On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <[email protected]> wrote:
>
> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>
>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>> On 25/10/2012 NoOp wrote:
>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>> prefer it over HTTP is to use:
>>>>> https://ooo-site.apache.org
>>>> Like the above, the URL should be configured to automatically redirect
>>>> to https://ooo-site.apache.org when an https request is received?
>>>
>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>> the SSL handshake precedes the first opportunity to send a redirect".
>>
>> That doesn't make any sense as I've already demonstrated that the other
>> https links to those IP addresses do indeed redirect.
>>
>>>
>>> But you are welcome to weigh in directly on
>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>> registration is open to everyone.
>>
>> Thanks, but no thanks. I suppose I could provide a server trace &
>> wireshark session file etc., but I doubt that it will do any good to
>> attempt to change Daniel Shahaf's mind. You, however, might ask him
>> just how the other https links work on those IP's, yet the OOo link does
>> not, and why 443 is turned on for that URL to begin with if Apache do
>> not intend to support https on that link.
>
> If 443 were turned off then another vhost for another project would answer
> the request and there would still be a warning.
>
> If a *.openoffice.org certificate were purchased it would be secondary to
> *.apache.org and older browsers would still have trouble. I've set up multiple
> certificates on httpd at work and know this to be so. No way the ASF will put
> the *.openoffice.org certificate (if purchased) first.
>
> We can do a rewrite of https traffic to http but that happens after the
> handshake and the security warning.
>
> I doubt that this razor fine point is worth the effort and the tradeoff of
> increased complexity for Infrastructure.
>

Probably no use for SSL site wide, but we do have a small number of
pages where we would benefit, like the login/registration pages for
the openoffice.org domain wiki and the support forums.

> If we had a view of what browsers are used and how much is https we can
> measure the impact and determine if effort here is worth it.
>
>>
>>> And if in the end the most sensible solution is that we acquire a
>>> certificate for *.openoffice.org , this is surely something the PMC and
>>> Infra can look into. But it would be good to see the discussion in the
>>> issue page converge.
>
> That discussion is there in the JIRA. You can see the bit above. It is an
> incremental improvement effective for modern browsers.
>
> Regards,
> Dave
>
>>>
>>> Regards,
>>> Andrea.
