cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Daniel Black <daniel AT cacert.org>
- To: jandd AT cacert.org, cacert-sysadm AT lists.cacert.org
- Subject: Apache / Debian packaging / SSL Renegotiation
- Date: Fri, 26 Mar 2010 14:30:24 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
Jan and others,
I need some help. With browsers moving to fix CVE-2009-3555, and Safari's
abnormal responses to optional client certificate authentication, it seems the
approach is to move from Directory/Location based certificate authentication
to domain based certificate authentication[1]. There are two ways to achieve
this:
1. SNI
2. IP-separated domains, like typical SSL services
#1
SNI has the advantage that it uses fewer IP addresses. SubjectAltNames, as I've
tested on {nocert,cert,}.lists.cacert.org, work quite well on the client side.
It has the disadvantage that Debian Lenny doesn't have an apache or lighttpd
package of sufficient version to support SNI. There is no backport available.
It is, however, in the Debian testing (squeeze) repository:
http://packages.debian.org/squeeze/apache2.2-common
The lack of SNI support in IE (Windows XP) isn't a major issue, as all sites
will be serving the same content. There will probably be a default page on
SSLVerifyClient optional, which IE (XP) handles nicely from what I can tell
(and from the lack of objections/problems).
#2
Our provider has offered more IPs; however, I'm avoiding this option slightly
just for the time being.
I estimate the following IP requirements
3 - {,nocert.,cert.}lists.cacert.org (nocert is needed to avoid automatic
cert login - needed by
2 - {,cert. }wiki.cacert.org
2 - {,cert. }blog.cacert.org
2 - {,cert. }bugs.cacert.org
2 - {,cert. }test.cacert.org (some test infrastructure???)
2 - {,cert. }issue.cacert.org
2 - {,cert. }community.cacert.org
3 - {,nocert.,cert.}svn.cacert.org (??)
2 - {,cert. }ldap.cacert.org
(others/corrections ?)
As you can see, our IP requirements double quite quickly.
{domain} will be optional client certificate related
cert.{domain} will be required client certificate related
nocert.{domain} won't ask for a client cert
So my question is - how to go for Bern infrastructure?
1. squeeze
2. lenny and create/maintain backported apache2
3. more IPs
4. something else?
[1] https://lists.cacert.org/wws/arc/cacert-sysadm/2010-03/msg00000.html
--
Daniel Black
Infrastructure Team Lead
CAcert
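The three-way split described in the message above ({domain} with an optional client certificate, cert.{domain} with a required one, nocert.{domain} never asking), written out as Apache 2.2 mod_ssl configuration. This is an added example, not configuration from the original message or from CAcert's own hosts: the certificate and key paths, the CA bundle name, the DocumentRoot and the address 192.0.2.10 are assumed placeholders. The first block shows the Location-based form the message wants to move away from, the second the per-hostname form that replaces it.

```apache
# Added example, not configuration from the original message or from CAcert.
# Paths under /etc/ssl/ and /var/www/ and the address 192.0.2.10 are assumed
# placeholders. Apache does not allow comments after a directive on the same
# line, so every comment here sits on its own line.

# ---- Before: Location-based client-cert auth inside a single vhost --------
# SSLVerifyClient is changed per Location, so mod_ssl has to renegotiate the
# TLS session after the request URI is known. Once browsers are patched for
# CVE-2009-3555 they refuse that renegotiation and /cert/ stops working.
<VirtualHost 192.0.2.10:443>
    ServerName lists.cacert.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.cacert.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.cacert.org.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient none
    DocumentRoot /var/www/lists
    <Location /cert/>
        # per-Location change of the verify mode => renegotiation
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# ---- After: one SSLVerifyClient setting per hostname ----------------------
# The decision is fixed in the initial handshake, so no renegotiation is
# needed. With SNI (mod_ssl 2.2.12 or later built against OpenSSL 0.9.8f or
# later, i.e. the squeeze apache2 package rather than lenny's) all three
# hosts share one address and one certificate that carries the three names
# as SubjectAltNames. Without SNI each vhost needs its own IP, which is the
# "IP requirements double" case from the message.
NameVirtualHost 192.0.2.10:443

# {domain}: request a certificate but serve the page either way. Listed
# first for this address so that clients without SNI (IE on Windows XP)
# land on the optional variant.
<VirtualHost 192.0.2.10:443>
    ServerName lists.cacert.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.cacert.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.cacert.org.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth  2
    DocumentRoot /var/www/lists
</VirtualHost>

# cert.{domain}: a client certificate chaining to the CA is mandatory.
<VirtualHost 192.0.2.10:443>
    ServerName cert.lists.cacert.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.cacert.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.cacert.org.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
    DocumentRoot /var/www/lists
</VirtualHost>

# nocert.{domain}: never request a certificate, so a browser that holds a
# client cert is not logged in automatically.
<VirtualHost 192.0.2.10:443>
    ServerName nocert.lists.cacert.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.cacert.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.cacert.org.key
    SSLVerifyClient none
    DocumentRoot /var/www/lists
</VirtualHost>
```

To check the mapping, `apache2ctl -S` lists which vhost each name resolves to, and `openssl s_client -connect 192.0.2.10:443 -servername cert.lists.cacert.org` (OpenSSL 0.9.8f or later) shows whether the server sends a CertificateRequest for that name; repeating it without `-servername` shows what a non-SNI client such as IE on XP gets, which should be the first vhost with its optional setting.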
- Apache / Debian packaging / SSL Renegotiation, Daniel Black, 03/26/2010
- Re: Apache / Debian packaging / SSL Renegotiation, Jan Dittberner, 03/26/2010
- Re: Apache / Debian packaging / SSL Renegotiation, Daniel Black, 03/26/2010
- Re: Apache / Debian packaging / SSL Renegotiation, Ian G, 03/26/2010
- Re: Apache / Debian packaging / SSL Renegotiation, Jan Dittberner, 03/26/2010