[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kfm-devel
Subject:    KIO design problem
From:       George Staikos <staikos () kde ! org>
Date:       2002-12-01 19:42:10
[Download RAW message or body]



I was investigating the problems with sourceforge and I came upon this 
behaviour:

CN for the certificate on https://*.sourceforge.net is set to 
"sourceforge.net".  Why they did this, I do not know.  Anyways, the result is 
that whenever the browser tries to do an https session with 
*.sourceforge.net, this is what it looks like:


GET / HTTP/1.1
Host: www.sourceforge.net

HTTP/1.1 302 Found
Date: Sun, 01 Dec 2002 19:34:19 GMT
Server: Apache/1.3.27 (Unix) PHP/4.1.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
X-Powered-By: PHP/4.1.2
Location: https://sourceforge.net/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0

closed



Mozilla immediately changes the URL to http://sourceforge.net.  However, we 
verify SSL before it gets to the slave, so no protocol information is known.  
What do we do here?  I don't like the idea of trusting a remote site in SSL 
mode before we even verify its credentials, but it seems that other browsers 
actually do so (!!).  Do we have to have a call-back here so that the slave 
can decide to postpone or cancel certificate verification?  Any other 
suggestions?


-- 

George Staikos

[prev in list] [next in list] [prev in thread] [next in thread]