Bad site certificate


James Knott
Lately I've noticed a bad certificate for the OpenOffice web site. When
I try to go to that page, I get a message "This Connection is
Untrusted".  The technical details show:

"www.openoffice.org uses an invalid security certificate.

The certificate is only valid for *.apache.org

(Error code: ssl_error_bad_cert_domain)"

So, I guess someone at Oracle/OO/Apache should get a proper certificate
for this site.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Bad site certificate

Andrea Pescetti-2
On 15/10/2012 James Knott wrote:
> Lately I've noticed a bad certificate for the OpenOffice web site. ...
> "www.openoffice.org uses an invalid security certificate.
> The certificate is only valid for *.apache.org
> (Error code: ssl_error_bad_cert_domain)"

We never advertised https://openoffice.org (actually I had never tried
it, I've just tried it now); we advertise only http://openoffice.org 
which of course has no certificate and thus no issues.

Where did you find the HTTPS link? Are you maybe using a browser
extension that enforces HTTPS?

Regards,
   Andrea.


Re: Bad site certificate

James Knott
Andrea Pescetti wrote:

> On 15/10/2012 James Knott wrote:
>> Lately I've noticed a bad certificate for the OpenOffice web site. ...
>> "www.openoffice.org uses an invalid security certificate.
>> The certificate is only valid for *.apache.org
>> (Error code: ssl_error_bad_cert_domain)"
>
> We never advertised https://openoffice.org (actually I had never tried
> it, I've just tried it now); we advertise only http://openoffice.org 
> which of course has no certificate and thus no issues.
>
> Where did you find the HTTPS link? Are you maybe using a browser
> extension that enforces HTTPS?
>
>
Yes, I am using an add-on called HTTPS-Everywhere, which uses HTTPS
where possible.




Re: Bad site certificate

NoOp-4
On 10/18/2012 05:58 PM, James Knott wrote:

> Andrea Pescetti wrote:
>> On 15/10/2012 James Knott wrote:
>>> Lately I've noticed a bad certificate for the OpenOffice web site. ...
>>> "www.openoffice.org uses an invalid security certificate.
>>> The certificate is only valid for *.apache.org
>>> (Error code: ssl_error_bad_cert_domain)"
>>
>> We never advertised https://openoffice.org (actually I had never tried
>> it, I've just tried it now); we advertise only http://openoffice.org 
>> which of course has no certificate and thus no issues.
>>
>> Where did you find the HTTPS link? Are you maybe using a browser
>> extension that enforces HTTPS?
>>
>>
> Yes, I am using an add-on called HTTPS-Everywhere, which uses HTTPS
> where possible.
>

+1

www.openoffice.org uses an invalid security certificate.
The certificate is only valid for *.apache.org
*.apache.org
Apache Software Foundation
Infrastructure
Forest Hill
Maryland
US





Re: Bad site certificate

Andrea Pescetti-2
NoOp wrote:
> On 10/18/2012 05:58 PM, James Knott wrote:
>> Andrea Pescetti wrote:
>>> Are you maybe using a browser extension that enforces HTTPS?
>> Yes, I am using an add-on called HTTPS-Everywhere, which uses HTTPS
>> where possible.
> www.openoffice.org uses an invalid security certificate.

OK, but in this case I would just say that HTTPS is unsupported: the
browser add-on you are using is trying to enforce HTTPS, but we never
advertise the HTTPS address. By chance, we happen to answer HTTPS
requests too, but removing it would solve the problem too. Anyway, I
agree that the optimal solution would be to fix the certificate and I
opened https://issues.apache.org/jira/browse/INFRA-5450 to track this.

Regards,
   Andrea.


Re: Bad site certificate

James Knott
Andrea Pescetti wrote:
> but we never advertise the HTTPS address.

It would be the same address as HTTP, but different port.


Re: Bad site certificate

NoOp-4
In reply to this post by Andrea Pescetti-2
On 10/24/2012 09:22 PM, Andrea Pescetti wrote:

> NoOp wrote:
>> On 10/18/2012 05:58 PM, James Knott wrote:
>>> Andrea Pescetti wrote:
>>>> Are you maybe using a browser extension that enforces HTTPS?
>>> Yes, I am using an add-on called HTTPS-Everywhere, which uses HTTPS
>>> where possible.
>> www.openoffice.org uses an invalid security certificate.
>
> OK, but in this case I would just say that HTTPS is unsupported: the
> browser add-on you are using is trying to enforce HTTPS, but we never
> advertise the HTTPS address. By chance, we happen to answer HTTPS
> requests too, but removing it would solve the problem too. Anyway, I
> agree that the optimal solution would be to fix the certificate and I
> opened https://issues.apache.org/jira/browse/INFRA-5450 to track this.
>
> Regards,
>    Andrea.
>

The interesting part is that it seems that this has just recently
started. So you might check as to what changed on the website to enable
SSL to begin with.

Note: It is easy enough to have HTTPS-Everywhere or the browser make an
exception for the openoffice.org domain. However if Apache are going to
turn on SSL access for openoffice.org, then _Apache_ need to correct
their cert for the domain.





Re: Bad site certificate

Andrea Pescetti-2
In reply to this post by James Knott
James Knott wrote:
> Andrea Pescetti wrote:
>> but we never advertise the HTTPS address.
> It would be the same address as HTTP, but different port.

Obviously. But we've never stated anywhere that
https://www.openoffice.org exists and/or works. Add-ons just guess, find
something and try to retrieve it.

The recommended way to access the OpenOffice site in HTTPS for those who
prefer it over HTTP is to use:
https://ooo-site.apache.org

This works and produces no warnings (of course, content is identical to
http://www.openoffice.org ); for more, see
https://issues.apache.org/jira/browse/INFRA-5450

Regards,
   Andrea.


Re: Bad site certificate

NoOp-4
On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
> James Knott wrote:
>> Andrea Pescetti wrote:
>>> but we never advertise the HTTPS address.
>> It would be the same address as HTTP, but different port.
>
> Obviously. But we've never stated anywhere that
> https://www.openoffice.org exists and/or works. Add-ons just guess, find
> something and try to retrieve it.

Then close port 443. But that of course would create issues for the 11
other domains on 140.211.11.131 - https redirects/results are in parens:

  Domain Name
1 APACHE-EXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
2 APACHE.ORG.
(https://www.apache.org/)
3 APACHECON.COM.
(http://apachecon.com/)
4 APACHEEXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
5 APACHEXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
6 LIBCLOUD.COM.
(https://libcloud.apache.org/)
7 LIBCLOUD.NET.
(https://libcloud.apache.org/)
8 LIBCLOUD.ORG.
(https://libcloud.apache.org/)
9 OPENOFFICE.ORG.
(www.openoffice.org uses an invalid security certificate)
10 SUBVERSION.COM.
(https://subversion.apache.org/)
11 SUBVERSION.NET.
(https://subversion.apache.org/)
12 SUBVERSION.ORG.
(https://subversion.apache.org/)

and 5 other domains on 192.87.106.229:

  Domain Name
1 APACHE-EXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
2 APACHE.ORG.
(https://www.apache.org/)
3 APACHECON.COM.
(http://apachecon.com/)
4 APACHEEXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
5 APACHEXTRAS.ORG.
(https://code.google.com/a/apache-extras.org/hosting/)
6 OPENOFFICE.ORG.
(www.openoffice.org uses an invalid security certificate)

HTTPS queries work without issue on all of those domains, including the
non apache named domains (libcloud.com etc) - with the exception of
openoffice.org. Openoffice.org is the odd man out... Perhaps a recent
change on the site enabled SSL but didn't configure SNI properly?

>
> The recommended way to access the OpenOffice site in HTTPS for those who
> prefer it over HTTP is to use:
> https://ooo-site.apache.org

Like the above, the URL should be configured to automatically redirect
to https://ooo-site.apache.org when an https request is received?
$ host ooo-site.apache.org
ooo-site.apache.org has address 140.211.11.131
ooo-site.apache.org has address 192.87.106.229
ooo-site.apache.org has IPv6 address 2001:610:1:80bc:192:87:106:229
>
> This works and produces no warnings (of course, content is identical to
> http://www.openoffice.org ); for more, see
> https://issues.apache.org/jira/browse/INFRA-5450
>
> Regards,
>    Andrea.
>




Re: Bad site certificate

Andrea Pescetti-2
On 25/10/2012 NoOp wrote:
> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>> The recommended way to access the OpenOffice site in HTTPS for those who
>> prefer it over HTTP is to use:
>> https://ooo-site.apache.org
> Like the above, the URL should be configured to automatically redirect
> to https://ooo-site.apache.org when an https request is received?

Apparently, this won't work since Infra says "Redirect won't work, as
the SSL handshake precedes the first opportunity to send a redirect".

But you are welcome to weigh in directly on
https://issues.apache.org/jira/browse/INFRA-5450 :
registration is open to everyone.

And if in the end the most sensible solution is that we acquire a
certificate for *.openoffice.org , this is surely something the PMC and
Infra can look into. But it would be good to see the discussion in the
issue page converge.

Regards,
   Andrea.


Re: Bad site certificate

NoOp-4
On 11/01/2012 10:45 AM, Andrea Pescetti wrote:

> On 25/10/2012 NoOp wrote:
>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>> prefer it over HTTP is to use:
>>> https://ooo-site.apache.org
>> Like the above, the URL should be configured to automatically redirect
>> to https://ooo-site.apache.org when an https request is received?
>
> Apparently, this won't work since Infra says "Redirect won't work, as
> the SSL handshake precedes the first opportunity to send a redirect".

That doesn't make any sense as I've already demonstrated that the other
https links to those IP addresses do indeed redirect.

>
> But you are welcome to weigh in directly on
> https://issues.apache.org/jira/browse/INFRA-5450 :
> registration is open to everyone.

Thanks, but no thanks. I suppose I could provide a server trace &
wireshark session file etc., but I doubt that it will do any good to
attempt to change Daniel Shahaf's mind.  You, however, might ask him
just how the other https links work on those IP's, yet the OOo link does
not, and why 443 is turned on for that URL to begin with if Apache do
not intend to support https on that link.

> And if in the end the most sensible solution is that we acquire a
> certificate for *.openoffice.org , this is surely something the PMC and
> Infra can look into. But it would be good to see the discussion in the
> issue page converge.
>
> Regards,
>    Andrea.
>




Re: Bad site certificate

Andrea Pescetti-2
On 02/11/2012 NoOp wrote:
> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>> But you are welcome to weigh in directly on
>> https://issues.apache.org/jira/browse/INFRA-5450 :
> Thanks, but no thanks. I suppose I could provide a server trace &
> wireshark session file etc., but I doubt that it will do any good

It would probably help more than me just reposting your messages there.
I shared your analysis on the issue page, but I cannot continue the
technical discussion there as a middle-man. Anyway, let's see if there
is a way to get rid of this security warning.

Unfortunately, a solution might be to use HTTPS on
https://ooo-site.apache.org/ only, thus switching
https://www.openoffice.org off; this is largely suboptimal but I agree
with you that random users who do not want to look at the certificate
details will interpret a security warning as something worse than having
no security, i.e., HTTP only...

Regards,
   Andrea.


Re: Bad site certificate

Dave Fisher
In reply to this post by NoOp-4

On Nov 1, 2012, at 5:39 PM, NoOp wrote:

> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>> On 25/10/2012 NoOp wrote:
>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>> prefer it over HTTP is to use:
>>>> https://ooo-site.apache.org
>>> Like the above, the URL should be configured to automatically redirect
>>> to https://ooo-site.apache.org when an https request is received?
>>
>> Apparently, this won't work since Infra says "Redirect won't work, as
>> the SSL handshake precedes the first opportunity to send a redirect".
>
> That doesn't make any sense as I've already demonstrated that the other
> https links to those IP addresses do indeed redirect.
>
>>
>> But you are welcome to weigh in directly on
>> https://issues.apache.org/jira/browse/INFRA-5450 :
>> registration is open to everyone.
>
> Thanks, but no thanks. I suppose I could provide a server trace &
> wireshark session file etc., but I doubt that it will do any good to
> attempt to change Daniel Shahaf's mind.  You, however, might ask him
> just how the other https links work on those IP's, yet the OOo link does
> not, and why 443 is turned on for that URL to begin with if Apache do
> not intend to support https on that link.

If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.

If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.

We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.

I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.

If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.

>
>> And if in the end the most sensible solution is that we acquire a
>> certificate for *.openoffice.org , this is surely something the PMC and
>> Infra can look into. But it would be good to see the discussion in the
>> issue page converge.

That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.

Regards,
Dave

>>
>> Regards,
>>   Andrea.
>>
>
>
>

Re: Bad site certificate

Rob Weir
On Sun, Nov 4, 2012 at 12:53 PM, Dave Fisher <[hidden email]> wrote:

>
> On Nov 1, 2012, at 5:39 PM, NoOp wrote:
>
>> On 11/01/2012 10:45 AM, Andrea Pescetti wrote:
>>> On 25/10/2012 NoOp wrote:
>>>> On 10/25/2012 10:50 AM, Andrea Pescetti wrote:
>>>>> The recommended way to access the OpenOffice site in HTTPS for those who
>>>>> prefer it over HTTP is to use:
>>>>> https://ooo-site.apache.org
>>>> Like the above, the URL should be configured to automatically redirect
>>>> to https://ooo-site.apache.org when an https request is received?
>>>
>>> Apparently, this won't work since Infra says "Redirect won't work, as
>>> the SSL handshake precedes the first opportunity to send a redirect".
>>
>> That doesn't make any sense as I've already demonstrated that the other
>> https links to those IP addresses do indeed redirect.
>>
>>>
>>> But you are welcome to weigh in directly on
>>> https://issues.apache.org/jira/browse/INFRA-5450 :
>>> registration is open to everyone.
>>
>> Thanks, but no thanks. I suppose I could provide a server trace &
>> wireshark session file etc., but I doubt that it will do any good to
>> attempt to change Daniel Shahaf's mind.  You, however, might ask him
>> just how the other https links work on those IP's, yet the OOo link does
>> not, and why 443 is turned on for that URL to begin with if Apache do
>> not intend to support https on that link.
>
> If 443 were turned off then another vhost for another project would answer the request and there would still be a warning.
>
> If a *.openoffice.org certificate were purchased it would be secondary to *.apache.org and older browsers would still have trouble. I've set up multiple certificates on httpd at work and know this to be so. No way the ASF will put the *.openoffice.org certificate (if purchased) first.
>
> We can do a rewrite of https traffic to http but that happens after the handshake and the security warning.
>
> I doubt that this razor fine point is worth the effort and the tradeoff of increased complexity for Infrastructure.
>

Probably no use for SSL site wide, but we do have a small number of
pages where we would benefit, like the login/registration pages for
the openoffice.org domain wiki and the support forums.

> If we had a view of what browsers are used and how much is https we can measure the impact and determine if effort here is worth it.
>
>>
>>> And if in the end the most sensible solution is that we acquire a
>>> certificate for *.openoffice.org , this is surely something the PMC and
>>> Infra can look into. But it would be good to see the discussion in the
>>> issue page converge.
>
> That discussion is there in the JIRA. You can see the bit above. It is an incremental improvement effective for modern browsers.
>
> Regards,
> Dave
>
>>>
>>> Regards,
>>>   Andrea.
>>>
>>
>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
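
Added example (not part of the original thread, and not Apache's actual configuration): a small Python model of the certificate name check and SNI-based certificate selection discussed in this thread. It shows why *.apache.org does not cover www.openoffice.org, why a redirect cannot suppress the warning, and why a secondary *.openoffice.org certificate only helps clients that send SNI. The certificate lists and all function names are assumptions made for illustration; real matching is done by the TLS library.

```python
"""Model of the TLS name check and certificate selection (illustrative only)."""


def name_matches(pattern, host):
    """RFC 6125-style match: '*' is allowed only as the entire left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.org' covers neither 'example.org' nor 'a.b.example.org'
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def select_cert(vhost_certs, sni):
    """Server side: use the certificate covering the SNI name, otherwise
    fall back to the first (default) certificate on that IP and port."""
    if sni is not None:
        for cert in vhost_certs:
            if any(name_matches(name, sni) for name in cert):
                return cert
    return vhost_certs[0]


def handshake(vhost_certs, url_host, client_sends_sni=True):
    """Client side: return (names on presented cert, 'ok' or the browser error)."""
    cert = select_cert(vhost_certs, url_host if client_sends_sni else None)
    ok = any(name_matches(name, url_host) for name in cert)
    return cert, "ok" if ok else "ssl_error_bad_cert_domain"


def fetch(vhost_certs, url_host, redirect_to, client_sends_sni=True):
    """An HTTP redirect exists only inside the TLS session, so it can be
    delivered only after the certificate has already been accepted."""
    _, status = handshake(vhost_certs, url_host, client_sends_sni)
    if status != "ok":
        return status  # warning shown; the redirect was never sent
    return "301 -> " + redirect_to


# Constructed inputs. Each certificate is modelled as its list of names.
AS_REPORTED = [["*.apache.org"]]                         # what the thread describes
WITH_SECOND = [["*.apache.org"], ["*.openoffice.org"]]   # hypothetical second cert
TARGET = "https://ooo-site.apache.org/"

if __name__ == "__main__":
    print(handshake(AS_REPORTED, "www.openoffice.org"))
    print(handshake(AS_REPORTED, "ooo-site.apache.org"))
    print(fetch(AS_REPORTED, "www.openoffice.org", TARGET))
    print(fetch(WITH_SECOND, "www.openoffice.org", TARGET, client_sends_sni=True))
    print(fetch(WITH_SECOND, "www.openoffice.org", TARGET, client_sends_sni=False))
    print(name_matches("*.openoffice.org", "openoffice.org"))
```

The last call returns False: a wildcard certificate for *.openoffice.org would still not cover the bare openoffice.org name unless that name is listed on the certificate as well.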