[sudo-workers] lack of mailing list security

Eygene Ryabinkin rea-sudo at codelabs.ru
Fri May 2 07:24:08 EDT 2008


Todd, good day.

Thu, May 01, 2008 at 01:22:13PM -0400, Todd C. Miller wrote:
> > Logging into the website isn't all that secure either.  The certificate
> > for the site is for a completely different hostname, but it doesn't matter
> > because even if you type in "https", the form on that page _forces_ you 
> > back to a non-SSL login.
> 
> The cert is for the "real" name of the web server.  I suppose I
> could add a separate cert for each vhost, though that won't solve
> the problem where mailman directs you to an http page.

There is no point in adding more certificates: the SSL connection
is established prior to the vhost recognition.  But you can add all
your hostnames to the certificate's subjectAltName field.  They
should be in the dNSName format.  The following links can be of
interest:
  http://nils.toedtmann.net/pub/subjectAltName.txt
  http://wiki.cacert.org/wiki/VhostTaskForce

You will have to re-sign the certificate at the CA.
-- 
Eygene
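
Added example, not part of the original message: a check that every vhost served from one address is covered by a dNSName entry in the certificate's subjectAltName. The certificate dict uses the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames, the sample certificate and the function names are constructed for illustration.

```python
# Find vhosts that a certificate's subjectAltName dNSName entries do not cover.
# Only the SAN is consulted: the subject commonName is deliberately ignored.

def dns_names(cert):
    """Return the lowercase dNSName entries from the certificate's subjectAltName."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def name_matches(pattern, hostname):
    """Match a hostname against one dNSName. A wildcard is accepted only as
    the whole leftmost label and covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject wildcards directly under a top-level domain ("*.org").
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered_vhosts(cert, vhosts):
    """Return the vhosts for which no dNSName entry matches, in input order."""
    names = dns_names(cert)
    return [v for v in vhosts if not any(name_matches(n, v) for n in names)]

# Constructed sample: one certificate shared by several name-based vhosts.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.example.org"),),),
    "subjectAltName": (
        ("DNS", "server.example.org"),
        ("DNS", "www.example.org"),
        ("DNS", "*.lists.example.org"),
        ("IP Address", "192.0.2.10"),   # not a dNSName, so never matched
    ),
}
SAMPLE_VHOSTS = [
    "www.example.org",
    "mail.lists.example.org",
    "lists.example.org",    # the wildcard does not cover the parent name
    "bugs.example.org",
]

if __name__ == "__main__":
    for vhost in uncovered_vhosts(SAMPLE_CERT, SAMPLE_VHOSTS):
        print("not covered by any dNSName:", vhost)
```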


