 
bitvector
Grand Gerbil Poohbah
Posts: 3293
Joined: Wed Jun 22, 2005 4:39 pm
Location: San Francisco, CA

Mon Dec 24, 2007 3:45 pm

titan wrote:
Do I need to get a certificate from a CA to make this happen? I know how to make my own certificate, I just want to make the SSL connection happen without waiting for a user to accept the certificate.

Your browser comes with a specific set of CA root certificates that it trusts by default. This can vary slightly from browser to browser, too. Ultimately, you need a cert signed by one of these CAs or a chained certificate -- a cert signed by a cert signed by a trusted root CA (or more levels of signing, as long as the chain terminates at a trusted CA).

Don't get conned into paying for a "premium" SSL cert. Some of the big name companies want to charge insane prices for that stuff (e.g. $1500 a year). A cheap chained certificate will be just fine, just make sure the chain terminates at a trusted CA (some scammer companies sell chained certs where the root of the chain is some random CA that isn't trusted by browsers, so it's not really worth anything more than you signing it yourself).
 
titan
Grand Gerbil Poohbah
Topic Author
Posts: 3376
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Mon Dec 24, 2007 4:52 pm

I have seen certs go that high. I'm definitely not capable of going for something like that. I have seen some certs for as little as $10 too. How do I find out if the certs are trusted by default?
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
 
bitvector
Grand Gerbil Poohbah
Posts: 3293
Joined: Wed Jun 22, 2005 4:39 pm
Location: San Francisco, CA

Tue Dec 25, 2007 3:44 am

titan wrote:
How do I find out if the certs are trusted by default?

Just dig into it a little bit and find a reputable reseller. I've never bought a cert so I can't give any specific recommendations, but any reputable reseller is going to sell something where the chain of trust ends in something like Thawte, Verisign, GeoTrust, etc. which are trusted by pretty much all browsers. Many of them list browser compatibility and things like that. You can also look at a browser's trusted certs in the security info.

There is a comparison site run by Comodo (a cert seller themselves, so of course it may be biased):
http://www.whichssl.com/comparisons/index.html
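
What "the chain terminates at a trusted CA" means in practice, as an added example that is not from any poster in this thread: the script builds two constructed three-level chains with the openssl command-line tool and checks each against a root list that holds only one of the two roots. The CA names, file names and the `make_chain` and `chain_trusted` helpers are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: both CAs are throw-away ones constructed for this demo.
set -eu

# make_chain DIR LABEL: build root -> intermediate -> leaf inside DIR.
make_chain() {
  d=$1
  # Root and intermediate must be marked as CAs to be allowed to sign.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2 $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null
  # Intermediate signed by the root.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
  # Site certificate signed by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# chain_trusted ROOTS INTERMEDIATES LEAF: exit status 0 only when LEAF
# chains through INTERMEDIATES to a certificate in the ROOTS file.
chain_trusted() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d)
mkdir "$work/known" "$work/random"
make_chain "$work/known" "Known CA"
make_chain "$work/random" "Random CA"
store=$work/known/root.pem   # stands in for the browser's root list

for seller in known random; do
  if chain_trusted "$store" "$work/$seller/int.pem" "$work/$seller/leaf.pem"
  then echo "$seller: chain ends at a trusted root"
  else echo "$seller: chain does not end at a trusted root"
  fi
done
```

For a certificate you are about to buy, pass a root bundle exported from the browser or OS as the first argument and the seller's intermediate bundle as the second.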
 
UberGerbil
Grand Admiral Gerbil
Posts: 10368
Joined: Thu Jun 19, 2003 3:11 pm

Tue Dec 25, 2007 2:15 pm

Check your ISP, or whoever hosts your domain -- any companies that offer ecommerce hosting include certs, so you may be able to get a discounted one through them (or just move up to a hosting package that includes a cert, if the other benefits are worth it). Here's pair.com's page for example, and here's GoDaddy's.
 
titan
Grand Gerbil Poohbah
Topic Author
Posts: 3376
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Wed Jan 02, 2008 12:11 pm

So I've been fiddling around with the server a bit more trying to get things working for SSL. The problem I've been having is getting the server to automatically figure out that secure.example.com is supposed to be SSL/socket 443. I couldn't really figure it out when I suddenly realized, "Hey, I can set up another virtual host at secure.example.com:80 with a redirect page pointing to secure.example.com:443!"

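httpd.conf
# Port 80 virtual host whose only job is to send visitors to the HTTPS site.
# The address and the <Directory> path were missing from the posted config;
# *:80 and the DocumentRoot are used here.
<VirtualHost *:80>
    ServerName secure.example.com
    DocumentRoot /home/media/www/example.com/public
    DirectoryIndex redirect.php

    <Directory /home/media/www/example.com/public>
        Order Deny,Allow
        Allow from All
    </Directory>
</VirtualHost>


redirect.php
<?php
// Send the browser to the HTTPS site, then stop so nothing else is output.
header('Location: https://secure.example.com/');
exit;
?>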


I'm also pretty sure that a redirect page in the SSL portion of the site could determine which website the client is meaning to go to since a PHP script could get that information after the SSL negotiation.
Last edited by titan on Wed Mar 05, 2008 11:32 am, edited 1 time in total.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Wed Jan 02, 2008 9:24 pm

SSL normally uses an https:// URL instead of http://. The client (web browser) connects on socket 443 when the URL starts with https.
Nostalgia isn't what it used to be.
 
titan
Grand Gerbil Poohbah
Topic Author
Posts: 3376
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Wed Jan 02, 2008 11:30 pm

just brew it! wrote:
SSL normally uses an https:// URL instead of http://. The client (web browser) connects on socket 443 when the URL starts with https.


I know that. My problem was that if a person just typed "secure.example.com" instead of "https://secure.example.com" for the URL, it would pull up another one of my sites on the machine. That's the purpose of the redirect page.
 
titan
Grand Gerbil Poohbah
Topic Author
Posts: 3376
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Sat Jan 05, 2008 2:08 am

So, I have syslog-ng and PHP-Syslog-NG installed on my system, but nobody has any documentation, that I could find, on making it work with Apache. I did find a guide on getting syslog-ng to log to MySQL on the Gentoo Wiki, though, so I'm ready on that end. Now I just need to get the data flowing through the pipe.
 
titan
Grand Gerbil Poohbah
Topic Author
Posts: 3376
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Fri Feb 15, 2008 5:23 pm

titan wrote:
...So, you can't have name based hosting with SSL...


Guess what I found out? You can have SSL enabled name based virtual hosting. I even wrote up a little HOWTO.