Re: [Sks-devel] HKPS configuration?
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] HKPS configuration?
Date: Tue, 11 Feb 2014 10:34:45 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
On 02/11/2014 10:27 AM, Christian Reiß wrote:
> hkps is basically a 443 to hkp forward - I am using nginx for that. Just
> be SURE you do NOT use SNI or rely on/need a vhost/hostname as some
> clients/most clients (gnupg) do not send this information. It is actually
> only feasible on a dedicated IP for SKS where Port 443 is solely used
> for https/hkps.
actually, you do need SNI, if you want to be able to provide a different
X.509 certificate to users who connect to it with different names.
zimmermann.mayfirst.org serves keys at both hkps://keys.mayfirst.org and
hkps://hkps.pool.sks-keyservers.net from the same IP address, and uses a
different X.509 certificate, depending on which host the client is
connecting to. This relies on the client using SNI.
All of this can be done on the same IP address as your existing hkp
service, but on TCP port 443.
--dkg
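The setup dkg describes, written out as an nginx configuration. This is an added example, not configuration from the thread or from zimmermann.mayfirst.org: two `server` blocks share one IP address and TCP port 443, nginx selects the block (and therefore the X.509 certificate) from the name the client sends in SNI, and both proxy to the existing SKS hkp listener. The certificate and key paths, and the backend address 127.0.0.1:11371, are assumptions; the two hostnames are the ones named in the message.

```nginx
# Added example (not from the thread): one IP, port 443, two hostnames,
# two certificates chosen by SNI, both forwarded to the local SKS hkp port.
# Certificate/key paths and the 127.0.0.1:11371 backend are assumptions.

# default_server: a client that sends no SNI at all (the case Christian
# raises) lands here and receives this certificate, so choose deliberately.
server {
    listen 443 ssl default_server;
    server_name keys.mayfirst.org;

    ssl_certificate     /etc/ssl/keys.mayfirst.org.crt;   # assumed path
    ssl_certificate_key /etc/ssl/keys.mayfirst.org.key;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:11371;   # existing SKS hkp service, assumed address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Same IP and port. nginx uses this block only when the client's SNI name
# matches, and then presents the pool certificate instead.
server {
    listen 443 ssl;
    server_name hkps.pool.sks-keyservers.net;

    ssl_certificate     /etc/ssl/hkps.pool.sks-keyservers.net.crt;  # assumed path
    ssl_certificate_key /etc/ssl/hkps.pool.sks-keyservers.net.key;  # assumed path

    location / {
        proxy_pass http://127.0.0.1:11371;   # same SKS backend as above
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

To confirm which certificate each name gets, connect to the server's IP once per name with `openssl s_client -connect <ip>:443 -servername keys.mayfirst.org` and again with `-servername hkps.pool.sks-keyservers.net`, and compare the subject of the certificate returned; a connection made without `-servername` shows what a non-SNI client such as the GnuPG versions Christian mentions will be handed, which is the `default_server` block's certificate.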