Tobias Ringstrom wrote:
> If you have lots of users you should probably get a real certificate,
> but if that is not an option you can create a small installer that
> modifies the servers file as in my example.
[...]
> I'll try to explain why I think that it's more secure to use the
> ssl-authorities-file directive. If you have a real (not self-signed)
> certificate, then the client accepts it because it is signed by one of
> the CAs in the openssl list (/usr/share/ssl/cert.pem on my system). You
> will not get a warning unless something is *really* wrong.
Uh, oh, the problem is even worse than I thought. The thing is, I *do*
have a real certificate. Check for yourself: browse to
https://svn.globalmentor.com/test/ and enter:
username: bcs
password: svn
Then check the certificate information. I have a valid InstantSSL
certificate. As I mentioned in an earlier e-mail, InstantSSL has some
relationship with Baltimore Technologies that uses "a new Root CA
Certificate" that is "trusted by over 99.3% of all current browsers...,
now equal to Verisign and Thawte" according to
http://www.instantssl.com/ssl-certificate-support/ssl-certificate-browser_compatibility.html
. This also requires that I install some CA file on my web server, so
maybe neon has some problems with this extra CA step---but it works fine
with every browser I've used.
So I shouldn't even see the prompts in the first place. What's wrong?
Garret
Received on Mon Jul 21 02:14:49 2003