Julian Mehnle | 11 Feb 01:27

HTTPS + Basic Auth access to the website


Hi Frank,

I have configured the website to support HTTPS + Basic Auth access.  If you 
go to <https://www.openspf.org/auth>, it will use Basic Auth instead of 
Digest Auth.

<https://www.openspf.org> uses an SSL certificate signed by our newly 
created "openspf.org" CA (see my following message to spf-council).

I am having trouble accessing <https://www.openspf.org> with Internet 
Explorer, however it works fine with Firefox and Opera.  Scott reported 
that it works with Konqueror, too.  I think the IE problem might have 
something to do with an incompatibility of the SSL certificate, however I 
totally lack the impetus to debug it.  You're going to use some 
other "Mozilla 3.0" browser anyway.  Let me know if you have any problems.

Your password is the same as the one I had originally sent you for the 
Subversion repository on 2006-09-21 (ask if you don't have it anymore).  
You can change it by clicking on the "Change Password" link in the toolbar 
at the top of the website.

-- 

Note to self:  This is a gross hack in the webserver configuration, 
essentially duplicating both /etc/thingy/instances/spf/httpd.conf and
/etc/apache2/sites-available/spf (thus causing redundancy).  The hack 
should eventually be undone, as soon as Frank gets a new web browser that 
supports HTTP Digest Auth (hint, hint).


Julian Mehnle | 11 Feb 16:11

Re: HTTPS + Basic Auth access to the website


I don't think all of this belongs on spf-webmasters, so I'm replying only 
to the most relevant parts here (+ on spf-council), and to the rest 
privately.

Frank Ellermann wrote:
> Julian Mehnle wrote on spf.council:
> > I am having trouble accessing <https://www.openspf.org> with Internet
> > Explorer, however it works fine with Firefox and Opera.
>
> AFAIK IE doesn't like self-signed certificates, but I can't test it
> at the moment.  Depending on the configuration it could also check
> revoked certificates, but I forgot how that works, is it some "well-
> known location" magic ?

The certificate isn't self-signed.  It is signed by the new "openspf.org" 
CA (which is of course unknown to IE, but that shouldn't stop it).

> [...]  I could even install openspf as CA if you publish the root
> certificate.

I did.  Look for my message on spf-council about the new CA.

> When I tried it I found that "mozilla 3" won't like more than 1024 at
> some point of the openssl procedure, but obviously you avoided that trap.

Lucky you!  I've recently heard recommendations to start using 2048+ bits 
certificates, but I decided to hold off on that one more time...  Next 
year things are probably going to look different.


Frank Ellermann | 11 Feb 17:33

Re: HTTPS + Basic Auth access to the website

Julian Mehnle wrote:

> The certificate isn't self-signed.  It is signed by the new "openspf.org"
> CA (which is of course unknown to IE, but that shouldn't stop it).

So far I haven't tested "accept new CA" with IE, but it should certainly
be possible, after all my vintage '98 "mozilla-3" already can do this ;-)

> Look for my message on spf-council about the new CA.

Sorry, I missed the http://www.openspf.org/blobs/openspf.org-ca.pem URL
in this article.  It doesn't work with my browser, wrong format, maybe
Content-Type: text/plain is (a part of) the problem.

For a working example see http://noxa.de/ca.crt - they send Content-Type
application/x-509-ca-cert starting with -----BEGIN CERTIFICATE-----

My browser isn't impressed if I extract the file:///g%3A/tmp/openspf.crt
from your PEM, it still happily displays it as text/plain, grumble...
probably I miss a clue.

>> When I tried it I found that "mozilla 3" won't like more than 1024 at
>> some point of the openssl procedure, but obviously you avoided that
>> trap.

> Lucky you!

Sharing this luck with amazon, paypal, postbank, yes.  As soon as the
SPF site needs more security than banking accounts don't hesitate to
upgrade the certificates...

Julian Mehnle | 11 Feb 18:18

Re: HTTPS + Basic Auth access to the website


Frank Ellermann wrote:
> Sorry, I missed the http://www.openspf.org/blobs/openspf.org-ca.pem URL
> [...].  It doesn't work with my browser, wrong format, maybe
> Content-Type: text/plain is (a part of) the problem.

I renamed the cert file to *.crt, which should fix the content type.

> > The "(website) preferences" admin password is a shared password that
> > gives you extra privileges for administering the website.  You don't
> > usually need it.
>
> What's it good for ?  I've no clue what happened when it said "removed",

Oh, now I get what you meant.  You are wondering about the _regular_ 
password (which authenticated users cannot enter, see below), not about 
the _admin_ password.

Authentication used to work via a password stored in a cookie with UseMod 
Wiki.  The Thingy software (which is a UseMod derivative) uses HTTP 
authentication instead, but it still has a wart that makes it look for the 
password form field when the preferences form is submitted, and thus 
always says "password removed" because it cannot find the form field.  
Consider it an oversight.

> is something important now unprotected ?

No.


Frank Ellermann | 11 Feb 19:29

Re: HTTPS + Basic Auth access to the website

Julian Mehnle wrote:

> I renamed the cert file to *.crt, which should fix the content type.

Thanks, works.  OpenSPF accepted until 2011 as CA by my "mozilla-3" :-)

Don't forget to mention this CRT URL if you intend to announce the new
https support on the "announce list" (IMO it's unnecessary but YMMV):
http://www.openspf.org/blobs/openspf.org-ca.crt

Together with an MD5 and SHA-1, I lost the code to determine the MD5,
but it was the expected result (= same as determined by openssl.exe,
concatenate B64, decode B64 to get DER, get MD5 of DER, encode MD5 as
hex., insert colons, ready).

 [obscure "admin" password on the preferences page]
> Oh, now I get what you meant.  You are wondering about the _regular_
> password (which authenticated users cannot enter, see below), not about
> the _admin_ password.

I tested it again, now inserting the login password, now I get this:

| UserName mumble foobar saved.
| Password removed.
| Administrator password changed.
| User does not have administrative abilities. (Password does not match
| administrative password(s).)

There's only one "admin password" field on the "editprefs" page, it's
the form parameter p_adminpw with default value "*", you can't miss it.
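The fingerprint procedure Frank describes above (concatenate the Base64 lines, decode to DER, hash the DER, hex-encode, insert colons), as an added example that is not part of the thread or of the openspf.org site. The PEM block is constructed and is not a real certificate; its body decodes to the bytes `abc`, chosen so that the resulting MD5 and SHA-1 values are the well-known digests of that string and can be checked against `openssl x509 -fingerprint` style output.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: NOT a real certificate.  The Base64 body encodes the
# bytes b"abc" and is deliberately split across two lines so that the
# "concatenate the Base64 lines first" step actually does something.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
YW
Jj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block found in pem_text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())          # concatenate the Base64 lines
    return base64.b64decode(body, validate=True)  # reject non-Base64 junk


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hash the DER and format it like openssl: upper-case hex, colon separated."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, published: str, algo: str) -> bool:
    """Compare a computed fingerprint with one received out of band (e.g. in
    an announcement mail), ignoring case and colons; the published value is
    what lets a user decide whether to import an unknown CA certificate."""
    normalized = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    return hmac.compare_digest(fingerprint(der, algo).replace(":", ""),
                               normalized)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("md5", "sha1"):
        print(f"{algo.upper()} Fingerprint={fingerprint(der, algo)}")
```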

Julian Mehnle | 11 Feb 22:15

Re: HTTPS + Basic Auth access to the website


Frank Ellermann wrote:
> Don't forget to mention this CRT URL if you intend to announce the new
> https support on the "announce list" (IMO it's unnecessary but YMMV):

There aren't a lot of reasons why anyone would care about accessing the SPF 
website via SSL.

> [obscure "admin" password on the preferences page]
> I tested it again, now inserting the login password, now I get this:
> 
> | UserName mumble foobar saved.
> | Password removed.
> | Administrator password changed.
> | User does not have administrative abilities. (Password does not match
> | administrative password(s).)
>
> There's only one "admin password" field on the "editprefs" page, it's
> the form parameter p_adminpw with default value "*", you can't miss it.

Just forget about all the "preferences" password stuff, will ya?  It 
doesn't really matter.

> [back to the login PW]
> [...]
> If what you're saying somehow means that I can't get the usual "remember
> me on this PC" cookie effect I'm really forced to change it to something
> I can remember.

The website's authentication system has nothing to do with cookies.  It's 

Frank Ellermann | 12 Feb 01:54

Re: HTTPS + Basic Auth access to the website

Julian Mehnle wrote:

> Just forget about all the "preferences" password stuff, will ya?
> It doesn't really matter.

Setting the size of the edit box is essential for some browsers...
some defaults (wikipedia or similar) are apparently designed for
fullscreen windows on a screen better than 1024*768.

> Your browser should offer you the option to remember your password
> for you.

It doesn't, that's why many sites offer an optional cookie login.

Scott wrote about IE:

| I suspect they neglected to implement the encryption algorithm
| that Julian picked.  It wouldn't be the first time something like
| that happened with MS products.

Unlikely, if they don't have Auth: Digest (for http) they must at
least support Auth: Basic (for https).  And the latter is anyway
better if you're damned sure that the certificate is for the site
in question - IMHO Auth: Digest is an interoperability nightmare.

For starters I've added a fresh [[Council Meeting/2007-02-09]] :-)

Frank


Julian Mehnle | 12 Feb 10:43

Re: HTTPS + Basic Auth access to the website


Frank Ellermann wrote:
> Julian Mehnle wrote:
> > Your browser should offer you the option to remember your password for
> > you.
>
> It doesn't, that's why many sites offer an optional cookie login.

The SPF website never did.

Besides, I don't think this is why many sites offer an optional cookie 
login.  In most cases that's because either they just don't have a clue 
about HTTP authentication, their PHP CMS doesn't support it, or they want 
the login form to blend in with their website's layout.  All not very 
legitimate reasons.  But this is getting off-topic very quickly now.

> Scott wrote about IE:
> | I suspect they neglected to implement the encryption algorithm that
> | Julian picked.  It wouldn't be the first time something like that
> | happened with MS products.
>
> Unlikely, if they don't have Auth: Digest (for http) they must at least
> support Auth: Basic (for https).

Scott was talking about the SSL cert's encryption algorithm.  It's RSA, 
which I don't think IE should have a problem with.

> For starters I've added a fresh [[Council Meeting/2007-02-09]] :-)

Cool!  I'm sure Stuart will be grateful. :-)

Steve Yates | 12 Feb 16:14

RE: Re: HTTPS + Basic Auth access to the website

Frank Ellermann <mailto:nobody <at> xyzzy.claranet.de> wrote on Sunday,
February 11, 2007 6:55 PM:

> some defaults (wikipedia or similar) are apparently designed for
> fullscreen windows on a screen better than 1024*768.

Incidentally so are the column divs on openspf.org.  :)

 - Steve Yates
 - ITS, Inc.
 - An unbreakable toy is only useful for breaking other toys.

~ Taglines by Taglinator - www.srtware.com ~

Steve Yates | 12 Feb 16:19

RE: Re: HTTPS + Basic Auth access to the website

Steve Yates <mailto:steve <at> teamITS.com> wrote on Monday, February 12,
2007 9:14 AM:

>> some defaults (wikipedia or similar) are apparently designed for
>> fullscreen windows on a screen better than 1024*768.
> 
> Incidentally so are the column divs on openspf.org.  :)

Sorry, I missed "better than"... the SPF site shows the two left
columns as one column at 800x600.

 - Steve Yates
 - ITS, Inc.
 - Command Not Understood... Now Erasing Hard Drive.

~ Taglines by Taglinator - www.srtware.com ~

Koen Martens | 12 Feb 09:58

Re: Re: HTTPS + Basic Auth access to the website

Julian Mehnle wrote:
> Frank Ellermann wrote:
>> Don't forget to mention this CRT URL if you intend to announce the new
>> https support on the "announce list" (IMO it's unnecessary but YMMV):
> 
> There aren't a lot of reasons why anyone would care about accessing the SPF 
> website via SSL.

FWIW, i prefer to do everything over SSL or other encrypted
channels, what with the snoopy governments lately..

Gr,

Koen

Scott Kitterman | 11 Feb 19:59

Re: Re: HTTPS + Basic Auth access to the website

On Sunday 11 February 2007 11:33, you wrote:
> Julian Mehnle wrote:
> > The certificate isn't self-signed.  It is signed by the new "openspf.org"
> > CA (which is of course unknown to IE, but that shouldn't stop it).
>
> So far I haven't tested "accept new CA" with IE, but it should certainly
> be possible, after all my vintage '98 "mozilla-3" already can do this ;-)
>
Yes.  IE deals with certs signed by unknown CAs just fine and importing new CA 
certs is just fine too.

I'm not sure what the IE problem is, but it's not that.  I suspect they 
neglected to implement the encryption algorithm that Julian picked.  It 
wouldn't be the first time something like that happened with MS products.

Scott K

Steve Yates | 11 Feb 21:01

RE: Re: HTTPS + Basic Auth access to the website

> I am having trouble accessing <https://www.openspf.org> with Internet
> Explorer, however it works fine with Firefox and Opera.

It works fine for me with IE 7.  I get the certificate warning
and then the red address bar, of course.  IE 7 shows the warning as a
"web page" within the browser instead of a popup dialog box.

 - Steve Yates
 - ITS, Inc.
 - If brute force isn't working, then you're not using enough.

~ Taglines by Taglinator - www.srtware.com ~
