
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)





On 10/3/07, John Hasler <..hidden..> wrote:
Chris Travers writes:
> But consider Ubuntu.  Do you *really* want us writing global options to
> your Apache configuration file, possibly ovewriting SSL options, etc?

On Debian and therefore probably on Ubuntu you just drop a file in the
directory /etc/apache/conf.d.


The problem is that SSL is negotiated prior to the HTTP headers.  Hence the certificate is tied to an IP address/Port combination.  Virtual servers, directories, etc. cannot have their own SSL certificates.  Hence it really is a global setting which may conflict with other certificates people already have installed.

> I think the case can be made that on Linux, the responsibility for
> setting up the servers beyond some basic settings, should be the
> responsibility of the administrator.

It should be possible to set up a usable default configuration with at most
a few debconf questions.


Sure.  Hence 1.3 will not touch the SSL settings but *will* restrict, by default, access to localhost.

Note that there is one more issue with tampering with SSL setups.  SSL provides two major security features:
1)  It protects against eavesdropping.  This is largely what we are talking about right now, but many deployments may also need:

2)  It protects against one server impersonating another, so as to prompt you to enter your credentials improperly.  In this case, a certificate authority vouches for the authentication of the server.  If we include a certificate, we aren't vouching for anyone's identity (except maybe "This certificate is issued to 'localhost'").

Best Wishes,
Chris Travers

--
John Hasler
..hidden..
Elmwood, WI USA
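The drop-in approach John describes, combined with the localhost-only default Chris mentions for 1.3, looks roughly like the fragment below. This is an added illustration, not the LedgerSMB project's own packaging or code; the file path (/etc/apache2/conf.d/ledgersmb.conf), the install directory (/usr/share/ledgersmb) and the URL prefix (/ledgersmb) are assumptions chosen for the example. It uses the Apache 1.3/2.2 access-control syntax of the period and stays inside a single <Directory> block, so it neither sets nor overrides any global or SSL directive.

```apache
# /etc/apache2/conf.d/ledgersmb.conf  (assumed path; added example, not project code)
# A conf.d drop-in only adds scoped directives; it never touches the
# server-wide SSL settings, which stay under the administrator's control.
Alias /ledgersmb /usr/share/ledgersmb      # assumed install directory

<Directory /usr/share/ledgersmb>
    AddHandler cgi-script .pl
    Options +ExecCGI
    AllowOverride None

    # Default deny, then permit only the loopback addresses.
    # With "Order deny,allow" the Deny rules are evaluated first and a
    # matching Allow wins, so every non-local client gets 403.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    # On Apache 2.4 the three lines above collapse to:  Require local
</Directory>
```

Two caveats worth stating in the packaging notes: the check is on the TCP source address, so a reverse proxy or SSH port-forward on the same machine makes every request look local and silently widens access; and restricting to localhost addresses only the eavesdropping concern for the trivial case, it does nothing for remote users, whose SSL certificate and trust decisions remain the administrator's job as the thread concludes.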

_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel