Re: [sympa-users] multi robots and https

Subject: The mailing list for listmasters using Sympa

  • From: address@concealed
  • To: Peter Langhans <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] multi robots and https
  • Date: Tue, 26 Feb 2008 13:37:16 +0100

Peter Langhans wrote:
> We run 1 sympa server with potentially about 250 robots, 1 for each department at the University of Zurich. We do not allow users to use passwords but on pages reached by https. So we have to use https for the sympa robots configuration. Reading the manuals, I had the impression that I have to maintain 1 certificate for each robot, that's 250 in all. Am I right?
>
> Thanks Peter
Yes, that's true unless you are using a "star certificate". A star certificate can be used for multiple virtual hosts from the same domain (let's imagine "*.uzh.ch").
Some PKI guys say star certificates are heretical because the certificate must be used to authenticate the server name. I don't think so, because in most cases you just want to encrypt the communication and there is no identified threat based on server spoofing, or if there is any, the certificate may not be the right defence.

If you don't choose a star certificate, you may use one certificate with 249 subject alt names (multiple names for a single certificate). The problem is that if you want to add one more server name, you will have to renew the certificate, and commercial certificates with many subject alt names are very expensive.

You can also manage 250 certificates, but in that case you will also need 250 IP addresses because of HTTP over SSL. The server needs to choose which certificate to show to the client, and the choice can't be based on the HTTP/1.1 Host directive used for virtual hosting: this dialog starts after the SSL session succeeds. The only way is to base the detection of the contacted host on the IP address...

Why not use some external authentication such as a CAS server? This way you will have Sympa running on http without a certificate and a unique identity provider requesting credentials via an https session. Sympa is natively compatible with many solutions such as CAS or Shibboleth that satisfy this objective.

Regards
Serge Aumont

PS: We would be glad to hear from installations with many virtual robots in Sympa. Who is using more than 50?
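The reply above weighs a wildcard ("star") certificate against one certificate carrying many subject alternative names. The difference comes down to which hostnames a given certificate name covers, and that is decided by the wildcard matching rules of RFC 6125 section 6.4.3: a `*` is only accepted as the whole leftmost label and matches exactly one label, so `*.uzh.ch` covers `lists.uzh.ch` but neither `uzh.ch` nor `a.b.uzh.ch`. The following script is an added example, not code from the thread or from the Sympa project; it implements that matching rule and uses it to list which planned robot hostnames a candidate certificate would leave uncovered (which is exactly the case where a SAN certificate has to be reissued). The hostnames are constructed for illustration. (Note that the "one IP address per certificate" constraint in the reply dates from 2008; modern TLS clients and servers send and use the Server Name Indication extension, so a server can pick a certificate per virtual host on a single address.)

```python
"""Added example: which Sympa robot hostnames does a certificate's DNS name list cover?

Implements the RFC 6125 section 6.4.3 wildcard rule (a single '*' only as the
entire leftmost label, matching exactly one label). Hostnames are constructed.
"""


def _wildcard_form_ok(pattern: str) -> bool:
    """Accept plain names and names whose only wildcard is a whole leftmost
    label with at least two labels after it (e.g. '*.uzh.ch').  Partial
    wildcards ('li*.uzh.ch') and deeper wildcards ('a.*.ch') are rejected,
    as is '*.ch', which would cover an entire public suffix."""
    if "*" not in pattern:
        return True
    labels = pattern.split(".")
    return (
        labels[0] == "*"
        and len(labels) >= 3
        and all("*" not in label for label in labels[1:])
    )


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate DNS name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not _wildcard_form_ok(pattern):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' stands for exactly one label, never zero or several, so the label
    # counts must agree for either a wildcard or a literal match.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(robot_hosts, cert_dns_names):
    """Return the robot hostnames that none of the certificate's DNS names
    cover.  A non-empty result for a SAN certificate means a reissue."""
    return [
        host
        for host in robot_hosts
        if not any(dns_name_matches(name, host) for name in cert_dns_names)
    ]


if __name__ == "__main__":
    # Constructed department robots; a new one (philo) was added after the
    # SAN certificate was bought, and one lives outside the wildcard's zone.
    robots = ["lists.uzh.ch", "math.uzh.ch", "philo.uzh.ch", "lists.partner.ch"]
    san_cert = ["lists.uzh.ch", "math.uzh.ch"]        # explicit SAN entries
    star_cert = ["*.uzh.ch"]                           # wildcard certificate
    print("SAN cert leaves uncovered :", uncovered_hosts(robots, san_cert))
    print("Star cert leaves uncovered:", uncovered_hosts(robots, star_cert))
```

Run it as-is to see that the wildcard certificate only fails for the host outside `uzh.ch`, while the SAN certificate also fails for the department added later. Reusing `dns_name_matches` against the `subjectAltName` entries of a real certificate (for example parsed with `openssl x509 -noout -ext subjectAltName`) gives the same answer a browser would.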
