Hi Folks,

It is possible that we can get either a www.openoffice.org, a *.openoffice.org, 
or other specific <sub>.openoffice.org certificates.

There are older browsers where the apache.org certificate will take precedence 
for sites.

Does the project care to have an SSL certificate on www.openoffice.org? Is one 
needed for other public assets like wiki.openoffice.org?

Because <subproject>.openoffice.org is redirected to 
www.openoffice.org/<subproject>/ we will need a *.openoffice.org certificate. 
Do we care enough about the edge case of users in this subgroup to request a 
*.openoffice.org certificate that could be used on wiki.openoffice.org?

Thoughts?

Regards,
Dave

Begin forwarded message:

> From: Rob Weir <robw...@apache.org>
> Date: November 4, 2012 2:00:18 PM PST
> To: ooo-us...@incubator.apache.org
> Subject: Re: Bad site certificate
> Reply-To: ooo-us...@incubator.apache.org
> delivered-to: mailing list ooo-us...@incubator.apache.org
> 
> On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <dave2w...@comcast.net> wrote:
>> 
>> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>> 
>>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>>> On 25/10/2012 NoOp wrote:
>>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>>> prefer it over HTTP is to use:
>>>>>> https://ooo-site.apache.org
>>>>> Like the above, the URL should be configured to automatically redirect
>>>>> to https://ooo-site.apache.org when an https request is received?
>>>> 
>>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>>> the SSL handshake precedes the first opportunity to send a redirect".
>>> 
>>> That doesn't make any sense as I've already demonstrated that the other
>>> https links to those IP addresses do indeed redirect.
>>> 
>>>> 
>>>> But you are welcome to weigh in directly on
>>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>>> registration is open to everyone.
>>> 
>>> Thanks, but no thanks. I suppose I could provide a server trace &
>>> wireshark session file etc., but I doubt that it will do any good to
>>> attempt to change Daniel Shahaf's mind.  You, however, might ask him
>>> just how the other https links work on those IPs, yet the OOo link does
>>> not, and why 443 is turned on for that URL to begin with if Apache do
>>> not intend to support https on that link.
>> 
>> If 443 were turned off then another vhost for another project would answer 
>> the request and there would still be a warning.
>> 
>> If a *.openoffice.org certificate were purchased it would be secondary to 
>> *.apache.org and older browsers would still have trouble. I've set up 
>> multiple certificates on httpd at work and know this to be so. No way the 
>> ASF will put the *.openoffice.org certificate (if purchased) first.
>> 
>> We can do a rewrite of https traffic to http but that happens after the 
>> handshake and the security warning.
>> 
>> I doubt that this razor fine point is worth the effort and the tradeoff of 
>> increased complexity for Infrastructure.
>> 
> 
> Probably no use for SSL site wide, but we do have a small number of
> pages where we would benefit, like the login/registration pages for
> the openoffice.org domain wiki and the support forums.
> 
>> If we had a view of what browsers are used and how much is https we can 
>> measure the impact and determine if effort here is worth it.
>> 
>>> 
>>>> And if in the end the most sensible solution is that we acquire a
>>>> certificate for *.openoffice.org , this is surely something the PMC and
>>>> Infra can look into. But it would be good to see the discussion in the
>>>> issue page converge.
>> 
>> That discussion is there in the JIRA. You can see the bit above. It is an 
>> incremental improvement effective for modern browsers.
>> 
>> Regards,
>> Dave
>> 
>>>> 
>>>> Regards,
>>>>  Andrea.
>>>> 
>>> 
>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: ooo-users-unsubscr...@incubator.apache.org
>>> For additional commands, e-mail: ooo-users-h...@incubator.apache.org
>>> 
>> 
> 
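
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of how a server with several certificates on one address picks which one to present, and why the name check fails before any redirect can be sent. It assumes the "older browsers" are clients that do not send the SNI server name in the TLS ClientHello; the certificate table and function names are constructed for illustration.

```python
# Added illustration: models certificate selection on one IP:443 that serves
# several name-based virtual hosts. The certificate table is constructed.

# Order matters: the first entry is the default certificate, presented to any
# client whose ClientHello carries no SNI server name.
CERTS = [
    {"name": "apache", "sans": ["*.apache.org"]},
    {"name": "openoffice", "sans": ["*.openoffice.org"]},
]


def san_matches(pattern, host):
    """Wildcard matching per RFC 6125: '*' covers exactly one left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(cert, host):
    return any(san_matches(s, host) for s in cert["sans"])


def select_cert(sni):
    """Server side: choose by SNI when present, otherwise use the default."""
    if sni is not None:
        for cert in CERTS:
            if covers(cert, sni):
                return cert
    return CERTS[0]


def handshake(host, client_sends_sni):
    """Client side: the name check runs inside the TLS handshake, before the
    server has any chance to send an HTTP response such as a redirect."""
    cert = select_cert(host if client_sends_sni else None)
    verdict = "ok" if covers(cert, host) else "name-mismatch warning"
    return cert["name"], verdict


if __name__ == "__main__":
    for host in ("www.openoffice.org", "wiki.openoffice.org", "openoffice.org"):
        for sni in (True, False):
            print(host, "SNI" if sni else "no SNI", handshake(host, sni))
```

The model also shows that a `*.openoffice.org` wildcard does not cover the bare `openoffice.org` name, so that host would need its own entry in the certificate.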
