details to configure SKS https web interface


details to configure SKS https web interface

gabrix-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi!
I wish to run the sks web interface over https (ssl).
What are the directives for cert.pem and key.pem, and to enable ssl?
Thanks!

Ask to <noauth.at.autistici.org> for GOSSIP with pgp.gabrix.ath.cx 11370.

Gab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkmyjp8ACgkQ9QITQrxPlCMp9gCdFqwkZHnNnPJwbvJcSvozViVx
dMkAnj00FEs0oHizDiHe13TL1FOzHmve
=eoXT
-----END PGP SIGNATURE-----



_______________________________________________
Sks-devel mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/sks-devel

Re: details to configure SKS https web interface

Joseph Oreste Bruni-3

On Mar 7, 2009, at 8:11 AM, Gab wrote:

> Hi!
> I wish to in https ssl the sks web interface .
> What are the directives for cert.pem and key.pem and to enable ssl ?
> Thanks!


I don't believe that the built-in web server supports SSL. However,
you could front-end SKS with Apache configured as a proxy.





Re: details to configure SKS https web interface

Daniel Kahn Gillmor-7
On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>> I wish to in https ssl the sks web interface .
>> What are the directives for cert.pem and key.pem and to enable ssl ?
>
> I don't believe that the built-in web server supports SSL. However, you
> could front-end SKS with Apache configured as a proxy.

We're currently doing this on zimmermann with nginx providing the
front-layer proxy (still using X.509-certified TLS, unfortunately).  The
configuration snippet looks like this:

> server {
>         listen  443;
>         listen  11372;
>         server_name zimmermann.mayfirst.org;
>         ssl on;
>         ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
>         ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
>         access_log  off;
>
>         location / {
>                 proxy_pass http://localhost:11371/;
>         }
> }
We chose to listen on port 443 so people could browse to it with
https://zimmermann.mayfirst.org/  (the X.509 certificate offered here is
signed by a private certificate authority [0], which i have also
signed, if you care to certify it)

We also are listening on port 11372 because this seems to be the choice
of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
(as yet unreleased) patch to gpg:

http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924

hope this is useful, and i'm happy to explain more details if folks are
interested.

        --dkg

[0] https://support.mayfirst.org/wiki/mfpl_certificate_authority



Re: details to configure SKS https web interface

David Shaw
On Mar 7, 2009, at 7:30 PM, Daniel Kahn Gillmor wrote:

> We also are listening on port 11372 because this seems to be the choice
> of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
> (as yet unreleased) patch to gpg:
>
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924

I wrote that patch, and I picked 11372 simply because it was 11371+1.
If someone feels a different port would be better, let's talk about
it.  The code hasn't been released yet, so it's very easy to change
(it will get harder to change once there is a release).

David




Re: details to configure SKS https web interface

Gabor Kiss
On Sat, 7 Mar 2009, Daniel Kahn Gillmor wrote:
> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
> > On Mar 7, 2009, at 8:11 AM, Gab wrote:
> >> I wish to in https ssl the sks web interface .
> >> What are the directives for cert.pem and key.pem and to enable ssl ?
> >
> > I don't believe that the built-in web server supports SSL. However, you
> > could front-end SKS with Apache configured as a proxy.

> We chose to listen on port 443 so people could browse to it with
> https://zimmermann.mayfirst.org/  (the X.509 certificate offered here is
>  signed by a private certificate authority [0], which i have also
> signed, if you care to certify it)

Folks,

I wonder what the advantage of SSL is in the case of key servers?

The information transferred is not secret, therefore there is no need for encryption.

It is no use proving the identity of the key server, because anyone can
set up a well-known key server with fake data. (BTW. The certificate
of zimmermann.mayfirst.org is signed by a CA unknown to my browser. :-)

PGP keys verify each other's integrity. All elements of the whole system
(including DNS, communication links, key servers and users sending
in fake keys) are untrusted.

Then why?

Gabor



Re: details to configure SKS https web interface

Christoph Anton Mitterer-2
Hi.

On Sun, 2009-03-08 at 08:13 +0100, Kiss Gabor (Bitman) wrote:
> I wonder what is the advantage of SSL in case of key servers?
Have a look at this:
http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html


Best wishes,
Chris.


Re: details to configure SKS https web interface

Gabor Kiss
> > I wonder what is the advantage of SSL in case of key servers?
> Have a look at this:
> http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html

Uhmmmm... it's an interesting idea. :-)

Gabor



Re: details to configure SKS https web interface

David Shaw
On Mar 8, 2009, at 3:13 AM, Kiss Gabor (Bitman) wrote:

> On Sat, 7 Mar 2009, Daniel Kahn Gillmor wrote:
>> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>>> I wish to in https ssl the sks web interface .
>>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>>>
>>> I don't believe that the built-in web server supports SSL. However, you
>>> could front-end SKS with Apache configured as a proxy.
>
>> We chose to listen on port 443 so people could browse to it with
>> https://zimmermann.mayfirst.org/  (the X.509 certificate offered here is
>> signed by a private certificate authority [0], which i have also
>> signed, if you care to certify it)
>
> Folks,
>
> I wonder what is the advantage of SSL in case of key servers?
>
> The information transferred is not secret therefore no need of
> encryption.

This is true, but that does not mean it isn't private.  Without SSL,
someone could sniff on the wire and find out what key you were
requesting.

(There are other reasons, but simple privacy is a good one)

David




Re: details to configure SKS https web interface

Daniel Kahn Gillmor-7
On 03/07/2009 09:37 PM, David Shaw wrote:

> On Mar 7, 2009, at 7:30 PM, Daniel Kahn Gillmor wrote:
>
>> We also are listening on port 11372 because this seems to be the choice
>> of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
>> (as yet unreleased) patch to gpg:
>>
>> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
>
> I wrote that patch, and I picked 11372 simply because it was 11371+1.
> If someone feels a different port would be better, let's talk about it.
> The code hasn't been released yet, so it's very easy to change (it will
> get harder to change once there is a release).
I didn't mean to imply that i had any objection to it -- it seems
reasonable to me, and in keeping with what seems to be the dominant
practice in a lot of scenarios on today's network.  I couldn't find a
parallel patch in the gpg2 codebase.  Do you plan on a similar approach
there?

RFC 2817 [0] (which is ancient in itself) suggests that the practice of
direct TLS-wrapping a service on a different port should be deprecated,
and provides a mechanism for upgrading a non-TLS mechanism to use TLS
(analogous to how STARTTLS is used for IMAP and SMTP).

While i'm not suggesting that this is the only way to go, i do think
this seems like it might be a reasonable approach to consider.  What
would be needed to handle this for the interaction between SKS (which
appears to be the dominant free OpenPGP keyserver today) and gpg (which
seems to be the dominant free OpenPGP client today)?

 * SKS would need to be able to switch to TLS using the Upgrade: mechanism.

 * gpg would need to be able to initiate an upgrade, and gpg users would
need to be able to configure gpg to indicate that non-upgraded HKP
sessions should be rejected. (this would protect against MITM
session-downgrade attacks that strip out the upgrade request/response
traffic)

These seem like useful but non-trivial tasks, so i suspect that the
current (simpler) implementation is probably the right one, since it
gives us TLS-wrapped HKP relatively soon.

I'd be happy to hear other people's thoughts on this.

        --dkg

[0] http://tools.ietf.org/html/rfc2817



Re: details to configure SKS https web interface

David Shaw
On Mar 8, 2009, at 3:50 PM, Daniel Kahn Gillmor wrote:

> On 03/07/2009 09:37 PM, David Shaw wrote:
>> On Mar 7, 2009, at 7:30 PM, Daniel Kahn Gillmor wrote:
>>
>>> We also are listening on port 11372 because this seems to be the choice
>>> of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
>>> (as yet unreleased) patch to gpg:
>>>
>>> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
>>
>> I wrote that patch, and I picked 11372 simply because it was 11371+1.
>> If someone feels a different port would be better, let's talk about it.
>> The code hasn't been released yet, so it's very easy to change (it will
>> get harder to change once there is a release).
>
> I didn't mean to imply that i had any objection to it -- it seems
> reasonable to me, and in keeping with what seems to be the dominant
> practice in a lot of scenarios on today's network.  I couldn't find a
> parallel patch in the gpg2 codebase.  Do you plan on a similar approach
> there?

Oh, no worries about objections.  I was just stating a fact: I made up
the port number.  If you have a better one, I genuinely want to know
so I can use it.

The same code will (more or less) apply to gpg2.  Most of the changes
I make are for both code bases, but I usually work on gpg1 then batch
up my changes onto gpg2.  I have to find a spare few hours and do the
code integration.

> * SKS would need to be able to switch to TLS using the Upgrade: mechanism.
>
> * gpg would need to be able to initiate an upgrade, and gpg users would
> need to be able to configure gpg to indicate that non-upgraded HKP
> sessions should be rejected. (this would protect against MITM
> session-downgrade attacks that strip out the upgrade request/response
> traffic)

GPG does have the necessary concepts for this.  There is already code
for handling such a TLS upgrade in the LDAP handler, as well as
various levels of upgrade enforcement (don't try / try but fail
quietly / try but fail loudly / require upgrade).  The problem is that
RFC 2817 never really caught on for one reason or another.  Apache
supports it, but offhand, I don't know of any clients that do,
including libcurl which is what GPG generally uses for HKP keyserver
support.

We may end up with "hkps" on port 11372 just for lack of support for
doing anything else.

David



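The RFC 2817 sketch from dkg (SKS switches to TLS via Upgrade:, gpg can be told to reject non-upgraded HKP sessions) and the four enforcement levels David Shaw lists (don't try / try but fail quietly / try but fail loudly / require upgrade) can be walked through end to end. The following is an added example written for this thread, not code from gpg, SKS or any poster: a Python simulation of the Upgrade: TLS/1.0 exchange between an HKP client and server with each of the four policies applied. The server side covers both a server that honours the upgrade and one that answers in the clear; the client cannot distinguish the latter from a stripped Upgrade exchange, which is why only the strictest level protects the lookup. The host name, key id and all class and function names are constructed.

```python
"""Simulated RFC 2817 "Upgrade: TLS/1.0" negotiation for an HKP key lookup.

Added example for the sks-devel thread; not code from gpg, SKS or any
poster. It applies the four enforcement levels David Shaw lists (don't
try / try but fail quietly / try but fail loudly / require upgrade) to a
server's first reply. Host, key id and all names here are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

CRLF = "\r\n"


class UpgradePolicy(Enum):
    NEVER = "never"          # don't try
    TRY_QUIET = "try-quiet"  # try, silently fall back to plain HKP
    TRY_WARN = "try-warn"    # try, fall back to plain HKP but warn
    REQUIRE = "require"      # refuse to continue without TLS


@dataclass
class Decision:
    proceed: bool
    transport: Optional[str]  # "tls", "plaintext", or None when aborting
    warning: Optional[str]


def build_hkp_request(host: str, keyid: str, policy: UpgradePolicy) -> str:
    """First request of a lookup. Unless the policy is NEVER it carries the
    RFC 2817 offer to switch this connection to TLS."""
    lines = [f"GET /pks/lookup?op=get&search=0x{keyid} HTTP/1.1", f"Host: {host}"]
    if policy is not UpgradePolicy.NEVER:
        lines += ["Upgrade: TLS/1.0", "Connection: Upgrade"]
    return CRLF.join(lines) + CRLF + CRLF


def parse_message(text: str):
    """Split an HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = text.partition(CRLF + CRLF)
    start, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def _tokens(headers: dict, name: str) -> list:
    return [t.strip().lower() for t in headers.get(name, "").split(",") if t.strip()]


def hkp_server_response(request: str, supports_upgrade: bool) -> str:
    """Server side. With RFC 2817 support the server accepts the offer with
    101 Switching Protocols; the TLS handshake follows and the client repeats
    its request inside TLS. Without support it ignores the hop-by-hop Upgrade
    header and serves the key in the clear, which is also exactly what the
    client sees if an on-path party dropped the Upgrade headers. The key
    block below is a constructed placeholder."""
    _, headers, _ = parse_message(request)
    if supports_upgrade and "tls/1.0" in _tokens(headers, "upgrade") \
            and "upgrade" in _tokens(headers, "connection"):
        return CRLF.join(["HTTP/1.1 101 Switching Protocols",
                          "Upgrade: TLS/1.0, HTTP/1.1", "Connection: Upgrade"]) + CRLF + CRLF
    body = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed)\n-----END PGP PUBLIC KEY BLOCK-----\n"
    return CRLF.join(["HTTP/1.1 200 OK", "Content-Type: application/pgp-keys",
                      f"Content-Length: {len(body)}"]) + CRLF + CRLF + body


def server_switched_to_tls(response: str) -> bool:
    """RFC 2817 acceptance: status 101, Upgrade naming TLS/1.0, Connection: Upgrade."""
    start, headers, _ = parse_message(response)
    parts = start.split(" ")
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (status == 101 and "tls/1.0" in _tokens(headers, "upgrade")
            and "upgrade" in _tokens(headers, "connection"))


def decide(policy: UpgradePolicy, response: str) -> Decision:
    """Client side: apply the enforcement level to the server's first reply."""
    if policy is UpgradePolicy.NEVER:
        return Decision(True, "plaintext", None)
    if server_switched_to_tls(response):
        return Decision(True, "tls", None)
    # The reply came in the clear. The client cannot tell a server without
    # RFC 2817 support from a stripped Upgrade exchange; only the policy
    # decides whether the lookup goes out on the wire unprotected.
    msg = "server did not upgrade to TLS"
    if policy is UpgradePolicy.TRY_QUIET:
        return Decision(True, "plaintext", None)
    if policy is UpgradePolicy.TRY_WARN:
        return Decision(True, "plaintext", msg + "; continuing in the clear")
    return Decision(False, None, msg + "; policy requires it, aborting lookup")


def lookup(policy: UpgradePolicy, server_supports_upgrade: bool) -> Decision:
    """One simulated exchange against a constructed host and key id."""
    request = build_hkp_request("keys.example.test", "0123456789ABCDEF", policy)
    return decide(policy, hkp_server_response(request, server_supports_upgrade))


if __name__ == "__main__":
    for policy in UpgradePolicy:
        for supports in (True, False):
            d = lookup(policy, supports)
            print(f"{policy.value:9} server_upgrade={supports!s:5} -> proceed={d.proceed} "
                  f"transport={d.transport} warning={d.warning}")
```

Running the block prints the eight combinations. The two "try" levels complete the lookup in plaintext whenever the 101 does not arrive, so an on-path party that drops the Upgrade headers gets the same result as a server that never supported them; only `REQUIRE` refuses, which is the configuration dkg describes for rejecting non-upgraded HKP sessions. A client that needs a guarantee under the TLS-on-a-separate-port approach (11372) gets the equivalent by simply refusing to speak plain HKP.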

Re: details to configure SKS https web interface

Christoph Anton Mitterer-2
On Mon, 2009-03-09 at 09:52 -0400, David Shaw wrote:
> We may end up with "hkps" on port 11372 just for lack of support for
> doing anything else.
One should not use port numbers from the registered port number range...
if the port is not actually registered, or is even used by something else.

Chris.


Re: details to configure SKS https web interface

David Shaw
On Mar 10, 2009, at 9:28 AM, Christoph Anton Mitterer wrote:

> On Mon, 2009-03-09 at 09:52 -0400, David Shaw wrote:
>> We may end up with "hkps" on port 11372 just for lack of support for
>> doing anything else.
> One should not use port numbers from the registered port numbers
> area,... if it's not actually registered or even used by something else.

How do you think ports get used?

David



Re: details to configure SKS https web interface

gabrix-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

David Shaw wrote:

> On Mar 8, 2009, at 3:13 AM, Kiss Gabor (Bitman) wrote:
>
>> On Sat, 7 Mar 2009, Daniel Kahn Gillmor wrote:
>>> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>>>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>>>> I wish to in https ssl the sks web interface .
>>>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>>>>
>>>> I don't believe that the built-in web server supports SSL. However, you
>>>> could front-end SKS with Apache configured as a proxy.
>>
>>> We chose to listen on port 443 so people could browse to it with
>>> https://zimmermann.mayfirst.org/  (the X.509 certificate offered here is
>>> signed by a private certificate authority [0], which i have also
>>> signed, if you care to certify it)
>>
>> Folks,
>>
>> I wonder what is the advantage of SSL in case of key servers?
>>
>> The information transferred is not secret therefore no need of
>> encryption.
>
> This is true, but that does not mean it isn't private.  Without SSL,
> someone could sniff on the wire and find out what key you were requesting.
>
> (There are other reasons, but simple privacy is a good one)
>
> David
>
>
>
What Gabor says is true in part, but it is best to make sure no one sniffs
your key activities and opens the possibility of a PGP key spoof and
similar threats... IMO :).
Gab

- --
sec   1024D/BC4F9423 2008-12-05
      Key fingerprint = 36C6 E257 2801 46E7 69A7  8721 F502 1342 BC4F 9423
uid                  Gabriele XXX (Mail Account Autistici)
<[hidden email]>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkm6A0oACgkQ9QITQrxPlCO/NACg5QCBIPlHYQUJUZokcOwEff2C
a0cAoIkBUESh7HtT2AldQRj2lZa0lOXf
=uZAo
-----END PGP SIGNATURE-----




Re: details to configure SKS https web interface

gabrix-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Daniel Kahn Gillmor wrote:

> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>> I wish to in https ssl the sks web interface .
>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>> I don't believe that the built-in web server supports SSL. However, you
>> could front-end SKS with Apache configured as a proxy.
>
> We're currently doing this on zimmermann with nginx providing the
> front-layer proxy (still using X.509-certified TLS, unfortunately).  The
> configuration snippet looks like this:
>
>> server {
>>         listen  443;
>>         listen  11372;
>>         server_name zimmermann.mayfirst.org;
>>         ssl on;
>>         ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
>>         ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
>>         access_log  off;
>>
>>         location / {
>>                 proxy_pass http://localhost:11371/;
>>         }
>> }
>
> We chose to listen on port 443 so people could browse to it with
> https://zimmermann.mayfirst.org/  (the X.509 certificate offered here is
>  signed by a private certificate authority [0], which i have also
> signed, if you care to certify it)
>
> We also are listening on port 11372 because this seems to be the choice
> of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
> (as yet unreleased) patch to gpg:
>
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
>
> hope this is useful, and i'm happy to explain more details if folks are
> interested.
>
> --dkg
>
> [0] https://support.mayfirst.org/wiki/mfpl_certificate_authority
>
>
What would be the procedure for apache2?

Gab

- --
sec   1024D/BC4F9423 2008-12-05
      Key fingerprint = 36C6 E257 2801 46E7 69A7  8721 F502 1342 BC4F 9423
uid                  Gabriele XXX (Mail Account Autistici)
<[hidden email]>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkm9HXwACgkQ9QITQrxPlCOZpgCgkGO6gB4BtqL9BEqxJ3slKZya
lwAAoJUbrohYdqoINnZKHPbG+vcXlwT+
=Vrvg
-----END PGP SIGNATURE-----




Re: Re: details to configure SKS https web interface

Daniel Kahn Gillmor-7
On 03/15/2009 11:23 AM, Gab wrote:

> Daniel Kahn Gillmor wrote:
>> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>>> I wish to in https ssl the sks web interface .
>>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>>> I don't believe that the built-in web server supports SSL. However, you
>>> could front-end SKS with Apache configured as a proxy.
>> We're currently doing this on zimmermann with nginx providing the
>> front-layer proxy (still using X.509-certified TLS, unfortunately).
> What would be the procedure for apache2 ?
I don't have any experience with using apache2 as a reverse proxy with
TLS enabled.  It would be great if someone who does use it that way
wanted to share their configuration.

        --dkg



Re: details to configure SKS https web interface

gabrix-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Daniel Kahn Gillmor wrote:

> On 03/15/2009 11:23 AM, Gab wrote:
>> Daniel Kahn Gillmor wrote:
>>> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>>>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>>>> I wish to in https ssl the sks web interface .
>>>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>>>> I don't believe that the built-in web server supports SSL. However, you
>>>> could front-end SKS with Apache configured as a proxy.
>>> We're currently doing this on zimmermann with nginx providing the
>>> front-layer proxy (still using X.509-certified TLS, unfortunately).
>> What would be the procedure for apache2 ?
>
> I don't have any experience with using apache2 as a reverse proxy with
> TLS enabled.  It would be great if someone who does use it that way
> wanted to share their configuration.
>
> --dkg
>
>
I will give it a try!

- --
sec   1024D/BC4F9423 2008-12-05
      Key fingerprint = 36C6 E257 2801 46E7 69A7  8721 F502 1342 BC4F 9423
uid                  Gabriele XXX (Mail Account Autistici)
<[hidden email]>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkm9XJwACgkQ9QITQrxPlCMoegCfQi4ejRLT6vbShTshzOfm4ndl
lWAAoNeHjoiwOZjm5HH2n2A9twCjQ8N8
=J4ex
-----END PGP SIGNATURE-----




Re: Re: details to configure SKS https web interface

Jan Kesten-3
Hi Daniel,

should be something like this:

<VirtualHost foo.bar.com:443>
   ServerAdmin [hidden email]
   DocumentRoot /var/www/
   SSLEngine on
   ServerName foo.bar.com
   SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLProtocol all
   SSLCipherSuite HIGH:MEDIUM
   SSLProxyEngine On
   <Location /pks>
        ProxyPass http://127.0.0.1:11371/pks
        ProxyPassReverse http://127.0.0.1:11371/pks
   </Location>
</VirtualHost>

Of course you need mod_proxy and mod_ssl ;-)

Cheers,
Jan

2009/3/15 Daniel Kahn Gillmor <[hidden email]>:

> On 03/15/2009 11:23 AM, Gab wrote:
>> Daniel Kahn Gillmor wrote:
>>> On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
>>>> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>>>>> I wish to in https ssl the sks web interface .
>>>>> What are the directives for cert.pem and key.pem and to enable ssl ?
>>>> I don't believe that the built-in web server supports SSL. However, you
>>>> could front-end SKS with Apache configured as a proxy.
>>> We're currently doing this on zimmermann with nginx providing the
>>> front-layer proxy (still using X.509-certified TLS, unfortunately).
>> What would be the procedure for apache2 ?
>
> I don't have any experience with using apache2 as a reverse proxy with
> TLS enabled.  It would be great if someone who does use it that way
> wanted to share their configuration.
>
>        --dkg
>
>


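The two reverse-proxy snippets in this thread (dkg's nginx server block and Jan Kesten's Apache VirtualHost just above) are what most operators will start from, and both terminate TLS in front of SKS's plain-HTTP port 11371. What follows is an added example, not code from the thread, nginx, Apache or SKS: a small Python linter that parses both snippets (copied from the thread as sample input, with the ServerAdmin/DocumentRoot/access_log lines left out) into one model and reports the properties worth checking on such a front end: that TLS termination is actually enabled, that the proxy does not itself bind the plaintext HKP port, that the upstream hop to SKS stays on loopback, and whether the protocol and cipher settings are left at `all` / `MEDIUM`. The directive names are real nginx and Apache directives; the finding names are the script's own.

```python
"""Lint a TLS reverse-proxy front end for an SKS keyserver.

Added example for the sks-devel thread; not code from the thread, nginx,
Apache or SKS. The sample configurations are the nginx snippet from Daniel
Kahn Gillmor's message and the Apache snippet from Jan Kesten's, copied
from the thread (abridged); the finding names are this script's own."""
import re
from urllib.parse import urlparse

NGINX_SNIPPET = """
server {
        listen  443;
        listen  11372;
        server_name zimmermann.mayfirst.org;
        ssl on;
        ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
        ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
        location / {
                proxy_pass http://localhost:11371/;
        }
}
"""

APACHE_SNIPPET = """
<VirtualHost foo.bar.com:443>
   SSLEngine on
   ServerName foo.bar.com
   SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLProtocol all
   SSLCipherSuite HIGH:MEDIUM
   SSLProxyEngine On
   <Location /pks>
        ProxyPass http://127.0.0.1:11371/pks
        ProxyPassReverse http://127.0.0.1:11371/pks
   </Location>
</VirtualHost>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_nginx(text: str) -> dict:
    """Collect 'name value;' directives (braces skipped; enough for one server{}
    with one location{}). 'ssl on;' is the pre-1.15 form; newer nginx puts 'ssl'
    on the listen line instead, so both spellings count as TLS enabled."""
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]+);", text, re.M):
        found.setdefault(m.group(1), []).append(m.group(2).strip())
    listens = [v.split() for v in found.get("listen", [])]
    return {
        "tls_on": found.get("ssl", [""])[0] == "on" or any("ssl" in l for l in listens),
        "ports": [l[0].rsplit(":", 1)[-1] for l in listens],
        "upstreams": found.get("proxy_pass", []),
        "protocols": found.get("ssl_protocols", [None])[0],
        "ciphers": found.get("ssl_ciphers", [None])[0],
    }


def parse_apache(text: str) -> dict:
    """Collect 'Name value' directives plus the port from <VirtualHost addr:port>."""
    found, ports = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"<VirtualHost\s+\S*?:(\d+)>", line)
        if m:
            ports.append(m.group(1))
        if not line or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        found.setdefault(name, []).append(value.strip())
    return {
        "tls_on": found.get("SSLEngine", [""])[0].lower() == "on",
        "ports": ports,
        "upstreams": [v.split()[-1] for v in found.get("ProxyPass", [])],
        "protocols": found.get("SSLProtocol", [None])[0],
        "ciphers": found.get("SSLCipherSuite", [None])[0],
    }


def check(cfg: dict) -> list:
    """Findings for a parsed front end; an empty list means nothing was flagged."""
    findings = []
    if not cfg["tls_on"]:
        findings.append("tls-not-enabled")
    if "11371" in cfg["ports"]:
        findings.append("listens-on-plain-hkp-port")  # 11371 is SKS's own HKP port
    if any(urlparse(u).hostname not in LOOPBACK for u in cfg["upstreams"]):
        findings.append("upstream-not-loopback")      # plaintext hop to SKS leaves the host
    proto = cfg["protocols"]
    if proto is None:
        findings.append("no-protocol-restriction")    # whatever the build defaults to
    elif "all" in proto.lower().split() and "-" not in proto:
        findings.append("legacy-protocols-allowed")   # Apache 2.2: 'all' = SSLv2+SSLv3+TLSv1
    if cfg["ciphers"] and "MEDIUM" in cfg["ciphers"].upper().split(":"):
        findings.append("medium-ciphers-allowed")     # OpenSSL MEDIUM: 128-bit suites, RC4 included
    return findings


if __name__ == "__main__":
    for name, cfg in (("nginx", parse_nginx(NGINX_SNIPPET)),
                      ("apache", parse_apache(APACHE_SNIPPET))):
        print(f"{name}: ports={cfg['ports']} findings={check(cfg) or ['none']}")
```

On the thread's own snippets the nginx block is flagged only for having no `ssl_protocols` line (it inherits whatever the build defaults to), while the Apache block is flagged for `SSLProtocol all`, which on the 2.2 series means SSLv2, SSLv3 and TLSv1, and for `HIGH:MEDIUM`, where OpenSSL's MEDIUM class admits the 128-bit legacy suites including RC4. Adding `ssl_protocols TLSv1.2 TLSv1.3;` to the nginx block, or `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH` to the Apache block, clears the findings. Both snippets correctly keep the upstream on loopback; pointing `proxy_pass` at another host would reintroduce a plaintext hop on the network.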

Re: Re: details to configure SKS https web interface

Phil Pennock-17
On 2009-03-16 at 09:13 +0100, Jan Kesten wrote:

> Hi Daniel,
>
> should be something like this:
>
> <VirtualHost foo.bar.com:443>
>    ServerAdmin [hidden email]
>    DocumentRoot /var/www/
>    SSLEngine on
>    ServerName foo.bar.com
>    SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
>    SSLCertificateFile /etc/apache2/ssl/apache.crt
>    SSLProtocol all
>    SSLCipherSuite HIGH:MEDIUM
>    SSLProxyEngine On
>    <Location /pks>
>         ProxyPass http://127.0.0.1:11371/pks
>         ProxyPassReverse http://127.0.0.1:11371/pks
>    </Location>
> </VirtualHost>
>
> Of course you need mod_proxy and mod_ssl ;-)
And one of:

 * a dedicated IP address, to do IP-based vhosting

 * the SSLCertificateFile using subjectAltName extensions, so that the
   same certificate is used for every vhost on that IP

 * serverNameIndication support in Apache *and* every web-browser you
   care about

The SNI support will let you do true vhosting of SSL sites, without an
IP-per-vhost but it won't work with MSIE on Windows XP (requires Vista,
AIUI).  See https://sni.velox.ch/ for a test site, which includes
links to the relevant modules.

I use both of the first two options for SSL vhosting; the former where I
can get away with IPv6-only, the latter for the rest, and just rely upon
the sites being fairly equivalent in trust status.  (I don't use
mod_proxy at the current time though, so held off on providing config
snippets).

-Phil
