New Fedora openid provider (fas-openid) in service
Chris Adams
cmadams at hiwaay.net
Thu Mar 7 16:41:38 UTC 2013
Once upon a time, Toshio Kuratomi <a.badger at gmail.com> said:
> Note -- I made the same decision but I found out from puiterwijk that that
> should be raising an error in the relying party (the website asking that you
> auth with fedora's openid). The reason? We don't have SSL certificates for
> all possible [username].id.fedoraproject.org domains.
https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in
SSL wildcard matching, a "*" does not match a ".". This means that
id.fp.o is matched with *.fp.o, but [username].id.fp.o is not.
There would have to be an SSL cert for *.id.fp.o, which would mean DNS
for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o
server and all SSL-using clients trying to access *.id.fp.o would have
to support TLS SNI.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
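The matching rule Chris describes (a certificate wildcard stands for exactly one DNS label and never spans a ".") is what every TLS client applies when it checks a server certificate against the hostname it connected to. The following is an added example, not code from the post or from Fedora's infrastructure: a minimal matcher in the style of RFC 6125 section 6.4.3, run against constructed certificate name sets that model the two certificates the post contrasts (a wildcard for *.fedoraproject.org versus one for *.id.fedoraproject.org).

```python
"""Wildcard certificate name matching (RFC 6125, section 6.4.3).

Added example: a minimal matcher that follows the rule the post relies on,
"*" stands for exactly one DNS label and never spans a ".". The certificate
names and hostnames below are constructed for illustration; they are not
Fedora's real certificates.
"""


def _labels(name):
    # Normalise: DNS names are case-insensitive and a trailing dot is a no-op.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname):
    """Return True if a dNSName `pattern` from a certificate covers `hostname`.

    Rules implemented (the ones browsers and TLS libraries apply):
      * a wildcard is only honoured as the entire leftmost label ("*.example");
      * it matches exactly one label, so "*.fp.o" covers "id.fp.o" but not
        "alice.id.fp.o";
      * a pattern with no wildcard must match the hostname label by label.
    """
    p = _labels(pattern)
    h = _labels(hostname)
    if len(p) != len(h):
        return False          # "*" never absorbs extra labels
    if p[0] == "*":
        # Refuse a wildcard whose parent is a bare top-level domain ("*.org").
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False          # partial wildcards such as "f*.fp.o" are rejected here
    return p == h


def cert_covers(cert_names, hostname):
    """True if any subjectAltName dNSName in `cert_names` covers `hostname`."""
    return any(wildcard_matches(n, hostname) for n in cert_names)


# Constructed certificate name sets modelled on the post's description.
WILDCARD_FPO = ["fedoraproject.org", "*.fedoraproject.org"]
WILDCARD_ID_FPO = ["*.id.fedoraproject.org"]

if __name__ == "__main__":
    for host in ["id.fedoraproject.org", "alice.id.fedoraproject.org"]:
        print(host,
              "covered by *.fedoraproject.org:", cert_covers(WILDCARD_FPO, host),
              "covered by *.id.fedoraproject.org:", cert_covers(WILDCARD_ID_FPO, host))
```

Running it shows the asymmetry the post points out: the *.fedoraproject.org certificate covers id.fedoraproject.org but not alice.id.fedoraproject.org, while a *.id.fedoraproject.org certificate covers the per-user name and nothing above it, so a relying party that verifies certificates correctly must fail on a user's OpenID URL unless the second certificate is actually served for that name.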