Re: https://wiki.freebsd.org/ certificate error
On 2 March 2013 07:48, Jeremy Chadwick j...@koitsu.org wrote:

(Please keep me CC'd as I'm not subscribed to -questions)

(I'm CC'ing Simon Nielsen who maintains the FreeBSD webserver cluster, as this obviously needs to be looked at.)

[...]

NOW BACK TO THE ACTUAL PROBLEM REPORTED --

It appears that whoever maintains the FreeBSD webservers in the cluster **assumes** that the connecting client supports SNI. That assumption, as someone who ran a hosting organisation since 1993, is rude (some might say bad, but I would say rude). Web browsers/clients that don't support SNI are screwed -- they'll receive a certificate validation failure error.

Internet Explorer 6.x through 8.x -- newer is not available on Windows XP -- do not support SNI (this is even mentioned in the above Wikipedia page). They return the error "There is a problem with this website's security certificate" due to lack of SNI support.

Let me be clear: THIS IS NOT THE FAULT (OR AGE) OF THE OS. THIS HAS TO DO WITH THE WEB BROWSER. Why? Because Firefox 19.0 on Windows XP works just fine, as it supports SNI.

AFAIR the problem is that some crypto library on Windows XP does not support SNI. IE uses it, Firefox and others probably don't.

So how do you solve this problem for legacy clients? Simple: By dedicating an IP address to the SSL-based virtualhost/webserver (i.e. one IP address per SSL-based virtual host), and do away with name-based vhosting for SSL. That's the only way.

I agree that SNI is suboptimal, unfortunately it was the best of bad solutions:

- We just don't have enough IPv4 addresses to dedicate one per virtual hostname.
- We could use IPv6 only which means excluding even more legacy clients.
- Bundling all sites under www.freebsd.org creates problems with cookies, more pain in configuration, and less flexibility in moving things around.
- Using SubjectAlternativeName (SAN) certificates were strongly considered, but fewer CAs support them (most have no clue) and it becomes a lot more painful to add new hosts. Those are also not fully supported by all older OSes still in use.

--
Simon L. B. Nielsen

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Old releases support
On 2 Mar 2013 09:47, Andrea Venturoli m...@netfence.it wrote:

Just a quick question on EOL dates. According to http://www.freebsd.org/security/security.html#sup, 7.4R support should have ended two days ago. Did it? Is Feb 28 2013 date confirmed?

Next, 9.0 should reach EOL at the end of this month. Is this confirmed too?

Correct on both accounts. As the updates are manual nobody just got to removing 7.4 yet. I should have sent a mail out with warning a month ago but forgot.

--
Simon
Re: Sorry state of the rsync based CVS,replication
On 12 Nov 2010, at 09:47, Patrick Bihan-Faou wrote:

Don't take this as flamebait, because I have no intention of starting a war on this particular issue, but as good as cvsup is, this is unfortunately a fairly isolated tool that, from my perspective (which is necessarily biased and incomplete), does not offer any feature compelling enough to prefer it over rsync in our case. That position is by essence just a personal view, applicable to me only and not to anybody else. Also I have to admit that now that the m3 dependency is gone with csup, it becomes easier to return to it.

The issue is not to remove CVS via rsync - just to remove it from the FTP collection where it doesn't belong. There is nothing which prevents mirror sites from providing access to the CVS repo via rsync, even if they get it via CVSup...

If it's useful (i.e., any of the primary mirrors requests it) we can probably rather easily set up rsync access via cvsup-master. That said, I think rsync access is likely not too interesting for most master mirrors as they likely provide access to the repo via CVSup already, so they have cvsup installed already.

--
Simon L. B. Nielsen
Hat: FreeBSD.org clusteradm