<div dir="ltr"><div style>Hello Daniel, </div><div style><br></div><div style>You were right in the end. After installing the Intermediate certificate and the RootCA certificate for CACert (this was the missing one) it works, but only for <a href="http://kamailio.org">kamailio.org</a> URLs not <a href="http://www.kamailio.org">www.kamailio.org</a>. </div>
<div style><br></div><div style>Great about pointing <a href="https://kamailio.org">https://kamailio.org</a> to the right page.</div><div style><br></div><div style>Cheers</div><div style>Marius</div><div><br></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 1, 2013 at 9:06 PM, Daniel-Constantin Mierla <span dir="ltr">&lt;<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hello,<div><br>
    <br>
    <div>On 4/1/13 9:57 PM, Marius Zbihlei
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hello,
        <div><br>
        </div>
        <div>Comments inline<br>
          <div class="gmail_extra"><br>
            <br>
            <div class="gmail_quote">On Mon, Apr 1, 2013 at 8:27 PM,
              Daniel-Constantin Mierla <span dir="ltr">&lt;<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div bgcolor="#FFFFFF" text="#000000">
                  <div> <br>
                    <div>On 4/1/13 9:13 PM, Marius Zbihlei wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Some ideas about improving the
                        security of the site:
                        <div><br>
                        </div>
                        <div>1. Drop http connections for authentication
                          pages <br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  Not sure how much it will help, as the bots were able
                  to create accounts by solving the captcha. HTTPS is no
                  longer something hard to get in any application. So
                  far so good with the new system, no spammer got that
                  familiar with Kamailio modules :-), but there were few
                  new valid accounts.
                  <div><br>
                    <br>
                  </div>
                </div>
              </blockquote>
              <div>Well,  </div>
              <div><br>
              </div>
              <div>It would be very nice for <a href="https://www.kamailio.org" target="_blank">https://www.kamailio.org</a>
                to work (at the moment it returns a 200 OK with an
                empty HTML page). Also, I consider it bad security practice
                to allow unencrypted traffic for login forms, but
                I agree it has small benefits.</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></div>
    You can access the login forms via https and it is recommended to
    use https for logging in, as mentioned on the front page of dokuwiki
    -- I just said that the https vs http does not bring benefits
    against spammers.<div><br>
    <br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div bgcolor="#FFFFFF" text="#000000">
                  <div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>2. Fix the  <a href="http://kamailio.org" target="_blank">kamailio.org</a>
                          certificate. At the moment the identity of the
                          domain can&#39;t be established as there is no
                          issuer chain provided with it.</div>
                        <div><br>
                        </div>
                        <div>From Firefox information page:</div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                  You actually need to fix Firefox -- I struggled
                  yesterday a bit with the same situation. The certificate
                  is actually new, generated yesterday and signed by
                  CACert.org. The previous one was self-signed, from
                  openser times, expired for a few years.<br>
                  <br>
                  I had to try other browsers to check if it works, because
                  Firefox was displaying some error. Then I went back to
                  stable channel from beta channel without any success,
                  even removing the old certificate from Firefox
                  preferences. To solve it, I cleared the cache.<br>
                  <br>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>I have tried with both Chrome and Firefox,
                both normal and Incognito mode. Same error. I believe
                the problem is with the server. <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></div>
    It is working fine for me over https, tried both Firefox and Chrome.
    I replaced the certificate because the previous one was expired and
    mentioning openser. CACert is not a default trusted authority
    anyhow, I chose that instead of another self-signed certificate
    because CACert has some popularity out there in the open source
    space.<br>
    <br>
    So, you don&#39;t really get to the content via https? Or is it just that
    the browser does not trust it?<br>
    <br>
    Cheers,<br>
    Daniel<div><div><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <div><br>
              </div>
              <div>
                The server provides the correct certificate (I&#39;ve
                downloaded it), but it must provide also an intermediate
                certificate signed with CaCert RootCA. The client only
                has the Root CA, so for authentication of the cert the
                intermediate one is needed.  </div>
              <div><br>
              </div>
              <div>I guess <a href="https://www.globalsign.com/support/install/install_apache.php" target="_blank">https://www.globalsign.com/support/install/install_apache.php</a>
                provides a solution (note that the root CA might not
                make sense).</div>
              <div><br>
              </div>
              <div>
                <ul style="font-size:13px;font-family:Arial,Helvetica,sans-serif;list-style:none;margin:10px 0px 10px 10px;padding:0px">
                  <li style="padding:3px 0px;margin:3px 25px;list-style:none">
                    Your virtual host section will need to contain the
                    following directives:</li>
                  <li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCACertificateFile</strong></code> –
                    This will need to point to the appropriate
                    GlobalSign root CA certificate.</li>
                  <li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateChainFile</strong></code> –
                    This will need to point to the appropriate
                    intermediate root CA certificates you previously
                    created in Step 1 above.</li>
                  <li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateFile</strong></code> –
                    This will need to point to the end entity
                    certificate (the one you have called &quot;mydomain.crt&quot;)</li>
                  <li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateKeyFile</strong></code> –
                    This will need to point to the private key file
                    associated with your certificate.</li>
                </ul>
                <div><font color="#000000" face="Arial, Helvetica,
                    sans-serif"><span style="font-size:13px"><br>
                    </span></font></div>
                <div><br>
                </div>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div bgcolor="#FFFFFF" text="#000000"> Let me know if it
                  works for you in the same way.<br>
                  <br>
                  Cheers,<br>
                  Daniel
                  <div>
                    <div><br>
                      <br>
                      <blockquote type="cite">
                        <div dir="ltr">
                          <div>&quot;</div>
                          <div>
                            <div><a href="http://kamailio.org" target="_blank">kamailio.org</a> uses an
                              invalid security certificate.</div>
                            <div><br>
                            </div>
                            <div>The certificate is not trusted because
                              no issuer chain was provided.</div>
                            <div><br>
                            </div>
                            <div>(Error code: sec_error_unknown_issuer)</div>
                            <div>&quot;</div>
                            <div><br>
                            </div>
                            <div>Marius</div>
                          </div>
                        </div>
                        <div class="gmail_extra"><br>
                          <br>
                          <div class="gmail_quote">On Mon, Apr 1, 2013
                            at 6:55 PM, Edson - Lists <span dir="ltr">&lt;<a href="mailto:4lists@gmail.com" target="_blank">4lists@gmail.com</a>&gt;</span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Just
                              as a side note, I&#39;ve seen anti-spambot
                              &#39;captcha systems&#39; (just seen, not
                              implemented, nor do I know about a library that
                              implements it) that use a dual factor
                              approach: one that you see and one that
                              you know.<br>
                              <br>
                              Indeed very simple: show an image and ask
                              something about it.<br>
                              Questions can be: type just the letters,
                              type just the numbers, type numbers and
                              letters in pre-defined order
                              (left-to-right, up-down, etc.), number of
                              colors, of groups, color on the bottom
                              right, etc... The combinations are limited
                              by the imagination. And the best: it
                              increases exponentially the way bots have
                              to work.<br>
                              <br>
                              Does anybody know a library/system that
                              implements such an approach, not all of it,
                              but at least part of it?<br>
                              <br>
                              Edson.<br>
                              <br>
                              On 01/04/2013 06:27, Daniel-Constantin
                              Mierla wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                Hello,<br>
                                <br>
                                as of yesterday, creation of new
                                accounts for Kamailio&#39;s wiki site<br>
                                requires answering a project related
                                question. Captcha was useless as<br>
                                spam bots were lately going through it
                                easily, creating accounts at a<br>
                                rate of approx 50 new registrations per
                                day.<br>
                                <br>
                                The extra question is asked just after
                                CAPTCHA, see it at:<br>
                                - <a href="https://www.kamailio.org/wiki/start?do=register" target="_blank">https://www.kamailio.org/wiki/start?do=register</a><br>
                                <br>
                                Hopefully the questions are simple
                                enough to allow good people to<br>
                                register and difficult enough for
                                spambots to give up. It is not a very<br>
                                sophisticated system, let&#39;s see if there
                                will be any efforts in reverse<br>
                                engineering to break in with bots. So
                                far no new spammer account. If<br>
                                they will succeed, at least they learn
                                something useful.<br>
                                <br>
                                If anyone has difficulties creating wiki
                                accounts, write an email to<br>
                                sr-dev mailing list and it will be
                                investigated.<br>
                                <br>
                                Cheers,<br>
                                Daniel<br>
                                <br>
                                PS. This registration system will last,
                                it is not for April 1.<br>
                                <br>
                              </blockquote>
                              <br>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </blockquote>
                      <br>
                    </div>
                  </div>
                  <span><font color="#888888">
                      <pre cols="72">-- 
Daniel-Constantin Mierla - <a href="http://www.asipto.com" target="_blank">http://www.asipto.com</a>
<a href="http://twitter.com/#%21/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, April 16-17, 2013, Berlin
 - <a href="http://conference.kamailio.com" target="_blank">http://conference.kamailio.com</a> -</pre>
                    </font></span></div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div></div>
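<div>Added example, not part of the thread: the missing-intermediate situation discussed above (the client trusts only the root CA, so the server has to send the intermediate), reproduced offline with a constructed three-level PKI. All names, file paths and the function names <code>build_pki</code> and <code>client_verifies</code> are made up for this illustration; <code>-untrusted</code> stands in for the chain a server would send via <code>SSLCertificateChainFile</code>.</div>

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every name here is made up.
set -eu

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

build_pki() {  # $1 = directory to fill with keys and certificates
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
  new_csr "$d/root" "Demo Root CA"
  new_csr "$d/int"  "Demo Intermediate CA"
  new_csr "$d/leaf" "example.test"
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  # Intermediate signed by the root, then leaf signed by the intermediate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}

# Succeeds only if a client that trusts just root.crt can build a path to the leaf.
# $1 = PKI directory, $2 = "leaf-only" (server sends no chain) or "with-intermediate".
client_verifies() {
  case $2 in
    leaf-only)
      openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" ;;
    with-intermediate)
      openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" ;;
    *) return 2 ;;
  esac >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"
for mode in leaf-only with-intermediate; do
  if client_verifies "$work" "$mode"; then
    echo "$mode: chain verifies"
  else
    echo "$mode: verification fails, issuer of the leaf is unknown to the client"
  fi
done
```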