from e.g. sourceforge, meaning the
>> extensions
>> themself can be located outside apache (download will be http:// but
>> lookup
>> is https://).
>>
>
> Besides the comment by Marcus, I think that here the idea is simply to be
> able (I see it from the user's point of view) to offer login and sessions
> over HTTPS at the same URL. So just like we moved
> http://wiki.openoffice.org -> https://wiki.openoffice.org
> keeping it on the same server, the idea would be to move
> http://extensions.openoffice.org -> https://extensions.openoffice.org
> but keeping it hosted where it is, not "mirrored" on the Apache servers.
>
> Now, would this need a specific certificate covering only
> extensions.openoffice.org that can be requested (by whom? Apache?) and
> then handed over to SourceForge? I have no idea if this is a feasible
> solution, cost, effort, security considerations... Maybe there are other
> examples of domains where the DNS zone is managed by Apache, but hosting is
> external and HTTPS is available.
we have wildcard certificate,so to my best knowledge we cannot in parallel
have a specific certificate.
DNS zone is not enough,the https endpoint need to be one of our proxy
servers. Our proxy servers proxies the request to another (internal) url
which do not have the openoffice certificate. This method would do the trix
but all traffic would go through the proxy. Please remark this is not
redirect so no ugly warning.
rgds
jan i
>
>
> Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org
>
>
Re: [Templates/Extensions] About end-users request to run sites under
HTTPS
Posted by Andrea Pescetti <pe...@apache.org>.
On 26/01/2014 jan i wrote:
> *.openoffice.org can only be used for services located on apache hosts, we
> cannot give the certificate to e.g. sourceforge.
OK. So this is clear: the fact that we do have a *.openoffice.org
certificate becomes irrelevant for this discussion since it cannot be
used for externally hosted sites anyway. Good.
> However it would be
> possible to make a https: page under www.openoffice.org located on apache
> servers, that list extensions from e.g. sourceforge, meaning the extensions
> themself can be located outside apache (download will be http:// but lookup
> is https://).
Besides the comment by Marcus, I think that here the idea is simply to
be able (I see it from the user's point of view) to offer login and
sessions over HTTPS at the same URL. So just like we moved
http://wiki.openoffice.org -> https://wiki.openoffice.org
keeping it on the same server, the idea would be to move
http://extensions.openoffice.org -> https://extensions.openoffice.org
but keeping it hosted where it is, not "mirrored" on the Apache servers.
Now, would this need a specific certificate covering only
extensions.openoffice.org that can be requested (by whom? Apache?) and
then handed over to SourceForge? I have no idea if this is a feasible
solution, cost, effort, security considerations... Maybe there are other
examples of domains where the DNS zone is managed by Apache, but hosting
is external and HTTPS is available.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: [Templates/Extensions] About end-users request to run sites under HTTPS
Posted by jan i <ja...@apache.org>.
On 26 January 2014 16:54, Andrea Pescetti <pe...@apache.org> wrote:
> On 23/01/2014 Roberto Galoppini wrote:
>
>> Time by time we receive end-users' requests asking why extensions. and
>> templates. don't run under HTTPS.
>> If we want to, SourceForge would be happy to install such certificates.
>> Thoughts?
>>
>
> It would make sense to have HTTPS on both those sites.
>
> Infra managed all of this internally so I don't know any details, but we
> now have a certificate for *.openoffice.org that we are using on the wiki
> and forum. Of course, the difference is that wiki/forum are hosted
> internally, and I believe it's impossible, for security reasons, to make
> that same certificate available for extensions and templates, which are
> hosted externally.
>
> I suggest that we proceed as follows: if there is consensus that it is a
> good feature to have HTTPS on Extensions and Templates, we will contact
> Infra and ask what to do (maybe the project should create two separate
> certificates covering only extensions.openoffice.org and
> templates.openoffice.org and hand them over to SourceForge to apply them;
> but honestly I don't know).
>
>
Wearing my infra hat:
*.openoffice.org can only be used for services located on apache hosts, we
cannot give the certificate to e.g. sourceforge. However it would be
possible to make a https: page under www.openoffice.org located on apache
servers, that list extensions from e.g. sourceforge, meaning the extensions
themself can be located outside apache (download will be http:// but lookup
is https://).
I hope this helps in the discussion.
rgds
jan I.
Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-help@openoffice.apache.org
>
>
Re: [Templates/Extensions] About end-users request to run sites under
HTTPS
Posted by Andrea Pescetti <pe...@apache.org>.
On 23/01/2014 Roberto Galoppini wrote:
> Time by time we receive end-users' requests asking why extensions. and
> templates. don't run under HTTPS.
> If we want to, SourceForge would be happy to install such certificates.
> Thoughts?
It would make sense to have HTTPS on both those sites.
Infra managed all of this internally so I don't know any details, but we
now have a certificate for *.openoffice.org that we are using on the
wiki and forum. Of course, the difference is that wiki/forum are hosted
internally, and I believe it's impossible, for security reasons, to make
that same certificate available for extensions and templates, which are
hosted externally.
I suggest that we proceed as follows: if there is consensus that it is a
good feature to have HTTPS on Extensions and Templates, we will contact
Infra and ask what to do (maybe the project should create two separate
certificates covering only extensions.openoffice.org and
templates.openoffice.org and hand them over to SourceForge to apply
them; but honestly I don't know).
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org