Once upon a time, Toshio Kuratomi <a.bad...@gmail.com> said:
> Note -- I made the same decision but I found out from puiterwijk that that
> should be raising an error in the relying party (the website asking that you
> auth with fedora's openid). The reason? We don't have SSL certificates for
> all possible [username].id.fedoraproject.org domains.

https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in SSL wildcard matching, a "*" does not match a ".". This means that id.fp.o is matched with *.fp.o, but [username].id.fp.o is not. There would have to be an SSL cert for *.id.fp.o, which would mean DNS for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o server and all SSL-using clients trying to access *.id.fp.o would have to support TLS SNI.

--
Chris Adams <cmad...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
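
Added example, not part of the original message: a minimal Python check of the single-label wildcard rule described above, run against the names from this thread. The function names and the `someuser` hostname are constructed for illustration, and requiring at least two labels after the `*` is a conservative assumption made here, not something stated in the message.

```python
def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.lower().removesuffix(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly '*.x.y') covers hostname.

    The '*' is honoured only as the complete left-most label and stands for
    exactly one label, so it never matches across a '.'.
    """
    if "*" in hostname:
        return False  # a real hostname never contains a wildcard
    p, h = _labels(pattern), _labels(hostname)
    # One label per label: differing depth can never match.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption: refuse overly broad patterns such as '*.org'.
        return len(p) >= 3 and p[1:] == h[1:]
    # A '*' anywhere else is not treated as a wildcard; compare literally.
    return p == h


def covering_names(cert_names: list[str], hostname: str) -> list[str]:
    """List the certificate names that cover hostname."""
    return [n for n in cert_names if wildcard_matches(n, hostname)]


if __name__ == "__main__":
    cert = ["*.fedoraproject.org"]  # the existing wildcard certificate
    hosts = [
        "id.fedoraproject.org",
        "someuser.id.fedoraproject.org",  # constructed per-user hostname
    ]
    for host in hosts:
        print(host, "->", covering_names(cert, host) or "no match")
    # A certificate for the deeper wildcard covers the per-user name only.
    print(covering_names(["*.id.fedoraproject.org"], hosts[1]))
```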