[cp-global] cryptoparty.in and SSL
Kai Engert
kaie at kuix.de
Mon Mar 10 21:59:56 GMT 2014
On Sun, 2014-03-09 at 01:10 +0100, ml at enteig.net wrote:
> there are reports that https://cryptoparty.in does not load in some
> configurations of browsers.
>
> If you cannot reach https://cryptoparty.in please report this to – I
> don't know, I guess I can collect and sort it before forwarding to the
> admins – me <ml at enteig.net>.

It seems the cryptoparty.in domain has been configured to use HSTS.
That's a server-side mechanism that requests the client to remember
that a site is able to use https, and to refuse any attempt to load
plaintext http.

Accessing https://cryptoparty.in triggers a redirect to the plaintext
address http://www.cryptoparty.in

You can see it yourself e.g. using

$ curl --head https://cryptoparty.in
HTTP/1.1 301 Moved Permanently
...
Location: http://www.cryptoparty.in/

You should change the configuration to redirect to
https://www.cryptoparty.in/ in order to avoid problems with HSTS [1].

It's possible the above combination of server side configuration is
causing the problems. Don't redirect from https to http.

Another potential issue: the server uses the SNI [2] feature.
That's a modern variation of the SSL/TLS handshake that allows hosting
multiple domains on a single TLS server port.

SNI requires a modern browser.

In addition, SNI is incompatible with SSL v2. Most browsers should have
SSL v2 disabled by default.

If you experience a server error, mentioning the certificate being valid
only for *.informatick.net, did you reenable SSL v2? (Don't do that, SSL
v2 is broken.)

Kai

[1] HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[2] SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
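
The following is an added example, not part of the original message: a small offline model of how an HSTS-aware client treats the https-to-http redirect described above, next to the corrected redirect. Only the 301 from https://cryptoparty.in to http://www.cryptoparty.in/ comes from the curl output; the HSTS header value (with includeSubDomains), the behaviour of the www host, and the names `model`, `hsts_applies`, `note_hsts` and `follow` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urljoin
STS = "Strict-Transport-Security"

def model(target, www):
    # Constructed server model: the HSTS value and the www host's response are
    # assumptions; only the 301 on the apex host is taken from the curl output.
    return {"https://cryptoparty.in/": (301, {
                STS: "max-age=31536000; includeSubDomains", "Location": target}),
            "https://www.cryptoparty.in/": www}

BROKEN = model("http://www.cryptoparty.in/", (301, {"Location": "http://www.cryptoparty.in/"}))
FIXED = model("https://www.cryptoparty.in/", (200, {}))

def hsts_applies(host, store):
    """True if host, or a parent that set includeSubDomains, is a known HSTS host."""
    labels = host.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return host in store or any(store.get(p) for p in parents)

def note_hsts(host, value, store):
    """Record or clear an HSTS policy from a header received over https."""
    d = [p.strip().lower() for p in value.split(";")]
    age = next((int(p.split("=", 1)[1].strip('"')) for p in d if p.startswith("max-age")), None)
    if age:
        store[host] = "includesubdomains" in d
    elif age == 0:
        store.pop(host, None)

def follow(url, site, max_hops=10):
    """Follow redirects like an HSTS-aware client; return (outcome, events)."""
    store, events, seen = {}, [], set()
    for _ in range(max_hops):
        u = urlsplit(url)
        if u.scheme == "http" and hsts_applies(u.hostname, store):
            url = u._replace(scheme="https").geturl()  # rewritten before connecting
            events.append(("hsts-upgrade", url))
        if url in seen:
            return "loop", events
        seen.add(url)
        status, headers = site[url]
        if url.startswith("https://") and STS in headers:
            note_hsts(urlsplit(url).hostname, headers[STS], store)
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            return "ok", events
        nxt = urljoin(url, headers["Location"])
        if url.startswith("https://") and nxt.startswith("http://"):
            events.append(("downgrade", nxt))
        url = nxt
    return "too-many-hops", events
```

Under these assumptions `follow("https://cryptoparty.in/", BROKEN)` ends in a redirect loop, because the client upgrades every http target back to https, while the `FIXED` model loads with no downgrade events.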