Shaver, Michael R | 15 Dec 00:19 2010

TLS/SNI thoughts?

Adam was doing some investigating on our potential limitation of IPs at OSU and was looking into TLS/SNI
(http://en.wikipedia.org/wiki/Server_Name_Indication). Seems like it could solve our problems in
many regards, but there are a few catches, namely compatibility with Windows XP clients accessing our sites.

This seems like a tough call. The attached screenshot shows there is a significant amount of Windows XP
traffic to some of our sites: meego.com, help.meego.com, forum.meego.com,
conference2010.meego.com. But I'm not sure about bugs.meego.com, wiki.meego.com, or
developer.meego.com yet?

We could push people to a message to use another browser if they come from XP, but that might be a bit
obtrusive? The other options would be to choose a set of sites to run under TLS/SNI, but I'm not sure the
exact grouping of sites that makes sense.

Any thoughts?
_______________________________________________
MeeGo-it mailing list
MeeGo-it@...
http://lists.meego.com/listinfo/meego-it
Dean Pierce | 15 Dec 00:57 2010

Re: TLS/SNI thoughts?

I say go for it :-)

It would only really affect the authenticated parts of the sites,
and I would imagine that only a very small portion of the meego
development community is using IE on windows xp.  Even among those
people, the number who would be UNABLE to upgrade their OS or change
browsers is likely even smaller than that.

  - DEA
Dean Pierce | 15 Dec 01:00 2010

Re: TLS/SNI thoughts?

.. not actually DEA, looks like I hit the enter key before my fingers
got to the N ..

   - DEAN
Ryan Ware | 15 Dec 02:46 2010

Re: TLS/SNI thoughts?

That's good.  I was getting worried we hired a Fed.

;-)

Ryan

On Dec 14, 2010, at 4:00 PM, Dean Pierce wrote:

> .. not actually DEA, looks like I hit the enter key before my fingers
> got to the N ..
> 
>   - DEAN
Stefano Mosconi | 15 Dec 09:59 2010

Re: TLS/SNI thoughts?

Well if the problem is only XP I would start to tell these guys to upgrade to a 
modern OS (or just to _an_ OS)

Stefano

On 15/12/2010 01:19, ext Shaver, Michael R wrote:
> Adam was doing some investigating on our potential limitation of IPs at OSU and was looking into TLS/SNI
> (http://en.wikipedia.org/wiki/Server_Name_Indication). Seems like it could solve our problems in
> many regards, but there are a few catches, namely compatibility with Windows XP clients accessing our sites.
>
> This seems like a tough call. The attached screenshot shows there is a significant amount of Windows XP
> traffic to some of our sites: meego.com, help.meego.com, forum.meego.com,
> conference2010.meego.com. But I'm not sure about bugs.meego.com, wiki.meego.com, or
> developer.meego.com yet?
>
> We could push people to a message to use another browser if they come from XP, but that might be a bit
> obtrusive? The other options would be to choose a set of sites to run under TLS/SNI, but I'm not sure the
> exact grouping of sites that makes sense.
>
> Any thoughts?
Darryl Miles | 16 Dec 00:48 2010

Re: TLS/SNI thoughts?

Shaver, Michael R wrote:
> Any thoughts?

Great so long as every library and tool in the MeeGo stack is patched 
and any necessary certificates and other diddly bits are available 
through zypper so people can get their work done with as little 
configuration as possible.  MeeGo has to "Eat your own dog food" and it 
has to taste good.

Running out of IPs?  Will or does the IT infrastructure have IPv6 
support yet ?  Maybe this can be scheduled for 2011 ?

Darryl
Stefano Mosconi | 16 Dec 08:43 2010

Re: TLS/SNI thoughts?

On 16/12/2010 01:48, ext Darryl Miles wrote:
> Shaver, Michael R wrote:
>> Any thoughts?
>
> Great so long as every library and tool in the MeeGo stack is patched and any
> necessary certificates and other diddly bits are available through zypper so
> people can get their work done with as little configuration as possible. MeeGo
> has to "Eat your own dog food" and it has to taste good.

Yeah we need to make sure that the scripts support this before we go for it.

Apparently wget doesn't for instance.

> Running out of IPs? Will or does the IT infrastructure have IPv6 support yet ?
> Maybe this can be scheduled for 2011 ?

Nope, not yet supported, maybe next year.

Stefano
Ryan Ware | 16 Dec 17:43 2010

Re: TLS/SNI thoughts?


On Dec 15, 2010, at 11:43 PM, Stefano Mosconi wrote:

> On 16/12/2010 01:48, ext Darryl Miles wrote:
>> Shaver, Michael R wrote:
>>> Any thoughts?
>> 
>> Great so long as every library and tool in the MeeGo stack is patched and any
>> necessary certificates and other diddly bits are available through zypper so
>> people can get their work done with as little configuration as possible. MeeGo
>> has to "Eat your own dog food" and it has to taste good.
> 
> Yeah we need to make sure that the scripts support this before we go for it.
> 
> Apparently wget doesn't for instance.
> 

Can someone take the AR to determine what portions of the MeeGo stack aren't compliant with TLS/SNI other
than wget?  It would be good to have a complete list and then we can start to determine the effort to get this functionality.

Ryan

> 
>> Running out of IPs? Will or does the IT infrastructure have IPv6 support yet ?
>> Maybe this can be scheduled for 2011 ?
> 
> Nope, not yet supported, maybe next year.
> 
> Stefano

stefano.mosconi | 16 Dec 21:03 2010

Re: TLS/SNI thoughts?

On 16/12/2010 18:43, "ext Ryan Ware" <ware@...> wrote:

>
>On Dec 15, 2010, at 11:43 PM, Stefano Mosconi wrote:
>
>> On 16/12/2010 01:48, ext Darryl Miles wrote:
>>> Shaver, Michael R wrote:
>>>> Any thoughts?
>>> 
>>> Great so long as every library and tool in the MeeGo stack is patched and any
>>> necessary certificates and other diddly bits are available through zypper so
>>> people can get their work done with as little configuration as possible. MeeGo
>>> has to "Eat your own dog food" and it has to taste good.
>>
>> Yeah we need to make sure that the scripts support this before we go for it.
>> 
>> Apparently wget doesn't for instance.
>> 
>
>Can someone take the AR to determine what portions of the MeeGo stack
>aren't compliant with TLS/SNI other than wget?  It would be good to have
>a complete list and then we can start to determine the effort to get this
>functionality.

Hmmm, the question is who?


Adam Gretzinger | 17 Dec 19:23 2010

nginx front end web server organization

Please take a moment to review this documentation suggestion, I think
you can make comments. This is by no means a dictation of what we're doing.

https://cbuild.meego.com:9989/superadmins/node/142
