Hi all.
Regards from México.

As Mike said, letsencrypt could work for Evergreen as an option.

In an Evergreen testing server for 2.12.0 EG version, I already installed a LetsEncrypt certificate and it is working fine.

https://biblos.ipicyt.edu.mx/eg/opac/home

Rgds

Sincerely.
Francisco Javier Guel Mendoza

________________________________
From: Open-ils-general <open-ils-general-boun...@list.georgialibraries.org> on behalf of Mike Rylander <mrylan...@gmail.com>
Sent: Thursday, March 30, 2017 08:40 a.m.
To: Evergreen Discussion Group
Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS

Hi,

There are several relatively simple services (some entirely in-browser) that can get certs from Let's Encrypt available at https://letsencrypt.org/docs/client-options/ . If you have control over DNS for your domain, you could set up an external DNS entry for the name of the internal server and receive a cert, then use internal (split-brain) DNS to use that name for a private IP and make use of the cert you generate. These certs are fairly short-lived, but once DNS is set up, the update process is easy.

HTH,

--
Mike Rylander
 | President
 | Equinox Open Library Initiative
 | phone: 1-877-OPEN-ILS (673-6457)
 | email: mi...@equinoxinitiative.org
 | web: http://equinoxinitiative.org

On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro <stomp...@exchange.larl.org> wrote:
> StartSSL shouldn’t be used any more. They were banned from Chrome and
> Firefox early this year because of reasons including the fact that they were
> silently purchased by a Chinese company, and because they were issuing back
> dated certificates to get around the SHA-1 phase out.
> They also allowed users to get certificates for main domains if they could
> certify that they had control of subdomains.
>
> https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>
> Josh Stompro - LARL IT Director
>
> From: Open-ils-general
> [mailto:open-ils-general-boun...@list.georgialibraries.org] On Behalf Of
> Bill Ott
> Sent: Thursday, March 30, 2017 9:10 AM
> To: open-ils-general@list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
>
> For single server implementations, there are also free certificates
> available from organizations like StartSSL.
>
> On 03/30/2017 10:04 AM, Rogan Hamby wrote:
>
> While SSL on an intranet may not be necessary it still isn't harmful. I may
> be of a paranoid bent but you can have security issues even on an intranet,
> especially large geographically distributed ones. And with the increasingly
> punitive behavior of browsers to punish non-encrypted connections in various
> ways (usually with warnings and such) I'd question if it would be easier to
> just implement the SSL for the intranet than try to pass around it.
>
> Rogan Hamby
>
> Data and Project Analyst
>
> Equinox Open Library Initiative
>
> phone: 1-877-OPEN-ILS (673-6457)
>
> email: ro...@equinoxinitiative.org
>
> web: http://EquinoxInitiative.org
>
> On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <ja...@sigio.com> wrote:
>
> I should add that the staff client requires SSL and there's no easy way
> to change that, so you can't completely disable SSL and expect things to
> still function properly.
>
> On 03/30/2017 09:23 AM, Jason Stephenson wrote:
>> Jayaraj,
>>
>> It would be done via the Apache configuration files. You'd move
>> everything from the SSL enabled vhost configurations to the non-SSL
>> vhosts, i.e. everything from the port 443 configuration sections to the
>> port 80 configuration. Some of that configuration is duplicated, so only
>> the unique things need to go.
>>
>> There may also be some directives to force SSL on some locations. You'll
>> want to remove those also.
>>
>> I'm writing this from memory without looking at the files, which is
>> always a bad thing to do, but I think that covers it.
>>
>> HtH,
>> Jason
>>
>> On 03/30/2017 04:16 AM, Jayaraj JR wrote:
>>> Hello,
>>>
>>> Greetings of the day !
>>>
>>> SSL or https is a better option as far as security is concerned. But the
>>> heightened security level may not be necessary at many times especially
>>> while using Evergreen in Intranet. Besides the browser often warns the
>>> user that entering to my account in evergreen catalog is dangerous if
>>> purchased SSL is not implemented. This may often create confusion for
>>> children and beginning users who are not well versed with computers.
>>> They are very often advised to add security exception for accessing the
>>> library catalog.
>>>
>>> It would be appreciable, if any option or configuration is available to
>>> disable the SSL and to use the full library catalog via http.
>>> Kindly advise the configuration to use my account in Evergreen catalog
>>> via http itself and not https
>>>
>>> --
>>> Thanks in Advance,
>>>
>>> Jayaraj J R
>>> Library Information Assistant
>>> IISER Thiruvananthapuram