Hi,

There are several relatively simple services (some entirely
in-browser) that can get certs from Let's Encrypt available at
https://letsencrypt.org/docs/client-options/ .  If have control over
DNS for your domain, you could set up an external DNS entry for the
name of the internal server and receive a cert, then use internal
(split-brain) DNS to use that name for a private IP and make use of
the cert you generate.  These certs are fairly short-lived, but once
DNS is set up, the update process is easy.

HTH,

--
Mike Rylander
 | President
 | Equinox Open Library Initiative
 | phone:  1-877-OPEN-ILS (673-6457)
 | email:  mi...@equinoxinitiative.org
 | web:  http://equinoxinitiative.org


On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro
<stomp...@exchange.larl.org> wrote:
> StartSSL shouldn’t be used any more.  They were banned from Chrome and
> Firefox early this year because of reasons including the fact that they were
> silently purchased by a Chinese company, and because they were issuing back
> dated certificates to get around the SHA-1 phase out.  They also allowed
> users to get certificates for main domains if they could certify that they
> had control of subdomains.
>
>
>
> https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>
>
>
> Josh Stompro - LARL IT Director
>
>
>
> From: Open-ils-general
> [mailto:open-ils-general-boun...@list.georgialibraries.org] On Behalf Of
> Bill Ott
> Sent: Thursday, March 30, 2017 9:10 AM
> To: open-ils-general@list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
>
>
>
> For single server implementations, there are also free certificates
> available from organizations like StartSSL.
>
>
>
> On 03/30/2017 10:04 AM, Rogan Hamby wrote:
>
> While SSL on an intranet may not be necessary it still isn't harmful.  I may
> be of a paranoid bent but you can have security issues even on an intranet,
> especially large geographically distributed ones.  And with the increasingly
> punitive behavior of browsers to punish non-encrypted connections in various
> ways (usually with warnings and such) I'd question if it would be easier to
> just implement the SSL for the intranet than try to pass around it.
>
>
>
>
>
>
> Rogan Hamby
>
> Data and Project Analyst
>
> Equinox Open Library Initiative
>
> phone:  1-877-OPEN-ILS (673-6457)
>
> email:  ro...@equinoxinitiative.org
>
> web:  http://EquinoxInitiative.org
>
>
>
> On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <ja...@sigio.com> wrote:
>
> I should add that the staff client requires SSL and there's no easy way
> to chagne that, so you can't completely disable SSL and expect things to
> still function properly.
>
>
>
>
> On 03/30/2017 09:23 AM, Jason Stephenson wrote:
>> Jayaraj,
>>
>> It would be done via the Apache configuration files. You'd move
>> everything from the SSL enabled vhost configurations to the non-SSL
>> vhosts, i.e everything from the port 443 configuration sections to the
>> port 80 configuration. Some of that configuration is duplicated, so only
>> the unique things need to go.
>>
>> There may also be some directives to force SSL on some locations. You'll
>> want to remove those also.
>>
>> I'm writing this from memory without looking at the files, which is
>> alway a bad thing to do, but I think that covers it.
>>
>> HtH,
>> Jason
>>
>> On 03/30/2017 04:16 AM, Jayaraj JR wrote:
>>> Hello,
>>>
>>> Greetings of the day !
>>>
>>> SSL or https is a better option as far as security is concerned. But the
>>> heightened security level may not be necessary at many times especially
>>> while using Evergreen in Intranet. Besides the browser often warns the
>>> user that entering to my account in evergreen catalog is dangerous if
>>> purchased SSL is not implemented. This may often create confusion for
>>> childern and beginning users who are not well versed with computers.
>>> They are very often advised to add security exception for accessing the
>>> library catalog.
>>>
>>> It would appreciable, if any option or configuration is available to
>>> disable the SSL and to use the full library catalog via http.
>>> Kindly advice the configuration to use my account in Evergreen catalog
>>> via http itself and not https
>>>
>>> --
>>> Thanks in Advance,
>>>
>>> Jayaraj J R
>>> Library Information Assistant
>>> IISER Thiruvananthapuram
>
>
>
>

Reply via email to