Re: Redirect without and SSL certificate

2018-07-18 Thread Friscia, Michael
Thanks, I had not heard of that solution so I will chase it down to see if we 
can make it work.

As for the response, I assumed that was the case and what’s the point of SSL if 
there was a way to bypass it…just wishful thinking…

___
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu


From: Jeff Abrahamson 
Date: Wednesday, July 18, 2018 at 11:33 AM
To: "nginx@nginx.org" , Michael Friscia 

Subject: Re: Redirect without and SSL certificate


Could you use letsencrypt to manage all those certs?

What you want can't work: the client makes an SSL request, you respond (with a 
301), the client detects that the interaction was not properly authenticated, 
and so complains to the user.  It's out of your hands, which is the whole point 
of SSL identity validation.

Jeff Abrahamson

+33 6 24 40 01 57

+44 7920 594 255



http://p27.eu/jeff/

On 18/07/18 17:10, Friscia, Michael wrote:
We have a problem where we have a large number of vanity domain names that are 
redirected. For example we have surgery.yale.edu which redirects to 
medicine.yale.edu/surgery. This works fine until someone tries to request 
https://surgery.yale.edu. For administrative reasons, I cannot get a wildcard certificate to handle 
*.yale.edu and make this simple to solve.

My question is if there is any way to redirect a request listening on port 80 
and 443 but bypass the SSL certificate warning so it will redirect? I would 
assume the order of operation with HTTPS is to first validate the certificate 
but I really want the 301 redirect to take place before the SSL cert is 
verified.

I’m open to ideas but we are limited in what we can actually do so as it stands 
the only solution we have is to request a certificate for each of the 600+ 
domains.

___
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu





___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Redirect without and SSL certificate

2018-07-18 Thread Jeff Abrahamson
Could you use letsencrypt to manage all those certs?

What you want can't work: the client makes an SSL request, you respond
(with a 301), the client detects that the interaction was not properly
authenticated, and so complains to the user.  It's out of your hands,
which is the whole point of SSL identity validation.

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/


On 18/07/18 17:10, Friscia, Michael wrote:
>
> We have a problem where we have a large number of vanity domain names
> that are redirected. For example we have surgery.yale.edu which
> redirects to medicine.yale.edu/surgery. This works fine until someone
> tries to request https://surgery.yale.edu. For administrative reasons,
> I cannot get a wildcard certificate to handle *.yale.edu and make this
> simple to solve.
>
> My question is if there is any way to redirect a request listening on
> port 80 and 443 but bypass the SSL certificate warning so it will
> redirect? I would assume the order of operation with HTTPS is to first
> validate the certificate but I really want the 301 redirect to take
> place before the SSL cert is verified.
>
> I’m open to ideas but we are limited in what we can actually do so as
> it stands the only solution we have is to request a certificate for
> each of the 600+ domains.
>
> ___
> Michael Friscia
> Office of Communications
> Yale School of Medicine
> (203) 737-7932 - office
> (203) 931-5381 - mobile
> http://web.yale.edu

-- 

Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/


Re: Redirect without and SSL certificate

2018-07-18 Thread Maxim Dounin
Hello!

On Wed, Jul 18, 2018 at 03:10:54PM +, Friscia, Michael wrote:

> We have a problem where we have a large number of vanity domain 
> names that are redirected. For example we have surgery.yale.edu 
> which redirects to medicine.yale.edu/surgery. This works fine 
> until someone tries to request https://surgery.yale.edu. For 
> administrative reasons, I cannot get a wildcard certificate to 
> handle *.yale.edu and make this simple to solve.
> 
> My question is if there is any way to redirect a request 
> listening on port 80 and 443 but bypass the SSL certificate 
> warning so it will redirect? I would assume the order of 
> operation with HTTPS is to first validate the certificate but I 
> really want the 301 redirect to take place before the SSL cert 
> is verified.
>
> I’m open to ideas but we are limited in what we can actually do 
> so as it stands the only solution we have is to request a 
> certificate for each of the 600+ domains.

Certificate warning appears when client establishes a connection 
and cannot verify a certificate.  The connection is not 
established at this point, and a request is not sent.  You cannot 
return a redirect unless the client agrees to continue despite the 
certificate warning.

That is, if you want redirects to be returned, the only option is 
to obtain valid certificates.

Another option might be to reject https connections to domains 
when it is not configured to use https.  When using SNI, you can 
configure nginx to selectively reject connections to some names by 
using unsatisfiable ssl_ciphers (see 
https://trac.nginx.org/nginx/ticket/195#comment:6).

-- 
Maxim Dounin
http://mdounin.ru/
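
The two options from the reply above, sketched as nginx configuration. This is an added example, not configuration posted by anyone in the thread; the certificate paths, the `https://` redirect target and the use of `aNULL` as the unsatisfiable cipher list are assumptions.

```nginx
# Added example. Certificate paths and the https:// redirect target are assumptions.

# Option 1: the vanity name has a certificate the client can verify for
# surgery.yale.edu (for instance one issued per name by an ACME CA such as
# Let's Encrypt, as suggested in the thread). The handshake completes, so
# the 301 can be returned on 443 as well as on 80.
server {
    listen 80;
    listen 443 ssl;
    server_name surgery.yale.edu;

    ssl_certificate     /etc/nginx/certs/surgery.yale.edu/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/surgery.yale.edu/privkey.pem;    # placeholder

    return 301 https://medicine.yale.edu/surgery;
}

# Option 2: names that have no certificate. HTTPS is refused during the
# handshake instead of producing a certificate warning. As the default
# server for 443, this block catches every SNI name that has no server
# block of its own; port 80 server blocks for those names are unaffected.
server {
    listen 443 ssl default_server;
    server_name _;

    # Anonymous suites only: ordinary clients do not offer them, so no shared
    # cipher exists and the handshake fails. ssl_ciphers does not control
    # TLS 1.3 suites, so this depends on TLS 1.2 or older being negotiated.
    ssl_ciphers aNULL;

    # nginx still requires a certificate for an ssl listener; it is not
    # sent to a client that cannot agree on a cipher.
    ssl_certificate     /etc/nginx/certs/dummy.crt;   # placeholder, self-signed
    ssl_certificate_key /etc/nginx/certs/dummy.key;   # placeholder

    return 444;   # close without a response if a handshake ever completes
}
```

On nginx 1.19.4 and later, `ssl_reject_handshake on;` in the default server gives the same rejection without the dummy certificate or the cipher trick.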

Redirect without and SSL certificate

2018-07-18 Thread Friscia, Michael
We have a problem where we have a large number of vanity domain names that are 
redirected. For example we have surgery.yale.edu which redirects to 
medicine.yale.edu/surgery. This works fine until someone tries to request 
https://surgery.yale.edu. For administrative reasons, I cannot get a wildcard 
certificate to handle *.yale.edu and make this simple to solve.

My question is if there is any way to redirect a request listening on port 80 
and 443 but bypass the SSL certificate warning so it will redirect? I would 
assume the order of operation with HTTPS is to first validate the certificate 
but I really want the 301 redirect to take place before the SSL cert is 
verified.

I’m open to ideas but we are limited in what we can actually do so as it stands 
the only solution we have is to request a certificate for each of the 600+ 
domains.

___
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu
