Chattanooga Unix Gnu Android Linux Users Group

 


Apache2 and SNI/SSL

From: Mike Harrison
------------------------------------------------------

I just set up a fresh server with Apache2 and the info here:

https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

To allow it to share 1 IP with multiple names and SSL Certs.

Basically add NameVirtualHosts to port 443... and the rest falls into place 
on Ubuntu 12.04 Server.

In my testing, it seems to work pretty well while
knowing it won't work with WinXP and MSIE6/7 but should
work with Vista and MSIE7+

I was wondering how many Chugalugers have done this,
and have they had many issues with the WinXP Orphans or other systems 
using SNI and SSL Certs?

--Mike--

===============================================================
From: William Roush
------------------------------------------------------

I don't even consider it due to WinXP stragglers. :(

William Roush
william.roush@roushtech.net
423-463-0592
http://www.roushtech.net/blog/

===============================================================
From: Dave Brockman
------------------------------------------------------

I set it up a couple of years ago, when it was actually painful to configure and you had to dance to determine if your browser supports it. Firefox on XP supports it just fine.

Regards,

dtb

--
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Dave Brockman
------------------------------------------------------

I am so sorry if your LCD is IE on XP. By the way, XP reaches end of support in 7 days. Sounds like the perfect opportunity to configure SNI and present a "Made for a Real Browser" logo on the non-SSL page.

Regards,

dtb

===============================================================
From: Dan Lyke
------------------------------------------------------

> I just setup a fresh server with Apache2 and the info here:

I think it's time for me to break down and do this on my various sites. Even if lynx apparently doesn't yet support it.

Dan

===============================================================
From: William Roush
------------------------------------------------------

Our customers still rely /heavily/ on faxes, so being modern isn't high on their priority list.

William Roush

===============================================================
From: Jason Brown
------------------------------------------------------

I think I have been using it for quite a while. It must be working fine ;)

--Jason

===============================================================
From: Dave Brockman
------------------------------------------------------

And they probably tell you it's for security reasons, never mind the technical ease of sniffing an analog line vs an encrypted TCP stream.

Regards,

dtb

===============================================================
From: Mike Harrison
------------------------------------------------------

I'm going to try that position and hopefully it will stick. If not, I'm going to need a few more IP addresses.

The error page says:

-----------------------------------------------------
You might be here because:

You probably entered the wrong address in your web browser, smart phone, tablet or crystal ball.

Your web browser does not support SNI and SSL Certificates.

Your web browser did not follow the meta redirect to the proper sub-directory for what you are looking for.

Your web browser does not support or allow redirects, javascript or other common internet techniques that would have gotten you where you expect to be.

You are using Windows XP and/or an old version of Microsoft Internet Explorer. Upgrade or use: Mozilla Firefox

You are a robot or automated web crawler.

You are lost.
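Putting Mike's two halves together, as an added example that is not from the thread or the Apache wiki page: an Apache 2.2 (Ubuntu 12.04) configuration with one IP, named SSL vhosts selected by SNI, and a first *:443 vhost that serves the "you might be here because" page to any client that sends no SNI. Hostnames and certificate paths are placeholders.

```apache
# Added example, not from the thread. Apache 2.2 on Ubuntu 12.04 (the 2.4
# series drops NameVirtualHost). Hostnames and paths are placeholders.
Listen 443
NameVirtualHost *:443

# The FIRST *:443 vhost is the default. A client that sends no SNI
# (IE on XP, Java 6, lynx) negotiates THIS certificate and lands here
# whatever Host header it sends, so the explanation page belongs here.
<VirtualHost *:443>
    ServerName fallback.example.net
    DocumentRoot /var/www/fallback
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/fallback.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/fallback.example.net.key
    # Keep this off in the default vhost: "on" here would return 403 to
    # every non-SNI client instead of showing them the explanation page.
    SSLStrictSNIVHostCheck off
</VirtualHost>

# Named vhosts: chosen by the server_name in the client's TLS handshake,
# each with its own certificate.
<VirtualHost *:443>
    ServerName www.site-one.example
    DocumentRoot /var/www/site-one
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-one.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-one.key
    SSLCertificateChainFile /etc/ssl/certs/site-one-chain.pem
    # A non-SNI client whose Host header names this site would otherwise
    # be served its content under the fallback certificate (and a browser
    # name-mismatch warning). Refuse that with a 403 instead.
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site-two.example
    DocumentRoot /var/www/site-two
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-two.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-two.key
    SSLCertificateChainFile /etc/ssl/certs/site-two-chain.pem
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

To see what each kind of client gets, compare the certificate subject from `openssl s_client -connect host:443` (no SNI sent) with `openssl s_client -connect host:443 -servername www.site-one.example`; the first should show the fallback certificate, the second site-one's.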

===============================================================
From: Dan Lyke
------------------------------------------------------

I'm just gonna drop this right here: http://ask.metafilter.com/259481/Need-help-defeating-wire-fraud

It'd be no harder to do a replay attack against a FAX line, but either there are more email replay attacks in the wild than FAX attacks, or the humans in the process are more skeptical of subsequent FAX PO changes.

===============================================================
From: William Roush
------------------------------------------------------

Various rules and regulations prevent us from sending this kind of material over unencrypted channels, so e-mail is obviously a no-go. Fax however is special...

William Roush

===============================================================
From: Dave Brockman
------------------------------------------------------

And I'm going to counter that whoever wrote that doesn't know their (security) ass from a hole in the ground. A Pen test does not a squeaky clean network make, nor indicate. It also does nothing to detect the most likely scenario, one or more machines on the network are infected, and that is how the emails are being "intercepted".

Regards,

dtb

===============================================================
From: Dave Brockman
------------------------------------------------------

Because it's impossible to force an encrypted delivery channel between two email domains? Hell, even with opportunistic TLS, my non-encrypted email percentage has got to be less than 20%. (Not picking on you, I have the same fun with all the various auditors and their checklists).

Again, FAX is about the least secure transmission media (outside open air smoke signals) that I can think of. But don't tell the regulators and auditors that.

Regards,

dtb

===============================================================
From: William Roush
------------------------------------------------------

I've done that before, but again -- when fax is as modern as some customers get, telling them to set up their SMTP transports to be TLS only is a joke. Lots of these people still have AOL accounts...

I've done that for a company that sent sensitive data to Northrop Grumman before, it's easier when both businesses even /have/ an IT department to have requirements like that.

William Roush

===============================================================
From: Dan Lyke
------------------------------------------------------

Oh, absolutely. But the reality is that the author is going back to FAX because nobody's done that attack against that system yet. And, probably, there are subtle human differences in procedure, not technology, that make the FAX attack harder.

So is FAX more secure? Apparently. That may be because it's harder to remotely monitor the analog line vs compromise a desktop machine, that humans are more skeptical of FAX change requests, or something else I'm not seeing.

But the fun bit is: I bet that implementing encrypted email between those parties would have about a 10% of chance of changing the security situation at all, and that would be based on training. And if you could get that training to stick, you could fix the security situation without encrypting the email.

Dan

===============================================================
From: Rod
------------------------------------------------------

Haven't tried this yet but here is the nginx way of doing it.

https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04

===============================================================
From: William Roush
------------------------------------------------------

Oh on this subject: also anything running Java 6 doesn't support SNI apparently... :(

William Roush

===============================================================
From: Dave Brockman
------------------------------------------------------

Darn! Guess I can't use it with my First Tennessee Remote Deposit App. Proudly requiring Java from 2012 and promptly breaking horribly if any updates to Java are applied.

Regards,

dtb

===============================================================
From: William Roush
------------------------------------------------------

Pfft I have to support interacting with applications still written in /VB6/, I wish I could require software developed on frameworks from 2012 and above.

William Roush

===============================================================
From: Dave Brockman
------------------------------------------------------

VB6 isn't a framework, and that runtime will get installed on the PC within the first 2 months of average business or home use anyway. It's still a better choice than anything .NET IMHO. I'll believe .NET is the future of windows programming when MS starts writing their code in it.

Regards,

dtb

===============================================================
From: William Roush
------------------------------------------------------

The complaint is more about writing in a language that hasn't been touched in 16 years, and is extremely crippled in a lot of ways (though I have written a bit of software in VB6, I loathe to go back to its limitations and inefficiencies), and results in some really poorly written software and unable to support a lot of concepts other languages and runtimes do. If I have to support VB6, you can bet I need to support Java 6.

Why would you say the Visual Basic 6 runtime and the Visual Basic language is better than the Common Language Runtime and the .NET framework (including languages like C#)? Microsoft uses .NET in almost all of their core software (SQL Server [contains millions of lines of managed code], SharePoint, Office). They have even thrown around writing OSes in managed code. :\

William Roush

===============================================================
From: Dave Brockman
------------------------------------------------------

If this code is anything other than an interactive event driven form, VB6 was not the tool for the job. Personally I spent more time translating and importing API calls than I spent actually coding VB, again, wrong tool for the job(s) I was trying to accomplish.

Have you had to reload an entire OS because the VB6 runtime was corrupted? You ever have to rip out and reinstall .NET 1.1-4.5 on a server, because a reload will break dozens of clients? How long does it take an application that initializes the framework to load? What is one thing you can do with the CLR/.NET that you *can't* do with APIs?

Regards,

dtb