Home Web Server

Where Penguins and Daemons chill together in the warmth of the Sun.

Moderators: SecretSquirrel, notfred

Posted on Mon Dec 24, 2007 2:45 pm

titan wrote: Do I need to get a certificate from a CA to make this happen? I know how to make my own certificate, I just want to make the SSL connection happen without waiting for a user to accept the certificate.

Your browser comes with a specific set of CA root certificates that it trusts by default. This can vary slightly from browser to browser, too. Ultimately, you need a cert signed by one of these CAs or a chained certificate -- a cert signed by a cert signed by a trusted root CA (or more levels of signing, as long as the chain terminates at a trusted CA).

Don't get conned into paying for a "premium" SSL cert. Some of the big name companies want to charge insane prices for that stuff (e.g. $1500 a year). A cheap chained certificate will be just fine, just make sure the chain terminates at a trusted CA (some scammer companies sell chained certs where the root of the chain is some random CA that isn't trusted by browsers, so it's not really worth anything more than you signing it yourself).
bitvector

Posted on Mon Dec 24, 2007 3:52 pm

I have seen certs go that high. I'm definitely not capable of going for something like that. I have seen some certs for as little as $10 too. How do I find out if the certs are trusted by default?
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan

Posted on Tue Dec 25, 2007 2:44 am

titan wrote: How do I find out if the certs are trusted by default?

Just dig into it a little bit and find a reputable reseller. I've never bought a cert so I can't give any specific recommendations, but any reputable reseller is going to sell something where the chain of trust ends in something like Thawte, Verisign, GeoTrust, etc. which are trusted by pretty much all browsers. Many of them list browser compatibility and things like that. You can also look at a browser's trusted certs in the security info.

There is a comparison site run by Comodo (a cert seller themselves, so of course it may be biased):
http://www.whichssl.com/comparisons/index.html
bitvector

Posted on Tue Dec 25, 2007 1:15 pm

Check your ISP, or whoever hosts your domain -- any companies that offer ecommerce hosting include certs, so you may be able to get a discounted one through them (or just move up to a hosting package that includes a cert, if the other benefits are worth it). Here's pair.com's page for example, and here's GoDaddy's.
UberGerbil

Posted on Wed Jan 02, 2008 11:11 am

So I've been fiddling around with the server a bit more trying to get things working for SSL. The problem I've been having is getting the server to automatically figure out that secure.example.com is supposed to be SSL/socket 443. I couldn't really figure it out when I suddenly realized, "Hey, I can set up another virtual host at secure.example.com:80 with a redirect page pointing to secure.example.com:443!"

httpd.conf

# Plain-HTTP virtual host for secure.example.com; its only job is to serve
# redirect.php, which sends the client to the https:// side of the site.
<VirtualHost *:80>
 ServerName secure.example.com
 DocumentRoot /home/media/www/example.com/public
 DirectoryIndex redirect.php

 <Directory /home/media/www/example.com/public>
  Order Deny,Allow
  Allow from All
 </Directory>
</VirtualHost>

redirect.php

<?php
 // Send the client to the SSL virtual host, then stop so nothing else is output.
 header( 'Location: https://secure.example.com/' ) ;
 exit ;
?>

I'm also pretty sure that a redirect page in the SSL portion of the site could determine which website the client is meaning to go to since a PHP script could get that information after the SSL negotiation.
Last edited by titan on Wed Mar 05, 2008 10:32 am, edited 1 time in total.
titan
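The redirect idea from titan's post above, as an added example that is not the post's own code: a small stand-in for the port-80 virtual host that builds the https:// Location from the request's Host header and path (so the path a visitor typed survives the hop), but only for host names the server actually serves, since an unchecked Host header would otherwise let the redirect point anywhere. The host list KNOWN_HOSTS and the port 8080 are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Names this server answers for (assumption: the ServerName lines of the
# SSL-enabled name-based virtual hosts).
KNOWN_HOSTS = {"secure.example.com", "www.example.com"}


def https_redirect(host_header, request_target, known_hosts=KNOWN_HOSTS):
    """Return (status, location) for a plain-HTTP request, or None when the
    Host header is missing, malformed, or not one of our own names."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal: never a name we serve
        return None
    host = host.split(":", 1)[0]      # drop an explicit ":80"
    if host not in known_hosts:
        return None
    # Keep only path and query of the request target; an absolute-form target
    # such as "http://other.example/x" must not change the destination host.
    parts = urlsplit(request_target)
    path = parts.path if parts.path.startswith("/") else "/"
    return 301, urlunsplit(("https", host, path, parts.query, ""))


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every request on the plain-HTTP side with the redirect."""

    def do_GET(self):
        result = https_redirect(self.headers.get("Host"), self.path)
        if result is None:
            self.send_error(400, "unknown host")
            return
        status, location = result
        self.send_response(status)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```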

Posted on Wed Jan 02, 2008 8:24 pm

SSL normally uses an https:// URL instead of http://. The client (web browser) connects on socket 443 when the URL starts with https.
(this space intentionally left blank)
just brew it!

Posted on Wed Jan 02, 2008 10:30 pm

just brew it! wrote: SSL normally uses an https:// URL instead of http://. The client (web browser) connects on socket 443 when the URL starts with https.

I know that. My problem was that if a person just typed "secure.example.com" instead of "https://secure.example.com" for the URL, it would pull up another one of my sites on the machine. That's the purpose of the redirect page.
titan

Posted on Sat Jan 05, 2008 1:08 am

So, I have syslog-ng and PHP-Syslog-NG installed on my system, but nobody has any documentation, that I could find, on making it work with Apache. I did find a guide on getting syslog-ng to log to MySQL on the Gentoo Wiki, though, so I'm ready on that end. Now I just need to get the data flowing through the pipe.
titan

Posted on Fri Feb 15, 2008 4:23 pm

titan wrote: ...So, you can't have name based hosting with SSL...

Guess what I found out? You can have SSL enabled name based virtual hosting. I even wrote up a little HOWTO.
titan
