SSL certificate irony

I happened across Doug Munsinger’s post about refreshing WMQ SSL certificates.  On the one hand, it’s good to know someone else out there is using SSL with WMQ.  On the other hand, the certificate problem on Doug’s web site overshadows the content of the post itself.

Ironically, the post about SSL certificates (the entire site, in fact) is only available over HTTPS but when you try to go to, the certificate presented is actually for  This is exactly the kind of thing that you would expect with all the talk of the DNS exploits lately and you have to wonder if this is in fact a cache poisoning problem.

In order to read the post safely, I fired up a read-only image in a VMware Player, disabled scripting and configured an exception so the browser would ignore the certificate mismatch.  By the time I got to the post itself, I had almost forgotten why I went there in the first place.

In the end, it turns out that Doug had some minor problems refreshing expired SSL certificates but ultimately got through it.  The post reminds us to use REFRESH SECURITY TYPE(SSL) instead of the plain REFRESH SECURITY command as they do completely different things.  Good advice for those of us who have been doing this long enough that we’ve stopped reading the manuals.  Done that?  You betcha.  Now if Doug can only remember how to refresh the certificates under Apache…


5 Responses to SSL certificate irony

  1. Pingback: two bugs… | doug munsinger

  2. dougmunsinger says:

    Try Apache proxies the original 443 request by name to port 8443, and a second and separate server presents the correct certificate for the name. Direct to 8443 gets the separate server and cert with no proxying. Looks to be transparent, as far as I’ve been able to test. Thanks again for the heads up.

  3. Pingback: two bugs… | doug munsinger

  4. T.Rob says:

    I figured it was something like that but now that the DNS exploits have been weaponized and we are starting to see some in the wild, you can’t be too careful. My provider is Road Runner and, at least here in Charlotte, they haven’t patched their name servers yet. In fact, when I called to ask, the tech support person had not even heard about the DNS issues. Doesn’t give you much confidence.

  5. dougmunsinger says:

    Thanks, I’m aware of that. I hadn’t originally intended to present over SSL. But Verizon FIOS blocks port 80 (morons) and work won’t allow anything but port 80 and port 443, so if I want to verify something on my site from work – it must be port 443.

    I’m buying another cheap SSL cert from GoDaddy (30.00 for 2 years, and from my experience works great). I’ll set this one up properly – the warnings from Firefox 3 alone are enough to scare a lot of people off.

    Appreciate the mention and the complaint.
