Archive for October, 2008
Server Name Indication being held back
Ever since websites have been available over HTTPS (HTTP over SSL), there has been the problem that the host requires one IP address per site, because each site needs its own certificate. With plain SSL the server can't switch certificates according to the site, as SSL is negotiated before any HTTP request (and so the Host header) is sent.
Server Name Indication is a TLS extension which sends the hostname during the TLS negotiation, which means the server can switch to the appropriate certificate, allowing a web host to potentially have as many HTTPS sites as it wants on a single IP address. It's a great solution; the only problem is that its adoption is currently being held back.
Firefox 2.0, Opera 8.0 and even Google Chrome support SNI; however, Safari on OS X currently doesn't support it, and Internet Explorer 7 only supports it on Windows Vista, not on Windows XP. So SNI is being held back by the lack of support in IE and Safari, two fairly significant browsers which many people use, and admins can't ignore either of them.
SNI is only just becoming available in Linux distributions, with Apache 2.2.8 and the latest versions of OpenSSL, so it isn't available to everyone just yet. However, being unable to use it for many years, because any Internet Explorer user on Windows XP won't be able to view SNI sites, is going to be a huge hindrance to adopting it.
Oct 17
3ware 8006-2LP RAID with CentOS 5
The Hetzner DS-8000 servers feature a 3ware RAID card (8006-2LP) for hardware RAID 1, which is a nice feature, although the default CentOS setup is slightly broken with SELinux. After several hours of wondering why smartd wouldn't work, /var/log/audit/audit.log revealed the following:
type=AVC msg=audit(1223922183.059:22): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/twe0" dev=tmpfs ino=8940 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=chr_file
A good administrator will probably want to add some custom SELinux policies, but the lazy admin might just want to disable SELinux. I went with the disabling of SELinux as the easier option! It’s not a recommended solution though.
Eventually I got smartd working again, so I’ve now got decent monitoring of the disks on the machine.
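The custom-policy route mentioned above, as an added example that is not part of the original post: a small shell script that turns the AVC denial from the audit log into a type-enforcement module granting only the access that was denied, so SELinux can stay enforcing. The module name smartd_twe and the install_te helper are assumptions; the compile/load commands are the standard checkmodule, semodule_package and semodule sequence.

```shell
# The denial from the post's /var/log/audit/audit.log, joined onto one line.
AVC='type=AVC msg=audit(1223922183.059:22): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/twe0" dev=tmpfs ino=8940 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=chr_file'

# Extract source type, target type, object class and the denied permissions
# from one AVC line and print a type-enforcement (.te) module that allows
# exactly that access and nothing more (similar to what audit2allow -m emits).
avc_to_te() {
    line=$1
    module=$2
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    stype=$(printf '%s\n' "$scontext" | cut -d: -f3)   # e.g. fsdaemon_t
    ttype=$(printf '%s\n' "$tcontext" | cut -d: -f3)   # e.g. device_t
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/ *$//')
    printf 'module %s 1.0;\n\nrequire {\n' "$module"
    printf '    type %s;\n    type %s;\n' "$stype" "$ttype"
    printf '    class %s { %s };\n}\n\n' "$tclass" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Hypothetical helper: compile and load the module (run as root on the box).
install_te() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Print the generated policy; redirect to smartd_twe.te and call
# install_te smartd_twe to load it, then restart smartd and re-check audit.log.
avc_to_te "$AVC" smartd_twe
```

The generated allow rule is scoped to fsdaemon_t reading attributes of device_t character devices, which is far narrower than disabling SELinux altogether.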