RE: Wild card SSL; use on multiple Apache servers

2012-10-25 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
 Sent: Wednesday, 24 October, 2012 19:11
 
 Nor does *.domain.com work for domain.com, correct?
 
Right. Which is why many (most?) public CAs when you request wildcard 
issue SubjAltNames containing two entries domain.com and *.domain.com .
Many I have looked at spend 3 or 10 huge web pages explaining how 
this is such a wonderful feature you should be thrilled to pay for, 
when it costs them zero and is a trivial workaround immediately 
obvious to anyone with an IQ above room temperature. But then 
basically all consumer products nowadays are marketed that way.

 Just out of curiosity, do you perceive a trust constrain[t] 
 there (for any real-world situation)?
 
No, same reasoning -- they've checked you control domain.com .
The wildcard standard just didn't include this case.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Alan Buxey
The wildcard is for a particular domain (* is valid for any host within it).
If your other server is in a different domain, then it won't work.

alan




Re: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Jeffrey Walton
On Wed, Oct 24, 2012 at 2:59 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 The wildcard is for a particular domain (* is value for any host within it)
 . If your other server is in a different domain, then it won't work.
Don't do it. It violates the principle of least privilege. Why should
a user be asked to trust the receptionist's machine in the lobby or a
developer's machine with lord knows what installed?

Use Server Name Indication (SNI) instead.

Jeff


RE: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
Sent: Wednesday, 24 October, 2012 03:00
To: aurfal...@gmail.com; openssl-users@openssl.org
Subject: Re: Wild card SSL; use on multiple Apache servers

The wildcard is for a particular domain (* is value for any host 
within it) . If your other server is in a different domain, 
then it won't work.

Right. Because the CA only verified your control of the domain 
that it issued the cert for; if you get a cert for fredsmith.com 
and could use it on a server that impersonates www.amazon.com 
you could steal billions of dollars from millions of people.

And an added point which is not obvious to some people,
it's only implemented for one level. *.domain.com works 
for www.domain.com ftp.domain.com silly.domain.com but 
NOT www.foo.domain.com . Even though this wouldn't actually 
violate the trust constraint in any situation I can imagine.


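The two rules stated in this thread (a wildcard covers exactly one label, so *.domain.com covers www.domain.com but not www.foo.domain.com, and the bare domain.com is only covered because the CA adds it as a second SubjectAltName entry, as in the poster's GoDaddy cert) as an added example that is not from the thread: a small Python name matcher in the style clients use, run over a constructed SAN list.

```python
# Added example, not from the mailing list. Implements the client-side
# hostname check for the wildcard cases discussed in the thread:
#   - "*" is accepted only as the whole left-most label;
#   - it matches exactly one DNS label, so "*.domain.com" covers
#     "www.domain.com" but not "domain.com" or "www.foo.domain.com";
#   - a certificate's Subject Alternative Name list is tried entry by entry.

def match_one(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    h_labels = hostname.split(".")
    if not all(h_labels):           # reject empty labels such as ".domain.com"
        return False
    if "*" not in pattern:
        return pattern == hostname  # exact (case-insensitive) match
    p_labels = pattern.split(".")
    # Only a bare "*" as the left-most label, followed by at least two fixed
    # labels, so "*.com" or "w*.domain.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # One label per wildcard: label counts must be identical.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry covers hostname, as a browser would decide."""
    return any(match_one(name, hostname) for name in san_names)


# Constructed SAN list shaped like the poster's certificate.
SAN = ["*.domain.com", "domain.com"]

if __name__ == "__main__":
    for host in ["www.domain.com", "domain.com", "www.foo.domain.com", "www.other.com"]:
        print(f"{host:22} covered: {cert_covers(SAN, host)}")
```

With only "*.domain.com" in the list, `cert_covers` returns False for "domain.com", which is exactly the gap the second SAN entry closes.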


Re: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Jeffrey Walton
On Wed, Oct 24, 2012 at 2:37 PM, Dave Thompson dthomp...@prinpay.com wrote:
From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
Sent: Wednesday, 24 October, 2012 03:00
To: aurfal...@gmail.com; openssl-users@openssl.org
Subject: Re: Wild card SSL; use on multiple Apache servers

The wildcard is for a particular domain (* is value for any host
within it) . If your other server is in a different domain,
then it won't work.

 Right. Because the CA only verified your control of the domain
 that it issued the cert for; if you get a cert for fredsmith.com
 and could use it on a server that impersonates www.amazon.com
 you could steal billions of dollars from millions of people.
I believe you can go to TrustWave and get certificates for domains
outside your control
(http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html).
Mozilla rewarded their bad behavior by continuing their inclusion
(https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

So much for Trust as a commodity

Jeff


RE: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Charles Mills
Nor does *.domain.com work for domain.com, correct?

Just out of curiosity, do you perceive a trust constraint there (for any
real-world situation)?

Charles

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, October 24, 2012 11:38 AM
To: openssl-users@openssl.org
Subject: RE: Wild card SSL; use on multiple Apache servers

From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
Sent: Wednesday, 24 October, 2012 03:00
To: aurfal...@gmail.com; openssl-users@openssl.org
Subject: Re: Wild card SSL; use on multiple Apache servers

The wildcard is for a particular domain (* is value for any host within 
it) . If your other server is in a different domain, then it won't 
work.

Right. Because the CA only verified your control of the domain that it
issued the cert for; if you get a cert for fredsmith.com and could use it on
a server that impersonates www.amazon.com you could steal billions of
dollars from millions of people.

And an added point which is not obvious to some people, it's only
implemented for one level. *.domain.com works for www.domain.com
ftp.domain.com silly.domain.com but NOT www.foo.domain.com . Even though
this wouldn't actually violate the trust constraint in any situation I can
imagine.



Wild card SSL; use on multiple Apache servers

2012-10-23 Thread aurfalien
Hi,

This topic is one that I am ignorant on and appreciate any guidance.

I found some sources of info on web and mailing lists that say I can simply 
copy a wild card cert to any apache server as is.

I've had a wild card cert running on one of my servers for a while now and wish 
to take advantage of this commercially purchased feature.

When I simply copy my public and private keys (commercial.crt, commercial.key) 
to another server and attempt to get to it via a browser, I get an error that 
the key is not trusted and is for *.domain.com and domain.com.  This isn't the 
exact error, but I hope you understand what's going on.

This leads me to think that I must export the key(s) from my working server and 
import to another server(s).

Both servers are Apache servers with openssl installed so I have the command 
suite available to use.

When viewing my cert, it looks like this;

Subject:/O=*.domain.com/OU=Domain Control Validated/CN=*.domain.com
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, 
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure 
Certification Authority/serialNumber=
Validation Days:start date - end date
Subject Alternative Name:   *.domain.com, domain.com

I removed the serial, domain name and dates.
 
So what is it that I must do, export a private key in a particular format?

Thanks in advance,

- aurf