On Nov 1, 2012, at 5:39 PM, NoOp wrote: > On 11/01/2012 10:45 AM, Andrea Pescetti wrote: >> On 25/10/2012 NoOp wrote: >>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote: >>>> The recommended way to access the OpenOffice site in HTTPS for those who >>>> prefer it over HTTP is to use: >>>> https://ooo-site.apache.org >>> Like the above, the URL should be configured to automatically redirect >>> to https://ooo-site.apache.org when an https request is received? >> >> Apparently, this won't work since Infra says "Redirect won't work, as >> the SSL handshake precedes the first opportunity to send a redirect". > > That doesn't make any sense as I've already demonstrated that the other > https links to those IP addresses do indeed redirect. > >> >> But you are welcome to weigh in directly on >> https://issues.apache.org/jira/browse/INFRA-5450 : >> registration is open to everyone. > > Thanks, but no thanks. I suppose I could provide a server trace & > wireshark session file etc., but I doubt that it will do any good to > attempt to change Daniel Shahaf's mind. You, however, might ask him > just how the other https links work on those IP's, yet the OOo link does > not, and why 443 is turned on for that URL to begin with if Apache do > not intend to support https on that link.
If 443 were turned off then another vhost for another project would answer the request and there would still be a warning. If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've setup multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first. We can do a rewrite of https traffic to http but that happens after the handshake and the security warning. I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure. If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it. > >> And if in the end the most sensible solution is that we acquire a >> certificate for *.openoffice.org , this is surely something the PMC and >> Infra can look into. But it would be good to see the discussion in the >> issue page converge. That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers. Regards, Dave >> >> Regards, >> Andrea. >> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
