undefined | Better HN

0 pointspacifi3013y ago0 comments

Thank you so much. I'll change it to something obscure and for the SSL certificate I am thinking if I can use heroku's SSL certificate.

0 comments

7 comments · 3 top-level

StavrosK13y ago· 3 in thread

That's a normal HTTPS cert, I'm talking about this:

http://www.ibm.com/developerworks/lotus/library/ls-SSL_clien...

Really, though, unless you're extremely security-conscious, a hidden URL over HTTPS with a good password is sufficient for your purposes.

Also, don't serve any pages over plain HTTP, login pages even less so.

pacifi30OP13y ago

Thanks, I guess I ll explore the option that you described above. Also there is one more thing I am curious about, so heroku does gives a free SSL certificate but that only works for their domain meaning something like truffleapp.herokuapp.com, it doesn't work for the custom domain. Do you know any way where I can save money on buying SSL certificate and rather use heroku's certificate. All the certificates put atleast a 1000$ hole in the pocket but eventually in a week or so if I can't figure out how to use heroku SLL, I have to spend that money

tingletech13y ago

If you are just using ssl on your admin site; you could roll your own.

  openssl req -new -x509 -nodes \
        -out /nuxeo/certs/server.crt \
        -keyout /nuxeo/certs/server.key \
        -batch

you will get a warning about the certificate being suspect; but at least the traffic will be encrypted

tjohns13y ago

StartCom offers free SSL certificates that are recognized by most browsers: http://cert.startcom.org/

Heroku will still probably charge you a basic fee for enabling SSL, since each certificate requires a dedicated (non-shared) IP address... at least until SNI support becomes more commonplace.

Edit: Just to reiterate what others have said, this is a server-side certificate, which is primarily used for encryption. You'll also want to generate a client-side certificate for authentication purposes. That's something you'd do entirely on your own, no need to go through a third-party CA for that.

pfg13y ago· 1 in thread

Note that StavrosK is probably talking about SSL client authentication, which isn't what most people think about when talking about SSL. Basically, it enables you to allow access only to people with a certain client certificate installed in their browser (i.e., proving the clients' identity to the server, not just the other way around).

Unfortunately I have no idea how this would work on Heroku.

There's a great article about client authentication for HAProxy (might be interesting even if you're not using HAProxy): http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-...

dalore13y ago

There is a module for django to do client ssl cert authentication. I haven't used it though but it seems maintained.

https://github.com/kimvais/django-ssl-client-auth

Keyframe13y ago

you can also put up a htpasswd if you can on that directory, every bit helps.

j / k navigate · click thread line to collapse