[CentOS-docs] about Release Notes 6.8 , word "TLSv1.2" should be changed to "TLS v1.2"

2016-06-15 Thread YosiyukiOoyama

In Release Notes 6.8, at the section "Major changes",
the word "TlSv1.2" should be changed to "TLS v1.2".

  TlSv1.2 -> TLS v1.2


Now, in these Release Notes, it is not "CentOS6" but "CentOS 6",

And now, not "SMBIOS3.0.0 " but "SMBIOS 3.0.0 ".

But now, why not "TLS v1.2" but "TlSv1.2" ?

___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread Johnny Hughes
On 06/15/2016 10:18 PM, Johnny Hughes wrote:
> On 06/15/2016 05:10 PM, jsl6uy js16uy wrote:
>> Thanks much for the reply!
>> Some sec updates/bug fixes have been applied thru the run of 6u5 and after,
>> but yes, still firmly in 6u5 land. Guess will have to test.
>> Broadwell cpus do run in the OS, but "6u5" is stated as not supporting
>> 26XXv4 chipsets.
>>
> 
> Theoretically, it should be possible to run the latest kernel with other
> older CentOS-6 packages.  It may or may not function correctly.  That
> setup would NOT be supported for RHEL (for example).  You would
> therefore need to test it to see if it works well enough for you to use.
> 
> But theoretically it is also possible to run whatever workload you are
> trying to run on the latest '6.7 + updates'.
>


And '6.8 + updates' .. did I forget that I released that less than a
month ago :)


> You would need to test both scenarios to see which one supports your
> workload the best.
> 
> I would point out that we provide CentOS-6, which is defined as all the
> latest updates installed.  Point releases are just a mechanism to create
> installable trees and new installers for new hardware at a point in
> time. It has never been a tested scenario to only pick and choose
> updates while not installing all of them.
> 
> There have been more than one CRITICAL update to CentOS since the 6.5
> tree and installable media were released, including several updates that
> correct security issues which have their own name and website.  Many of
> those issues are remotely exploitable .. the actual definition of a
> 'CRITICAL' update from Red Hat's perspective is:
> 
> "This rating is given to flaws that could be easily exploited by a
> remote unauthenticated attacker and lead to system compromise (arbitrary
> code execution) without requiring user interaction. These are the types
> of vulnerabilities that can be exploited by worms. Flaws that require an
> authenticated remote user, a local user, or an unlikely configuration
> are not classed as Critical impact."
> 
> Taken from:
> https://access.redhat.com/security/updates/classification
> 
> I would think that a customer who had data stolen or was somehow hurt by
> an entity who purposely ran servers that came into contact with the
> internet and also purposely ran software that had CRITICAL and
> correctable security flaws present would be very upset.  I would also
> think that they would expect an entity to install every security update
> to protect their data .. But what do I know.
> 
> Thanks,
> Johnny Hughes
> 
>> On Wed, Jun 15, 2016 at 4:56 PM, John R Pierce  wrote:
>>
>>> On 6/15/2016 2:48 PM, jsl6uy js16uy wrote:
>>>
>>>> Hello, all. Hope all is well
>>>> Is it possible to install kernel and support files from 6u7 into a base
>>>> 6u5
>>>> image to achieve full broadwell support in 6u5?
>>>> We are "locked", clearly not fully since willing to up jump kernels, on
>>>> 6u5.

>>>
>>>
>>> "Locked", meaning you're running a ~3 old OS with no security or bugfix
>>> updates? That's not good.
>>>
>>> All centos 6 systems are the same base version 2.6.32 kernel, with fixes
>>> and updates backported.   If you're asking, can you run the 2.6.32-573
>>> kernel with a 6u5 everything-else, well, everything else was never tested
>>> with that kernel.





___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread John R Pierce

On 6/15/2016 8:18 PM, Johnny Hughes wrote:

I would point out that we provide CentOS-6, which is defined as all the
latest updates installed.  Point releases are just a mechanism to create
installable trees and new installers for new hardware at a point in
time. It has never been a tested scenario to only pick and choose
updates while not installing all of them.


+100


I would think that a customer who had data stolen or was somehow hurt by
an entity who purposely ran servers that came into contact with the
internet and also purposely ran software that had CRITICAL and
correctable security flaws present would be very upset.  I would also
think that they would expect an entity to install every security update
to protect their data .. But what do I know.


+100^2




--
john r pierce, recycling bits in santa cruz



Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread Johnny Hughes
On 06/15/2016 05:10 PM, jsl6uy js16uy wrote:
> Thanks much for the reply!
> Some sec updates/bug fixes have been applied thru the run of 6u5 and after,
> but yes, still firmly in 6u5 land. Guess will have to test.
> Broadwell cpus do run in the OS, but "6u5" is stated as not supporting
> 26XXv4 chipsets.
> 

Theoretically, it should be possible to run the latest kernel with other
older CentOS-6 packages.  It may or may not function correctly.  That
setup would NOT be supported for RHEL (for example).  You would
therefore need to test it to see if it works well enough for you to use.

But theoretically it is also possible to run whatever workload you are
trying to run on the latest '6.7 + updates'.

You would need to test both scenarios to see which one supports your
workload the best.

I would point out that we provide CentOS-6, which is defined as all the
latest updates installed.  Point releases are just a mechanism to create
installable trees and new installers for new hardware at a point in
time. It has never been a tested scenario to only pick and choose
updates while not installing all of them.

There have been more than one CRITICAL update to CentOS since the 6.5
tree and installable media were released, including several updates that
correct security issues which have their own name and website.  Many of
those issues are remotely exploitable .. the actual definition of a
'CRITICAL' update from Red Hat's perspective is:

"This rating is given to flaws that could be easily exploited by a
remote unauthenticated attacker and lead to system compromise (arbitrary
code execution) without requiring user interaction. These are the types
of vulnerabilities that can be exploited by worms. Flaws that require an
authenticated remote user, a local user, or an unlikely configuration
are not classed as Critical impact."

Taken from:
https://access.redhat.com/security/updates/classification

I would think that a customer who had data stolen or was somehow hurt by
an entity who purposely ran servers that came into contact with the
internet and also purposely ran software that had CRITICAL and
correctable security flaws present would be very upset.  I would also
think that they would expect an entity to install every security update
to protect their data .. But what do I know.

Thanks,
Johnny Hughes

> On Wed, Jun 15, 2016 at 4:56 PM, John R Pierce  wrote:
> 
>> On 6/15/2016 2:48 PM, jsl6uy js16uy wrote:
>>
>>> Hello, all. Hope all is well
>>> Is it possible to install kernel and support files from 6u7 into a base
>>> 6u5
>>> image to achieve full broadwell support in 6u5?
>>> We are "locked", clearly not fully since willing to up jump kernels, on
>>> 6u5.
>>>
>>
>>
>> "Locked", meaning you're running a ~3 old OS with no security or bugfix
>> updates? That's not good.
>>
>> All centos 6 systems are the same base version 2.6.32 kernel, with fixes
>> and updates backported.   If you're asking, can you run the 2.6.32-573
>> kernel with a 6u5 everything-else, well, everything else was never tested
>> with that kernel.







[CentOS] KVM issue

2016-06-15 Thread John R Pierce
running centos 6...  have had a KVM linux vm (also C6) going for quite 
awhile that depends on a USB device mapping (a external audio DAC module).


I updated the host today (yum update), it had been awhile (was like 6.5 
before, now its 6.8+), and rebooted.  the VM won't restart.


when I try and restart it, I get this

Error restoring domain: internal error Did not find USB device 8bb:2704 bus:5 device:4


Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1125, in startup
    self._backend.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 686, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Did not find USB device 8bb:2704 bus:5 device:4


using virsh edit mydomain, I see...


  


  


and on the host, lsusb shows...

# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 002: ID 08bb:2704 Texas Instruments Audio Codec


note the TI Audio device is bus 5, dev 2. Why is KVM insisting it's 
bus 5 dev 4?   I've deleted the device from the VM and tried to start 
it, same error.   I've looked in every kvm/qemu related conf file I can 
find, no sign of bus 5 dev 4.


# virsh start mydomain
error: Failed to start domain mydomain
error: internal error Did not find USB device 8bb:2704 bus:5 device:4


how can I fix this?



--
john r pierce, recycling bits in santa cruz

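An added check, not from the post: it parses libvirt's error text and the lsusb listing above (both embedded as constructed samples) and reports where the 08bb:2704 device currently sits. The zero-padding step is needed because libvirt prints the vendor id 08bb as 8bb.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile the USB device libvirt
# complained about with what lsusb currently reports on the host.

# Constructed sample: the host's lsusb output from the post.
LSUSB_SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 002: ID 08bb:2704 Texas Instruments Audio Codec'

# libvirt_error_fields "MESSAGE": prints "VENDOR:PRODUCT BUS DEVICE" parsed
# from a "Did not find USB device V:P bus:B device:D" error, nothing otherwise.
libvirt_error_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*Did not find USB device \([0-9a-fA-F]*:[0-9a-fA-F]*\) bus:\([0-9]*\) device:\([0-9]*\).*/\1 \2 \3/p'
}

# usb_find_by_id VENDOR:PRODUCT: reads lsusb output on stdin and prints
# "BUS DEVICE" for every matching device. Both ids are zero-padded to four
# hex digits first, because libvirt prints 08bb as 8bb.
usb_find_by_id() {
    vid=$(printf '%04x' "0x${1%%:*}")
    pid=$(printf '%04x' "0x${1#*:}")
    awk -v want="$vid:$pid" 'tolower($6) == want { printf "%d %d\n", $2, $4 }'
}

# usb_hostdev_status VENDOR:PRODUCT BUS DEVICE: reads lsusb output on stdin
# and prints "ok" if the device sits at BUS/DEVICE, "moved:BUS:DEVICE" with
# its current address if it is elsewhere, or "absent" if it is not plugged in.
usb_hostdev_status() {
    found=$(usb_find_by_id "$1")
    if [ -z "$found" ]; then
        echo absent
    elif printf '%s\n' "$found" | awk -v b="$2" -v d="$3" \
            '$1 == b + 0 && $2 == d + 0 { hit = 1 } END { exit !hit }'; then
        echo ok
    else
        echo "moved:$(printf '%s\n' "$found" | head -n 1 | tr ' ' ':')"
    fi
}

# Walk the error message from the post against the sample lsusb output.
demo_kvm_usb() {
    set -- $(libvirt_error_fields "internal error Did not find USB device 8bb:2704 bus:5 device:4")
    printf '%s\n' "$LSUSB_SAMPLE" | usb_hostdev_status "$1" "$2" "$3"
}

demo_kvm_usb
```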


[CentOS] Unable to mount a USB DVD drive

2016-06-15 Thread Benjamin Smith
I can't seem to get an external DVD drive to show up on an CentOS 7 server. 
Wondering if it's just missing a driver or if I'm missing something 
fundamental. 

It's an external USB device that works fine on my Fedora 21 Laptop, but I never 
get a /dev/ entry (EG: /dev/sr0) on the server.  

What can I do to make this thing work?


[root@norman ~]# tail -f /var/log/messages; # inserting the device into a port 
Jun 15 18:29:38 norman kernel: usb 1-3: new high-speed USB device number 5 using ehci-pci
Jun 15 18:29:38 norman kernel: usb 1-3: New USB device found, idVendor=13fd, idProduct=1040
Jun 15 18:29:38 norman kernel: usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 15 18:29:38 norman kernel: usb 1-3: Product: RW/DVD_GCC-T10N
Jun 15 18:29:38 norman kernel: usb 1-3: Manufacturer: Initio
Jun 15 18:29:38 norman kernel: usb 1-3: SerialNumber: W


[root@norman ~]# lsusb
Bus 001 Device 005: ID 13fd:1040 Initio Corporation INIC-1511L PATA Bridge
Bus 002 Device 002: ID 413c:2107 Dell Computer Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


[root@norman ~]# usb-devices 

T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 8
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev=03.10
S:  Manufacturer=Linux 3.10.0-229.20.1.el7.x86_64 ehci_hcd
S:  Product=EHCI Host Controller
S:  SerialNumber=:00:1c.3
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=13fd ProdID=1040 Rev=01.06
S:  Manufacturer=Initio
S:  Product=RW/DVD_GCC-T10N 
S:  SerialNumber=W
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=2mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=05 Prot=50 Driver=(none)
--SNIP--



This is what tail -f /var/log/messages looks like on my F21 laptop: 
Jun 15 18:41:35 tesla kernel: [  913.678526] usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 15 18:41:35 tesla kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jun 15 18:41:36 tesla kernel: [  913.843709] usb 1-2: New USB device found, idVendor=13fd, idProduct=1040
Jun 15 18:41:36 tesla kernel: [  913.843713] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 15 18:41:36 tesla kernel: [  913.843715] usb 1-2: Product: RW/DVD_GCC-T10N
Jun 15 18:41:36 tesla kernel: [  913.843717] usb 1-2: Manufacturer: Initio
Jun 15 18:41:36 tesla kernel: [  913.843718] usb 1-2: SerialNumber: W
Jun 15 18:41:36 tesla kernel: usb 1-2: New USB device found, idVendor=13fd, idProduct=1040
Jun 15 18:41:36 tesla kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 15 18:41:36 tesla kernel: usb 1-2: Product: RW/DVD_GCC-T10N
Jun 15 18:41:36 tesla kernel: usb 1-2: Manufacturer: Initio
Jun 15 18:41:36 tesla kernel: usb 1-2: SerialNumber: W
Jun 15 18:41:36 tesla mtp-probe: checking bus 1, device 5: "/sys/devices/pci:00/:00:14.0/usb1/1-2"
Jun 15 18:41:36 tesla mtp-probe: bus: 1, device: 5 was not an MTP device
Jun 15 18:41:36 tesla kernel: [  913.863969] usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 15 18:41:36 tesla kernel: [  913.864035] scsi host6: usb-storage 1-2:1.0
Jun 15 18:41:36 tesla kernel: [  913.864099] usbcore: registered new interface driver usb-storage
Jun 15 18:41:36 tesla kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 15 18:41:36 tesla kernel: scsi host6: usb-storage 1-2:1.0
Jun 15 18:41:36 tesla kernel: usbcore: registered new interface driver usb-storage
Jun 15 18:41:37 tesla kernel: [  914.864033] scsi 6:0:0:0: CD-ROM            HL-DT-ST RW/DVD_GCC-T10N  1.01 PQ: 0 ANSI: 0
Jun 15 18:41:37 tesla kernel: scsi 6:0:0:0: CD-ROM            HL-DT-ST RW/DVD_GCC-T10N  1.01 PQ: 0 ANSI: 0
Jun 15 18:41:37 tesla kernel: [  914.867503] sr 6:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray
Jun 15 18:41:37 tesla kernel: [  914.867517] cdrom: Uniform CD-ROM driver Revision: 3.20
Jun 15 18:41:37 tesla kernel: [  914.867814] sr 6:0:0:0: Attached scsi generic sg2 type 5
Jun 15 18:41:37 tesla kernel: sr 6:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray
Jun 15 18:41:37 tesla kernel: cdrom: Uniform CD-ROM driver Revision: 3.20
Jun 15 18:41:37 tesla kernel: sr 6:0:0:0: Attached scsi generic sg2 type 5

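An added example, not part of the post: a parser for the usb-devices output above that flags mass-storage interfaces (Cls=08) with no driver bound, which is exactly how the CentOS 7 listing differs from the Fedora log, where usb-storage claims the drive and sr0 appears. The sample is constructed from the post's output; the subclass and protocol names are the USB mass-storage class codes.

```shell
#!/bin/sh
# Added example, not from the thread: find USB mass-storage interfaces that
# no kernel driver has claimed, the state the CentOS 7 usb-devices output
# shows for the DVD drive (Cls=08(stor.) ... Driver=(none)).

# Constructed sample modelled on the post's usb-devices output.
USB_DEVICES_SAMPLE='T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 8
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev=03.10
S:  Manufacturer=Linux 3.10.0-229.20.1.el7.x86_64 ehci_hcd
S:  Product=EHCI Host Controller
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=13fd ProdID=1040 Rev=01.06
S:  Manufacturer=Initio
S:  Product=RW/DVD_GCC-T10N
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=2mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=05 Prot=50 Driver=(none)'

# unbound_storage_interfaces: reads usb-devices output on stdin and prints
# one line per driverless mass-storage interface:
#   BUS DEV VENDOR:PRODUCT IF# SUBCLASS PROTOCOL PRODUCT-STRING
unbound_storage_interfaces() {
    awk '
    BEGIN { RS = ""; FS = "\n" }            # one record per blank-line separated device block
    function field(line, key,    m) {        # value of "key=..." in line, leading blanks removed
        if (match(line, key "= *[^ ]+")) {
            m = substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            sub(/^ */, "", m); return m
        }
        return ""
    }
    {
        bus = dev = id = prod = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line ~ /^T:/) { bus = field(line, "Bus") + 0; dev = field(line, "Dev#") + 0 }
            else if (line ~ /^P:/) id = field(line, "Vendor") ":" field(line, "ProdID")
            else if (line ~ /^S:  Product=/) { prod = line; sub(/^S:  Product=/, "", prod) }
            else if (line ~ /^I:/) {
                cls = field(line, "Cls"); sub(/\(.*/, "", cls)   # "08(stor.)" -> "08"
                if (cls == "08" && field(line, "Driver") == "(none)")
                    printf "%d %d %s %d %s %s %s\n", bus, dev, id, field(line, "If#") + 0,
                        field(line, "Sub"), field(line, "Prot"), prod
            }
        }
    }'
}

# describe_storage_iface SUBCLASS PROTOCOL: names the mass-storage subclass
# and transport codes that usb-devices prints in hex.
describe_storage_iface() {
    case $1 in
        01) s="RBC";; 02) s="MMC-5 (ATAPI)";; 04) s="UFI";;
        05) s="SFF-8070i";; 06) s="SCSI transparent";; *) s="subclass $1";;
    esac
    case $2 in
        00|01) p="CBI";; 50) p="bulk-only";; 62) p="UAS";; *) p="protocol $2";;
    esac
    echo "$s/$p"
}

# Report every unclaimed storage interface in the sample, decoded.
demo_unbound_storage() {
    printf '%s\n' "$USB_DEVICES_SAMPLE" | unbound_storage_interfaces |
    while read -r bus dev id ifnum sub prot prod; do
        echo "bus $bus dev $dev $id if $ifnum ($(describe_storage_iface "$sub" "$prot")): $prod has no driver bound"
    done
}

demo_unbound_storage
```

A hit means the kernel has enumerated the device but usb-storage has not attached to its interface, so no SCSI host and no /dev/sr0 will ever be created for it.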


Re: [CentOS] Is there popular multimedia framework supported in centos

2016-06-15 Thread Gordon Messmer

On 06/15/2016 09:20 AM, applema...@163.com wrote:

I know gstreamer is written in c Language. Is there popular multimedia 
framework written in c++ supported in centos? Thanks!


gstreamermm is the C++ bindings for gstreamer.

Otherwise:
https://www.google.com/#safe=off=c%2B%2B+multimedia+api+linux


Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread jsl6uy js16uy
Thanks much for the reply!
Some sec updates/bug fixes have been applied thru the run of 6u5 and after,
but yes, still firmly in 6u5 land. Guess will have to test.
Broadwell cpus do run in the OS, but "6u5" is stated as not supporting
26XXv4 chipsets.

regards

On Wed, Jun 15, 2016 at 4:56 PM, John R Pierce  wrote:

> On 6/15/2016 2:48 PM, jsl6uy js16uy wrote:
>
>> Hello, all. Hope all is well
>> Is it possible to install kernel and support files from 6u7 into a base
>> 6u5
>> image to achieve full broadwell support in 6u5?
>> We are "locked", clearly not fully since willing to up jump kernels, on
>> 6u5.
>>
>
>
> "Locked", meaning you're running a ~3 old OS with no security or bugfix
> updates? That's not good.
>
> All centos 6 systems are the same base version 2.6.32 kernel, with fixes
> and updates backported.   If you're asking, can you run the 2.6.32-573
> kernel with a 6u5 everything-else, well, everything else was never tested
> with that kernel.
>
>
>
> --
> john r pierce, recycling bits in santa cruz
>
>


Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread John R Pierce

On 6/15/2016 2:48 PM, jsl6uy js16uy wrote:

Hello, all. Hope all is well
Is it possible to install kernel and support files from 6u7 into a base 6u5
image to achieve full broadwell support in 6u5?
We are "locked", clearly not fully since willing to up jump kernels, on 6u5.



"Locked", meaning you're running a ~3 old OS with no security or bugfix 
updates? That's not good.


All centos 6 systems are the same base version 2.6.32 kernel, with fixes 
and updates backported.   If you're asking, can you run the 2.6.32-573 
kernel with a 6u5 everything-else, well, everything else was never 
tested with that kernel.




--
john r pierce, recycling bits in santa cruz



[CentOS] Pulling in broadwell support for cent6u5

2016-06-15 Thread jsl6uy js16uy
Hello, all. Hope all is well
Is it possible to install kernel and support files from 6u7 into a base 6u5
image to achieve full broadwell support in 6u5?
We are "locked", clearly not fully since willing to up jump kernels, on 6u5.

Thanks for any and all help


Re: [CentOS-es] Help with network card on CentOS 7

2016-06-15 Thread José Roberto Alas
On 14 June 2016 at 12:37, César Martinez
 wrote:
> Greetings friends, I hope you are all well. I am starting to migrate certain
> servers bit by bit, especially CentOS 5 ones because of their end-of-support
> date. I have configured the first one and it is currently working very well;
> actually not much had to be changed in the configuration files.
>
> I have configured the WAN and LAN network cards, but when I list them two IPs
> show up on the same card (WAN). The first one, masked with XX.XX to protect
> sensitive data, is the one the ISP actually gave me; the other one I have no
> idea where it came from.
>
> I have set up some NAT rules towards services on other local machines, but
> some are working for me and others are not. I tested these NAT rules on the
> old CentOS 5 server and they all work, which is why I think the NAT gets lost
> at times because the main interface has two IPs.
>
> 2: enp1s0:  mtu 1500 qdisc pfifo_fast state
> UP qlen 1000
> link/ether ec:08:6b:03:9e:2f brd ff:ff:ff:ff:ff:ff
> *inet XXX.XXX.XXX.XXX*/30 brd XX.XX.XX.XX scope global enp1s0
>valid_lft forever preferred_lft forever
> *inet 192.168.1.254/24* brd 192.168.1.255 scope global dynamic enp1s0
>valid_lft 604sec preferred_lft 604sec

Odd, I suppose the *inet means something, like a conflict.
>
> 3: enp2s0:  mtu 1500 qdisc pfifo_fast state
> UP qlen 1000
> link/ether b8:97:5a:cc:d9:a2 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.1/24 brd 192.168.0.255 scope global enp2s0
>valid_lft forever preferred_lft forever
>
> In the card's configuration file I have this
>
> cat /etc/sysconfig/network-scripts/ifcfg-enp1s0
> HWADDR="ec:08:6b:03:9e:2f"
> TYPE=Ethernet
> BOOTPROTO=no
> DEFROUTE=yes
> PEERDNS=yes
> PEERROUTES=yes
> IPV4_FAILURE_FATAL=no
> IPV6INIT=no
> IPV6_AUTOCONF=no
> IPV6_DEFROUTE=no
> IPV6_PEERDNS=no
> IPV6_PEERROUTES=no
> IPV6_FAILURE_FATAL=no
> NAME=enp1s0
> UUID=c2684e1b-246e-42a7-9e2c-75a8fdc9b5eb
> DEVICE=enp1s0
> ONBOOT=yes
> IPADDR=XX.XX.XX.XXX
> NETMASK=255.255.255.252
> GATEWAY=XX.XX.XX.XX
> DNS1=XX.XX.XX.XX
> DNS2=8.8.8.4
>
You should leave BOOTPROTO as 'static' and strip the file down to the basic options


> cat /etc/sysconfig/network-scripts/ifcfg-enp2s0
> TYPE=Ethernet
> BOOTPROTO=static
> DEFROUTE=yes
> PEERDNS=yes
> PEERROUTES=yes
> IPV4_FAILURE_FATAL=no
> IPV6INIT=no
> IPV6_AUTOCONF=no
> IPV6_DEFROUTE=no
> IPV6_PEERDNS=no
> IPV6_PEERROUTES=no
> IPV6_FAILURE_FATAL=no
> NAME=enp2s0
> UUID=93527eab-6375-4fb6-b5df-2029d946e453
> DEVICE=enp2s0
> ONBOOT=yes
> IPADDR=192.168.0.1
> NETMASK=255.255.255.0
>
> Thanks to everyone who can help me with this question
>
> --
> Kind regards
>
> |César Martínez M. | Systems Engineer | SERVICOM
> |Tel: (593-2)554-271 2221-386 | Ext 4501
> |Mobile: 0999374317 |Skype servicomecuador
> |Web www.servicomecuador.com Follow us on:
> |Twitter: @servicomecuador |Facebook: servicomec
> |Client area: www.servicomecuador.com/billing
> |Blog: http://servicomecuador.com/blog
> |Address: Av. 10 de Agosto N29-140 between
> |Acuña and Cuero y Caicedo
> |Quito - Ecuador - South America
>
> ___
> CentOS-es mailing list
> CentOS-es@centos.org
> https://lists.centos.org/mailman/listinfo/centos-es



-- 
Regards,
cheperobert
___
CentOS-es mailing list
CentOS-es@centos.org
https://lists.centos.org/mailman/listinfo/centos-es
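An added check, not from the thread, run against the configuration and ip output quoted above (embedded as constructed samples, public addresses masked as in the original): it flags a BOOTPROTO value that is not one of the documented ones and any finite-lifetime (dynamic) address on an interface that carries a fixed IPADDR, which is the state enp1s0 is in above.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ifcfg file against the live
# addresses `ip addr` reports. Samples are constructed from the post.

IFCFG_SAMPLE='HWADDR="ec:08:6b:03:9e:2f"
TYPE=Ethernet
BOOTPROTO=no
DEFROUTE=yes
NAME=enp1s0
DEVICE=enp1s0
ONBOOT=yes
IPADDR=XX.XX.XX.XXX
NETMASK=255.255.255.252
GATEWAY=XX.XX.XX.XX'

IP_ADDR_SAMPLE='2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether ec:08:6b:03:9e:2f brd ff:ff:ff:ff:ff:ff
    inet XXX.XXX.XXX.XXX/30 brd XX.XX.XX.XX scope global enp1s0
       valid_lft forever preferred_lft forever
    inet 192.168.1.254/24 brd 192.168.1.255 scope global dynamic enp1s0
       valid_lft 604sec preferred_lft 604sec
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether b8:97:5a:cc:d9:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever'

# ifcfg_get KEY: reads an ifcfg file on stdin, prints KEY's value without quotes.
ifcfg_get() {
    sed -n "s/^$1=//p" | head -n 1 | tr -d "\"'"
}

# ip_addrs IFACE: reads `ip addr` output on stdin and prints
# "CIDR static|dynamic" for each IPv4 address on IFACE.
ip_addrs() {
    awk -v want="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); next }   # "2: enp1s0: <...>" header
        cur == want && $1 == "inet" {
            kind = "static"
            for (i = 3; i <= NF; i++) if ($i == "dynamic") kind = "dynamic"
            print $2, kind
        }'
}

# audit_ifcfg IFCFG_TEXT IP_TEXT: prints one finding per line, nothing if clean.
audit_ifcfg() {
    dev=$(printf '%s\n' "$1" | ifcfg_get DEVICE)
    proto=$(printf '%s\n' "$1" | ifcfg_get BOOTPROTO | tr 'A-Z' 'a-z')
    ipaddr=$(printf '%s\n' "$1" | ifcfg_get IPADDR)
    case $proto in
        none|static|dhcp|bootp) ;;
        *) echo "$dev: BOOTPROTO='$proto' is not a recognised value (none, static, dhcp, bootp)";;
    esac
    # A fixed IPADDR with anything other than dhcp/bootp means the interface is
    # meant to be static, so an address with a finite lifetime on it is a finding.
    if [ -n "$ipaddr" ] && [ "$proto" != dhcp ] && [ "$proto" != bootp ]; then
        printf '%s\n' "$2" | ip_addrs "$dev" | awk -v dev="$dev" \
            '$2 == "dynamic" { print dev ": " $1 " is dynamically assigned on an interface meant to be static" }'
    fi
}

audit_ifcfg "$IFCFG_SAMPLE" "$IP_ADDR_SAMPLE"
```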


Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 10:40 AM, Valeri Galtsev  wrote:
> 
> Thanks, that means no need to install CA. There is always someone (Thanks,
> Warren!) who looked deeper into things, and can explain them.

I claimed that the topic fills books.  That wasn’t an exaggeration.  Back in 
1997, I read the first edition of this thick tome:

  http://shop.oreilly.com/product/9780596000455.do

The second edition is about 50% bigger, and it’s about 15 years old now, so it 
could probably be 1,000 pages and still not cover everything about the modern 
Internet PKI.

I’m not sure I could recommend a book that old in a field that still changes as 
much as web security does.  Perhaps someone else could recommend something more 
current.

> I need to look deeper myself how the identity of the server
> is ensured in this case

As I said in a prior email, there are different grades of certificate.  I 
mentioned EV and DV.  There’s also OV:

  https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/

> (i.e. whether tier 2, tier 3, …

The tier doesn’t affect how the CA does validation.  You could have a very 
meticulous tier 3 EV provider and a sloppy tier 1 provider that only does DV.

> can
> I still trust that the physical entity owning server cert is indeed who it
> claims to be).

It’s a chain of trust: the browser vendor trusts these 1,100 CAs, and you trust 
the browser vendor, so you implicitly trust all of the certs signed, directly 
or indirectly by those CAs.

If you want to take an active role in this, you need to go into the trust store 
for the browser(s) you use and remove CAs you do not trust.


Re: [CentOS] https and self signed

2016-06-15 Thread m . roth
John Hodrien wrote:
> On Wed, 15 Jun 2016, John R Pierce wrote:
>
>> On 6/15/2016 6:47 AM, Jerry Geis wrote:
>>>  How do I get past this? I was looking to just self sign for https.
>>
>> in my admittedly limited experience with this stuff, you need to create
>> your own rootCA, and use that to sign your certificates, AND you need
to take
>> the public key of the rootCA and import it into any trust stores that will
>> be used to verify said certificates.
>
> If you don't do this, then there's no real point using SSL at all, and you
> *should* be forced to override security with arguments:
>
> wget --no-check-certificate
> curl --insecure

Or, maybe, you're working in a domain, and one upper level website is set
up with https-use-strict recursive, so it breaks *everything* below.
I'd like to be able to say "but not me" in the website configuration page
- maybe it just throws up a warning, to remind you to pull it when it goes
live, but for dev & test

 mark, really tired of it breaking our *internal* documentation wiki
   for me



Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev

On Wed, June 15, 2016 10:31 am, Scott Robbins wrote:
> On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote:
>>
>> On Wed, June 15, 2016 9:17 am, Warren Young wrote:
>> >>
>> >> Nowadays it's quite easy to get normal ssl certificates for free.
>> E.g.
>> >
>> > Today, I would prefer Let’s Encrypt:
>> >
>> >   https://letsencrypt.org/
>> >
>> > It is philosophically aligned with the open source software world,
>> rather
>> > than act as bait for a company that would prefer to sell you a cert
>> > instead.
>>
>> I have got question for experts. I just opened settings of Firefox
>> (latest, on FreeBSD), and took a look at the list of Certification
>> Authorities it comes with.
>>
>> I do see WoSign there (though I'd prefer to avoid my US located servers
>> have certificates signed by authority located in China, hence located
>> sort
>> of behind "the great firewall of China" - call me superstitious).
>>
>> I do not see neither starttls.com nor letsencrypt.org between
>> Authorities
>> certificates.
>
>
> I'm not an expert by any means, but I use letsencrypt (mostly for testing)
> and it's always worked for me in FreeBSD with Firefox, without any special
> effort on my part.
> You can try https://srobb.net which is using letsencrypt as its cert.

Thanks, Scott, I made a note, and will use it if there ever will be a need
(Now I get certs signed through institutional channel by intermediate
authority as well!). Intermediate CAs somehow slept my mind today (I
probably missed my morning coffee ;-)

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev

On Wed, June 15, 2016 10:38 am, Warren Young wrote:
> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev 
> wrote:
>>
>> I do see WoSign there (though I'd prefer to avoid my US located servers
>> have certificates signed by authority located in China, hence located
>> sort
>> of behind "the great firewall of China" - call me superstitious).
>
> That’s a perfectly valid concern.  The last I heard, modern browsers
> trust 1,100 CAs!  Surely some of those CAs have interests that do not
> align with my interests.
>
>> I do not see neither starttls.com nor letsencrypt.org between
>> Authorities
>> certificates.
>
> That’s because they are not top-tier CAs.
>
>> This means (correct me if I'm wrong) that client has to
>> import one of these Certification Authorities certificates
>
> You must be unaware of certificate chaining:
>
>   https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Sorry, intermediate authorities just slept off my mind somehow (to say
worst: my server certificated _are_ signed by intermediate CA - shame on
me ;-)

Valeri



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev

On Wed, June 15, 2016 10:48 am, Warren Young wrote:
> On Jun 15, 2016, at 9:38 AM, Warren Young  wrote:
>>
>> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev 
>> wrote:
>>
>>> I do not see neither starttls.com nor letsencrypt.org between
>>> Authorities
>>> certificates.
>>
>> That’s because they are not top-tier CAs.
>
> I forgot to mention that letsencrypt.com uses one of its own certificates.
>  You can use your browser’s certificate detail view to see the chain of
> trust.  I see two levels here: IdenTrust -> TrustID -> Let’s Encrypt.

Thanks, that means no need to install CA. There is always someone (Thanks,
Warren!) who looked deeper into things, and can explain them. The only
thing here is: I need to look deeper myself how the identity of the server
is ensured in this case (i.e. whether tier 2, tier 3, ... CAs really do
that. But that is more fundamental thing: basically with that in play, can
I still trust that the physical entity owning server cert is indeed who it
claims to be).

>
> As for starttls.com, that doesn’t exist; you’re probably confusing it
> with the SMTP STARTTLS protocol extension.  What you mean is startssl.com,
> which is the main public face of StartCom.  StartCom is a top-tier CA.

I'm sure I did copy and paste, so that should have copied from OP e-mail...

Thanks again, Warren,

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] https and self signed

2016-06-15 Thread Jason Pyeron
> -Original Message-
> From: Warren Young
> Sent: Wednesday, June 15, 2016 10:26
> To: CentOS mailing list
> Subject: Re: [CentOS] https and self signed
> 
> On Jun 15, 2016, at 7:47 AM, Jerry Geis  wrote:
> > 
> > Yes I can added the --insecure for curl - but - my other 
> app doesn't 

For the love of all that is holy, create your own CA and have your own PKI,
even for testing.

> > seem to work either - perhaps getting the same return 
> message instead 
> > of the actual file.
> 
...
> It's too bad, because self-signed certificates are only 
> unusual on the public Internet.  I wish the designers of TLS 
...
> self-signed cert that declares that it is for 172.16.69.42, 
> and that any host on 172.16.69.0/24 should trust it implicitly.

It is very easy to create your own CA, to sign your own certs. There is no
need to support self signed "leaf nodes" of the PKI.

I have taken some liberties on this to save me time, you will need to change
config values to suit your needs.

$ mkdir -p CA/{private,certs}
$ cd CA
# copy the default openssl config into the CA directory
$ cp -v "$(openssl ca -verbose 2>&1 | head -n 1 | sed 's/Using configuration from //')" .
# point the CA_default paths at this directory (each original line is kept, commented out)
$ sed -i 's/^\(\s*dir\s*=.*\)/#\1\ndir=./' openssl.cnf
$ sed -i 's|^\(\s*certificate\s*=.*\)|#\1\ncertificate=$dir/CA.crt|' openssl.cnf
$ sed -i 's|^\(\s*private_key\s*=.*\)|#\1\nprivate_key=$dir/private/CA.key|' openssl.cnf
# new_certs_dir must be the certs/ directory created above, which is where the
# cp below and the listing at the end of the mail read from (the original line said newcerts)
$ sed -i 's|^\(\s*new_certs_dir\s*=.*\)|#\1\nnew_certs_dir=$dir/certs|' openssl.cnf
$ touch index.txt
# done setting up the file system
$ openssl req -config openssl.cnf -new -nodes -keyout private/CA.key -out CA.csr
# answer the questions
# -extensions v3_ca makes the self-signed certificate a CA (basicConstraints CA:TRUE);
# the config's default usr_cert section would mark it CA:FALSE and clients would reject the chain
$ openssl ca -config openssl.cnf -batch -in CA.csr -create_serial -selfsign -extensions v3_ca
# there should only be one cert, the CA's self signed cert
$ cp certs/*.pem CA.crt
# done creating the CA


# now you can sign your server certificate signing requests (CSR)

# make a csr

# sign server.csr
$ openssl ca -config openssl.cnf -batch -in server.csr

# files at end of email for understanding...


> 
> Such a cert could not be used to prove identity, prevent 
> spoofing, or prevent MITM attacks, but it would give a way to 
> set up encryption, which is often all you actually want.  
> MITM attacks could be largely prevented with certificate pinning.

And reducing the trusted CA set in your enterprise.



$ cat ./private/CA.key

$ cat ./certs/FC4B076EEDAC665F.pem
[CentOS] Is there popular multimedia framework supported in centos

2016-06-15 Thread applema...@163.com
Hi,

I know gstreamer is written in the C language. Is there a popular multimedia 
framework written in C++ supported in CentOS? Thanks!

B.R.

Andrew

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 9:38 AM, Warren Young  wrote:
> 
> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev  wrote:
> 
>> I do not see either starttls.com or letsencrypt.org among the Authorities
>> certificates.
> 
> That’s because they are not top-tier CAs.

I forgot to mention that letsencrypt.com uses one of its own certificates.  You 
can use your browser’s certificate detail view to see the chain of trust.  I 
see two levels here: IdenTrust -> TrustID -> Let’s Encrypt.

As for starttls.com, that doesn’t exist; you’re probably confusing it with the 
SMTP STARTTLS protocol extension.  What you mean is startssl.com, which is the 
main public face of StartCom.  StartCom is a top-tier CA.


Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 9:02 AM, Valeri Galtsev  wrote:
> 
> I do see WoSign there (though I'd prefer to avoid my US located servers
> have certificates signed by authority located in China, hence located sort
> of behind "the great firewall of China" - call me superstitious).

That’s a perfectly valid concern.  The last I heard, modern browsers trust 
1,100 CAs!  Surely some of those CAs have interests that do not align with my 
interests.

> I do not see either starttls.com or letsencrypt.org among the Authorities
> certificates.

That’s because they are not top-tier CAs.

> This means (correct me if I'm wrong) that client has to
> import one of these Certification Authorities certificates

You must be unaware of certificate chaining:

  https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Even top-tier CAs use certificate chaining.  The proper way to run a CA is to 
keep your private root signing key off-line, using it only to sign some number 
of intermediate CA signing certs, which are the ones used to generate the certs 
publicly distributed by that CA.

Doing so lets a CA abandon an escaped private key by issuing a CRL for an 
escaped private key.  The CA then just generates a new signing key and 
continues on with that; it doesn’t have to get its new signing key into all the 
TLS clients’s trusted signing key stores because the new key’s trust chain goes 
back to the still-private offline root key.

Without that layer of protection, if their private signing key somehow escapes, 
the CA is basically out of business until they convince all the major browsers 
to distribute their replacement public key.

> - but other clients, like laptops had to download, install and
> trust my CA certificate).

If those laptops are Windows laptops on an AD domain, there is a way to push CA 
public keys out to them automatically.  (Don’t ask me how, I’m not a Windows 
admin.  I’m just aware that it can be done.)

> Also: with CA signing server certificate there is a part that is
> "verification of identity" of domain or server owner. Namely, that whoever
> requested certificate indeed exists as physical entity (person,
> organization or company) accessible at some physical address etc. This is
> costly process, and as I remember, free automatically signed certificates
> were only available from Certification Authority whose CA certificate had
> no chance to be included into CA bundles shipped with browsers, systems
> etc. For that exact reason: there is "no identity verification". The last
> apparently is costly process.

I’m not exactly sure what you’re asking here.  If you are simply pointing out 
that the free certificate providers — including Let’s Encrypt — do not do 
public records background checks, D checks, phone calls to phone numbers on 
your web page and DNS records, etc. to prove that you are who you say you are, 
that is true.

Let’s Encrypt is not in competition with EV certificates, for example:

  https://en.wikipedia.org/wiki/Extended_Validation_Certificate

The term of art for what Let’s Encrypt provides is a domain validation 
certificate. That is, it only proves that the holder was in control of the 
domain name at the time the cert was generated.

> So, someone, please, set all of us straight: what is the state of the art
> today?

The answer could fill books.  In a forum like this, you can only expect answers 
to specific questions for such broad topics.
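An added example, not code from any post in this thread, that serves both the private-CA procedure posted earlier ("create your own CA and sign your server CSRs") and the offline-root plus intermediate layout described above: it builds a root CA, an intermediate signed by it and a server cert signed by the intermediate with openssl, then runs the same chain-and-hostname verification curl or wget would. The names, the 172.16.69.42 address (borrowed from Warren's example), the working directory and every file name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the list): two-level private PKI with openssl,
# root -> intermediate -> server, plus the verification a TLS client does.
# All names, the IP address and the work directory are made-up placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# req needs a distinguished_name section even when -subj supplies the subject.
# The CA certs must carry CA:TRUE; the server cert must not, and modern
# clients match the hostname against subjectAltName rather than CN.
write_ext_config() {  # $1 = config path to write
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test,IP:172.16.69.42
EOF
}

# Self-signed root; in real use its key stays offline once intermediates exist.
make_root() {  # $1 = dir
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/root.key" -out "$1/root.crt" -days 3650 \
        -config "$1/ext.cnf" -extensions v3_ca -subj "/CN=Example Root CA"
}

# "CSR, then the issuer signs it"; $4 picks the extension section (CA or server).
issue() {  # $1 = dir, $2 = name, $3 = issuer name, $4 = extensions, $5 = subject
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -config "$1/ext.cnf" -subj "$5"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -out "$1/$2.crt" -days 365 \
        -extfile "$1/ext.cnf" -extensions "$4" 2>/dev/null
}

# What curl/wget do: trust only the root, take the intermediate from the
# server's handshake (-untrusted) and match the hostname against the SAN.
verify_chain() {  # $1 = trusted root, $2 = intermediate, $3 = leaf, $4 = hostname
    if openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" \
        >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

write_ext_config "$WORK/ext.cnf"
make_root "$WORK"
issue "$WORK" intermediate root v3_ca "/CN=Example Intermediate CA"
issue "$WORK" server intermediate v3_server "/CN=server.example.test"
echo "chain check: $(verify_chain "$WORK/root.crt" "$WORK/intermediate.crt" "$WORK/server.crt" server.example.test)"
```

Only root.crt needs to reach the clients' trust stores; a compromised or rotated intermediate is replaced by issuing a new one from the root without touching any client. Verifying with a different root reproduces the "issuer not trusted" failure from the start of this thread.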


Re: [CentOS] https and self signed

2016-06-15 Thread Scott Robbins
On Wed, Jun 15, 2016 at 10:02:57AM -0500, Valeri Galtsev wrote:
> 
> On Wed, June 15, 2016 9:17 am, Warren Young wrote:
> >>
> >> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
> >
> > Today, I would prefer Let’s Encrypt:
> >
> >   https://letsencrypt.org/
> >
> > It is philosophically aligned with the open source software world, rather
> > than act as bait for a company that would prefer to sell you a cert
> > instead.
> 
> I have a question for experts. I just opened settings of Firefox
> (latest, on FreeBSD), and took a look at the list of Certification
> Authorities it comes with.
> 
> I do see WoSign there (though I'd prefer to avoid my US located servers
> have certificates signed by authority located in China, hence located sort
> of behind "the great firewall of China" - call me superstitious).
> 
> I do not see either starttls.com or letsencrypt.org among the Authorities
> certificates. 


I'm not an expert by any means, but I use letsencrypt (mostly for testing)
and it's always worked for me in FreeBSD with Firefox, without any special
effort on my part. 
You can try https://srobb.net which is using letsencrypt as its cert.

-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6



Re: [CentOS] https and self signed

2016-06-15 Thread Paul Heinlein

On Wed, 15 Jun 2016, John R Pierce wrote:

> On 6/15/2016 6:47 AM, Jerry Geis wrote:
>
>> How do I get past this? I was looking to just self sign for https.
>
> in my admittedly limited experience with this stuff, you need to 
> create your own rootCA, and use that to sign your certificates, AND 
> you need to take the public key of the rootCA and import it into any 
> trust stores that will be used to verify said certificates.


The EasyRSA scripts make creating and using your own Certificate 
Authority as painless as X.509 can be (which is to say, there will 
still be some pain). You can find them in the OpenVPN distribution 
tarball or at GitHub:


  https://github.com/OpenVPN/easy-rsa

--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] https and self signed

2016-06-15 Thread David Nelson
On Jun 15, 2016, at 8:02 AM, Valeri Galtsev  wrote:
> 
> I do not see either starttls.com or letsencrypt.org among the Authorities
> certificates. This means (correct me if I'm wrong) that client has to
> import one of these Certification Authorities certificates, otherwise
> server certificate signed by one of these authorities is on the same page
> with my private Certification Authority (which I used to run for over 10
> years, then in my kickstart I had my CA certificate imported into CA of
> clients - but other clients, like laptops had to download, install and
> trust my CA certificate). Of course, this is a notch better than
> "self-signed" server certificates, as you only need to import CA
> certificate once, whereas you will need to import self-signed server
> certificates for each of the servers...



For my personal needs I use free StartSSL certs and the authority appears as 
StartCom, Ltd. in Firefox.

In my experience it is already a trusted authority in most/all browsers. At 
least I didn’t have to manually trust it, and I haven’t run into one that 
complains about it.


Re: [CentOS] https and self signed

2016-06-15 Thread John Hodrien

On Wed, 15 Jun 2016, John R Pierce wrote:

> On 6/15/2016 6:47 AM, Jerry Geis wrote:
>
>> How do I get past this? I was looking to just self sign for https.
>
> in my admittedly limited experience with this stuff, you need to create your 
> own rootCA, and use that to sign your certificates, AND you need to take the 
> public key of the rootCA and import it into any trust stores that will be 
> used to verify said certificates.


If you don't do this, then there's no real point using SSL at all, and you
*should* be forced to override security with arguments:

wget --no-check-certificate
curl --insecure

etc.

jh


Re: [CentOS] https and self signed

2016-06-15 Thread John R Pierce

On 6/15/2016 6:47 AM, Jerry Geis wrote:

> How do I get past this? I was looking to just self sign for https.


in my admittedly limited experience with this stuff, you need to create 
your own rootCA, and use that to sign your certificates, AND you need to 
take the public key of the rootCA and import it into any trust stores 
that will be used to verify said certificates.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] https and self signed

2016-06-15 Thread Valeri Galtsev

On Wed, June 15, 2016 9:17 am, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, Александр Кириллов
>  wrote:
>>
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>
>> http://www.startssl.com
>> http://buy.wosign.com/free
>
> Today, I would prefer Let’s Encrypt:
>
>   https://letsencrypt.org/
>
> It is philosophically aligned with the open source software world, rather
> than act as bait for a company that would prefer to sell you a cert
> instead.

I have a question for experts. I just opened settings of Firefox
(latest, on FreeBSD), and took a look at the list of Certification
Authorities it comes with.

I do see WoSign there (though I'd prefer to avoid my US located servers
have certificates signed by authority located in China, hence located sort
of behind "the great firewall of China" - call me superstitious).

I do not see either starttls.com or letsencrypt.org among the Authorities
certificates. This means (correct me if I'm wrong) that client has to
import one of these Certification Authorities certificates, otherwise
server certificate signed by one of these authorities is on the same page
with my private Certification Authority (which I used to run for over 10
years, then in my kickstart I had my CA certificate imported into CA of
clients - but other clients, like laptops had to download, install and
trust my CA certificate). Of course, this is a notch better than
"self-signed" server certificates, as you only need to import CA
certificate once, whereas you will need to import self-signed server
certificates for each of the servers...

Am I missing something?

Also: with CA signing server certificate there is a part that is
"verification of identity" of domain or server owner. Namely, that whoever
requested certificate indeed exists as physical entity (person,
organization or company) accessible at some physical address etc. This is
costly process, and as I remember, free automatically signed certificates
were only available from Certification Authority whose CA certificate had
no chance to be included into CA bundles shipped with browsers, systems
etc. For that exact reason: there is "no identity verification". The last
apparently is costly process.

So, someone, please, set all of us straight: what is the state of the art
today?

Disclaimer: I have purely academic interest in this myself: my institution
makes CA signed certificates for my servers at no cost for me, and that
authority is in the CA Cert bundles.

Valeri

>
> I’m only aware of one case where you absolutely cannot use Let’s
> Encrypt, but it also affects the other public CAs: you can’t get a
> publicly-trusted cert for a machine without a publicly-recognized and
> -visible domain name.  For that, you still need to use self-signed certs
> or certs signed by a private CA.




Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 7:47 AM, Jerry Geis  wrote:
> 
> Yes I can add the --insecure for curl - but - my other app doesn't
> seem to work either - perhaps getting the same return message instead of
> the actual file.

Because of all the security holes people have been finding in TLS, libraries 
implementing the client side of TLS are getting increasingly intolerant of 
risky configurations.

It’s too bad, because self-signed certificates are only unusual on the public 
Internet.  I wish the designers of TLS had included a flag in the cert that let 
it declare that it was only to be trusted on a private intranet by clients of 
that same intranet.

For example, instead of declaring that the given server is foo.example.com, it 
would be nice if you could generate a self-signed cert that declares that it is 
for 172.16.69.42, and that any host on 172.16.69.0/24 should trust it 
implicitly.

Such a cert could not be used to prove identity, prevent spoofing, or prevent 
MITM attacks, but it would give a way to set up encryption, which is often all 
you actually want.  MITM attacks could be largely prevented with certificate 
pinning.


Re: [CentOS] https and self signed

2016-06-15 Thread Warren Young
On Jun 15, 2016, at 7:57 AM, Александр Кириллов  wrote:
> 
> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
> 
> http://www.startssl.com
> http://buy.wosign.com/free

Today, I would prefer Let’s Encrypt:

  https://letsencrypt.org/

It is philosophically aligned with the open source software world, rather than 
act as bait for a company that would prefer to sell you a cert instead.

I’m only aware of one case where you absolutely cannot use Let’s Encrypt, but 
it also affects the other public CAs: you can’t get a publicly-trusted cert for 
a machine without a publicly-recognized and -visible domain name.  For that, 
you still need to use self-signed certs or certs signed by a private CA.


Re: [CentOS] https and self signed

2016-06-15 Thread Александр Кириллов

Nowadays it's quite easy to get normal ssl certificates for free. E.g.

http://www.startssl.com
http://buy.wosign.com/free



[CentOS] https and self signed

2016-06-15 Thread Jerry Geis
I followed the instructions here https://wiki.centos.org/HowTos/Https

Checking port 80 I get the file...
curl http://localhost/file.html


Working



Checking port 443 I get an error
curl https://localhost/file.html

curl: (60) Peer's certificate issuer has been marked as not trusted by the
user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


How do I get past this? I was looking to just self sign for https.

Yes I can add the --insecure for curl - but - my other app doesn't
seem to work either - perhaps getting the same return message instead of
the actual file.

Thanks,

jerry