Posted to users@openoffice.apache.org by Andrea Pescetti <pe...@apache.org> on 2012/11/01 18:45:51 UTC

Re: Bad site certificate

On 25/10/2012 NoOp wrote:
> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>> The recommended way to access the OpenOffice site in HTTPS for those who
>> prefer it over HTTP is to use:
>> https://ooo-site.apache.org
> Like the above, the URL should be configured to automatically redirect
> to https://ooo-site.apache.org when an https request is received?

Apparently, this won't work since Infra says "Redirect won't work, as 
the SSL handshake precedes the first opportunity to send a redirect".

But you are welcome to weigh in directly on
https://issues.apache.org/jira/browse/INFRA-5450 :
registration is open to everyone.

And if in the end the most sensible solution is that we acquire a 
certificate for *.openoffice.org , this is surely something the PMC and 
Infra can look into. But it would be good to see the discussion in the 
issue page converge.

Regards,
   Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org
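
Added example, not part of the original message and not Apache Infra's configuration: a small Python model of Infra's point above, that the certificate name is checked during the handshake, before any HTTP redirect can be sent. It goes beyond this message by also modelling a client that sends no SNI, which is an assumption about the "older browsers" mentioned later in the thread; Server, connect() and cert_matches() are hypothetical names, and the certificate ordering follows what the thread describes.

```python
# Added illustration: a model of certificate selection and checking, not real TLS.
from dataclasses import dataclass

def cert_matches(pattern, host):
    """Hostname check: '*' is only valid as the whole leftmost label and
    stands for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

@dataclass
class Server:
    certs: list  # certificate names in configured order; certs[0] is the default

    def select_cert(self, sni):
        """Choose the certificate to present, before any HTTP is exchanged."""
        if sni is not None:
            for name in self.certs:
                if cert_matches(name, sni):
                    return name
        return self.certs[0]  # no SNI from the client, or no match: default

def connect(server, host, sends_sni=True, redirect_to=None):
    """Return the events a client sees when opening https://<host>/."""
    presented = server.select_cert(host if sends_sni else None)
    events = ["handshake: server presents " + presented]
    if not cert_matches(presented, host):
        # The warning is raised here; the HTTP layer has not started yet.
        return events + ["client: certificate name mismatch warning"]
    events.append("client: certificate accepted")
    if redirect_to:
        events.append("http: 301 redirect to " + redirect_to)
    return events

if __name__ == "__main__":
    today = Server(["*.apache.org"])
    both = Server(["*.apache.org", "*.openoffice.org"])  # ordering as in the thread
    for label, result in [
        ("www.openoffice.org, redirect configured",
         connect(today, "www.openoffice.org", redirect_to="https://ooo-site.apache.org/")),
        ("ooo-site.apache.org", connect(today, "ooo-site.apache.org")),
        ("wiki.openoffice.org, SNI client", connect(both, "wiki.openoffice.org")),
        ("wiki.openoffice.org, no SNI", connect(both, "wiki.openoffice.org", sends_sni=False)),
    ]:
        print(label, "->", result)
```

In the first case the configured redirect never appears in the event list, because the name mismatch is reported before the server has a chance to send it.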


Re: Bad site certificate

Posted by Andrea Pescetti <pe...@apache.org>.
On 02/11/2012 NoOp wrote:
> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>> But you are welcome to weigh in directly on
>> https://issues.apache.org/jira/browse/INFRA-5450 :
> Thanks, but no thanks. I suppose I could provide a server trace &
> wireshark session file etc., but I doubt that it will do any good

It would probably help more than me just reposting your messages there. 
I shared your analysis on the issue page, but I cannot continue the 
technical discussion there as a middle-man. Anyway, let's see if there 
is a way to get rid of this security warning.

Unfortunately, a solution might be to use HTTPS on 
https://ooo-site.apache.org/ only, thus switching 
https://www.openoffice.org off; this is largely suboptimal but I agree 
with you that random users who do not want to look at the certificate 
details will interpret a security warning as something worse than having 
no security, i.e., HTTP only...

Regards,
   Andrea.



Re: Fwd: Bad site certificate

Posted by Andrea Pescetti <pe...@apache.org>.
On 21/11/2012 Dave Fisher wrote:
> Does the project care to have an SSL certificate on
> www.openoffice.org? Is one needed for other public assets like
> wiki.openoffice.org?

I don't have a strong preference here, but it could be nice to have, 
especially if we can later apply it to sites that require 
authentication, like wiki.openoffice.org and forum.openoffice.org.

Regards,
   Andrea.

Fwd: Bad site certificate

Posted by Dave Fisher <da...@comcast.net>.
Hi Folks,

It is possible that we can get either a www.openoffice.org, a *.openoffice.org, or other specific <sub>.openoffice.org certificates.

There are older browsers where the apache.org certificate will take precedence for sites.

Does the project care to have an SSL certificate on www.openoffice.org? Is one needed for other public assets like wiki.openoffice.org?

Because <subproject>.openoffice.org is redirected to www.openoffice.org/<subproject>/ we will need a *.openoffice.org certificate. Do we care enough about the edge case of users in this subgroup to request a *.openoffice.org certificate that could be used on wiki.openoffice.org?

Thoughts?

Regards,
Dave

Begin forwarded message:

> From: Rob Weir <ro...@apache.org>
> Date: November 4, 2012 2:00:18 PM PST
> To: ooo-users@incubator.apache.org
> Subject: Re: Bad site certificate
> Reply-To: ooo-users@incubator.apache.org
> delivered-to: mailing list ooo-users@incubator.apache.org
> 
> On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <da...@comcast.net> wrote:
>> 
>> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>> 
>>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>>> On 25/10/2012 NoOp wrote:
>>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>>> prefer it over HTTP is to use:
>>>>>> https://ooo-site.apache.org
>>>>> Like the above, the URL should be configured to automatically redirect
>>>>> to https://ooo-site.apache.org when an https request is received?
>>>> 
>>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>>> the SSL handshake precedes the first opportunity to send a redirect".
>>> 
>>> That doesn't make any sense as I've already demonstrated that the other
>>> https links to those IP addresses do indeed redirect.
>>> 
>>>> 
>>>> But you are welcome to weigh in directly on
>>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>>> registration is open to everyone.
>>> 
>>> Thanks, but no thanks. I suppose I could provide a server trace &
>>> wireshark session file etc., but I doubt that it will do any good to
>>> attempt to change Daniel Shahaf's mind.  You, however, might ask him
>>> just how the other https links work on those IP's, yet the OOo link does
>>> not, and why 443 is turned on for that URL to begin with if Apache do
>>> not intend to support https on that link.
>> 
>> If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.
>> 
>> If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.
>> 
>> We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.
>> 
>> I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.
>> 
> 
> Probably no use for SSL site wide, but we do have a small number of
> pages where we would benefit, like the login/registration pages for
> the openoffice.org domain wiki and the support forums.
> 
>> If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.
>> 
>>> 
>>>> And if in the end the most sensible solution is that we acquire a
>>>> certificate for *.openoffice.org , this is surely something the PMC and
>>>> Infra can look into. But it would be good to see the discussion in the
>>>> issue page converge.
>> 
>> That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.
>> 
>> Regards,
>> Dave
>> 
>>>> 
>>>> Regards,
>>>>  Andrea.
>>>> 


Re: Bad site certificate

Posted by Rob Weir <ro...@apache.org>.
On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <da...@comcast.net> wrote:
>
> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>
>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>> On 25/10/2012 NoOp wrote:
>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>> prefer it over HTTP is to use:
>>>>> https://ooo-site.apache.org
>>>> Like the above, the URL should be configured to automatically redirect
>>>> to https://ooo-site.apache.org when an https request is received?
>>>
>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>> the SSL handshake precedes the first opportunity to send a redirect".
>>
>> That doesn't make any sense as I've already demonstrated that the other
>> https links to those IP addresses do indeed redirect.
>>
>>>
>>> But you are welcome to weigh in directly on
>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>> registration is open to everyone.
>>
>> Thanks, but no thanks. I suppose I could provide a server trace &
>> wireshark session file etc., but I doubt that it will do any good to
>> attempt to change Daniel Shahaf's mind.  You, however, might ask him
>> just how the other https links work on those IP's, yet the OOo link does
>> not, and why 443 is turned on for that URL to begin with if Apache do
>> not intend to support https on that link.
>
> If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.
>
> If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.
>
> We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.
>
> I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.
>

Probably no use for SSL site wide, but we do have a small number of
pages where we would benefit, like the login/registration pages for
the openoffice.org domain wiki and the support forums.

> If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.
>
>>
>>> And if in the end the most sensible solution is that we acquire a
>>> certificate for *.openoffice.org , this is surely something the PMC and
>>> Infra can look into. But it would be good to see the discussion in the
>>> issue page converge.
>
> That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.
>
> Regards,
> Dave
>
>>>
>>> Regards,
>>>   Andrea.
>>>


Re: Bad site certificate

Posted by Dave Fisher <da...@comcast.net>.
On Nov 1, 2012, at 5:39 PM, NoOp wrote:

> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>> On 25/10/2012 NoOp wrote:
>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>> prefer it over HTTP is to use:
>>>> https://ooo-site.apache.org
>>> Like the above, the URL should be configured to automatically redirect
>>> to https://ooo-site.apache.org when an https request is received?
>> 
>> Apparently, this won't work since Infra says "Redirect won't work, as 
>> the SSL handshake precedes the first opportunity to send a redirect".
> 
> That doesn't make any sense as I've already demonstrated that the other
> https links to those IP addresses do indeed redirect.
> 
>> 
>> But you are welcome to weigh in directly on
>> https://issues.apache.org/jira/browse/INFRA-5450 :
>> registration is open to everyone.
> 
> Thanks, but no thanks. I suppose I could provide a server trace &
> wireshark session file etc., but I doubt that it will do any good to
> attempt to change Daniel Shahaf's mind.  You, however, might ask him
> just how the other https links work on those IP's, yet the OOo link does
> not, and why 443 is turned on for that URL to begin with if Apache do
> not intend to support https on that link.

If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.

If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.

We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.

I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.

If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.

> 
>> And if in the end the most sensible solution is that we acquire a 
>> certificate for *.openoffice.org , this is surely something the PMC and 
>> Infra can look into. But it would be good to see the discussion in the 
>> issue page converge.

That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.

Regards,
Dave

>> 
>> Regards,
>>   Andrea.
>> 


Re: Bad site certificate

Posted by NoOp <gl...@sbcglobal.net>.
On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
> On 25/10/2012 NoOp wrote:
>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>> prefer it over HTTP is to use:
>>> https://ooo-site.apache.org
>> Like the above, the URL should be configured to automatically redirect
>> to https://ooo-site.apache.org when an https request is received?
> 
> Apparently, this won't work since Infra says "Redirect won't work, as 
> the SSL handshake precedes the first opportunity to send a redirect".

That doesn't make any sense as I've already demonstrated that the other
https links to those IP addresses do indeed redirect.

> 
> But you are welcome to weigh in directly on
> https://issues.apache.org/jira/browse/INFRA-5450 :
> registration is open to everyone.

Thanks, but no thanks. I suppose I could provide a server trace &
wireshark session file etc., but I doubt that it will do any good to
attempt to change Daniel Shahaf's mind.  You, however, might ask him
just how the other https links work on those IP's, yet the OOo link does
not, and why 443 is turned on for that URL to begin with if Apache do
not intend to support https on that link.

> And if in the end the most sensible solution is that we acquire a 
> certificate for *.openoffice.org , this is surely something the PMC and 
> Infra can look into. But it would be good to see the discussion in the 
> issue page converge.
> 
> Regards,
>    Andrea.
> 


