Date: Thu, 02 Feb 2017 18:30:47 -0600
To: users@httpd.apache.org
From: rich.greder@hushmail.com
References: <20170202165421.3D19740179@smtp.hushmail.com>
Message-Id: <20170203003048.1155440155@smtp.hushmail.com>
Subject: Re: [users@httpd] How to enable 443 on apache2 using provided key files

On 2/2/2017 at 1:27 PM, "Erik Dobák" wrote:
>
> well i am still unsure about the full encryption. i don't like that. if
> there is a problem the overheads grow to analyze the situation. what about
> just signing the messages? i mean if you have messages for all why do you
> want to hide them?
>

Because the site has a user authentication portal. The owner of the server
does not want user passwords being sent in plaintext. Some portions of the
site are not open to the public. There is computational overhead, but they
have invested in hardware sufficient for managing that. The problem I am
faced with is a software/compatibility/standards issue. I wholeheartedly
believe in the open internet model though, and my own personal sites are
available on our favorite port 80, as well as port 443 (via letsencrypt.org)
for the paranoid who think the gov't can't see it.

> E
>
> On 2 February 2017 at 17:54, wrote:
>
>> Hello,
>>
>> There is a freshly installed (from Ubuntu 16.04 package) apache server
>> running in a large institution that needs to have port 443 traffic
>> enabled. I am helping a friend of mine configure this server and, at the
>> same time, writing a document for reproducing the installation procedure
>> that will be published online. The server has its own subdomain and the
>> system administrator generated encryption keys to be used for this server.
>> The administrator is talented, but seems to be inexperienced in open-source
>> solutions, so outside help is needed. As a courtesy to my friend, whom I'm
>> helping set this up, I've anonymized the TLD from the filename, but the
>> files are as follows:
>>
>> _.example.com.p12
>> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>> SSL Certificate - .example.com.txt
>>
>> I personally do not have easy access to these files, but I can request
>> actions to be performed on them. I had not previously been acquainted with
>> P12 files until now. I found a website that seems to be able to help me
>> export data from the P12 file into a data format that apache can readily
>> use:
>>
>> http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server
>>
>> After reading through this website, I proposed these steps:
>>
>> # unencrypted private key, then the plain RSA key apache will load
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
>> sudo openssl rsa -in /vault/private.pem -out /vault/key.pem
>> # the server certificate only (the one that carries the key)
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
>> # the CA certificates only
>> sudo openssl pkcs12 -in /vault/_.example.com.p12 -nokeys -cacerts -out /vault/CAchain.pem
>>
>> And then modify ./sites-available/site-443.conf with the lines:
>>
>> SSLCertificateFile /vault/cert.pem
>> SSLCertificateKeyFile /vault/key.pem
>> SSLCertificateChainFile /vault/CAchain.pem
>> SSLCACertificateFile "/vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt"
>>
>> We tried some of the openssl commands in that document, but we don't have
>> the password. The file named "SSL Certificate - .example.com.txt" is
>> unused, and that does concern me that I'm either neglecting a critical file
>> or needlessly duplicating it. Before asking the administrator for a
>> password, we have questioned whether we are making this needlessly
>> difficult and were curious if there is a solution where these files can be
>> used directly by apache.
>>
>> As you can guess, I'm no expert at encryption. Getting keys for the
>> purpose of self-education is very expensive. The extent of my experience
>> is limited to creating self-signed certificates back in the good old days
>> before the web-browser people decided that was to be forbidden practice,
>> and more recently, letsencrypt.org, which operates in a magical smoke and
>> mirrors method. I would like to know if this would be the best practice
>> for my friend encrypting his server's traffic. I am very grateful for any
>> feedback.
>>
>> Thank you very much!
>>
>> Rich
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
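As an added example (not code from the thread or from the httpd project), the POSIX shell script below does what Rich's proposed openssl steps do, but builds a throwaway PKCS#12 bundle so it runs offline and adds the two checks worth running before editing the vhost: that the extracted key actually belongs to the certificate, and that the extracted chain verifies it. The `$WORK` directory, the CN values and the password "changeit" are constructed placeholders; `openssl` is assumed to be in `PATH`.

```shell
#!/bin/sh
# Added example, not from the thread: extract the private key, the server cert and
# the CA chain from a PKCS#12 bundle for Apache mod_ssl, then check that the key
# belongs to the cert and that the chain verifies it. Assumptions: openssl in PATH;
# $WORK, the CN values and the password "changeit" are constructed placeholders.
set -eu
umask 077   # extracted private key files must not be group/world readable
WORK="${WORK:-$(mktemp -d)}"

# Builds a constructed bundle (stand-in for _.example.com.p12) so the script runs
# offline: a throwaway CA signs a throwaway server certificate, both are packed.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example.test" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
      -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/sample.p12"
}

# extract_p12 <bundle.p12> <password> <outdir>: writes key.pem, cert.pem, CAchain.pem.
# -nodes leaves the key unencrypted so Apache can start without a passphrase prompt;
# -clcerts selects the certificate that carries the key, -cacerts the rest.
extract_p12() {
  p12=$1; pw=$2; out=$3
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$out/key.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$out/cert.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys -out "$out/CAchain.pem" 2>/dev/null
}

# key_matches_cert <key.pem> <cert.pem>: succeeds only if both carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# chain_verifies <CAchain.pem> <cert.pem>: the extracted chain must validate the leaf.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# vhost_snippet <dir>: mod_ssl directives with file names matching extract_p12.
vhost_snippet() {
  printf 'SSLEngine on\nSSLCertificateFile %s/cert.pem\nSSLCertificateKeyFile %s/key.pem\n' "$1" "$1"
  printf 'SSLCertificateChainFile %s/CAchain.pem\n' "$1"
}
```

On Apache 2.4.8 and later (Ubuntu 16.04 ships 2.4.18) SSLCertificateChainFile is deprecated; appending CAchain.pem to cert.pem and pointing SSLCertificateFile at the combined file is the supported form.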