On 10/3/07, John Hasler <[EMAIL PROTECTED]> wrote:
>
> Chris Travers writes:
> > But consider Ubuntu.  Do you *really* want us writing global options to
> > your Apache configuration file, possibly overwriting SSL options, etc?
>
> On Debian and therefore probably on Ubuntu you just drop a file in the
> directory /etc/apache/conf.d.



The problem is that SSL is negotiated prior to the HTTP headers.  Hence the
certificate is tied to an IP address/Port combination.  Virtual servers,
directories, etc. cannot have their own SSL certificates.  Hence it really
is a global setting which may conflict with other certificates people
already have installed.


> > I think the case can be made that on Linux, the responsibility for
> > setting up the servers beyond some basic settings, should be the
> > responsibility of the administrator.
>
> It should be possible to set up a usable default configuration with at
> most a few debconf questions.



Sure.  Hence 1.3 will not touch the SSL settings but *will* restrict, by
default, access to localhost.

Note that there is one more issue with tampering with SSL setups.  SSL
provides two major security features:

1)  It protects against eavesdropping.  This is largely what we are talking
about right now, but many deployments may also need:

2)  It protects against one server impersonating another, so as to prompt
you to enter your credentials improperly.  In this case, a certificate
authority vouches for the authentication of the server.  If we include a
certificate, we aren't vouching for anyone's identity (except maybe "This
certificate is issued to 'localhost'").

Best Wishes,
Chris Travers


--
> John Hasler
> [EMAIL PROTECTED]
> Elmwood, WI USA
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Ledger-smb-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
>
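
The conflict described in the message above, as an added example that is not part of the original thread or the project's code: a check that reports when configuration files assign different certificates to the same address/port. The file names, addresses and certificate paths are constructed sample data, and wildcard bindings such as *:443 are compared literally (an assumption of this sketch).

```python
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)
CERT = re.compile(r"^\s*SSLCertificateFile\s+(\S+)", re.I)

def cert_bindings(files):
    """Map each address:port (or 'global') to {certificate path: config files}."""
    bindings = defaultdict(lambda: defaultdict(set))
    for name, text in files.items():
        scope = ["global"]              # directives outside any <VirtualHost>
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue                # Apache comments start the line
            opened = VHOST_OPEN.search(line)
            cert = CERT.match(line)
            if opened:
                scope = opened.group(1).split()   # a vhost may list several addresses
            elif VHOST_CLOSE.search(line):
                scope = ["global"]
            elif cert:
                for addr in scope:
                    bindings[addr][cert.group(1)].add(name)
    return bindings

def conflicts(files):
    """Bindings for which more than one distinct certificate is configured."""
    return {addr: {c: sorted(src) for c, src in certs.items()}
            for addr, certs in cert_bindings(files).items() if len(certs) > 1}

# Constructed sample: an existing site plus a package drop-in on the same IP/port.
SAMPLE = {
    "sites/shop.conf": """<VirtualHost 192.0.2.10:443>
    ServerName shop.example.org
    SSLCertificateFile /etc/ssl/certs/shop.pem
</VirtualHost>""",
    "conf.d/app-dropin.conf": """# constructed drop-in
<VirtualHost 192.0.2.10:443>
    ServerName ledger.example.org
    SSLCertificateFile /etc/ssl/certs/localhost.pem
</VirtualHost>""",
    "sites/other.conf": """<VirtualHost 192.0.2.11:443>
    SSLCertificateFile /etc/ssl/certs/other.pem
</VirtualHost>""",
}

if __name__ == "__main__":
    for addr, certs in conflicts(SAMPLE).items():
        print(addr, certs)
```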