Comments on: Most Annoying Bug Ever http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/ Living in a state of accord. Sun, 23 Nov 2008 14:24:59 +0000 http://wordpress.org/?v=2.6.3 By: Kurs http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-105524 Kurs Mon, 20 Aug 2007 23:44:02 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-105524 can you by any chance recommend a tutorial for use with SSL and apache? can you by any chance recommend a tutorial for use with SSL and apache?

]]> By: Symphonious » Server Down-Time http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-69341 Symphonious » Server Down-Time Tue, 10 Apr 2007 10:19:18 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-69341 [...] know. I'll probably make an attempt to upgrade to PHP5 and fiddle with the SSL set up now that the most annoying bug in the world is fixed. There's probably a bunch of other stuff I can actually do now that the [...] [...] know. I'll probably make an attempt to upgrade to PHP5 and fiddle with the SSL set up now that the most annoying bug in the world is fixed. There's probably a bunch of other stuff I can actually do now that the [...]

]]> By: Craig Ringer http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68747 Craig Ringer Mon, 02 Apr 2007 11:58:47 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68747 I found the best solution to this was to run my client-cert-mandatory SSL virtual host on a non-standard high port, leaving port 443 for tasks that didn't require a client cert. Clumsy, but effective. I found the best solution to this was to run my client-cert-mandatory SSL virtual host on a non-standard high port, leaving port 443 for tasks that didn’t require a client cert. Clumsy, but effective.

]]> By: Adrian Sutton http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68486 Adrian Sutton Wed, 28 Mar 2007 07:07:44 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68486 Correction, removing the name based virtual hosts, moving the SSLVerifyClient directives outside of any Location elements and disabling the potential for basic authentication seems to make it work. Yay! Now of course I have no fall back to basic authentication when I'm on a browser that doesn't have my client certificate and no way to access my blog's admin page since it's on the name based virtual host that I just disabled and it's set to require SSL. I guess that's the next piece of the puzzle to set up. Correction, removing the name based virtual hosts, moving the SSLVerifyClient directives outside of any Location elements and disabling the potential for basic authentication seems to make it work. Yay! Now of course I have no fall back to basic authentication when I’m on a browser that doesn’t have my client certificate and no way to access my blog’s admin page since it’s on the name based virtual host that I just disabled and it’s set to require SSL. I guess that’s the next piece of the puzzle to set up.

]]> By: Adrian Sutton http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68485 Adrian Sutton Wed, 28 Mar 2007 07:00:52 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68485 Nope, removing the virtual hosts doesn't help either. From the comments on the bug it sounds like any time the first connection to the server has post content (like say, the stuff the subversion protocol sends) it fails. So, no client certificates for me. Oh well. Nope, removing the virtual hosts doesn’t help either. From the comments on the bug it sounds like any time the first connection to the server has post content (like say, the stuff the subversion protocol sends) it fails. So, no client certificates for me. Oh well.

]]> By: Adrian Sutton http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68441 Adrian Sutton Wed, 28 Mar 2007 00:03:41 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68441 hmm, I was going to say that's what I'm doing already, but I'm actually using name based virtual hosts which is pretty stupid for SSL now that I think about it. Might have to investigate not making *:443 a name virtual host and see where that leads. hmm, I was going to say that’s what I’m doing already, but I’m actually using name based virtual hosts which is pretty stupid for SSL now that I think about it. Might have to investigate not making *:443 a name virtual host and see where that leads.

]]> By: Byron Ellacott http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68440 Byron Ellacott Tue, 27 Mar 2007 23:57:36 +0000 http://www.symphonious.net/2007/03/27/most-annoying-bug-ever/#comment-68440 FWIW, we've been working around this bug for a long time now here at APNIC. You can resolve it by ensuring that the strongest authentication you will need is negotiated at connect time, that is, by putting your SSL directives at the outermost configuration level, or inside a level for an IP based virtual host (not name based -- the host name is part of the HTTP request headers). In your case, this would imply that you either (a) run a server on a non-standard port specifically for SVN, or (b) require client certificates for your entire https address. Of course, you probably already know this, but hey, someone else reading your blog might not. :) FWIW, we’ve been working around this bug for a long time now here at APNIC. You can resolve it by ensuring that the strongest authentication you will need is negotiated at connect time, that is, by putting your SSL directives at the outermost configuration level, or inside a level for an IP based virtual host (not name based — the host name is part of the HTTP request headers). In your case, this would imply that you either (a) run a server on a non-standard port specifically for SVN, or (b) require client certificates for your entire https address.

Of course, you probably already know this, but hey, someone else reading your blog might not. :)

]]>