[ietf78-tech] Fwd: Certificates for the IETF
John Kemp
kemp at network-services.uoregon.edu
Wed Jul 14 12:07:42 PDT 2010
Just an educated guess... I'm going by what I read in the
iptables manpage for REDIRECT, and by the fact that we will
have more than one bridge interface, each having a different
IP address. Seems like we are stuck with having to target
the IP on the bridge interface. Which ties to SSL, which
ties to NAME... :(
/jgk
On 07/14/2010 11:53 AM, Jim Martin wrote:
> Folks,
> Could you guys sanity check this for John and me? I can't imagine you
> would really need a separate cert per van. John, no offense intended,
> but I want to be really sure before I go back to Russ for yet something
> else.
>
> -Jim
>
> Sent from my iPhone
>
> Begin forwarded message:
>
>> *From:* John Kemp <kemp at network-services.uoregon.edu>
>> *Date:* July 14, 2010 10:17:03 AM PDT
>> *To:* Jim Martin <jim at daedelus.com>
>> *Subject:* *Re: Certificates for the IETF*
>> *Reply-To:* kemp at network-services.uoregon.edu
>>
>> On 07/13/2010 09:36 AM, Jim Martin wrote:
>>> Ray,
>>> The cert for portal.meeting.ietf.org should go to John, since he's the
>>> guy actually building the boxes.
>>>
>>> Thanks!
>>>
>>> - Jim
>>>
>>
>> Gah.
>>
>> I just realized that we require one more certificate for the 2nd vlan.
>> Hopefully, that should do it. I believe we only have "ietf-portal" and
>> "ipef-a-portal". So maybe: https://portal-a.meeting.ietf.org/ as well???
>>
>> Should I just generate the csr and ask for 1 more?
>>
>> /jgk
>>
>>
>> --> here's the sequence. Upshot is that we need to hand the
>> user: https://NAME/, otherwise, they will get a match error at
>> the point the SSL starts to check. And we can't hand them a
>> NAME on a vlan outside of the redirect to local bridge ip so...
>>
>> Iptables redirects user to br_int_ip.
>> br_int_ip is an IP Virtual Host in apache.
>> http -> https/NAME/index.pl?redir=...
>> Apache also does rewrite of any https URL to a NAME/index.pl
>>
>> index.pl/Apache processes "index.pl" looks at the client IP.
>> index.pl determines the vlan.
>> index.pl uses br_int_name as POST action
>> Configured br_int_name is then filled in as the POST action
>>
>> -----------------------------
>
>
> _______________________________________________
> ietf78-tech mailing list
> ietf78-tech at daedelus.com
> http://www.daedelus.com/mailman/listinfo/ietf78-tech
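
The sequence quoted above (client IP, then VLAN, then the NAME handed to the user over HTTPS) can be checked against a certificate's name list before deployment. This is an added example, not code from the thread or from the portal itself: the subnets and VLAN keys are constructed placeholders, only the two portal names come from the messages, and it goes slightly beyond the thread by also accepting a multi-name or wildcard certificate as input.

```python
import ipaddress
from urllib.parse import quote

# Constructed sample data: the subnets are placeholders (RFC 5737 range) and
# the VLAN keys are hypothetical; the two portal names come from the thread.
VLANS = {
    "vlan-1": (ipaddress.ip_network("192.0.2.0/25"), "portal.meeting.ietf.org"),
    "vlan-2": (ipaddress.ip_network("192.0.2.128/25"), "portal-a.meeting.ietf.org"),
}


def portal_name(client_ip):
    """Return the bridge-interface name (br_int_name) for the client's VLAN."""
    ip = ipaddress.ip_address(client_ip)
    for net, name in VLANS.values():
        if ip in net:
            return name
    raise LookupError("client %s is not on a known VLAN" % client_ip)


def redirect_url(client_ip, redir):
    """Build the https://NAME/index.pl?redir=... URL handed to the client."""
    return "https://%s/index.pl?redir=%s" % (portal_name(client_ip), quote(redir, safe=""))


def name_matches(pattern, host):
    """Compare a certificate dNSName with a host name, label by label.

    A wildcard is honoured only as the entire left-most label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_names(cert_dns_names):
    """List portal names that would produce a name-mismatch error."""
    return sorted(
        name for _, name in VLANS.values()
        if not any(name_matches(san, name) for san in cert_dns_names)
    )


if __name__ == "__main__":
    print(redirect_url("192.0.2.200", "http://example.com/"))
    print(uncovered_names(["portal.meeting.ietf.org"]))
```
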