Re: [CentOS] Testing "dark" SSL sites

2014-10-21 Thread Travis Kendrick
On 10/21/2014 04:57 PM, li...@benjamindsmith.com wrote:
> So, with all the hubbub around POODLE and ssl, we're preparing a new load 
> balancer using HAProxy. 
>
> So we have a set of unit tests written using PHPUnit, having trouble 
> validating certificates. How do you test/validate an SSL cert for a prototype 
> "foo.com" server if it's not actually active at the IP address that matches 
> DNS for foo.com? 
>
> For non-ssl sites, I can specify the url like http://1.2.3.4/path and pass an 
> explicit "host: foo.com" http header but that fails for SSL certificate 
> validation. 
>
> You can also set a hosts file entry, but that's also rather painful. Is there 
> a better option? 
I just disabled SSLv3 altogether on my server and just use TLS. On my
site I only use TLS 1.2 and not earlier versions or SSL so I was never
affected by POODLE.
-- 
Travis Kendrick
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
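
The check the original question asks about, as an added example that is not part of the thread: connect to the prototype's IP address while sending the real name in SNI and validating the certificate against that name. The helper name `checkDarkSite` and its optional CA-file parameter are assumptions; `1.2.3.4` and `foo.com` are the placeholders from the question.

```php
<?php
// Added example, not from the thread. checkDarkSite() is a hypothetical helper.
// Requires PHP >= 5.6 (for the 'peer_name' stream context option).

function checkDarkSite($ip, $host, $port = 443, $cafile = null)
{
    $ssl = [
        'peer_name'         => $host, // name the certificate must match; also sent as SNI
        'SNI_enabled'       => true,  // lets the balancer pick the right certificate
        'verify_peer'       => true,  // chain must lead to a trusted CA
        'verify_peer_name'  => true,  // CN/subjectAltName must cover $host, not the IP
        'capture_peer_cert' => true,  // keep the leaf certificate for inspection
    ];
    if ($cafile !== null) {
        $ssl['cafile'] = $cafile;     // e.g. a private test CA (assumption)
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    // TCP goes to the IP; DNS for $host is never consulted.
    // tls:// negotiates TLS only, so an SSLv3-only endpoint fails here.
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("tls://$ip:$port", $errno, $errstr, 5,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // Handshake and validation failures are reported as PHP warnings.
        $last = error_get_last();
        $msg = $errstr !== '' ? $errstr : ($last ? $last['message'] : 'TLS handshake failed');
        return ['ok' => false, 'error' => $msg];
    }

    $params = stream_context_get_params($fp);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);

    return [
        'ok'       => true,
        'error'    => null,
        'subject'  => isset($cert['subject']['CN']) ? $cert['subject']['CN'] : null,
        'san'      => isset($cert['extensions']['subjectAltName'])
                        ? $cert['extensions']['subjectAltName'] : null,
        'notAfter' => date('c', $cert['validTo_time_t']),
    ];
}

// Inside a PHPUnit test case:
//   $r = checkDarkSite('1.2.3.4', 'foo.com');
//   $this->assertTrue($r['ok'], (string) $r['error']);
```

From a shell, `curl --resolve foo.com:443:1.2.3.4 https://foo.com/path` and `openssl s_client -connect 1.2.3.4:443 -servername foo.com` perform the same pinned-address check without a hosts file entry.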


Re: [CentOS] Testing "dark" SSL sites

2014-10-21 Thread Travis Kendrick
On 10/21/2014 06:24 PM, li...@benjamindsmith.com wrote:
> On Tuesday, October 21, 2014 05:02:53 PM Travis Kendrick wrote:
>> On 10/21/2014 04:57 PM, li...@benjamindsmith.com wrote:
>>> So, with all the hubbub around POODLE and ssl, we're preparing a new load
>>> balancer using HAProxy.
>>>
>>> So we have a set of unit tests written using PHPUnit, having trouble
>>> validating certificates. How do you test/validate an SSL cert for a
>>> prototype "foo.com" server if it's not actually active at the IP address
>>> that matches DNS for foo.com?
>>>
>>> For non-ssl sites, I can specify the url like http://1.2.3.4/path and pass
>>> an explicit "host: foo.com" http header but that fails for SSL
>>> certificate validation.
>>>
>>> You can also set a hosts file entry, but that's also rather painful. Is
>>> there a better option?
>> I just disabled SSLv3 altogether on my server and just use TLS. On my
>> site I only use TLS 1.2 and not earlier versions or SSL so I was never
>> affected by POODLE.
> As far as I can tell, this comment is not related to the question I asked... 
> at all. 

I thought you were talking about dealing with POODLE. Maybe I misunderstood.
-- 
Travis Kendrick


Re: [CentOS] Testing "dark" SSL sites

2014-10-21 Thread Travis Kendrick
On 10/21/2014 06:24 PM, li...@benjamindsmith.com wrote:
> On Tuesday, October 21, 2014 05:02:53 PM Travis Kendrick wrote:
>> On 10/21/2014 04:57 PM, li...@benjamindsmith.com wrote:
>>> So, with all the hubbub around POODLE and ssl, we're preparing a new load
>>> balancer using HAProxy.
>>>
>>> So we have a set of unit tests written using PHPUnit, having trouble
>>> validating certificates. How do you test/validate an SSL cert for a
>>> prototype "foo.com" server if it's not actually active at the IP address
>>> that matches DNS for foo.com?
>>>
>>> For non-ssl sites, I can specify the url like http://1.2.3.4/path and pass
>>> an explicit "host: foo.com" http header but that fails for SSL
>>> certificate validation.
>>>
>>> You can also set a hosts file entry, but that's also rather painful. Is
>>> there a better option?
>> I just disabled SSLv3 altogether on my server and just use TLS. On my
>> site I only use TLS 1.2 and not earlier versions or SSL so I was never
>> affected by POODLE.
> As far as I can tell, this comment is not related to the question I asked... 
> at all. 

Maybe I did misunderstand, in which case ignore my post and/or remove it
as it didn't help.
-- 
Travis Kendrick