From owner-freebsd-questions@FreeBSD.ORG Sat Mar 9 14:48:26 2013
Delivered-To: freebsd-questions@freebsd.org
In-Reply-To: <20130302074816.GA61133@icarus.home.lan>
References:
<20130302074816.GA61133@icarus.home.lan>
Date: Sat, 9 Mar 2013 14:48:24 +0000
Subject: Re: https://wiki.freebsd.org/ certificate error
From: "Simon L. B. Nielsen"
To: Jeremy Chadwick
Cc: freebsd-questions@freebsd.org
List-Id: User questions
Content-Type: text/plain; charset=UTF-8

On 2 March 2013 07:48, Jeremy Chadwick wrote:
> (Please keep me CC'd as I'm not subscribed to -questions)
>
> (I'm CC'ing Simon Nielsen who maintains the FreeBSD webserver cluster, as
> this obviously needs to be looked at.)
> [...]
> NOW BACK TO THE ACTUAL PROBLEM REPORTED --
>
> It appears that whoever maintains the FreeBSD webservers in the cluster
> **assumes** that the connecting client supports SNI. That assumption,
> as someone who ran a hosting organisation since 1993, is rude (some
> might say "bad", but I would say rude).
>
> Web browsers/clients that don't support SNI are screwed -- they'll
> receive a "certificate validation failure" error.
>
> Internet Explorer 6.x through 8.x -- newer is not available on Windows
> XP -- do not support SNI (this is even mentioned in the above Wikipedia
> page). They return the error "There is a problem with this website's
> security certificate" due to lack of SNI support.
>
> Let me be clear: THIS IS NOT THE FAULT (OR AGE) OF THE OS. THIS HAS TO
> DO WITH THE WEB BROWSER. Why?
>
> Because Firefox 19.0 on Windows XP works just fine, as it supports SNI.

AFAIR the problem is that some crypto library on Windows XP does not
support SNI. IE uses it, Firefox and others probably don't.

> So how do you solve this problem for "legacy" clients? Simple:
>
> By dedicating an IP address to the SSL-based virtualhost/webserver (i.e.
> one IP address per SSL-based virtual host), and do away with name-based
> vhosting for SSL. That's the only way.

I agree that SNI is suboptimal; unfortunately it was the best of bad
solutions:

- We just don't have enough IPv4 addresses to dedicate one per virtual
  hostname.
- We could use IPv6 only, which means excluding even more "legacy" clients.
- Bundling all sites under www.freebsd.org creates problems with cookies,
  more pain in configuration, and less flexibility in moving things around.
- Using SubjectAlternativeName (SAN) certificates was strongly considered,
  but fewer CAs support them (most have no clue) and it becomes a lot more
  painful to add new hosts. Those are also not fully supported by all older
  OSes still in use.

-- 
Simon L. B. Nielsen
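The failure mode argued over in this thread is mechanical: a name-based SSL server can only pick the right certificate if the ClientHello carries the server_name (SNI) extension; without it, the server falls back to its default vhost's certificate, and the browser then reports a name mismatch. The following is an added example, not code from this thread or from the FreeBSD webserver cluster. It decodes the SNI extension from a raw ClientHello (constructed here as sample input, so it runs offline; on a real server you would feed it the first record of each incoming connection to measure how many clients still omit SNI before dropping dedicated addresses) and models the certificate-selection outcome for a hypothetical vhost table, including the SAN-certificate alternative Simon weighs, where a default certificate that also lists the other hostnames keeps non-SNI clients working.

```python
# Added example: SNI extraction from a TLS ClientHello plus a model of
# name-based vhost certificate selection. Not the cluster's own code; the
# ClientHello bytes and VHOSTS table are constructed / hypothetical.
import struct

SERVER_NAME_EXT = 0x0000  # RFC 6066 server_name extension type


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.0 ClientHello (sample input only).
    hostname=None omits server_name, as a legacy non-SNI client does."""
    body = b"\x03\x01"                  # client_version
    body += b"\x00" * 32                # random (zeros, sample only)
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x02\x00\x2f"         # one cipher suite (RSA/AES128-SHA)
    body += b"\x01\x00"                 # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        ext_body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name in the ClientHello, or None if no SNI is sent.
    Malformed input raises ValueError so a monitor can count it separately."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                        # version + random
    off += 1 + p[off]                                   # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    off += 1 + p[off]                                   # compression_methods
    if off >= len(p):
        return None                                     # no extensions at all
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", p[off:off + 4])
        off += 4
        data = p[off:off + ext_len]
        off += ext_len
        if ext_type != SERVER_NAME_EXT:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:                          # host_name
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def hostname_matches(requested, cert_names):
    """Exact match or a single left-most '*.' wildcard label."""
    req = requested.lower()
    for name in cert_names:
        n = name.lower()
        if n == req:
            return True
        if n.startswith("*.") and "." in req and req.split(".", 1)[1] == n[2:]:
            return True
    return False


def served_certificate(client_hello, vhosts, default_vhost):
    """Names in the certificate a name-based SSL server would present.
    vhosts maps vhost name -> SAN/CN list of that vhost's certificate."""
    sni = extract_sni(client_hello)
    if sni is not None and sni in vhosts:
        return vhosts[sni]
    return vhosts[default_vhost]        # the only choice without SNI


def validation_outcome(client_hello, requested_host, vhosts, default_vhost):
    """'ok' if the client accepts the presented certificate for
    requested_host, else 'mismatch' (the IE certificate error)."""
    cert = served_certificate(client_hello, vhosts, default_vhost)
    return "ok" if hostname_matches(requested_host, cert) else "mismatch"


# Hypothetical vhost table, one certificate per name-based vhost.
VHOSTS = {
    "www.freebsd.org": ["www.freebsd.org", "freebsd.org"],
    "wiki.freebsd.org": ["wiki.freebsd.org"],
}
```

Run `validation_outcome(build_client_hello(None), "wiki.freebsd.org", VHOSTS, "www.freebsd.org")` to reproduce the non-SNI failure; swap in a table whose default certificate also lists `wiki.freebsd.org` and the same client validates, which is exactly the SAN trade-off (one certificate to reissue for every added host) against the IPv4 cost of a dedicated address per vhost.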