Posted to users@trafficserver.apache.org by Richard Whittaker <ri...@avits.ca> on 2013/03/06 02:59:41 UTC
SSL question.
Hi.
I have an issue because I am cheap. lol
I have taken advantage of GoDaddy's ultra cheap SSL cert offer, and have
obtained 3 SSL certs. Unfortunately, the offer didn't extend to wildcard
certs.
I only have one IP address, is it still possible to bind these certs to
that one interface, or will that not work?
I.E. I have one IP, and I would like to serve https://site1.domain.com,
and https://site2.domain.com from that IP through traffic server. Do I
need to move the SSL certs inside, and just share the re-direction from
TS?...
Thanks,
Richard.
--
Alberni Valley IT Services
Re: SSL question.
Posted by Leif Hedstrom <zw...@apache.org>.
On 3/6/13 8:03 AM, Reindl Harald wrote:
>
> On 06.03.2013 15:52, Igor Galić wrote:
>> ----- Original Message -----
>>>
>>> On 06.03.2013 03:06, Leif Hedstrom wrote:
>>>> This will work, but only with browsers that support SNI. This
>>>> particularly excludes all versions of IE on
>>>> Windows/XP. If you can live with that, then it will work fine,
>>>> since most other modern browsers
>>> wrong - no browser on Windows XP supports SNI
>>> because the OS libraries do not support it
>> https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
>>
>> Only browsers on XP that *actually* *use* Microsoft's SSL libs do
>> not have support for SNI.
>>
>> Chrome and Firefox use NSS, Opera uses their own SSL engine
> fine, Java <= 1.7, Safari.....
Not to start a war, but this is basically what I said. Considering that
he's getting cheap certificates already, SNI might be an option for him. I
never said it was a generally acceptable solution, I'm well aware that
roughly 25% of the OS's today are Windows/XP, and presumably a large portion
of those use IE on this platform.
-- Leif
Re: SSL question.
Posted by Reindl Harald <h....@thelounge.net>.
On 06.03.2013 15:52, Igor Galić wrote:
> ----- Original Message -----
>>
>>
>> On 06.03.2013 03:06, Leif Hedstrom wrote:
>>> This will work, but only with browsers that support SNI. This
>>> particularly excludes all versions of IE on
>>> Windows/XP. If you can live with that, then it will work fine,
>>> since most other modern browsers
>>
>> wrong - no browser on Windows XP supports SNI
>> because the OS libraries do not support it
>
> https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
>
> Only browsers on XP that *actually* *use* Microsoft's SSL libs do
> not have support for SNI.
>
> Chrome and Firefox use NSS, Opera uses their own SSL engine
fine, Java <= 1.7, Safari.....
finally you CAN NOT use SNI these days if you have a
public server with any business on it, details do
not matter, WinXP is supported and heavily in use
in companies and any application based on MS technology
will fail too on WinXP
i am a 100% linux user but that is it
Re: SSL question.
Posted by Igor Galić <i....@brainsware.org>.
----- Original Message -----
>
>
> On 06.03.2013 03:06, Leif Hedstrom wrote:
> > This will work, but only with browsers that support SNI. This
> > particularly excludes all versions of IE on
> > Windows/XP. If you can live with that, then it will work fine,
> > since most other modern browsers
>
> wrong - no browser on Windows XP supports SNI
> because the OS libraries do not support it
https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
Only browsers on XP that *actually* *use* Microsoft's SSL libs do
not have support for SNI.
Chrome and Firefox use NSS, Opera uses their own SSL engine.
-- i
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
Re: SSL question.
Posted by Reindl Harald <h....@thelounge.net>.
On 06.03.2013 03:06, Leif Hedstrom wrote:
> This will work, but only with browsers that support SNI. This particularly excludes all versions of IE on
> Windows/XP. If you can live with that, then it will work fine, since most other modern browsers
wrong - no browser on Windows XP supports SNI
because the OS libraries do not support it
Re: SSL question.
Posted by Reindl Harald <h....@thelounge.net>.
On 08.03.2013 08:51, Igor Galić wrote:
>> SNI seems to work very well, and for those people that insist on
>> using
>> IE and XP, they will just have to go on without SSL..
>
> Those who insist on XP+IE probably don't really care about SSL
> or the security it provides anyway ;)
as a user you are not in the position to care in most cases
fact is if you are hosting a website and redirect to https://
you will lock out any user who does not have the choice and most
of these are business users
> But that reminds me: There are still a number of low level APIs
> and libraries that do not support SNI: Off the top of my head
> JDK6 comes to my mind...
and that is why you can only use SNI for your pet's website but
not if you are hosting anything which is business relevant
Re: SSL question.
Posted by Igor Galić <i....@brainsware.org>.
> SNI seems to work very well, and for those people that insist on
> using
> IE and XP, they will just have to go on without SSL..
Those who insist on XP+IE probably don't really care about SSL
or the security it provides anyway ;)
But that reminds me: There are still a number of low level APIs
and libraries that do not support SNI: Off the top of my head
JDK6 comes to my mind...
> Thanks everyone for the assistance, and lively discussion.
>
> Regards,
> Richard.
>
> --
> Alberni Valley IT Services
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
Re: SSL question.
Posted by Richard Whittaker <ri...@avits.ca>.
On 05/03/2013 6:06 PM, Leif Hedstrom wrote:
> This will work, but only with browsers that support SNI. This
> particularly excludes all versions of IE on Windows/XP. If you can
> live with that, then it will work fine, since most other modern
> browsers / OS's handle SNI just fine. I'm not sure exactly which
> version of ATS supports SNI, but I'm guessing v3.2.4 is what you
> should deploy.
SNI seems to work very well, and for those people that insist on using
IE and XP, they will just have to go on without SSL..
Thanks everyone for the assistance, and lively discussion.
Regards,
Richard.
--
Alberni Valley IT Services
Re: SSL question.
Posted by Leif Hedstrom <zw...@apache.org>.
On 3/5/13 6:59 PM, Richard Whittaker wrote:
> Hi.
>
> I have an issue because I am cheap. lol
>
> I have taken advantage of GoDaddy's ultra cheap SSL cert offer, and have
> obtained 3 SSL certs. Unfortunately, the offer didn't extend to wildcard
> certs.
Odd that they didn't let you put all 3 names into one cert, they certainly
support that.
>
> I only have one IP address, is it still possible to bind these certs to
> that one interface, or will that not work?
This will work, but only with browsers that support SNI. This particularly
excludes all versions of IE on Windows/XP. If you can live with that, then
it will work fine, since most other modern browsers / OS's handle SNI just
fine. I'm not sure exactly which version of ATS supports SNI, but I'm
guessing v3.2.4 is what you should deploy.
Cheers,
-- Leif
RE: SSL question.
Posted by Aleksandrs Andrijekno <in...@eurohosting.lv>.
Hi,
You can get really cheap wildcard SSL from these guys:
http://www.gogetssl.com/wildcard-ssl-certificates/comodo-positive-ssl-wildcard/
-----Original Message-----
From: Richard Whittaker [mailto:richard@avits.ca]
Sent: Wednesday, 6 March 2013 3:00
To: users@trafficserver.apache.org
Subject: SSL question.
Hi.
I have an issue because I am cheap. lol
I have taken advantage of GoDaddy's ultra cheap SSL cert offer, and have
obtained 3 SSL certs. Unfortunately, the offer didn't extend to wildcard
certs.
I only have one IP address, is it still possible to bind these certs to that
one interface, or will that not work?
I.E. I have one IP, and I would like to serve https://site1.domain.com, and
https://site2.domain.com from that IP through traffic server. Do I need to
move the SSL certs inside, and just share the re-direction from TS?...
Thanks,
Richard.
--
Alberni Valley IT Services