
Figuring out how to serve many SSL certificates, part 2.

I’ve been pretty happy over the last couple of days with our A+ score at SSL Labs. I almost got discouraged this morning when it was discovered that LinkedIn wasn’t able to pull in the data from our HTTPS links properly when sharing articles. Their bot, `LinkedInBot/1.0 (compatible; Mozilla/5.0; Jakarta Commons-HttpClient/3.1 +http://www.linkedin.com)`, uses an end-of-life HTTP client that also happens to be Java based. One of the warnings in the SSL Labs handshake simulation was that clients using Java Runtime Environment 6u45 do not support the 2048-bit DH params we were using. I’m not entirely sure if LinkedIn has their JRE updated to 6u45, but I’m guessing that anything…


Figuring out how to serve many SSL certificates, part 1.

In the process of figuring out how to configure SSL certificates for hundreds (maybe thousands) of domains in a single nginx configuration without a wildcard certificate, I decided it would be cool to use `server_name` as a variable in the nginx configuration: `ssl_certificate /etc/nginx/ssl/$server_name.crt;`. Unfortunately, per this aptly named question on Server Fault, “nginx use $server_name on ssl_certificate path”, that’s not allowed. The nginx docs explain why: “Variables are evaluated in the run-time during the processing of each request, so they are rather costly compared to plain static configuration.” So with that, I’m going to have to generate a bunch of `server {}` blocks that point to the correct certificate and key files…


I’m about to create a repository named something like WSUWP-P2-Common that contains all common P2-related plugins and/or themes for use throughout the WSUWP ecosystem. Its purpose will be more of a built package rather than a development area. Development will still occur in individual repositories. When releases are pushed in those repositories, they can be deployed to the central package repository as well. I feel like I’m reinventing the wheel, though, and that if I understood Composer well enough, I could use that. But then part of me doesn’t care if I’m reinventing the wheel, because it will just work with our current deploy process without much effort. I also wonder…


#5367 WordPress Cookie Authentication Vulnerability

#5367 WordPress Cookie Authentication Vulnerability takes us back to when the modern password handling in WordPress was born, partially due to a vulnerability report at the time, but more because we were ready for it. It’s great to read through and watch decisions being made as familiarity grew. In that thread, Matt links to the changeset that brought us from plain-text passwords to hashed passwords for the first time.
