[ofw] openfabrics.org ssl certificate

Jan Bottorff jbottorff at xsigo.com
Tue Oct 2 01:32:24 PDT 2007


Hi,

The SSL certificate used for wiki.openfabrics.org is basically bogus.

1) the embedded name is staging.openfabrics.org (to be correct it needs
to really match what's in the url), browsers check this so they can
authenticate who is at the other end of the url (this prevents dns
spoofing, which can make www.citibank.com actually send some people to
the ip address for hackers.areus.com)

2) the certificate expired 1/19/2007

3) the certificate is self signed, not from a real certificate authority
(the thing that prevents hackers.areus.com from just self signing a
certificate that has www.citibank.com is browsers only accept
certificates that have a parent (or parent's parent) that is rooted in
trusted certificates, unless you explicitly tell your browser to trust a
certificate).

The lowest cost real SSL certificates I know of are at godaddy.com. The
simplest one is $20/year (for a single site certificate like
wiki.openfabrics.org). If you want a wildcard certificate (i.e.
*.openfabrics.org) it's $199/year. This validates in something like 98%
of browsers. The $500 Verisign certificates validate in like 99.9% of
browsers.

The process to get a real SSL certificate basically is someone who has
appropriate access to the web server needs to generate a certificate
signing request (csr) with a private key. You keep the private key, and
you send the csr to the certificate authority (and perhaps tell them
which web server you use). They will validate your identity ($20 doesn't
get much validation, like that the owner of the domain has your email
address), sign the csr with a private key that has in its parent chain
one of the roots stored in web browsers, and send you back the signed
certificate. This certificate, along with the private key which you
carefully kept secret, needs to then be configured in the web server and
ssl works as intended. As I remember, the last time I used a low cost
godaddy.com certificate, I also had to add an intermediate certificate
in the chain to the web server, to be sent along with the site
certificate. This is because godaddy's certificate is the child of a
child of a validated root. The web servers all know how to configure
these intermediate certificates, and they are not uncommon (like a big
corporation would get a corporate subroot signed by a validated root, to
use in their corporate certificate authority, which then signs the
certificates of a department, and ssl is happy). 


Jan


-----Original Message-----
From: ofw-bounces at lists.openfabrics.org
[mailto:ofw-bounces at lists.openfabrics.org] On Behalf Of Smith, Stan
Sent: Monday, October 01, 2007 10:24 AM
To: ofw at lists.openfabrics.org
Subject: [ofw] Resolution for missing header files in build process
documented @ openib-wiki FAQ


See https://wiki.openfabrics.org/tiki-index.php?page=Windows+FAQ

BTW, does anyone know how to correct the problem with this website's
security certificate?
It's hard to maintain a semblance of credibility when we don't even fix
our own web page...

Thanks,

Stan.
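
The three faults listed in the message (name mismatch, expiry, self-signed) can each be checked from the command line. The script below is an added example, not part of the original email; it assumes the `openssl` CLI is installed, and the function names and `.example.test` hostnames are made up for illustration, with a constructed sample certificate standing in for the real one.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report the faults described in
# the message for a PEM certificate.
# Usage: check_cert CERT.pem EXPECTED_HOSTNAME [SECONDS_AHEAD]
check_cert() {
    cert=$1 host=$2 ahead=${3:-0}
    faults=""

    # 1) Name: the host in the URL must match the certificate
    #    (subjectAltName, or the CN when no SAN is present).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        faults="$faults name-mismatch"
    fi

    # 2) Validity: -checkend exits non-zero when the certificate is no longer
    #    valid $ahead seconds from now (0 means "already expired").
    if ! openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null; then
        faults="$faults expired-or-expiring"
    fi

    # 3) Self-signed: issuer equals subject, so no certificate authority
    #    vouches for the name.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        faults="$faults self-signed"
    fi

    faults=${faults# }
    echo "${faults:-ok}"
}

# Constructed sample: a one-day self-signed certificate whose embedded name
# differs from the name the site is reached under.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=staging.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp"
echo "faults: $(check_cert "$tmp/cert.pem" wiki.example.test)"
rm -rf "$tmp"
```

Passing a third argument such as `2592000` (30 days) turns the expiry check into an early warning for renewals.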