[HCoop-Discuss] SSL without warnings (ie X.509 v3)
Karl Chen
quarl at cs.berkeley.edu
Fri Mar 16 02:08:33 EDT 2007
>>>>> On 2006-09-14 05:24 PDT, Anders Petersson writes:
Anders> I've investigated the murky depths of (Open)SSL and
Anders> discovered how we can use a single SSL certificate for
Anders> all hcoop hosted domains.
Anders> X.509 version 3 allows a number of extensions, among
Anders> those the most interesting one is subjectAltName, it
Anders> allows you to specify a list of names (not only
Anders> hostnames) the certificate is valid for.
[Extremely delayed reply] I'm now successfully using a
CAcert-signed certificate with subjectAltName for multiple
virtual-hosted domains on my own Apache server. Works on Firefox,
MSIE, Subversion (libapr), etc.
I think it would be reasonable for HCoop to support
subjectAltName via Domtool.
BTW, the default SSL virtual name-based host, e.g.
https://hcoop.net, https://64.20.38.170/, etc. is currently a
website for "International Human Rights Organisation"; perhaps we
should create a :443 vhost default, for unknown ServerNames,
making sure this vhost is listed in the configuration before any
other :443 vhost, with one of these options:
- same as http://hcoop.net
- redirect to http://hcoop.net
- redirect to https://members.hcoop.net
- error message or empty page
An additional option would be to also have a vhost for
https://hcoop.net that's different from the default.
--
Karl 2007-03-15 22:54
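The thread above rests on how a client decides that one certificate is valid for several hcoop domains: when an X.509 v3 certificate carries DNS entries in subjectAltName, a client matches the requested hostname against that list and ignores the CN; the CN is only a legacy fallback for certificates with no SAN at all. The following is an added example, not code from the list or from HCoop, showing that matching logic (RFC 6125 rules, including single-label wildcards) over a constructed certificate dict shaped like Python's ssl.getpeercert() output; the hostnames in it are hypothetical.

```python
# Constructed sample shaped like ssl.getpeercert() output for an X.509 v3
# certificate with a subjectAltName extension. Names are hypothetical.
SAMPLE_CERT = {
    "subject": ((("commonName", "hcoop.net"),),),
    "subjectAltName": (
        ("DNS", "hcoop.net"),
        ("DNS", "members.hcoop.net"),
        ("DNS", "*.example.hcoop.net"),
    ),
}


def _name_matches(pattern, hostname):
    """Match one DNS name from the certificate against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is honoured only as the entire leftmost label and matches exactly one
    label, so "*.example.hcoop.net" covers "wiki.example.hcoop.net" but
    neither "example.hcoop.net" nor "a.b.example.hcoop.net".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*", "*.net", "f*o.example" and any wildcard outside label 0.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return True when a client should accept `cert` for `hostname`.

    If the certificate carries any DNS subjectAltName entries they are
    authoritative and the CN is not consulted. Only a certificate with no
    DNS SAN entries falls back to matching the subject commonName.
    """
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_matches(value, hostname):
                return True
    return False
```

The last rule matters for the single-certificate setup discussed above: once a SAN list is present, a name that only appears in the CN is no longer accepted, so every hosted domain must be listed in subjectAltName.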