
Apache2 - setting up an SSL cert
Does anyone have a guide for setting up a proper SSL cert for apache2
web server?

Thanks,

Patrick



--
http://patrickcampbell.us


--
gentoo-user@gentoo.org mailing list
Re: Apache2 - setting up an SSL cert
When you say 'proper', do you mean from a true CA like Thawte?

It wouldn't be a 'proper' SSL cert in this case, but if you emerge apache with
the 'ssl' USE flag set, then add "-D SSL" to your Apache configuration file.

J. Patrick Campbell wrote:
| Does anyone have a guide for setting up a proper SSL cert for apache2
| web server?

--
() The ASCII Ribbon Campaign - against HTML Email,
/\ vCards, and proprietary formats.
---------------------------------------------------
Peter A. Gordon (codergeek42)
E-Mail: admin@ramshacklestudios.com
GPG Public Key ID: 0x109DBECE
GPG Key Fingerprint (SHA1):
E485 E2F7 11CE F9B2 E3D9 C95D 208F B732 109D BECE
Encrypted and/or Signed correspondence preferred.
Use Mozilla Firefox and help spread the word:
http://www.spreadfirefox.com/
---------------------------------------------------

Re: Apache2 - setting up an SSL cert
On Wed, October 20, 2004 12:46 am, Peter Gordon said:

>
> When you say 'proper', do you mean from a true CA like Thawte?
>
> It wouldn't be a 'proper' SSL cert in this case, but if you emerge apache
> with
> the 'ssl' USE flag set, then add "-D SSL" to your Apache configuration
> file.

that's how i was running initially, but i wanted a real ssl cert.
i got a trial now, you can check it out at https://lowmips.com
geez, these things are expensive!
what do you folks use for ssl?

thanks,

Patrick

>
> J. Patrick Campbell wrote:
> | Does anyone have a guide for setting up a proper SSL cert for apache2
> | web server?


--
http://patrickcampbell.us


Re: Apache2 - setting up an SSL cert
On Wednesday 20 October 2004 00:49, J. Patrick Campbell wrote:
> On Wed, October 20, 2004 12:46 am, Peter Gordon said:
> > When you say 'proper', do you mean from a true CA like Thawte?
> >
> > It wouldn't be a 'proper' SSL cert in this case, but if you emerge apache
> > with
> > the 'ssl' USE flag set, then add "-D SSL" to your Apache configuration
> > file.
>
> that's how i was running initially, but i wanted a real ssl cert.
> i got a trial now, you can check it out at https://lowmips.com
> geez, these things are expensive!
> what do you folks use for ssl?
>
> thanks,
>
> Patrick

well signing ssl certificates DOES make them more complete (so to say), but it
is not entirely necessary...the point of having ssl on your http is so that it
encrypts your connection...getting it signed by one of those companies is
worth it if you have a company or something large like that and you provide
several internet services.

personally i just have my own ssl certificate on my server at home and it all
works fine, except giving me a warning that it isn't signed. it still
encrypts my connection, which is all i care about

-cos

>
> > J. Patrick Campbell wrote:
> > | Does anyone have a guide for setting up a proper SSL cert for apache2
> > | web server?

--
In Linux We TrUsT !

Re: Apache2 - setting up an SSL cert
On Wednesday 20 October 2004 01:10, Casper the Friendly Ghost wrote:
> On Wednesday 20 October 2004 00:49, J. Patrick Campbell wrote:
> > On Wed, October 20, 2004 12:46 am, Peter Gordon said:
> > > When you say 'proper', do you mean from a true CA like Thawte?
> > >
> > > It wouldn't be a 'proper' SSL cert in this case, but if you emerge
> > > apache with
> > > the 'ssl' USE flag set, then add "-D SSL" to your Apache configuration
> > > file.
> >
> > that's how i was running initially, but i wanted a real ssl cert.
> > i got a trial now, you can check it out at https://lowmips.com
> > geez, these things are expensive!
> > what do you folks use for ssl?
> >
> > thanks,
> >
> > Patrick
>
> well signing ssl certificates DOES make them more complete (so to say), but
> it is not entirely necessary...the point of having ssl on your http is so
> that it encrypts your connection...getting it signed by one of those companies
> is worth it if you have a company or something large like that and you provide
> several internet services.
>
> personally i just have my own ssl certificate on my server at home and it
> all works fine, except giving me a warning that it isn't signed. it still
> encrypts my connection, which is all i care about
>
> -cos
>
> > > J. Patrick Campbell wrote:
> > > | Does anyone have a guide for setting up a proper SSL cert for apache2
> > > | web server?

--
In Linux We TrUsT !

oops...I missed that last question...the guide I used when I installed apache
with ssl support was

http://slacksite.com/apache/certificate.html

nite nite

-cos

Re: Apache2 - setting up an SSL cert
You may also try http://www.cacert.org/ to get a certificate. At this
moment no browser supports the CAcert root certificate yet, so users will
still get a warning. Maybe there will be browser support if they can gain
momentum.

note: I have not used their service myself

On Wed, 20 Oct 2004, J. Patrick Campbell wrote:

>
> On Wed, October 20, 2004 12:46 am, Peter Gordon said:
>
> >
> > When you say 'proper', do you mean from a true CA like Thawte?
> >
> > It wouldn't be a 'proper' SSL cert in this case, but if you emerge apache
> > with
> > the 'ssl' USE flag set, then add "-D SSL" to your Apache configuration
> > file.
>
> that's how i was running initially, but i wanted a real ssl cert.
> i got a trial now, you can check it out at https://lowmips.com
> geez, these things are expensive!
> what do you folks use for ssl?
>
> thanks,
>
> Patrick
>
> >
> > J. Patrick Campbell wrote:
> > | Does anyone have a guide for setting up a proper SSL cert for apache2
> > | web server?


Re: Apache2 - setting up an SSL cert
Casper the Friendly Ghost wrote:
>>that's how i was running initially, but i wanted a real ssl cert.
>>i got a trial now, you can check it out at https://lowmips.com
>>geez, these things are expensive!
>>what do you folks use for ssl?

There was a thread about cheap key signing authorities on gentoo-server
these days ([gentoo-server] cannot I save this LOTS of money?). In
short, you may look at
http://www.cacert.org/ free, but not yet accepted out of the box by all
browsers, or
> freessl.com has wildcard certs and they claim a very high percentage of browsers will accept them.

> well signing ssl certificates DOES make them more complete (so to say), but it
> is not entirely necessary...the point of having ssl on your http is so that it
> encrypts your connection...getting it signed by one of those companies is
> worth it if you have a company or something large like that and you provide
> several internet services.

Having an unsigned or self-signed key may be all right for private use or
within a closed user group, but it surely is a security issue on public
sites. There is a comment about that on
http://www.heise.de/security/artikel/40073 (in German only, sorry).

In short the problem is the following: an encrypted connection is _not_
secure by default - it is only secure if you are sure that the
encryption key used is owned by the server you try to connect to. So with
untrusted keys you would have to check the key fingerprint _and_ you
have to know the correct fingerprint.
This may not seem worth talking about to many on this list, but while
users not knowing about the (technical) details get used to ignoring the
warning messages of their browser an attack will be very easy in the future.
So for public websites you should set up encryption correctly recognized
by browsers or don't encrypt at all.

> personally i just have my own ssl certificate on my server at home and it all
> works fine, except giving me a warning that it isn't signed. it still
> encrypts my connection, which is all i care about

...but the connection still is not secure until you check the key
fingerprint - to regard it as secure just because it seems to be the
correct content is an illusion.

Just my 2 cents talking about security.

Andreas

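The check Andreas describes above (compare the key the server actually presents against a fingerprint you already know from elsewhere), as an added Python example that is not part of this thread. It assumes a self-signed Apache server whose SHA-256 certificate fingerprint was read off the server console out of band; `connect_pinned` and `PinMismatch` are hypothetical names chosen for the example.

```python
"""Fingerprint pinning for a self-signed HTTPS server (added example, not from the thread).

A TLS handshake only proves you share a key with *some* peer. Without a CA the
browser trusts, the only authentication is comparing the presented certificate's
fingerprint with one obtained out of band, e.g. from the server itself with
`openssl x509 -noout -fingerprint -sha256 -in server.crt`.
"""
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate does not match the pinned fingerprint."""


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate,
    in the same form that `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate against the known-good fingerprint.
    Accepts either the colon-separated or the bare hex form, in any case."""
    got = hashlib.sha256(der_cert).hexdigest().lower()
    want = expected.replace(":", "").lower()
    # constant-time comparison: the fingerprint of a public cert is not secret,
    # but compare_digest is the habit to keep for any verification check
    return hmac.compare_digest(got, want)


def connect_pinned(host: str, port: int, expected: str, timeout: float = 5.0) -> str:
    """Open a TLS connection to host:port, accept only the pinned certificate,
    and return the negotiated protocol version. Raises PinMismatch otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A self-signed cert has no CA chain to validate, so CA checks are off and
    # the pin below is the *only* authentication of the server. CERT_NONE
    # without such a pin is exactly the "encrypted but not secure" case.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not fingerprint_matches(der, expected):
                raise PinMismatch(f"{host}:{port} presented "
                                  f"{sha256_fingerprint(der or b'')}, expected {expected}")
            return tls.version()
```

The two fingerprint helpers are pure and run offline; `connect_pinned` needs a reachable server, and a mismatch means either a wrong pin or a different key than the one you recorded.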
Re: Apache2 - setting up an SSL cert
Güray Sen wrote:
> You may also try http://www.cacert.org/ to get a certificate. At this
> moment no browser supports the CAcert root certificate yet, so users will
> still get a warning. Maybe there will be browser support if they can gain
> momentum.

Stating the obvious: Of course, that warning will go away if those users
install the CAcert root certificate into their browser (which is a
matter of clicking on it). It is surely acceptable, depending on what
your SSL site is for.

--
Yoann Pannier


Re: Apache2 - setting up an SSL cert
On Wednesday 20 October 2004 06:12, Andreas Prieß wrote:
> Casper the Friendly Ghost wrote:
> >>that's how i was running initially, but i wanted a real ssl cert.
> >>i got a trial now, you can check it out at https://lowmips.com
> >>geez, these things are expensive!
> >>what do you folks use for ssl?
>
> There was a thread about cheap key signing authorities on gentoo-server
> these days ([gentoo-server] cannot I save this LOTS of money?). In
> short, you may look at
> http://www.cacert.org/ free, but not yet accepted out of the box by all
> browsers, or
>
> > freessl.com has wildcard certs and they claim a very high percentage of
> > browsers will accept them.
> >
> > well signing ssl certificates DOES make them more complete (so to say),
> > but it is not entirely necessary...the point of having ssl on your http
> > is so that it encrypts your connection...getting it signed by one of those
> > companies is worth it if you have a company or something large like that and
> > you provide several internet services.
>
> Having an unsigned or self-signed key may be all right for private use or
> within a closed user group, but it surely is a security issue on public
> sites.

My point exactly

> There is a comment about that on
> http://www.heise.de/security/artikel/40073 (in German only, sorry).
>
> In short the problem is the following: an encrypted connection is _not_
> secure by default - it is only secure if you are sure that the
> encryption key used is owned by the server you try to connect to. So with
> untrusted keys you would have to check the key fingerprint _and_ you
> have to know the correct fingerprint.
> This may not seem worth talking about to many on this list, but while
> users not knowing about the (technical) details get used to ignoring the
> warning messages of their browser an attack will be very easy in the
> future. So for public websites you should set up encryption correctly
> recognized by browsers or don't encrypt at all.
>
> > personally i just have my own ssl certificate on my server at home and it
> > all works fine, except giving me a warning that it isn't signed. it still
> > encrypts my connection, which is all i care about
>
> ...but the connection still is not secure until you check the key
> fingerprint - to regard it as secure just because it seems to be the
> correct content is an illusion.

well considering I am pretty much the only one using my server (and a few
buddies i guess) then having a self-signed certificate and ensuring on _my_
own that the key is correct is no biggie. What you are saying is true if we
would be talking about a widely used server which doesn't have a cert and
people would just ignore the warning.


-cos
>
> Just my 2 cents talking about security.
>
> Andreas

--
In Linux We TrUsT !
