Community.openproducts.com has invalid certificate


This topic contains 4 replies, has 3 voices, and was last updated by Tor Krill 2 years, 10 months ago.

  • #545

    kivinen
    Participant

    When I first registered on community.openproducts.com I noticed it sent me an email in clear text, so of course I wanted to change the password. I logged in and to my great surprise the site was NOT protected by TLS. I would have expected that a product that is really for privacy would protect all information with TLS, so I simply edited the http -> https in the URL, and noticed, yes there is TLS, but the certificate is not for community.openproducts.com, but a wildcard cert for loopiasecure.com.

    Knowing that proper certificates trusted by browsers cost less than $10 per year (for example gogetssl sells some Comodo certs for $6 / year), it would be better to get a proper certificate for community.openproducts.com and make sure the forums are redirected to TLS by default.

  • #556
    Tor Krill
    Keymaster

    Hi Kivinen,

    Thank you for your constructive feedback, it's appreciated!

    The problem with the certificate is that the hosting company for this site does not provide means for customer-specific certificates. (God knows why they keep arguing that it's not possible.) You can browse this forum via https and you will be presented with the hosting company's certificate "*.loopiasecure.com" 🙁

    We are painfully aware of this flaw and will hopefully be able to change this in the (near?) future.

    /Tor

  • #561

    kivinen
    Participant

    Sounds like a clueless hosting company…

    The web server seems to be Apache 2.2.27 running on FreeBSD, and Apache does support SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), i.e. you can have virtual hosts with the same IP address served by the same host.

    Configuration should be something like:

    # Ensure that Apache listens on port 443
    Listen 0.0.0.0:443
    Listen [::]:443

    # Listen for virtual host requests on all IP addresses
    NameVirtualHost *:443

    # Go ahead and accept connections for these vhosts
    # from non-SNI clients
    SSLStrictSNIVHostCheck off

    <VirtualHost *:443>
        # Default virtual host when no SNI
        ServerName server1.example.com:443
        DocumentRoot /www/server1

        SSLEngine on
        SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
        SSLHonorCipherOrder on
        SSLCertificateFile /www/ssl/server1.crt
        SSLCertificateKeyFile /www/ssl/server1.key
        SSLCertificateChainFile "/www/ssl/server1_intermediate.crt"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName community.openproducts.com:443
        DocumentRoot /www/community-opi/

        SSLEngine on
        SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCipherSuite HIGH:+MEDIUM:!aNULL:!MD5:!ADH
        SSLHonorCipherOrder on
        SSLCertificateFile /www/ssl/community-opi.crt
        SSLCertificateKeyFile /www/ssl/community-opi.key
        SSLCertificateChainFile "/www/ssl/community-opi_intermediate.crt"
    </VirtualHost>

    or similar. For more information see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI or https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
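Added example, not code from the thread or from the site's operators: a small Python script that fetches the certificate a server presents with SNI and without it and applies browser-style name matching, which is the check Kivinen did by hand in a browser. The SAMPLE_CERT dict is constructed to resemble the wildcard certificate described above, and probe() needs network access.

```python
import socket
import ssl

# Constructed sample resembling the wildcard certificate described in the
# thread; not captured from any real server.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.loopiasecure.com"),),),
    "subjectAltName": (("DNS", "*.loopiasecure.com"), ("DNS", "loopiasecure.com")),
}


def presented_names(cert: dict) -> list:
    """Names a certificate claims: dNSName SANs, or the subject CN only if no SANs exist."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(hostname: str, names: list) -> bool:
    """Browser-style (RFC 6125) matching: a wildcard must be the whole leftmost
    label and covers exactly one label, so *.loopiasecure.com matches
    www.loopiasecure.com but neither loopiasecure.com nor community.openproducts.com."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def probe(hostname: str, port: int = 443, use_sni: bool = True) -> tuple:
    """Fetch the certificate served for hostname, with or without SNI, and return
    (names, matches). Chain verification stays on; only hostname checking is
    disabled so a mismatched certificate is inspected rather than rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if use_sni else None) as tls:
            cert = tls.getpeercert()
    names = presented_names(cert)
    return names, hostname_matches(hostname, names)


if __name__ == "__main__":
    for sni in (True, False):
        names, ok = probe("community.openproducts.com", use_sni=sni)
        print(f"SNI={'on' if sni else 'off'}: presented {names}; matches: {ok}")
```

If the two runs print the same names, the server is ignoring SNI (or has no per-name vhost), which is exactly what the hosting company's setup looks like from the outside.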

  • #563

    Andrew
    Participant

    Tor,

    I suggest you check out CloudFlare, which now provides free SSL: https://blog.cloudflare.com/introducing-universal-ssl/

    Andrew

  • #565
    Tor Krill
    Keymaster

    Hi Andrew and Kivinen,

    Regarding Loopia and SSL certs. Yes, I know of SNI and I actually emailed them complaining about it. (Not that I think it will matter to them.)

    Regarding Cloudflare, I will add it to our list of potential alternatives.

    Thx!
    /Tor
