On 17.09.2015 at 21:05, Jeffrey Walton wrote:
>
>
> On Thursday, September 17, 2015 at 2:34:41 PM UTC-4,
> jean-pierre.muench wrote:
>
>     Yay, a well-trusted certificate :)
>
>     May I ask if it's by design that there's no CN for the
>     certificate? (Didn't even know this is possible :O )
>
>
> Yeah, that one was new to me, too. I tried to recall if a CN was
> optional in PKIX or CA/B Baseline Requirements, but I'm getting old,
> and factoids like that have faded away. I'll have to look it up when I
> get back into RFC 5280 or the CA/B BR.
>
> The CSR included "Crypto++ Project" as the CN. I always use a friendly
> name when possible because tools like certificate.msc and other
> viewers display it for the user.
>
> I think what happened was I asked to avoid DNS names in the CN (both
> PKIX and CA/B BR deprecate the practice), and that may have gotten
> translated into no CN. I suspect it's due to a technical limitation in
> the workflows because some hand tuning occurred. Or maybe it was the
> double plus sign, and fear of breaking user agents and shell scripts
> that parse the name. Wouldn't that be a cool little research
> project... You might get invited to give a talk at BlackHat for that one.
Interesting idea that this may break things. I may come back to this
when I have the spare time to analyze the various clients needed for
this kind of thing (NSS, openssl, libressl, boringssl, s2n, gnutls, ...)
and would need to find such scripts parsing the CNs.
>
>     May I also ask for default-forward to HTTPS when visiting
>     cryptopp.com <http://cryptopp.com>?
>
>
> How do we set that up?
>
> If it's Apache, then I should be able to make the change. If it's DNS,
> then I probably can't make the change because of account access
> limitations.
It's an Apache thing.

You basically define the virtual HTTP host to *only* forward the user to
the HTTPS site. This *may* even ease maintenance as you can basically
"forget" about the HTTP virtualhost. In the same run we may also want to
use HSTS, because it's the more "standard" solution for this...

Here's a how-to for HSTS on Apache:
https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

If you refuse to use HSTS, there are some ways to do the redirect:
https://stackoverflow.com/questions/16200501/http-to-https-apache-redirection
https://www.sslshopper.com/apache-redirect-http-to-https.html
https://stackoverflow.com/questions/11621053/redirect-http-to-https-on-default-virtual-host-without-servername
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

Sorry for the link-spam ;)

>
> Also, a low priority item is to get the visitor counter GIF working
> under HTTPS. It's only served over HTTP (from www.histats.com), so it's
> a mixed content item. I was thinking we could just host the script or
> CGI ourselves.
Do the following links help?
https://webmasters.stackexchange.com/questions/43678/is-it-possible-to-count-the-number-of-hits-or-loads-of-a-webpage-without-anythin
https://serverfault.com/questions/77888/server-visitor-count

BR

JPM
>
> Jeff
> -- 
> -- 
> You received this message because you are subscribed to the "Crypto++
> Users" Google Group.
> To unsubscribe, send an email to
> [email protected].
> More information about Crypto++ and this group is available at
> http://www.cryptopp.com.
> ---
> You received this message because you are subscribed to the Google
> Groups "Crypto++ Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
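
Added example, not part of the original e-mail and not the project's actual server configuration: an Apache layout for the setup described in the reply above, with a port-80 virtual host that only redirects to HTTPS and the HSTS header set on the HTTPS host. The certificate paths, DocumentRoot and max-age value are assumptions.

```apache
# Added example. Paths and max-age are placeholders/assumptions.
# Needs mod_ssl and mod_headers loaded; mod_alias provides Redirect.

# Port 80: serves no content, only forwards the visitor to HTTPS.
<VirtualHost *:80>
    ServerName cryptopp.com
    ServerAlias www.cryptopp.com
    # Redirect keeps the rest of the path:
    #   http://cryptopp.com/docs/x -> https://www.cryptopp.com/docs/x
    Redirect permanent / https://www.cryptopp.com/
</VirtualHost>

# Port 443: the real site, plus the HSTS response header.
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias cryptopp.com
    DocumentRoot /path/to/site            # placeholder

    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem      # placeholder
    SSLCertificateKeyFile /path/to/privkey.pem   # placeholder

    # Browsers ignore HSTS received over plain HTTP, so the header is set
    # here and not in the port-80 host. "always" also covers error pages.
    # A short max-age (e.g. 300) is a safer first rollout; one year shown.
    # includeSubDomains is left out: add it only if every subdomain
    # is reachable over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The redirect alone leaves each new plain-HTTP visit exposed until the 301 is followed; HSTS closes that gap for returning browsers, which is why the two are used together. `apachectl configtest` checks the syntax before a reload.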
