List:       sudo-workers
Subject:    Re: [sudo-workers] lack of mailling list security
From:       Eygene Ryabinkin <rea-sudo () codelabs ! ru>
Date:       2008-05-02 11:24:08
Message-ID: NID4ZgulNFfipXxMKcClBQ5RSqI () 63aXx0craNz7VSkgWDumZDxFNM4

Todd, good day.

Thu, May 01, 2008 at 01:22:13PM -0400, Todd C. Miller wrote:
> > Logging into the website isn't all that secure either.  The certificate
> > for the site is for a completely different hostname, but it doesn't matter
> > because even if you type in "https", the form on that page _forces_ you 
> > back to a non-SSL login.
> 
> The cert is for the "real" name of the web server.  I suppose I
> could add a separate cert for each vhost, though that won't solve
> the problem where mailman directs you to an http page.

There is no point in adding more certificates: the SSL connection
is established prior to the vhost recognition.  But you can add all
your hostnames to the certificate's subjectAltName field.  They
should be in the dNSName format.  The following links can be of
interest:
  http://nils.toedtmann.net/pub/subjectAltName.txt
  http://wiki.cacert.org/wiki/VhostTaskForce

You will have to re-sign the certificate at the CA.
-- 
Eygene
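
An added example, not part of the original message: a Python check of which vhost names a certificate covers, before and after the hostnames are added as dNSName entries in subjectAltName. The input uses the dict layout returned by `ssl.SSLSocket.getpeercert()`; all hostnames and both certificate dicts are constructed for illustration.

```python
# Added example. Hostnames and certificate dicts below are constructed.

def _name_match(pattern, host):
    """Compare one certificate name with a hostname, case-insensitively.
    '*' counts only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """Names a client compares against: the dNSName SAN entries if any exist,
    otherwise the subject commonName (legacy fallback, RFC 2818)."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def uncovered_vhosts(cert, vhosts):
    """Vhosts for which a client would report a certificate name mismatch."""
    names = names_in_cert(cert)
    return [v for v in vhosts if not any(_name_match(n, v) for n in names)]


VHOSTS = ["www.example.org", "lists.example.org"]

# Certificate issued only for the server's "real" name.
CERT_REAL_NAME = {"subject": ((("commonName", "web01.example.org"),),)}

# Re-signed certificate listing every vhost as a dNSName.
CERT_WITH_SAN = {
    "subject": ((("commonName", "web01.example.org"),),),
    "subjectAltName": (("DNS", "web01.example.org"),
                       ("DNS", "www.example.org"),
                       ("DNS", "lists.example.org")),
}

if __name__ == "__main__":
    print("real name only:", uncovered_vhosts(CERT_REAL_NAME, VHOSTS))
    print("with SAN:      ", uncovered_vhosts(CERT_WITH_SAN, VHOSTS))
```

Once a certificate carries any dNSName entry, clients stop consulting the commonName, so the server's own name has to be listed in subjectAltName as well.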
