[Boost][website] SSL certificate

I recently switched from Firefox to Chromium, and I've been having issues accessing [1]https://svn.boost.org. It seems that the SSL certificate used for [2]svn.boost.org is either not properly configured, or not issued by one of the major SSL certificate providers (e.g. VeriSign, GoDaddy). Examination of the certificate indicates that it's issued by the Computer Science Department of Indiana University, and the certificate doesn't have a chain that leads back to a well known CA (the chain is just '[3]svn.boost.org => [4]cs.indiana.edu', and most browsers I've tried don't recognize [5]cs.indiana.edu as a legitimate CA by default).
If this isn't just a matter of improper configuration (or, for that matter, just a matter of my browsers being screwy), I'd be happy to offer my own SSL certificate to Boost. The certificate is a standard SSL certificate issued by GoDaddy (domain controlled validation, certificate signing algorithm is RSA 2048 bits), and it's paid through 02/20/2011.
I'm currently using my cert for my Debian mirror, so I would have to revoke the current certificate, and then submit a CSR from [6]boost.org's server. Ideally, then I would generate a CSR request, and the boost server would sign it; I'd end up with a cert chain of 'mysite => [7]boost.org => GoDaddy'. [8]boost.org and subdomains would have a cert signed directly by GoDaddy, so the [9]svn.boost.org cert would be verified by most browsers automatically.
If there's any interest in this, please let me know.
- Bryce Lelbach
References
1. https://svn.boost.org/
2. http://svn.boost.org/
3. http://svn.boost.org/
4. http://cs.indiana.edu/
5. http://cs.indiana.edu/
6. http://boost.org/
7. http://boost.org/
8. http://boost.org/
9. http://svn.boost.org/

[Sorry for the long quote, but this all looks like relevant info and the thread has been dead a while...]
At Mon, 14 Jun 2010 09:55:17 -0700, admin@thefireflyproject.us wrote:
I recently switched from Firefox to Chromium, and I've been having issues accessing [1]https://svn.boost.org. It seems that the SSL certificate used for [2]svn.boost.org is either not properly configured, or not issued by one of the major SSL certificate providers (e.g. VeriSign, GoDaddy). Examination of the certificate indicates that it's issued by the Computer Science Department of Indiana University, and the certificate doesn't have a chain that leads back to a well known CA (the chain is just '[3]svn.boost.org => [4]cs.indiana.edu', and most browsers I've tried don't recognize [5]cs.indiana.edu as a legitimate CA by default).
If this isn't just a matter of improper configuration (or, for that matter, just a matter of my browsers being screwy), I'd be happy to offer my own SSL certificate to Boost. The certificate is a standard SSL certificate issued by GoDaddy (domain controlled validation, certificate signing algorithm is RSA 2048 bits), and it's paid through 02/20/2011.
I'm currently using my cert for my Debian mirror, so I would have to revoke the current certificate, and then submit a CSR from [6]boost.org's server. Ideally, then I would generate a CSR request, and the boost server would sign it; I'd end up with a cert chain of 'mysite => [7]boost.org => GoDaddy'. [8]boost.org and subdomains would have a cert signed directly by GoDaddy, so the [9]svn.boost.org cert would be verified by most browsers automatically.
If there's any interest in this, please let me know.
- Bryce Lelbach
References
1. https://svn.boost.org/
2. http://svn.boost.org/
3. http://svn.boost.org/
4. http://cs.indiana.edu/
5. http://cs.indiana.edu/
6. http://boost.org/
7. http://boost.org/
8. http://boost.org/
9. http://svn.boost.org/
If we still don't have a valid cert, we should cert-ainly (sorry) consider taking Bryce up on his offer. Bryce, is this a wildcard cert? If not, how can it work for our subdomains? -- Dave Abrahams BoostPro Computing http://www.boostpro.com

On 8/16/2010 12:54 AM, David Abrahams wrote:
At Mon, 14 Jun 2010 09:55:17 -0700, admin@thefireflyproject.us wrote:
I recently switched from Firefox to Chromium, and I've been having issues accessing [1]https://svn.boost.org. It seems that the SSL certificate used for [2]svn.boost.org is ... not issued by one of the major SSL certificate providers (e.g. VeriSign, GoDaddy)
If we still don't have a valid cert, we should cert-ainly (sorry) consider taking Bryce up on his offer. Bryce, is this a wildcard cert? If not, how can it work for our subdomains?
Just because a cert is not signed by a built-in CA doesn't make it invalid. Having either self signed certs or locally signed certs is a common occurrence (I do it for most of my own HTTPS/SSH sites). So I don't see a real reason to start paying a major CA for them to sign a cert. -- -- Grafik - Don't Assume Anything -- Redshift Software, Inc. - http://redshift-software.com -- rrivera/acm.org (msn) - grafik/redshift-software.com -- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

On 8/16/2010 8:33 AM, Rene Rivera wrote:
On 8/16/2010 12:54 AM, David Abrahams wrote:
At Mon, 14 Jun 2010 09:55:17 -0700, admin@thefireflyproject.us wrote:
I recently switched from Firefox to Chromium, and I've been having issues accessing [1]https://svn.boost.org. It seems that the SSL certificate used for [2]svn.boost.org is ... not issued by one of the major SSL certificate providers (e.g. VeriSign, GoDaddy)
If we still don't have a valid cert, we should cert-ainly (sorry) consider taking Bryce up on his offer. Bryce, is this a wildcard cert? If not, how can it work for our subdomains?
Just because a cert is not signed by a built-in CA doesn't make it invalid. Having either self signed certs or locally signed certs is a common occurrence (I do it for most of my own HTTPS/SSH sites). So I don't see a real reason to start paying a major CA for them to sign a cert.
Firefox users are presented with a "Get Me Out Of Here!" page and must click through a bunch of dialogs to add an exception for the cert. I think this is a real reason for getting an officially signed cert. -- Eric Niebler BoostPro Computing http://www.boostpro.com

At Mon, 16 Aug 2010 07:33:04 -0500, Rene Rivera wrote:
Just because a cert is not signed by a built-in CA doesn't make it invalid. Having either self signed certs or locally signed certs is a common occurrence (I do it for most of my own HTTPS/SSH sites). So I don't see a real reason to start paying a major CA for them to sign a cert.
I know that, but a lot of people don't. And web browsers are making untrusted CA signatures look increasingly alarming---it makes people nervous and degrades trust in Boost. I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms. -- Dave Abrahams BoostPro Computing http://www.boostpro.com

On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>. -- -- Grafik - Don't Assume Anything -- Redshift Software, Inc. - http://redshift-software.com -- rrivera/acm.org (msn) - grafik/redshift-software.com -- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

Rene Rivera wrote:
On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>.
The problem is sending usernames and passwords unencrypted, which would be the case when turning off SSL.

On 8/16/2010 11:53 AM, Thomas Heller wrote:
Rene Rivera wrote:
On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>.
The problem is sending usernames and passwords unencrypted, which would be the case when turning off SSL.
Even for HTTP svn doesn't send passwords in the clear, IIRC. And I'm fairly sure neither does Trac. -- -- Grafik - Don't Assume Anything -- Redshift Software, Inc. - http://redshift-software.com -- rrivera/acm.org (msn) - grafik/redshift-software.com -- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

At Mon, 16 Aug 2010 12:14:04 -0500, Rene Rivera wrote:
On 8/16/2010 11:53 AM, Thomas Heller wrote:
Rene Rivera wrote:
On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>.
The problem is sending usernames and passwords unencrypted, which would be the case when turning off SSL.
Even for HTTP svn doesn't send passwords in the clear, IIRC. And I'm fairly sure neither does Trac.
News to me. Again, this is (at least) a matter of perception: people don't know that. -- Dave Abrahams BoostPro Computing http://www.boostpro.com
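Whether a password actually crosses the wire on plain HTTP depends on the HTTP authentication scheme the server is configured with, not on Subversion or Trac themselves: Basic sends it base64-encoded, which anyone on the network path can reverse, while Digest sends only a nonce-bound hash of it. The Go program below is added here as an illustration and is not part of the thread. It is a small audit helper for exactly the question Thomas, Rene and Dave are arguing about: given a raw request as a proxy or packet capture would show it, it reports the scheme in use and whether the password itself is recoverable from the request. The two sample requests are constructed inline; the host name svn.example.org and the user name "user" are placeholders, not real credentials.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// AuthReport is what a passive observer on the path learns from one
// plain-HTTP request's Authorization header.
type AuthReport struct {
	Scheme              string // "Basic", "Digest", "none", or another scheme name
	Username            string // user name, where the scheme carries it in the clear
	PasswordRecoverable bool   // true when the password itself is in the request
}

// classifyAuth parses one raw HTTP/1.1 request and classifies its auth scheme.
func classifyAuth(raw string) (AuthReport, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return AuthReport{}, err
	}
	hdr := req.Header.Get("Authorization")
	if hdr == "" {
		return AuthReport{Scheme: "none"}, nil
	}
	scheme, params, _ := strings.Cut(hdr, " ")
	switch strings.ToLower(scheme) {
	case "basic":
		// Basic is encoding, not encryption: base64("user:password") is
		// reversible by anyone who sees the request.
		decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(params))
		if err != nil {
			return AuthReport{}, err
		}
		user, _, _ := strings.Cut(string(decoded), ":")
		return AuthReport{Scheme: "Basic", Username: user, PasswordRecoverable: true}, nil
	case "digest":
		// Digest exposes the user name but only a hash of the password
		// bound to the server's nonce; the password itself is absent.
		// Everything else in the exchange is still visible without TLS.
		return AuthReport{Scheme: "Digest", Username: digestParam(params, "username")}, nil
	default:
		return AuthReport{Scheme: scheme}, nil
	}
}

// digestParam extracts one key="value" pair from a Digest header's parameters.
func digestParam(params, key string) string {
	for _, part := range strings.Split(params, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if ok && strings.EqualFold(k, key) {
			return strings.Trim(v, `"`)
		}
	}
	return ""
}

// sampleBasicRequest is a constructed request, not a capture from any server.
func sampleBasicRequest() string {
	creds := base64.StdEncoding.EncodeToString([]byte("user:s3cr3t")) // placeholder credentials
	return "GET /svn/trunk/ HTTP/1.1\r\nHost: svn.example.org\r\n" +
		"Authorization: Basic " + creds + "\r\n\r\n"
}

// sampleDigestRequest is a constructed request with a made-up nonce/response.
func sampleDigestRequest() string {
	return "GET /svn/trunk/ HTTP/1.1\r\nHost: svn.example.org\r\n" +
		`Authorization: Digest username="user", realm="svn", nonce="n0nce", ` +
		`uri="/svn/trunk/", response="0123456789abcdef"` + "\r\n\r\n"
}

func main() {
	for _, raw := range []string{sampleBasicRequest(), sampleDigestRequest()} {
		rep, err := classifyAuth(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", rep)
	}
}
```

The point for the thread: the same Subversion client talking to the same mod_dav_svn server is in the clear or not purely according to which `AuthType` Apache was given, so "svn doesn't send passwords in the clear over HTTP" is only true for a Digest-configured server. Running a capture of a login through `classifyAuth` is a quick way to settle the question for a specific host before deciding whether HTTPS can be dropped.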

AMDG
Thomas Heller wrote:
Rene Rivera wrote:
On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>.
The problem is sending usernames and passwords unencrypted, which would be the case when turning off SSL.
I would assume that those with user accounts could still log in using HTTPS. Most of them should know about the certificate already. The people to worry about are the ones who are just browsing the wiki or submitting a bug report. HTTP should be fine for this. In Christ, Steven Watanabe

On Mon, Aug 16, 2010 at 10:24 AM, Steven Watanabe <watanabesj@gmail.com> wrote:
AMDG
Thomas Heller wrote:
Rene Rivera wrote:
On 8/16/2010 11:39 AM, David Abrahams wrote:
I suppose, pretty soon, we may not need to have any https stuff on our own domain anyway, but as long as we do have to do that, it would be good to have a cert that doesn't raise any alarms.
Hm.. I guess this is a pertinent question.. Do we really need HTTPS stuff even now? I mean.. <http://svn.boost.org/svn> currently works. So it's just a matter of turning on <http://svn.boost.org/trac>.
The problem is sending usernames and passwords unencrypted, which would be the case when turning off SSL.
I would assume that those with user accounts could still log in using HTTPS. Most of them should know about the certificate already. The people to worry about are the ones who are just browsing the wiki or submitting a bug report. HTTP should be fine for this.
Should be, but sometimes they connect via HTTPS anyway. This causes hiccups. It's not a huge problem worth spending lots of resources on solving but it might be worth spending enough to get the cert from Bryce (which is probably less than this thread has already consumed). -- Dave Abrahams BoostPro Computing http://www.boostpro.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/16/2010 01:54 AM, David Abrahams wrote:
If we still don't have a valid cert, we should cert-ainly (sorry) consider taking Bryce up on his offer. Bryce, is this a wildcard cert? If not, how can it work for our subdomains?
GoDaddy is now offering open source projects free SSL certificates for a year (there may be fine print or flags attached, but it's worth investigating. http://www.godaddy.com/gdshop/ssl/ssl_opensource.asp?ci=21422). Boost would certainly qualify. I'm not sure if they're offering wildcard or UCC certificates, but at the least, it would be nice to have a certificate signed by a more commonly recognized CA for SVN.
- Bryce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxpmZgACgkQO/fqqIuE2t6ANwCeOJeRoVYzYo7KCdnrKyUiLtIb
ruQAn34ktUm6swxtJkw9k2H1FmkfTLVT
=MnPI
-----END PGP SIGNATURE-----

On Mon, Aug 16, 2010 at 2:03 PM, Bryce Lelbach aka wash <admin@thefireflyproject.us> wrote:
On 08/16/2010 01:54 AM, David Abrahams wrote:
If we still don't have a valid cert, we should cert-ainly (sorry) consider taking Bryce up on his offer. Bryce, is this a wildcard cert? If not, how can it work for our subdomains?
GoDaddy is now offering open source projects free SSL certificates for a year (there may be fine print or flags attached, but it's worth investigating. http://www.godaddy.com/gdshop/ssl/ssl_opensource.asp?ci=21422). Boost would certainly qualify. I'm not sure if they're offering wildcard or UCC certificates, but at the least, it would be nice to have a certificate signed by a more commonly recognized CA for SVN.
As I recall, http://www.startssl.com/ offers free certificates and this CA (StartCom) is recognized by IE, Firefox, Chrome, and others.
participants (9)
- admin@thefireflyproject.us
- Bryce Lelbach aka wash
- Dave Abrahams
- David Abrahams
- Eric Niebler
- OvermindDL1
- Rene Rivera
- Steven Watanabe
- Thomas Heller