I'd suggest getting free SSL certificates from Let's Encrypt -- https://letsencrypt.org/
There's been some discussion in the past on this subject on the Evergreen dev mailing list: http://list.georgialibraries.org/pipermail/open-ils-dev/2016-June/010153.html While I'd be curious to see how that would affect a primarily intranet based Evergreen system (meaning, I think you'd still want to have a FQDN hostname for your Evergreen system and not a local hostname or IP address used internally), I think that they offer a good service for SSL certificates. I imagine there's plenty more thoughts or suggestions on the subject since that time. -- Ben On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro <stomp...@exchange.larl.org> wrote: > StartSSL shouldn’t be used any more. They were banned from Chrome and > Firefox early this year because of reasons including the fact that they were > silently purchased by a Chinese company, and because they were issuing back > dated certificates to get around the SHA-1 phase out. They also allowed > users to get certificates for main domains if they could certify that they > had control of subdomains. > > > > https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/ > > > > Josh Stompro - LARL IT Director > > > > From: Open-ils-general > [mailto:open-ils-general-boun...@list.georgialibraries.org] On Behalf Of > Bill Ott > Sent: Thursday, March 30, 2017 9:10 AM > To: open-ils-general@list.georgialibraries.org > Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS > > > > For single server implementations, there are also free certificates > available from organizations like StartSSL. > > > > On 03/30/2017 10:04 AM, Rogan Hamby wrote: > > While SSL on an intranet may not be necessary it still isn't harmful. I may > be of a paranoid bent but you can have security issues even on an intranet, > especially large geographically distributed ones. And with the increasingly > punitive behavior of browsers to punish non-encrypted connections in various > ways (usually with warnings and such) I'd question if it would be easier to > just implement the SSL for the intranet than try to pass around it. > > > > > > > Rogan Hamby > > Data and Project Analyst > > Equinox Open Library Initiative > > phone: 1-877-OPEN-ILS (673-6457) > > email: ro...@equinoxinitiative.org > > web: http://EquinoxInitiative.org > > > > On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <ja...@sigio.com> wrote: > > I should add that the staff client requires SSL and there's no easy way > to chagne that, so you can't completely disable SSL and expect things to > still function properly. > > > > > On 03/30/2017 09:23 AM, Jason Stephenson wrote: >> Jayaraj, >> >> It would be done via the Apache configuration files. You'd move >> everything from the SSL enabled vhost configurations to the non-SSL >> vhosts, i.e everything from the port 443 configuration sections to the >> port 80 configuration. Some of that configuration is duplicated, so only >> the unique things need to go. >> >> There may also be some directives to force SSL on some locations. You'll >> want to remove those also. >> >> I'm writing this from memory without looking at the files, which is >> alway a bad thing to do, but I think that covers it. >> >> HtH, >> Jason >> >> On 03/30/2017 04:16 AM, Jayaraj JR wrote: >>> Hello, >>> >>> Greetings of the day ! >>> >>> SSL or https is a better option as far as security is concerned. But the >>> heightened security level may not be necessary at many times especially >>> while using Evergreen in Intranet. Besides the browser often warns the >>> user that entering to my account in evergreen catalog is dangerous if >>> purchased SSL is not implemented. This may often create confusion for >>> childern and beginning users who are not well versed with computers. >>> They are very often advised to add security exception for accessing the >>> library catalog. >>> >>> It would appreciable, if any option or configuration is available to >>> disable the SSL and to use the full library catalog via http. >>> Kindly advice the configuration to use my account in Evergreen catalog >>> via http itself and not https >>> >>> -- >>> Thanks in Advance, >>> >>> Jayaraj J R >>> Library Information Assistant >>> IISER Thiruvananthapuram > > > > -- Benjamin Shum Evergreener