[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-developers] Thawte SSL Certificates

Subject: [cobalt-developers] Thawte SSL Certificates
From: "Mark Jaggers" <mark@xxxxxxxxxxxxx>
Date: Wed Oct 25 06:52:01 2000
List-id: Mailing list for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>

We are running a RAQ4.  Can anyone tell me which choice we should make for
server software when buying a certificate.  I saw 3 possibilities:
Apache-SSL (BEN-SSL, Not Stronghold), Apache+mod_ssl, or Cobalt.  I am
assuming Cobalt would be the logical choice but I just want to make sure.

thanks

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Mark Jaggers - Vice President
Ascension New Media, Inc.
214.267.0900
214.267.0901 fax
mark@xxxxxxxxxxxxx
http://www.anewmedia.net

Internet Development & Multimedia Production
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
"Look.  This is a man who's got great numbers.  He talks about numbers.  I'm
beginning to think not only did he invent the Internet but he invented the
calculator.  It's fuzzy math." - Gov. George W. Bush
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
"As many of you know, I was very instrumental in the founding of the
Internet" --AL Gore to Katie Couric 3/99



-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Michelle A.
Hoyle
Sent: Wednesday, October 25, 2000 8:29 AM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: [cobalt-developers] Raq4: SSL main site certificate and other
SSL


Since I've upgraded from my Raq2 (using Brosoft's drop-in replacement
adminserv package) to  my Raq4, I've encountered some very
frustrating and odd problems with my Raq4 once I copied my machine
certificate from my old Raq2 to my new Raq4 (they have the same
name).  Here's a summary of the problems experienced and what I want.
Below that I'll outline things that I've tried and discovered about
the problems.

Problems:
1) I can't use Netscape anymore to administer my Raq.  It works OK
with Internet Explorer but not Netscape.

2) When someone tries to access a forbidden or non-existent page, the
Raq uses https to display those Cobalt graphics because of the
rewrite rules in the Raq4's httpd.conf (main)

3) If someone goes http://virtualsite.com/siteadmin/, the rewrite
rules give us
https://virtualsite.com:81/.cobalt/siteManage/virtualsite.com/index.html.
Which means that they can't take advantage of *my* machine-wide site
certificate for managing their account securely and they get a
certificate mismatch error in Netscape and 60 billion error messages
in Internet Explorer.



What I'd like:
1) To be able to use Netscape.

2) Forbidden/non-existent page graphics should be referred to using
the same protocol as the page that's generating them -- normally http
not https.

3) If someone goes to http://virtualsite.com/siteadmin/ they get
https://myraq.com:81/.cobalt/siteManage/virtualsite.com/index.html
which allows them to use my certificate.



What's known:

1) This is a really weird problem.  The certificate worked fine for
administration on my Raq2 with Brosoft's package.  My administration
module worked fine with Netscape on the Raq4 before I installed the
certificate.  I've been trying to hash this out with Thawte, the
certificate authority.  What we've determined is that it's something
to do with the setup on the Raq and not the certificate.  The
certificate itself works fine from the main site of my Raq using any
CGI or PHP generated output from within Netscape.  They think it
might have to do with the :81 added and then accessed via https.
Maybe Netscape gets confused?


Here's the set of rewrite rules used (by default) in the Raq4 main
httpd.conf:


>if ( ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
>     $proto = 'https';
>} else {
>     $proto = 'http';
>}
>
># This many seem a little tortured as a way to do this, but the
># quoting is hell.
>
>$rewrite_rules =
>'RewriteEngine On
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteCond %{DOCUMENT_ROOT}            !-d
>RewriteRule .*
>proto://servername:81/.cobalt/error/forbidden.html [L,R]
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteRule ^/admin/?$
>proto://servername:81/.cobalt/sysManage/index.html [L,R]
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteRule ^/siteadmin/?$    proto://servername:81/.cobalt/siteManage
>/%1/index.html [L,R]
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteRule ^/personal/?$
>proto://servername:81/.cobalt/personal/i
>ndex.html [L,R]
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteRule ^/.cobalt/(.+)              proto://servername:81/.cobalt/$1
[L,R]
>RewriteCond %{HTTP_HOST}                ^([^:]+)
>RewriteRule ^/cgi-bin/.cobalt/(.+)
>proto://servername:81/cgi-bin/.cobalt/$1 [L,R]
>';
>
>$rewrite_rules =~ s/servername/%1/g;
>$rewrite_rules =~ s/proto/$proto/g;


You can see from the above that if it finds a site certificate, it
automatically changes the protocol to https and uses the Perl
match/regexp operator to swap http for https.   This is what causes
problem #2 with the forbidden images, etc.

3) I tried fixing this problem by changing the first rewrite rule to:
$rewrite_rules =~ s/myraq.com/%1/g;

This solved my problem in terms of everybody's administration
interface using my machine certificate.  However, if an individual
site has their own SSL certificate for things, this will break that.




What I propose to do:
1) No idea.  I'm open to suggestions as to what causes the problem
and how to fix it.  I have a sample site created
(thawte.transcena.com).  If you want to try it out via Netscape send
me mail and I'll send you the username/password for the admin
interface on that site.  I don't feel comfortable posting that to the
list.

2 & 3): Might be able to fix these both by altering the rewrite rules
to specifically check for site administration stuff AND the main site
certificate and rewrite it to the appropriate format.   Any ideas on
how to safely tinker with the above to accomplish a solution to
problems 2 & 3?


Personally, I think the method they've used here is a little
convoluted and if we can come up with a better way, particularly for
problems 1 & 2, that would be a good thing for everybody overall.

Thanks!

Michelle A. Hoyle






--

----|      TRANSCENA DESIGN  |----------------------------
Michelle A. Hoyle, VP Web Technologies, Canada
#801 T.D. Tower, Edmonton, Alberta, Canada  T5J 2Z1
N. America:  1-888-429-2363  |  UK:  020 7529 1465
International:  +1 780 429 2363
------------------|  internet design architects     |--------

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers

References:
- [cobalt-developers] Raq4: SSL main site certificate and other SSL
  - From: Michelle A. Hoyle

Prev by Date: [cobalt-developers] Raq4: SSL main site certificate and other SSL
Next by Date: [cobalt-developers] ODBC to Win98 MS Access .MDB on RAQ2 for PHP4
Previous by thread: [cobalt-developers] Raq4: SSL main site certificate and other SSL
Next by thread: [cobalt-developers] Raq4: SSL main site certificate and other SSL

Sun Cobalt Developers Message Index

Sun Cobalt Developers Thread Index