On Wed, 2020-04-01 at 18:52 +0000, Michael C. Jaeger wrote: Hi, Please go ahead, sound good in general, just allow me to understand the cases here
* either we add a 127.0.0.1 / snakeoil certificate and then there will be an error message in the browser that hostname does not match the cert when accessing the fossology over the network (server setup) - Yes. With a 127.0.0.1 we will get a warning in the browser when accessing it over the network. * or we try to determine the hostname but then there will be the same error when accessing the localhost? - I cannot say for sure. There may be a clever way to do this. For example, it may be possible to edit an install script with the hostname and generate the self-signed cert. But, and this is kind of a big but, it will still throw a warning. How about an optional step in the install as a script? This is likely the best approach. This way it can be an argument like "--self-signed-cert" or "--install-cert" to the script that the end user has to consciously add on. This way you'd likely have the flexibility to people to reuse their existing certificates, choose a self-signed cert, or simply ignore it entirely if they don't care. Thanks for your replies, it helps me know where my patches are likely to land and prioritizes my contributions. Cheers, Jeremiah Kind regards, Michael From: "Foster, Jeremiah" <jfos...@luxoft.com> Date: Wednesday, 1. April 2020 at 20:45 To: "fossol...@fossology.org" <fossol...@fossology.org>, "Jaeger, Michael C. (CT RDA SSI DOS-DE)" <michael.c.jae...@siemens.com> Subject: Re: [FOSSology] Hi I have a questions before using fossology On Wed, 2020-04-01 at 18:25 +0000, Jaeger, Michael C. wrote: Hi, I am not sure how the creation of a self signed certificate as part of the installation of the FOSSology software improves the situation. Well, in Debian, the self-signed "snake oil" cert can get you up and running with https quickly. If it were part of the default FOSSology install then we'd be encouraging encryption of passwords and other important data upon installation. Currently there are lots of warnings that might be ignored (bad) or improperly fixed (not so bad, depending). From a technical point of view, of course, we could even add a self signed certificate creation step in the post install operations. This might be good. I note that this script https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FOrange-OpenSource%2FFossology-Docker-Deploy-Scripts%2Fblob%2Fmaster%2Fsetup-container-web.sh&data=02%7C01%7Cmichael.c.jaeger%40siemens.com%7C51a95f9727cf41c6613808d7d66ce1f4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637213635456677949&sdata=RfiQxtSt0bBNSKF2lrFgf9iRLXMToyY7qtaCc6OpnkY%3D&reserved=0> does that in the Docker setup. Perhaps we merge some of that data into the official install? I'm writing some docs as we speak, I'll suggest a merge or PR. Of course M. Toussaint might as well. :-) But, for most cases, would self signed certificates work right out of the box? – we need to know the hostname of the machine we re on … maybe this is possible, but I, just do not know how reliably you can determine the hostname. And if some is using the fossology in a localhost setup, is it helpful to create a certificate with the hostname and then the user call localhost and the certificate does not match … I am missing the possibilies here, please let me know how this could work. Likely no, because we don't know the domain name and getting a cert from Let's Encrypt or another CA will require that you know, and control, the domain. To get around this, the Debian snake oil cert uses the localhost ip address 127.0.0.1. I have not seen a documentation (as part of the FOSSology documentation) of how to create a self signed certificate. Okay, I'll suggest what is hopefully a simple, easy-to-understand process since I think at least having these instructions helps support better security practice. I'll also hack on the configuration and set up (as little as possible) to make it easy-ish to have this OOTB. Cheers, Jeremiah Kind regards, Michael From: <fossology@lists.fossology.org> on behalf of "Jeremiah C. Foster" <jfos...@luxoft.com> Date: Wednesday, 1. April 2020 at 18:43 To: "fossol...@fossology.org" <fossol...@fossology.org> Subject: Re: [FOSSology] Hi I have a questions before using fossology On Tue, 2020-03-31 at 21:42 +0000, Michael C. Jaeger wrote: Hello, thanks for reaching out to us. To your questions: *) is source code leaking out from a fossology server? Answer: 1. Usually not , the fossology solution is entire self contained. You can run fossology entirely without access to the internet. The main point why you would need Internet access is about updating your OS and packages. 2. But please understand that despite the FOSSology server can run everything on its own database, it your responsibility to secure your server installation from being hacked. One first task would be to enable a connection using https. Is there documentation on doing this? I understand that there is plenty of documentation already on the internet that describes using TLS and certificates with apache and nginx, but there doesn't appear to be a ton of documentation on the way that FOSSology sets things up. For example, FOSSology does not appear add a self-signed cert which would enable https upon installation. Am I mistaken, is there more info on this? Regards, Jeremiah ________________________________ This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you. ________________________________ This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you. ________________________________ This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3349): https://lists.fossology.org/g/fossology/message/3349 Mute This Topic: https://lists.fossology.org/mt/72670290/21656 Group Owner: fossology+ow...@lists.fossology.org Unsubscribe: https://lists.fossology.org/g/fossology/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
