Re: [Sks-devel] HKPS + ssl + nginx
From: Alain Wolf
Subject: Re: [Sks-devel] HKPS + ssl + nginx
Date: Sat, 01 Aug 2015 16:58:57 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
On 31.07.2015 at 01:05, Mike Forbes wrote:
> So now begins the task of trying to make HKPS and SSL and SKS all work
> together.
>
> Currently we're serving up our main pgp pages with our own SSL cert
> (https://pgp.net.nz)
>
> If we were to serve this using the HKPS cert I imagine it would throw
> a certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.
>
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
>
> Our nginx config pushes all requests on port 80 to 443, then has a
> location section for /pks that points to the locally running sks
> daemon on 127.0.0.1:11371
>
> I'd love to hear how others have managed this.
>
I haven't tried it, as I don't have any SKS cert.
But an additional virtual nginx server using
*hkps.pool.sks-keyservers.net* as *servername* on port 443 and the
appropriate *ssl_certificate* and *ssl_certificate_key* should probably
do it.
Probably should be the default, so any client can use it, and browsers
can get to the one with your own cert by SNI.
Personally I use *Public-Key-Pins* and *Strict-Transport-Security*
instead of HTTP redirects, as we are not really sure how the various
pgp-clients handle the HTTP redirects.
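The two-virtual-server layout suggested in the reply, written out as an added nginx example (not configuration from either poster). It assumes the SKS daemon listens on 127.0.0.1:11371 as described in the thread, and the certificate paths are placeholders:

```nginx
# Added example, not from the original post. Assumes SKS listens on
# 127.0.0.1:11371 (as described in the thread) and that the two
# certificate pairs live at the PLACEHOLDER paths below.

# Plain HTTP: redirect browsers to HTTPS, as the original setup does.
server {
    listen 80;
    server_name pgp.net.nz;
    return 301 https://$host$request_uri;
}

# Virtual server 1: the site's own certificate. Browsers that send
# SNI for pgp.net.nz are routed here.
server {
    listen 443 ssl;
    server_name pgp.net.nz;
    ssl_certificate     /etc/ssl/PLACEHOLDER/pgp.net.nz.fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/pgp.net.nz.key;
    # HSTS in place of relying on redirects, as the reply suggests.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
    }
}

# Virtual server 2: the pool certificate. Marked default_server so
# HKPS clients that do not send SNI still receive the pool certificate.
server {
    listen 443 ssl default_server;
    server_name hkps.pool.sks-keyservers.net;
    ssl_certificate     /etc/ssl/PLACEHOLDER/hkps.pool.fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/hkps.pool.key;

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
    }
}
```

Verify which certificate each name receives with `openssl s_client -connect <host>:443 -servername pgp.net.nz` and again with `-servername hkps.pool.sks-keyservers.net`; the pool block should also be the one presented when no `-servername` is given.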