How to configure apache-ssl to offer the Cert to install?

Hello,

because for around 8 weeks my whole network with 160 servers in Germany, France, Switzerland, Morocco, Turkey and Iran was attacked and DoS'ed. OK, without success, because my CISCO 7600 has stopped it very effectively, but the DoS attacks were possible because my SSL certs from Verisign and three others were invalidated...

However, now I run my own CA and it is the own CA I trust 100%. New certs are installed on all of my servers (apache, courier, postgresql).

Now I would like to know HOW I must configure Apache (or my PHP5 scripts) so that if a user connects over https, the server automatically offers the cert to install.

Currently it has to be installed manually, which is really annoying.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>       Michelle Konzack
<http://www.can4linux.org/>         Apt. 917
<http://www.flexray4linux.org/>     50, rue de Soultz
Jabber linux4michelle@...           67100 Strabourg/France
IRC #Debian (irc.icq.com)           Tel. DE: +49 177 9351947
ICQ #328449886                      Tel. FR: +33 6 61925193

Re: How to configure apache-ssl to offer the Cert to install?

On Fri, 11 Sep 2009 11:11:57 +0200 Michelle Konzack <linux4michelle@...> wrote:
> Now I would like to know HOW I must configure Apache (or my PHP5
> scripts) so that if a user connects over https, the server
> automatically offers the cert to install.

I think that's not possible unless you write some browser plugin. Self-signed certificates are not installed automatically, which is a good thing. Think of the following scenario: the webserver of your bank is rooted and the fake SSL cert installs automatically.

If you have a recurring group of visitors on different servers you can install your CA cert on these clients, so that not every certificate signed by you has to be installed manually.

> Currently it has to be installed manually, which is really annoying.

I suggest getting certificates from trusted CA-authorities (Geotrust, Verisign, Thawte, Godaddy, etc). You also may be interested in wildcard domain certificates, if you have a lot of subdomains.

Best Regards,
Benjamin

--
Kind regards/Best Regards
Benjamin Hackl
IT/Administration
Media FOCUS Research Ges.m.b.H.
Maculangasse 8, 1220 Wien
Tel.-Nr.: +43 1 258 97 01-295
benjamin.hackl@...
http://www.focusmr.com/

--
To UNSUBSCRIBE, email to debian-isp-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Re: [SPAM] How to configure apache-ssl to offer the Cert to install?

On Fri, Sep 11, 2009 at 11:11:57AM +0200, Michelle Konzack wrote:
> Now I would like to know HOW I must configure Apache (or my PHP5 scripts)
> so that if a user connects over https, the server automatically offers
> the cert to install.

This cannot work. The client should have the CA certificate before SSL/TLS handshake. You'll have to find a way to offer the certificate beforehand.

This can be done over HTTP by sending your CA certificate with application/x-x509-ca-cert MIME type (grep x509 /etc/mime.types). Decent client software should then ask the user if she wants to install the certificate as trusted.

Re: How to configure apache-ssl to offer the Cert to install?

On 2009-09-11 11:44:31, Benjamin Hackl wrote:
> I think that's not possible unless you write some browser-plugin. Self
> signed certificates are not installed automatically,

What is a self signed Certificate? My OWN CA uses another domain and another cert than the one from my network...

Where is the difference between THIS and Verisign or others? The certs look EXACTLY the same...

> If you have a recurring group of visitors on different servers you can
> install your CA-Cert on these clients, so that not every certificate
> signed by you has to be installed manually.

I have 380.000 users...

> I suggest getting certificates from trusted CA-authorities (Geotrust,
> Verisign, Thawte, Godaddy, etc). You also may be interested in wildcard
> domain certificates, if you have a lot of subdomains.

NEVER! -- My three Certs were falsified to DOS my network because of the "Neda" problem with Iran!!!!!!!!!!!!!!!!!

The French authorities have forced the Italia Telecom to shut down my GE backbone to Khoy/Iran, after 186 million DOS attacks were unsuccessful to stop my servers...

I will never trust the western world anymore... They have lost!

And since the attacks were started from FR, GB, DE and USA I have already started juridical actions against more than 30 ISPs in Europe!

My losses are now around 40.000 Euro per calendar day and my enterprise is entirely shut down. Now it works only internally, and for the mail users I have set up MX in Russia, China, India and Ireland.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Re: How to configure apache-ssl to offer the Cert to install?

Hello Bertrand,

On 2009-09-11 13:03:09, Bertrand Yvain wrote:
> This cannot work. The client should have the CA certificate before
> SSL/TLS handshake. You'll have to find a way to offer the certificate
> beforehand.
>
> This can be done over HTTP by sending your CA certificate with
> application/x-x509-ca-cert MIME type (grep x509 /etc/mime.types).
> Decent client software should then ask the user if she wants to install
> the certificate as trusted.

So, my website needs a redirection?

Is there a possibility for the server to check whether a CERT is already installed? I mean, if a user connects to my HTTP website, a script could check for the existence of my enterprise cert and, if it is not already installed, open a window which offers the download.

This is what happened to me several times on different websites...

But what puzzles me is that I connected to an HTTPS website and a popup (Firefox) opened with the message that the website is encrypted and a suitable cert is not installed on my system and that the website offers to download the cert. I accepted and a new dialog (from Firefox) opened where I can check the thing and ACCEPT/DECLINE it.

This is what I would like to have.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Re: How to configure apache-ssl to offer the Cert to install?

> On 2009-09-11 11:44:31, Benjamin Hackl wrote:
> > I think that's not possible unless you write some browser-plugin. Self
> > signed certificates are not installed automatically,

On 11.09.09 14:01, Michelle Konzack wrote:
> What is a self signed Certificate? My OWN CA uses another domain and
> another cert than the one from my network...
>
> Where is the difference between THIS and Verisign or others?

The main difference is that nearly everybody has verisign certificate(s) installed.

> > I suggest getting certificates from trusted CA-authorities (Geotrust,
> > Verisign, Thawte, Godaddy, etc). You also may be interested in wildcard
> > domain certificates, if you have a lot of subdomains.
>
> NEVER! -- My three Certs were falsified to DOS my network because of the
> "Neda" problem with Iran!!!!!!!!!!!!!!!!!

falsified?

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.

Re: How to configure apache-ssl to offer the Cert to install?

> On 2009-09-11 13:03:09, Bertrand Yvain wrote:
> > This cannot work. The client should have the CA certificate before
> > SSL/TLS handshake. You'll have to find a way to offer the certificate
> > beforehand.
> >
> > This can be done over HTTP by sending your CA certificate with
> > application/x-x509-ca-cert MIME type (grep x509 /etc/mime.types).
> > Decent client software should then ask the user if she wants to install
> > the certificate as trusted.

On 11.09.09 14:09, Michelle Konzack wrote:
> So, my website needs a redirection?
>
> Is there a possibility for the server to check whether a CERT is already
> installed? I mean, if a user connects to my HTTP website, a script could
> check for the existence of my enterprise cert and, if it is not already
> installed, open a window which offers the download.

The server can't do such a thing. It's the client who requests the content from the server and executes the scripts. Internet is unsafe enough, we don't need to make it more unsafe by wanting servers to execute code on clients.

> But what puzzles me is that I connected to an HTTPS website and a
> popup (Firefox) opened with the message that the website is encrypted
> and a suitable cert is not installed on my system and that the website
> offers to download the cert. I accepted and a new dialog (from Firefox)
> opened where I can check the thing and ACCEPT/DECLINE it.
>
> This is what I would like to have.

You usually have something similar to this, it only says that the certificate is not known, but you usually choose to install it.

--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: How to configure apache-ssl to offer the Cert to install?

On Fri, Sep 11, 2009 at 02:01:56PM +0200, Michelle Konzack wrote:
> Where is the difference between THIS and Verisign or others?
>
> The certs look EXACTLY the same...

I doubt it: your cert is not signed by one of the "trusted" authorities, which have their root certs built into major browsers. You would need to convince all your customers to trust your CA and install your CA's root cert in their browsers. It is possible, but very very hard to do in the real world due to customers' lack of knowledge and opposition against anything new.

If you want to try anyway, you could post a link to your CA cert file somewhere on your main webpage, with the appropriate MIME type. When a user clicks the link he/she would be presented with an option to install the cert into the browser. It requires some manual action and that's unavoidable; otherwise the whole concept of the https trust model would be broken, if websites could easily install their certs without the user's action.

> > I suggest getting certificates from trusted CA-authorities (Geotrust,
> > Verisign, Thawte, Godaddy, etc). You also may be interested in wildcard
> > domain certificates, if you have a lot of subdomains.
>
> NEVER! -- My three Certs were falsified to DOS my network because of the
> "Neda" problem with Iran!!!!!!!!!!!!!!!!!

I don't get it, as others have pointed out in the thread. What do DoS and shutting down backbone links have to do with cert falsification (or maybe you mean revocation?)? It's not related IMO.

--
+---------------------------------------+
| -o)   http://wanted.eu.org/
| /\\   Message void if penguin violated
+ _\_V  Don't mess with the penguin

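The HTTP offer described in the replies above (the CA certificate sent as application/x-x509-ca-cert before any TLS handshake), as an added example that is not part of the original thread: a small server that delivers the certificate with that type, and a client-side check of its SHA-256 fingerprint against a value obtained some other way. The `/ca.crt` path, the placeholder certificate bytes and the fingerprint comparison are assumptions of this example; the comparison is added because a plain HTTP download is not authenticated.

```python
import base64
import hashlib
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_MIME = "application/x-x509-ca-cert"  # MIME type named in the thread
# Constructed stand-in bytes, NOT a real certificate: only the PEM framing
# matters here. Use the contents of your own CA's PEM file instead.
SAMPLE_DER = b"constructed placeholder for a DER-encoded CA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

def fingerprint(der):
    # Colon-separated SHA-256 over the DER bytes, as certificate viewers show it.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def make_handler(der):
    class CAHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/ca.crt":  # hypothetical download path
                return self.send_error(404)
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.end_headers()
            self.wfile.write(der)
    return CAHandler

def fetch_and_check(host, port, expected_fp):
    # Download over plain HTTP, then compare with the out-of-band fingerprint.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/ca.crt")
    resp = conn.getresponse()
    ctype, body = resp.getheader("Content-Type"), resp.read()
    conn.close()
    return ctype, fingerprint(body) == expected_fp

def demo():
    der = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
    server = HTTPServer(("127.0.0.1", 0), make_handler(der))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # In practice expected_fp reaches the user by another channel.
        return fetch_and_check("127.0.0.1", server.server_port, fingerprint(der))
    finally:
        server.shutdown()
        server.server_close()
```

In Apache the same Content-Type is set by mapping the file extension with mod_mime, for example `AddType application/x-x509-ca-cert .crt`.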