Re: [CentOS] https and self signed

2016-06-21 Thread James B. Byrne
On Mon, June 20, 2016 13:16, Gordon Messmer wrote: > On 06/20/2016 07:47 AM, James B. Byrne wrote: >> On Sat, June 18, 2016 18:39, Gordon Messmer wrote: >> >>> I'm not interested in turning this into a discussion on >>> epistemology. >>> This is based on the experience (the evidence) of some of

Re: [CentOS] https and self signed

2016-06-21 Thread Walter H.
On Wed, June 15, 2016 16:17, Warren Young wrote: > On Jun 15, 2016, at 7:57 AM, Александр Кириллов > wrote: >> >> Nowadays it's quite easy to get normal ssl certificates for free. E.g. >> >> http://www.startssl.com >> http://buy.wosign.com/free > > Today, I would prefer

Re: [CentOS] https and self signed

2016-06-21 Thread Walter H.
On Mon, June 20, 2016 19:16, Gordon Messmer wrote: > On 06/20/2016 07:47 AM, James B. Byrne wrote: >> Exactly what mindless person or committee of bike-shedders decided >> that software should be distributed so that copies of it expire? > > Expiration is a fundamental aspect of x509 certificates.

Re: [CentOS] https and self signed

2016-06-20 Thread Gordon Messmer
On 06/20/2016 07:47 AM, James B. Byrne wrote: On Sat, June 18, 2016 18:39, Gordon Messmer wrote: I'm not interested in turning this into a discussion on epistemology. This is based on the experience (the evidence) of some of the world's foremost experts in the field (Akamai, Cisco, EFF,

Re: [CentOS] https and self signed

2016-06-20 Thread Always Learning
On Mon, 2016-06-20 at 10:47 -0400, James B. Byrne wrote: > But hey, what is my time worth in comparison to the security those > certificates provided? SECURITY that was trivially evaded in the end. > Exactly what mindless person or committee of bike-shedders decided > that software

Re: [CentOS] https and self signed

2016-06-20 Thread James B. Byrne
On Sat, June 18, 2016 18:39, Gordon Messmer wrote: > On 06/18/2016 02:49 PM, James B. Byrne wrote: >> On Fri, June 17, 2016 21:40, Gordon Messmer wrote: >>> https://letsencrypt.org/2015/11/09/why-90-days.html >> With respect citing another person's or people's opinion in support >> of >> your own

Re: [CentOS] https and self signed

2016-06-18 Thread Always Learning
On Sat, 2016-06-18 at 19:49 -0500, Valeri Galtsev wrote: > Which browser do you use? I still am in a process of finding replacement > for Firefox (the closest is midori, it doesn't fully fill the bill for me > though). There is a Mozilla fork called Palemoon by some Europeans (Swedes, I think)

Re: [CentOS] https and self signed

2016-06-18 Thread Valeri Galtsev
On Sat, June 18, 2016 6:50 pm, Always Learning wrote: > > On Sat, 2016-06-18 at 15:39 -0700, Gordon Messmer wrote: > >> I'm not interested in turning this into a discussion on epistemology. >> This is based on the experience (the evidence) of some of the world's >> foremost experts in the field

Re: [CentOS] https and self signed

2016-06-18 Thread Always Learning
On Sat, 2016-06-18 at 15:39 -0700, Gordon Messmer wrote: > I'm not interested in turning this into a discussion on epistemology. > This is based on the experience (the evidence) of some of the world's > foremost experts in the field (Akamai, Cisco, EFF, Mozilla, etc). The same Mozilla

Re: [CentOS] https and self signed

2016-06-18 Thread Gordon Messmer
On 06/18/2016 02:49 PM, James B. Byrne wrote: On Fri, June 17, 2016 21:40, Gordon Messmer wrote: https://letsencrypt.org/2015/11/09/why-90-days.html With respect citing another person's or people's opinion in support of your own is not evidence in the sense I understand the word to mean. I'm

Re: [CentOS] https and self signed

2016-06-18 Thread James B. Byrne
On Fri, June 17, 2016 11:06, Walter H. wrote: > On 17.06.2016 16:46, James B. Byrne wrote: >> On Thu, June 16, 2016 13:53, Walter H. wrote: >>> On 15.06.2016 16:17, Warren Young wrote: but it also affects the other public CAs: you can’t get a publicly-trusted cert for a machine

Re: [CentOS] https and self signed

2016-06-18 Thread Always Learning
On Sat, 2016-06-18 at 08:20 -0500, Valeri Galtsev wrote: > On Sat, June 18, 2016 7:52 am, Always Learning wrote: > > > > Your connection is not secure > > > > The owner of harte-lyne.ca has configured their website improperly. To > > protect your information from being stolen, Firefox has not

Re: [CentOS] https and self signed

2016-06-18 Thread Walter H.
On 18.06.2016 03:41, Gordon Messmer wrote: On 06/17/2016 07:56 AM, James B. Byrne wrote: On Thu, June 16, 2016 14:09, Gordon Messmer wrote: I doubt that most users check the dates on SSL certificates, unless they are familiar enough with TLS to understand that a shorter validity period is

Re: [CentOS] https and self signed

2016-06-18 Thread Valeri Galtsev
On Sat, June 18, 2016 7:52 am, Always Learning wrote: > > On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > >> On 17/06/16 15:46, James B. Byrne wrote: > >> > >> > We operate a private CA for our domain and have since 2005. We >> > maintain a public CRL strictly in accordance with our CPS

Re: [CentOS] https and self signed

2016-06-18 Thread Always Learning
On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > On 17/06/16 15:46, James B. Byrne wrote: > > > > We operate a private CA for our domain and have since 2005. We > > maintain a public CRL strictly in accordance with our CPS and have our > > own OID assigned. Our CPS and CRL together with

Re: [CentOS] https and self signed

2016-06-17 Thread Gordon Messmer
On 06/16/2016 10:50 PM, Walter H. wrote: On 16.06.2016 22:02, Gordon Messmer wrote: Without using a metaphor, please explain exactly who you think will not trust these certs, because I have never met these people. then you know now, that there exist such people ... Well, one, but I'm hardly

Re: [CentOS] https and self signed

2016-06-17 Thread Gordon Messmer
On 06/17/2016 08:19 AM, James B. Byrne wrote: On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: Oh, this is what he meant: Cert validity period. Though I agree with you in general (the shorter the period the public key is exposed, the smaller the chance the secret key is discovered by brute force), Like many things that

Re: [CentOS] https and self signed

2016-06-17 Thread Gordon Messmer
On 06/17/2016 07:56 AM, James B. Byrne wrote: On Thu, June 16, 2016 14:09, Gordon Messmer wrote: I doubt that most users check the dates on SSL certificates, unless they are familiar enough with TLS to understand that a shorter validity period is better for security. What evidence do you

Re: [CentOS] https and self signed

2016-06-17 Thread Александр Кириллов
for me I refuse it or in other words, when there is no OCSP response and I don't get a CRL from the CA the SSL-host is blocked; Forget it, Walter. If you feel it's more secure that way I'm not going to waste my time to convince you otherwise. )

Re: [CentOS] https and self signed

2016-06-17 Thread Walter H.
On 17.06.2016 22:39, Александр Кириллов wrote: yes and no, but faking a valid OCSP response that says good instead of revoked is also possible ... Could you please provide any proof for that statement? If it were true the whole PKI infrastructure should probably be thrown out of the window.

Re: [CentOS] https and self signed

2016-06-17 Thread Александр Кириллов
yes and no, but faking a valid OCSP response that says good instead of revoked is also possible ... Could you please provide any proof for that statement? If it were true the whole PKI infrastructure should probably be thrown out of the window. ) the primary reason was to prevent problems

Re: [CentOS] https and self signed

2016-06-17 Thread Walter H.
On 17.06.2016 19:57, Александр Кириллов wrote: Then OCSP stapling is the way to go but it could be a real PITA to set up for the first time and may not be supported by older browsers anyway. not really, because the same server tells the client that the SSL certificate is good, as the SSL

Re: [CentOS] https and self signed

2016-06-17 Thread Александр Кириллов
Then OCSP stapling is the way to go but it could be a real PITA to set up for the first time and may not be supported by older browsers anyway. not really, because the same server tells the client that the SSL certificate is good, as the SSL certificate itself; these must be independent;

Re: [CentOS] https and self signed

2016-06-17 Thread Valeri Galtsev
On Fri, June 17, 2016 10:19 am, James B. Byrne wrote: > > On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: >> >> On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >>> >>> I doubt that most users check the dates on SSL certificates, >>> unless they are familiar enough with TLS to understand

Re: [CentOS] https and self signed

2016-06-17 Thread Valeri Galtsev
On Fri, June 17, 2016 9:56 am, Michael H wrote: > On 17/06/16 15:46, James B. Byrne wrote: >> On Thu, June 16, 2016 13:53, Walter H. wrote: >>> On 15.06.2016 16:17, Warren Young wrote: but it also affects the other public CAs: you can’t get a publicly-trusted cert for a machine

Re: [CentOS] https and self signed

2016-06-17 Thread James B. Byrne
On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: > > On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >> >> I doubt that most users check the dates on SSL certificates, >> unless they are familiar enough with TLS to understand that >> a shorter validity period is better for security. > >

Re: [CentOS] https and self signed

2016-06-17 Thread Walter H.
On 17.06.2016 16:46, James B. Byrne wrote: On Thu, June 16, 2016 13:53, Walter H. wrote: On 15.06.2016 16:17, Warren Young wrote: but it also affects the other public CAs: you can’t get a publicly-trusted cert for a machine without a publicly-recognized and -visible domain name. For that,

Re: [CentOS] https and self signed

2016-06-17 Thread Michael H
On 17/06/16 15:46, James B. Byrne wrote: > > On Thu, June 16, 2016 13:53, Walter H. wrote: >> On 15.06.2016 16:17, Warren Young wrote: >>> but it also affects the other public CAs: you can’t get a >>> publicly-trusted cert for a machine without a publicly-recognized >>> and -visible domain

Re: [CentOS] https and self signed

2016-06-17 Thread James B. Byrne
On Thu, June 16, 2016 13:53, Walter H. wrote: > On 15.06.2016 16:17, Warren Young wrote: >> but it also affects the other public CAs: you can’t get a >> publicly-trusted cert for a machine without a publicly-recognized >> and -visible domain name. For that, you still need to use >>

Re: [CentOS] https and self signed

2016-06-17 Thread Walter H.
On 17.06.2016 16:27, Александр Кириллов wrote: Walter H. wrote 2016-06-16 22:54: On 16.06.2016 21:42, Александр Кириллов wrote: I don't think OCSP is critical for free certificates suitable for small businesses and personal sites. this is philosophy; I'd say when you do it then do it

Re: [CentOS] https and self signed

2016-06-17 Thread Александр Кириллов
Walter H. wrote 2016-06-16 22:54: On 16.06.2016 21:42, Александр Кириллов wrote: that is right, but think of your potential clients, because wosign has a problem - slow OCSP, ... because their server infrastructure is located in China, and not the best bandwidth ... when validity checks of the

Re: [CentOS] https and self signed

2016-06-16 Thread Walter H.
On 16.06.2016 22:02, Gordon Messmer wrote: Without using a metaphor, please explain exactly who you think will not trust these certs, because I have never met these people. then you know now, that there exist such people ... at least the folks where their security software (antivirus, whatever)

Re: [CentOS] https and self signed

2016-06-16 Thread Valeri Galtsev
On Thu, June 16, 2016 3:00 pm, Gordon Messmer wrote: > On 06/16/2016 11:23 AM, Valeri Galtsev wrote: >> as the one who has to handle quite a >> few certificates, I only will go with certificates valid for a year, >> ...do I miss something?). > > > Yes. The tool that creates certificate/key

Re: [CentOS] https and self signed

2016-06-16 Thread Gordon Messmer
On 06/16/2016 11:50 AM, Walter H. wrote: technically there is more: it is not the user who needs to check the dates an SSL certificate is valid for; just compare it with real life: which salesman would you trust more - the one that gets a new car every few years, which has the same advertising on it and

Re: [CentOS] https and self signed

2016-06-16 Thread Gordon Messmer
On 06/16/2016 11:23 AM, Valeri Galtsev wrote: as the one who has to handle quite a few certificates, I only will go with certificates valid for a year, ...do I miss something?). Yes. The tool that creates certificate/key pairs, submits the CSR, and installs the certificate is intended to be

Re: [CentOS] https and self signed

2016-06-16 Thread Walter H.
On 16.06.2016 21:42, Александр Кириллов wrote: that is right, but think of your potential clients, because wosign has a problem - slow OCSP, ... because their server infrastructure is located in China, and not the best bandwidth ... when validity checks of the used SSL certificate very probable

Re: [CentOS] https and self signed

2016-06-16 Thread Александр Кириллов
that is right, but think of your potential clients, because wosign has a problem - slow OCSP, ... because their server infrastructure is located in China, and not the best bandwidth ... when validity checks of the used SSL certificate very probably fail, it is worse than not using SSL ... I

Re: [CentOS] https and self signed

2016-06-16 Thread Walter H.
On 16.06.2016 20:09, Gordon Messmer wrote: On 06/16/2016 10:53 AM, Walter H. wrote: Let's Encrypt only trusts for 3 months; would you really expect, in an online shop, that someone trusts this shop? let us think something like this: "when the CA only trusts for 3 months, how should I trust for a

Re: [CentOS] https and self signed

2016-06-16 Thread m . roth
Valeri Galtsev wrote: > > On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >> On 06/16/2016 10:53 AM, Walter H. wrote: >>> Let's Encrypt only trusts for 3 months; would you really expect, in an >>> online shop, that someone trusts this shop? >>> let us think something like this: "when the CA only

Re: [CentOS] https and self signed

2016-06-16 Thread Valeri Galtsev
On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: > On 06/16/2016 10:53 AM, Walter H. wrote: >> Let's Encrypt only trusts for 3 months; would you really expect, in an >> online shop, that someone trusts this shop? >> let us think something like this: "when the CA only trusts for 3 >> months, how

Re: [CentOS] https and self signed

2016-06-16 Thread Valeri Galtsev
On Thu, June 16, 2016 12:53 pm, Walter H. wrote: > On 15.06.2016 16:17, Warren Young wrote: >> On Jun 15, 2016, at 7:57 AM, Александр >> Кириллов wrote: >>> Nowadays it's quite easy to get normal ssl certificates for free. E.g. >>> >>>

Re: [CentOS] https and self signed

2016-06-16 Thread Gordon Messmer
On 06/16/2016 10:53 AM, Walter H. wrote: Let's Encrypt only trusts for 3 months; would you really expect, in an online shop, that someone trusts this shop? let us think something like this: "when the CA only trusts for 3 months, how should I trust for a longer period which is important for warranty

Re: [CentOS] https and self signed

2016-06-16 Thread Walter H.
On 15.06.2016 15:57, Александр Кириллов wrote: Nowadays it's quite easy to get normal ssl certificates for free. E.g. http://www.startssl.com http://buy.wosign.com/free that is right, but think of your potential clients, because wosign has a problem - slow OCSP, ... because their server

Re: [CentOS] https and self signed

2016-06-16 Thread Walter H.
On 15.06.2016 16:17, Warren Young wrote: On Jun 15, 2016, at 7:57 AM, Александр Кириллов wrote: Nowadays it's quite easy to get normal ssl certificates for free. E.g. http://www.startssl.com http://buy.wosign.com/free Today, I would prefer Let’s Encrypt:

Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 10:40 AM, Valeri Galtsev wrote: > > Thanks, that means no need to install CA. There is always someone (Thanks, > Warren!) who looked deeper into things, and can explain them. I claimed that the topic fills books. That wasn’t an exaggeration. Back

Re: [CentOS] https and self signed

2016-06-15 Thread m . roth
John Hodrien wrote: > On Wed, 15 Jun 2016, John R Pierce wrote: > >> On 6/15/2016 6:47 AM, Jerry Geis wrote: >>> How do I get past this? I was looking to just self sign for https. >> >> in my admittedly limited experience with this stuff, you need to create >> your own rootCA, and use that to

Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev
On Wed, June 15, 2016 10:31 am, Scott Robbins wrote: > On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote: >> >> On Wed, June 15, 2016 9:17 am, Warren Young wrote: >> >> >> >> Nowadays it's quite easy to get normal ssl certificates for free. >> E.g. >> > >> > Today, I would prefer

Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev
On Wed, June 15, 2016 10:38 am, Warren Young wrote: > On Jun 15, 2016, at 9:02 AM, Valeri Galtsev > wrote: >> >> I do see WoSign there (though I'd prefer to avoid my US located servers >> have certificates signed by authority located in China, hence located >> sort >>

Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev
On Wed, June 15, 2016 10:48 am, Warren Young wrote: > On Jun 15, 2016, at 9:38 AM, Warren Young wrote: >> >> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev >> wrote: >> >>> I see neither starttls.com nor letsencrypt.org among the >>> Authorities

Re: [CentOS] https and self signed

2016-06-15 Thread Jason Pyeron
> -Original Message- > From: Warren Young > Sent: Wednesday, June 15, 2016 10:26 > To: CentOS mailing list > Subject: Re: [CentOS] https and self signed > > On Jun 15, 2016, at 7:47 AM, Jerry Geis <ge...@pagestation.com> wrote: > > > > Yes I can a

Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 9:38 AM, Warren Young wrote: > > On Jun 15, 2016, at 9:02 AM, Valeri Galtsev wrote: > >> I see neither starttls.com nor letsencrypt.org among the Authorities >> certificates. > > That's because they are not top-tier CAs. I

Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 9:02 AM, Valeri Galtsev wrote: > > I do see WoSign there (though I'd prefer to avoid my US located servers > have certificates signed by authority located in China, hence located sort > of behind "the great firewall of China" - call me

Re: [CentOS] https and self signed

2016-06-15 Thread Scott Robbins
On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote: > > On Wed, June 15, 2016 9:17 am, Warren Young wrote: > >> > >> Nowadays it's quite easy to get normal ssl certificates for free. E.g. > > > > Today, I would prefer Let’s Encrypt: > > > > https://letsencrypt.org/ > > > > It is

Re: [CentOS] https and self signed

2016-06-15 Thread Paul Heinlein
On Wed, 15 Jun 2016, John R Pierce wrote: On 6/15/2016 6:47 AM, Jerry Geis wrote: How do I get past this? I was looking to just self sign for https. in my admittedly limited experience with this stuff, you need to create your own rootCA, and use that to sign your certificates, AND you

Re: [CentOS] https and self signed

2016-06-15 Thread David Nelson
On Jun 15, 2016, at 8:02 AM, Valeri Galtsev wrote: > > I see neither starttls.com nor letsencrypt.org > among the Authorities > certificates. This means (correct me if I'm wrong) that the client has to > import one of

Re: [CentOS] https and self signed

2016-06-15 Thread John Hodrien
On Wed, 15 Jun 2016, John R Pierce wrote: On 6/15/2016 6:47 AM, Jerry Geis wrote: How do I get past this? I was looking to just self sign for https. in my admittedly limited experience with this stuff, you need to create your own rootCA, and use that to sign your certificates, AND you need

Re: [CentOS] https and self signed

2016-06-15 Thread John R Pierce
On 6/15/2016 6:47 AM, Jerry Geis wrote: How do I get past this? I was looking to just self sign for https. in my admittedly limited experience with this stuff, you need to create your own rootCA, and use that to sign your certificates, AND you need to take the public key of the rootCA and
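The procedure John R Pierce outlines above (a private root CA, server certificates signed by it, the root's public certificate installed on the clients) is the standard answer to the OP's curl error 60, and the CRL/OCSP exchange earlier in the thread (Walter H. and Александр Кириллов) is about what happens when such a certificate is later revoked. The script below is an added example, not code from this thread or from the CentOS wiki HowTo it links: it builds a private CA with openssl, issues a leaf certificate with a subjectAltName, verifies it as a client would, then revokes it and shows that the same chain still validates unless the verifier is handed the CA's CRL. The CA name, the hostname `www.example.internal` and the temporary directory are placeholders; it assumes `openssl` 1.0.2 or later (for `-verify_hostname`) and `mktemp`.

```shell
#!/bin/sh
# Added example; not code from the thread or from the CentOS wiki HowTo.
# One self-signed root, leaf certificates signed by it, and a CRL so that a
# revoked leaf is rejected even though its chain still validates.
# Placeholders: "Example Private Root CA", www.example.internal.
# Assumes openssl >= 1.0.2 (for -verify_hostname) and mktemp.
set -eu

# Create the CA directory, an openssl.cnf for 'openssl ca', and the root cert.
make_private_ca() {
  base=$1
  mkdir -p "$base/ca/newcerts"
  : > "$base/ca/index.txt"          # certificate database for 'openssl ca'
  echo 1000 > "$base/ca/serial"
  echo 1000 > "$base/ca/crlnumber"
  cat > "$base/ca/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ ca ]
default_ca = private_ca
[ private_ca ]
dir              = $base/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req_dn ]
EOF
  # The root is the only self-signed object; it is what clients must trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -config "$base/ca/openssl.cnf" -extensions v3_ca \
    -keyout "$base/ca/ca.key" -out "$base/ca/ca.pem" 2>/dev/null
}

# Issue a server certificate for host $2, signed by the CA, with a SAN.
# curl and browsers match the hostname against the SAN, not only the CN.
issue_leaf() {
  base=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -config "$base/ca/openssl.cnf" \
    -keyout "$base/$host.key" -out "$base/$host.csr" 2>/dev/null
  cat > "$base/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ca -batch -config "$base/ca/openssl.cnf" -extfile "$base/$host.ext" \
    -in "$base/$host.csr" -out "$base/$host.pem" 2>/dev/null
}

# Revoke a leaf and publish a fresh CRL (the offline counterpart of OCSP).
revoke_leaf() {
  base=$1; host=$2
  openssl ca -batch -config "$base/ca/openssl.cnf" -revoke "$base/$host.pem" 2>/dev/null
  openssl ca -batch -config "$base/ca/openssl.cnf" -gencrl -out "$base/ca/ca.crl" 2>/dev/null
}

# Validate leaf $2 as a client would: chain to the root and hostname $3 match.
# Pass a CRL as $4 to also enforce revocation. Prints "ok" or "rejected".
# The verdict is taken from the ": OK" line, which is printed on success by
# every openssl version (older 'openssl verify' exit codes are unreliable).
verify_leaf() {
  base=$1; host=$2; expect=$3; crl=${4:-}
  if [ -n "$crl" ]; then
    out=$(openssl verify -CAfile "$base/ca/ca.pem" -verify_hostname "$expect" \
            -crl_check -CRLfile "$crl" "$base/$host.pem" 2>/dev/null || true)
  else
    out=$(openssl verify -CAfile "$base/ca/ca.pem" -verify_hostname "$expect" \
            "$base/$host.pem" 2>/dev/null || true)
  fi
  case $out in
    *": OK"*) echo ok ;;
    *)        echo rejected ;;
  esac
}

# Demo: issue, verify, revoke, then verify again with and without the CRL.
work=$(mktemp -d)
make_private_ca "$work"
issue_leaf "$work" www.example.internal
echo "chain + hostname:         $(verify_leaf "$work" www.example.internal www.example.internal)"
echo "wrong hostname:           $(verify_leaf "$work" www.example.internal mail.example.internal)"
revoke_leaf "$work" www.example.internal
echo "revoked, no CRL checked:  $(verify_leaf "$work" www.example.internal www.example.internal)"
echo "revoked, CRL enforced:    $(verify_leaf "$work" www.example.internal www.example.internal "$work/ca/ca.crl")"
# To trust the root system-wide on CentOS 7 (as root):
#   cp "$work/ca/ca.pem" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
# Per call, instead of curl --insecure:
#   curl --cacert "$work/ca/ca.pem" https://www.example.internal/file.html
```

The last two checks are the point of the revocation argument in the thread: a revoked certificate with a valid signature and valid dates passes chain verification; only a client that actually obtains a revocation source (here the CRL, in the browser case OCSP or a stapled response) can reject it. Only the CA's public certificate (`ca.pem`) goes to clients; `ca.key` stays on the signing host.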

Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev
On Wed, June 15, 2016 9:17 am, Warren Young wrote: > On Jun 15, 2016, at 7:57 AM, Александр Кириллов > wrote: >> >> Nowadays it's quite easy to get normal ssl certificates for free. E.g. >> >> http://www.startssl.com >> http://buy.wosign.com/free > > Today,

Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 7:47 AM, Jerry Geis wrote: > > Yes I can add the --insecure for curl - but - my other app doesn't > seem to work either - perhaps getting the same return message instead of > the actual file. Because of all the security holes people have been finding

Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 7:57 AM, Александр Кириллов wrote: > > Nowadays it's quite easy to get normal ssl certificates for free. E.g. > > http://www.startssl.com > http://buy.wosign.com/free Today, I would prefer Let’s Encrypt: https://letsencrypt.org/ It is

Re: [CentOS] https and self signed

2016-06-15 Thread Александр Кириллов
Nowadays it's quite easy to get normal ssl certificates for free. E.g. http://www.startssl.com http://buy.wosign.com/free

[CentOS] https and self signed

2016-06-15 Thread Jerry Geis
I followed the instructions here https://wiki.centos.org/HowTos/Https Checking port 80 I get the file... curl http://localhost/file.html Working Checking port 443 I get an error curl https://localhost/file.html curl: (60) Peer's certificate issuer has been marked as not trusted by the