Newsgroups: php.internals
Xref: news.php.net php.internals:99960
Date: Thu, 20 Jul 2017 07:42:04 +0200
Subject: Re: [PHP-DEV] php.net website
From: me@kelunik.com (Niklas Keller)
To: Rasmus Lerdorf
Cc: Sara Golemon, Mathias Grimm, internals@lists.php.net

> I have looked at various ways of doing this, but it isn't trivial and it
> has absolutely nothing to do with the actual html and slapping in some
> https links instead of http. The problem here is that we have external
> volunteers running all our mirrors and we do geo-dns for www.php.net to
> your geographically close mirror site. Putting the private key for
> www.php.net on dozens of servers around the world we don't control is a
> non-starter.

I expected something like that. How does it work then that
https://www.php.net and https://php.net can redirect to
https://secure.php.net? I must be reaching a server with a valid
certificate, otherwise that wouldn't work. If putting a private key for
php.net doesn't work, then we should get rid of these mirrors ASAP IMO.

> One way that I played with was to use letsencrypt and have each mirror
> request an ssl cert for their local mirror, ca1.php.net, for example, and
> include a CN alias for www.php.net in that request. Then we would run a
> domain validation gateway/proxy on www.php.net which would validate these
> requests on behalf of the mirrors. But there are some security issues with
> this approach that I haven't quite thought through. I would love to hear
> suggestions for perhaps a simpler solution to this problem that doesn't
> require pasting our private key all over the internet.

They can also just request them themselves, but only for their mirror
domain. If you allow them to issue for www.php.net, you can as well just
put the current private key there.

Regards, Niklas
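The exchange above turns on which hostnames a mirror's certificate actually covers: a certificate issued only for ca1.php.net does not satisfy a browser that was sent to that mirror for www.php.net, while a certificate that lists www.php.net as an alias (or a *.php.net wildcard) lets that mirror impersonate www.php.net just as fully as holding the www.php.net private key would. The following is an added example, not code from the thread or from the php.net infrastructure: a small Subject Alternative Name matcher following the RFC 6125 rules, run over constructed SAN lists for hypothetical mirror certificates. Only the names ca1.php.net, www.php.net and php.net come from the thread; the certificate contents are made up.

```python
"""Which hostnames does a certificate's SAN list cover?

Added example, not part of the mailing-list thread. The SAN lists below are
constructed to illustrate the three situations the thread discusses; they are
not the contents of any real php.net certificate.
"""
from typing import Dict, List


def hostname_covered(hostname: str, san_dns_names: List[str]) -> bool:
    """Return True if hostname is matched by one of the dNSName SAN entries.

    Rules (RFC 6125 section 6.4.3, simplified):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire left-most label ("*.php.net");
      partial wildcards such as "w*w.php.net" are rejected
    - a wildcard matches exactly one label, so "*.php.net" covers neither the
      bare "php.net" nor "a.b.php.net"
    - a wildcard name needs at least three labels, so "*.net" covers nothing
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # label count must match; wildcards never span labels
        if any("*" in label for label in san_labels):
            if (san_labels[0] != "*"
                    or any("*" in label for label in san_labels[1:])
                    or len(san_labels) < 3):
                continue  # malformed or overly broad wildcard: ignore entry
        if all(p == "*" or p == h for p, h in zip(san_labels, host_labels)):
            return True
    return False


def coverage(san_dns_names: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname to whether the given SAN list covers it."""
    return {h: hostname_covered(h, san_dns_names) for h in hostnames}


# Constructed scenarios (hypothetical certificates, not real ones):
MIRROR_ONLY = ["ca1.php.net"]                  # what the thread says mirrors should get
MIRROR_PLUS_WWW = ["ca1.php.net", "www.php.net"]  # the "CN alias for www.php.net" idea
WILDCARD = ["*.php.net"]                       # trust-equivalent to holding the www key

NAMES = ["ca1.php.net", "www.php.net", "php.net", "a.b.php.net"]

if __name__ == "__main__":
    for label, sans in [("mirror only", MIRROR_ONLY),
                        ("mirror + www alias", MIRROR_PLUS_WWW),
                        ("wildcard", WILDCARD)]:
        print(label, coverage(sans, NAMES))
```

The point this makes concrete is Niklas's: the only SAN list that keeps a mirror from standing in for www.php.net is the one that names the mirror alone, and a wildcard grants the same power as an explicit www.php.net entry. The matcher is deliberately minimal and meant for reasoning about issuance policy; when actually connecting, rely on the TLS library's own hostname verification rather than a hand-written check.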