On 27 December 2013 09:14, Andrea Pescetti <pesce...@apache.org> wrote: > On 26/12/2013 Andrea Pescetti wrote: >> >> On one browser where I can reproduce the amusing pattern "wiki works" / >> "forum doesn't", the certificate manager contains the >> *.apache.org certificate for openoffice.org:443 > > > We now have the final answer from the Apache Infrastructure team: it all > depends on the client (the browser and operating system you are using). > > If you don't have SNI support (most common problematic case: Internet > Explorer 8 on Windows XP) you will get the warning. This is due to how the > certificate is configured and apparently can't be changed. See > https://issues.apache.org/jira/browse/INFRA-7131 > > So (but this is a personal remark, not checked with Infra) also the fact > that on some systems the issue appears intermittently could be due to broken > SNI support (like: your client uses the first certificate it sees, and if it > is the right one everything is OK, while if it is the wrong one you get the > warning).
AIUI the problem is that the same physical host (IP address) is used for www.apache.org and wiki.openoffice.org. The HTTP server has to decide which certificate to serve to the browser; it does this based on the SNI (server name indication) provided by the client. Given that SNI was invented, I assume there is no other way for the server to know the target host name without it, i.e. it needs to happen before the Host: header is sent. AFAIK the server does not return multiple certificates. This would suggest that the behaviour should be predictable - WinXP+IE does not work, just about every other browser does work. I've certainly not noticed a variation. > This probably closes the conversation. Well, it might be worth documenting this on the Wiki somewhere so people can be directed to it if they ask. > > Regards, > Andrea. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
