On 10/3/07, John Hasler <[EMAIL PROTECTED]> wrote:
>
> Chris Travers writes:
> > But consider Ubuntu. Do you *really* want us writing global options to
> > your Apache configuration file, possibly overwriting SSL options, etc?
>
> On Debian and therefore probably on Ubuntu you just drop a file in the
> directory /etc/apache/conf.d.
The problem is that SSL is negotiated prior to the HTTP headers. Hence the
certificate is tied to an IP address/Port combination. Virtual servers,
directories, etc. cannot have their own SSL certificates. Hence it really
is a global setting which may conflict with other certificates people
already have installed.
> > I think the case can be made that on Linux, the responsibility for
> > setting up the servers beyond some basic settings, should be the
> > responsibility of the administrator.
>
> It should be possible to set up a usable default configuration with at most
> a few debconf questions.
Sure. Hence 1.3 will not touch the SSL settings but *will* restrict, by
default, access to localhost.
Note that there is one more issue with tampering with SSL setups. SSL
provides two major security features:

1) It protects against eavesdropping. This is largely what we are talking
about right now, but many deployments may also need:

2) It protects against one server impersonating another, so as to prompt
you to enter your credentials improperly. In this case, a certificate
authority vouches for the authentication of the server. If we include a
certificate, we aren't vouching for anyone's identity (except maybe "This
certificate is issued to 'localhost'").
Best Wishes,
Chris Travers
--
> John Hasler
> [EMAIL PROTECTED]
> Elmwood, WI USA
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Ledger-smb-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
>