On 03/07/2009 03:03 PM, Joseph Oreste Bruni wrote: > On Mar 7, 2009, at 8:11 AM, Gab wrote: >> I wish to in https ssl the sks web interface . >> What are the directives for cert.pem and key.pem and to enable ssl ? > > I don't believe that the built-in web server supports SSL. However, you > could front-end SKS with Apache configured as a proxy.
We're currently doing this on zimmermann with nginx providing the
front-layer proxy (still using X.509-certified TLS, unfortunately). The
configuration snippet looks like this:
> server {
> listen 443;
> listen 11372;
> server_name zimmermann.mayfirst.org;
> ssl on;
> ssl_certificate /etc/ssl/certs/zimmermann.mayfirst.org-cert.pem;
> ssl_certificate_key /etc/ssl/private/zimmermann.mayfirst.org-key.pem;
> access_log off;
>
> location / {
> proxy_pass http://localhost:11371/;
> }
> }
We chose to listen on port 443 so people could browse to it with
https://zimmermann.mayfirst.org/ (the X.509 certificate offered here is
signed by a private certificate authority [0], which i have also
signed, if you care to certify it)
We also are listening on port 11372 because this seems to be the choice
of gnupg maintainers for hkp-over-tls (hkps?), according to this recent
(as yet unreleased) patch to gpg:
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
hope this is useful, and i'm happy to explain more details if folks are
interested.
--dkg
[0] https://support.mayfirst.org/wiki/mfpl_certificate_authority
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/sks-devel
