https support?

Are you having tech problems of some sort with the boards and you need a place to report them?
Here you go.
William
Neophyte
Posts: 12
Joined: Sat Jun 28, 2014 12:29 am
Player name: Joel Ray Holveck
Character Name: Billy

https support?

Post by William »

In the day and age when a huge majority of browsers support SNI, would it be difficult to add https support to the board? I find myself checking the board from the same computer that I use to tunnel into work, and I tend to be somewhat more comfortable with my whole world being under SSL. (See also https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI.)

Speaking of which, while I'm perfectly comfortable with the self-signed certificate you currently use on the https side of things, StartCom (https://startssl.com/) provides free SSL certificates (each good for a single name, but that's probably okay for what you have going). That's what I usually use for my servers. It takes about an hour to set up, including things like reading the directions. I have to renew once a year or so, although I've got a shell script to help me with that.

I certainly do appreciate the work you put in to maintain the server, and the BAM community is so much richer for your efforts.

Thanks,
Joel

administrator
Site Admin
Posts: 168
Joined: Sat Jan 05, 2008 11:27 pm

Re: https support?

Post by administrator »

This site runs on a server shared by at least 3 other games, plus a number of other services that I run personally. A non-wildcard certificate isn't actually useful in this situation, since you cannot have more than one certificate on an IP address (due to how SSL works - the certificate is exchanged before the hostname is requested). Unfortunately because of an error I made earlier this year, I cannot actually get another startcom cert for endogaming.net without paying a $30 revocation fee followed by the $60 identity verification fee to get a replacement wildcard certificate. (no, the certificate wasn't stolen - I made an error during the validation process and didn't catch it until after I'd gotten the certificate signed)

At this point in time, I'm not willing to put forth the required funds to do this. SSL, honestly, isn't that important to this site at this point in time. I'm hoping to replace the physical hardware for endogaming.net at some point in the next year or so, and I think that my funds are far more useful going to that than to an SSL cert right now. The current plan is probably something like a modified mintbox running CentOS 7 to replace the current HP running CentOS 5.
I'm only here for administrative purposes...

William
Neophyte
Posts: 12
Joined: Sat Jun 28, 2014 12:29 am
Player name: Joel Ray Holveck
Character Name: Billy

Re: https support?

Post by William »

administrator wrote:This site runs on a server shared by at least 3 other games, plus a number of other services that I run personally. A non-wildcard certificate isn't actually useful in this situation, since you cannot have more than one certificate on an IP address (due to how SSL works - the certificate is exchanged before the hostname is requested).
I hate to disagree, but that's exactly the problem that SNI (Server Name Indication, RFC 6066 sec. 3) is designed to address: the client sends the expected hostname as part of the initial SSL handshake. It's supported by pretty much every major browser in the field these days except for MSIE on XP, and the fallback is to just act as Apache does today; see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI.

Sorry to hear about the cert mixup. I do agree that SSL support isn't worth you sinking personal funds into, although since StartCom will give non-wildcard certs for free, and a wildcard cert isn't needed if SNI is used, then there may not be any expenses needed.

Anyway, just a thought. I know that I'm still talking about a non-trivial amount of effort, and as you say, SSL support may not be worth it. Thanks again for all your work keeping things running smoothly!
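
The mechanism described in the reply above, as an added illustration that is not part of the thread or of the board's own software: the client puts the hostname it expects into the server_name extension of its ClientHello (RFC 6066 section 3), before any certificate is sent, so a server holding several single-name certificates on one IP address can pick the matching one. The script below builds a ClientHello as constructed test input, extracts the SNI hostname from the raw record, and selects a virtual host from a name-to-certificate map, falling back to a default host when the client sent no SNI at all (the old-browser case). The hostnames, certificate paths and cipher suite are placeholders, not values from this site.

```python
import struct
from typing import Dict, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    not a capture). With server_name=None the extension block is empty."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerName entry: name_type=host_name(0), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        # extension_type 0x0000 = server_name
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                          # client_version TLS 1.2
        + b"\x11" * 32                       # client random (constructed)
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite (placeholder)
        + b"\x01\x00"                        # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated TLS field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    list_len = _u16(data, 0)
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = _u16(data, pos + 1)
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None when the
    client sent no server_name extension (legacy clients)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + _u16(body, pos)                     # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = _u16(body, pos)
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:
            return _parse_server_name(data)
    return None


def select_vhost(record: bytes, vhosts: Dict[str, str], default: str) -> str:
    """Pick the certificate for the requested name; unknown or absent names
    get the default vhost, which is the pre-SNI single-certificate behaviour."""
    name = extract_sni(record)
    if name is None:
        return default
    return vhosts.get(name.lower(), default)


# Constructed placeholder mapping of names to certificate files.
VHOSTS = {
    "forum.example.test": "/etc/pki/tls/certs/forum.crt",
    "wiki.example.test": "/etc/pki/tls/certs/wiki.crt",
}
DEFAULT_CERT = "/etc/pki/tls/certs/default.crt"

if __name__ == "__main__":
    for host in ("forum.example.test", "wiki.example.test", "nope.example.test", None):
        print(host, "->", select_vhost(build_client_hello(host), VHOSTS, DEFAULT_CERT))
```

On the server side the same decision is what mod_ssl makes when several `<VirtualHost *:443>` blocks share an address: the first block's certificate is the fallback for clients that send no name, which is why the old "one certificate per IP" limit only bites those clients.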

administrator
Site Admin
Posts: 168
Joined: Sat Jan 05, 2008 11:27 pm

Re: https support?

Post by administrator »

The SNI compatible versions of openssl and apache aren't pre-packaged with CentOS 5.x. It's totally possible for me to recompile the required packages manually, but at that point I need to recompile them any time there's a security upgrade... way too lazy to keep my own manually compiled packages.

I really am hoping to get new hardware and switch us up to Cent7 soon, which would make it possible.

SNI clearly wasn't available last time I was looking into custom SSL configurations (in particular, we were running Cent5) - the options were either wildcards, UCCs, or single host per server.
I'm only here for administrative purposes...
