On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote:
> On Mar 7, 2009, at 8:11 AM, Gab wrote:
>> I wish to in https ssl the sks web interface .
>> What are the directives for cert.pem and key.pem and to enable ssl ?
>
> I don't believe that the built-in web server supports SSL. However, you
> could front-end SKS with Apache configured as a proxy.

We're currently doing this on zimmermann with nginx providing the
front-layer proxy (still using X.509-certified TLS, unfortunately). The
configuration snippet looks like this:

> server {
>     listen 443;
>     listen 11372;
>     server_name zimmermann.mayfirst.org;
>     ssl on;
>     ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
>     ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
>     access_log off;
>
>     location / {
>         proxy_pass http://localhost:11371/;
>     }
> }

We chose to listen on port 443 so people could browse to it with
https://zimmermann.mayfirst.org/ (the X.509 certificate offered here is
signed by a private certificate authority [0], which i have also signed,
if you care to certify it)

We also are listening on port 11372 because this seems to be the choice
of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
(as yet unreleased) patch to gpg:

http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924

hope this is useful, and i'm happy to explain more details if folks are
interested.

--dkg

[0] https://support.mayfirst.org/wiki/mfpl_certificate_authority

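Added example, not part of the original message: a small Python check for a proxy block like the one above. It flags any `listen` line left without TLS (easy to do when moving from the block-wide `ssl on;` to the per-listener `ssl` parameter that current nginx requires) and any `proxy_pass` whose plain-HTTP hop to SKS leaves loopback. The `audit` and `is_loopback` names, the sample blocks and the certificate path are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed inputs. LEGACY mirrors the block in the message (placeholder
# certificate path); MIGRATED is a hypothetical port to per-listen `ssl`
# syntax in which the second listener was missed.
LEGACY = """
server {
    listen 443;
    listen 11372;
    ssl on;
    ssl_certificate /etc/ssl/certs/example-cert.pem;
    location / { proxy_pass http://localhost:11371/; }
}
"""
MIGRATED = LEGACY.replace("listen 443;", "listen 443 ssl;").replace("ssl on;", "")


def is_loopback(host):
    """True for localhost or a literal loopback address."""
    if host == "localhost":
        return True
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:  # some other hostname
        return False


def audit(server_block):
    """Return findings for one nginx server block given as text."""
    # Split into directives; enough for simple blocks without comments or quotes.
    directives = [d.split() for d in re.split(r"[;{}]", server_block) if d.split()]
    block_wide_tls = ["ssl", "on"] in directives
    findings = []
    for name, *args in directives:
        if name == "listen" and not (block_wide_tls or "ssl" in args[1:]):
            findings.append(f"listen {args[0]}: no TLS")
        elif name == "proxy_pass":
            # An http:// upstream is unencrypted, so it must stay on loopback.
            m = re.match(r"http://(\[[^\]]+\]|[^:/]+)", args[0])
            if m and not is_loopback(m.group(1)):
                findings.append(f"proxy_pass {args[0]}: cleartext hop leaves host")
    return findings


if __name__ == "__main__":
    for label, block in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit(block) or "ok")
```
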
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel