On 14 Dec 2014 15:24, "Stuart A. Yeates" <[log in to unmask]> wrote:
>
> Some resources are only available only via HTTPS. Previously we used a
> wildcard certificate, I can't swear that it was ever tested as
> working, but we weren't getting any complaints.
>
> Recently browser security has been tightened and RFC 6125 has appeared
> and been implemented and proxing of https resources with a naive
> wildcard cert no longer works (we're getting complaints and are able
> to duplicate the issues).
Huh, had not read RFC 6125 before but "Move away from the issuance of
so-called wildcard certificates (e.g., a certificate containing an
identifier for "*.example.com")." certainly caught me by surprise. I've
purchased a few certs in the past few months (including for our EZProxy
instance) and the issuer was still using CommonName and happy to issue
wildcard certs. And we haven't run into any SSL cert warnings with current
versions of Chrome or Firefox.
Can you provide more details about what you're trying to do and where
you're getting reproducible issues?
For EZProxy, our wildcard cert has a CommonName of *.proxy.example.com ;
proxy requests look like
http://login.proxy.example.org/login?url=proxied.url.example.com ; the user
is them redirected to
https://login.proxy.example.org/login?url=proxied.url.example.com to login,
and on a successful login they are redirected to
https://proxied-url-example-com.proxy.example.org
So far, so good for us. Should we be expecting trouble?
> At
https://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains
> there is an interesting solution with multiple wildcards in the same
> cert:
>
> foo.com
> *.foo.com
> *.*.foo.com
> ...
*.*.foo.com sounds unlikely to work in practice, as the answer provider
admits. I would be worried about wasting my money trying this approach.
|