
Re: https can't be good for work



On Fri, 2007-09-21 at 22:50 +0800, edwardspl ita org mo wrote:
> So, what is the mistake in the config?
> 
> Remark: The SSL certificate is a self-signed SSL certificate, and the
> Web Server comes with the FC6 system.

A self-signed certificate is not verifiable by other people.  There's no
third-party countersigning it to say that it's not forged.  So it's
always regarded as being invalid.  To use a self-signed certificate each
user has got to make a personal decision to trust it, without anything
to bolster that decision.  Unlike how counter-signed certificates are
usually handled by the browser - if it's signed by something it's
pre-programmed to trust, like Verisign, it accepts it without
questioning the user.

Another problem is that your self-signed certificate is for the
localhost (the machine, as it sees itself, just the same as you might
refer to yourself as "me" when you look in the mirror).  This isn't the
address that other people access you by, so it is a false certificate to
them.

If you want to use a self-signed certificate, despite the prior
information about it not being verifiable, then you need to generate a
new one using the exact same fully-qualified domain name that your HTTPS
site will be accessed through.

i.e. If it's accessed as https://www.example.com then the certificate
must be for www.example.com, not just example.com, nor any other
variation.

-- 
[tim bigblack ~]$ uname -ipr
2.6.22.5-76.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
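
The step described in the message above, as an added example that is not part of the original post: generate a self-signed certificate for the exact fully-qualified name and check which names it is valid for. It assumes OpenSSL 1.1.1 or later on the PATH; the function names and file names are this example's own, and www.example.com is the placeholder name used in the message.

```shell
#!/bin/sh
# Added example: function and file names are hypothetical, not from the post.

# make_selfsigned FQDN DIR
# Writes DIR/server.key and DIR/server.crt, self-signed for exactly FQDN.
# The name goes in both the subject CN and a subjectAltName entry, because
# current browsers match the hostname against subjectAltName only.
make_selfsigned() {
    ss_fqdn=$1
    ss_dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$ss_fqdn" \
        -addext "subjectAltName=DNS:$ss_fqdn" \
        -keyout "$ss_dir/server.key" \
        -out "$ss_dir/server.crt" 2>/dev/null
}

# cert_matches CERT NAME
# Returns 0 if CERT is valid for hostname NAME, non-zero otherwise.
# openssl prints "does match" or "does NOT match"; only the former passes.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Demo: a certificate for www.example.com checked against three names.
demo_dir=$(mktemp -d)
make_selfsigned www.example.com "$demo_dir"
for demo_name in www.example.com example.com localhost; do
    if cert_matches "$demo_dir/server.crt" "$demo_name"; then
        echo "$demo_name: matches the certificate"
    else
        echo "$demo_name: does NOT match the certificate"
    fi
done
rm -rf "$demo_dir"
```

A matching name only removes the hostname mismatch; the certificate is still self-signed, so each client has to trust it explicitly.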



