[LogAnalysis] Details on the Certificate Problems

From: Tina Bird (tbird@precision-guesswork.com)
Date: Mon Aug 12 2002 - 13:51:37 PDT

    Since so many people have asked, here's a description of the errors you
    generate when you try to connect to the account management pages for the
    VPN and Log Analysis lists.
    
    A bit of background: mail.iocaine.com and lists.shmoo.com are Apache
    virtual hosts on the same physical platform and IP address; one can't
    issue multiple certificates for the same IP address (that's exactly the
    sort of attack they're meant to defend against, right?); the Shmoo Group
    lists are all being migrated to lists.shmoo.com but the migration's not
    complete.
    
    As soon as I have more information on these issues from the system
    administrator I'll send out an update.  Thanks to you all for your
    patience.  It's days like these that I wonder whether it really is worth
    the effort to >not< run my own list-servers...
    
    t.
    
    ---------- Forwarded message ----------
    Date: Mon, 12 Aug 2002 09:39:56 -0700
    From: Rodney Thayer <rodneyat_private>
    To: Tina Bird <tbird@precision-guesswork.com>
    Subject: Re: [logs] List migration (fwd)
    
    He did the following "wrong" (where "wrong" is defined as "produces
    some amount of rough edge".)  I'll try to list these as politely as possible
    so you can cut/paste my list and not worry about ventage blowthrough.
    
    -- he put a crl pointer in the root that doesn't point to anything.
    he should put a null CRL at that target.
    -- the subject name of the root is vague so if you try to manage your root
    list you'll see just this generic thing "Class 1 Certification Authority" with
    no reference to shmoo in it
    -- the cert you see is issued to mail.iocaine.com, not lists.shmoo.com.  so
    you get the nasty "not the correct host" warning.  he's using apache, which
    means he's got apache virtual hosts -- lists.shmoo.com and only the one
    certificate for the base host -- mail.iocaine.com.  He should do something
    different, either move the cert to lists.shmoo.com and make the
    mail.iocaine.com users cope with the pki peccadillos of Apache or make a
    separate virtual IP via his base OS and tell Apache it has two IP addresses
    to use, then Apache would allow two certs to be issued.
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    https://lists.shmoo.com/mailman/listinfo/loganalysis
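
The second option in the forwarded message (a separate IP address per virtual host, each with its own certificate), sketched as an Apache mod_ssl configuration. This is an added example, not the list server's actual configuration; the IP addresses and file paths are constructed placeholders and mod_ssl is assumed to be loaded.

```apache
# Added illustration. IP addresses (RFC 5737 documentation range) and file
# paths are constructed placeholders, not values from the hosts discussed.

# --- Before: both names share one address and one certificate ---
# The TLS handshake completes before the server sees the HTTP Host header,
# so without SNI every name on this address is served the same certificate.
#
# Listen 192.0.2.10:443
# <VirtualHost 192.0.2.10:443>
#     ServerName mail.iocaine.com
#     SSLEngine on
#     SSLCertificateFile    /etc/ssl/certs/mail.iocaine.com.crt
#     SSLCertificateKeyFile /etc/ssl/private/mail.iocaine.com.key
# </VirtualHost>
# A request for https://lists.shmoo.com/ is answered with this certificate
# as well, which produces the host-name mismatch warning.

# --- After: a second address on the OS, one certificate per address ---
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName mail.iocaine.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.iocaine.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.iocaine.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName lists.shmoo.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.shmoo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/lists.shmoo.com.key
</VirtualHost>
```

Each host name's DNS record has to point at its own address for the matching certificate to be presented.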
    



    This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 17:46:19 PDT