Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Stuart Yeates
>I think you're missing the point. Protecting the content is as you say 
>unimportant if it's open content. But the big threat here is to the privacy of 
>the patrons. Your viewing history, if it gets into the wrong hands, could 
>easily put you or someone you care about at risk.

The big threat for me is that someone can unload a bogus thesis into my 
repository and on that basis claim to have a degree ...

When a TLS connection gets established, the two parties negotiate the most 
secure option they both support. That negotiation is driven by the client, 
meaning that modern sanely configured clients will normally be very secure from 
passive listening attacks.  Active attacks are more challenging to prevent, and 
raising the minimum security of the certs supported is one approach to do that.

Cheers
stuart



--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce.
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette


Re: [Dspace-tech] DSPACE: (discovery) Is it possible to show a specific sidebarFacets for a specific collection?

2014-09-15 Thread David Cook
Hi Johanne:

 

1)  You need to also add “” 
under “” under the “EdusConfiguration”, or else 
it won’t show up in the sidebar facets for EdusConfiguration. It’ll show up as 
a search filter when searching, but not as a “facet”.

2)  You _cannot_ delete “” 
from “searchFilters” under the “defaultConfiguration”. That’s – what I consider 
to be  – the bug. The bean _must_ be in the “defaultConfiguration”. I think 
it’s very silly, but I have noticed this is necessary for it to work.

 

I imagine the reason why the facet appears on the “EdusConfiguration” after you 
delete it from “defaultConfiguration” is because the indexes are still full. 
Once you re-index the database, the indexes are emptied (because the bean isn’t 
referenced under “defaultConfiguration”) and the sidebar facets disappear.

 

If you keep “” under “” for both “defaultConfiguration” and 
“EdusConfiguration”, as well as under “”, you 
should be fine.


So:

 

1)  Add “” to “” under the “defaultConfiguration”

2)  Add “” to “” under the “EdusConfiguration”

3)  Add “” to “” under the “EdusConfiguration”

4)  “index-discovery –b”

5)  Restart Tomcat

6)  Note that "searchFilterDescriptionJournal” appears under the search 
filters when doing a search

7)  Note that “searchFilterDescriptionJournal” appears as a sidebar facet 
for the EdusConfiguration

8)  Profit : ) 

 

If you follow those exact steps, you should be fine. I have this working at the 
moment on a DSpace 4.2 instance.

 

David Cook

Systems Librarian

Prosentient Systems

72/330 Wattle St, Ultimo, NSW 2007

 

From: Johanne Crête [mailto:johanne.cr...@usherbrooke.ca] 
Sent: Tuesday, 16 September 2014 1:11 AM
To: David Cook; 'Terry Brady'
Cc: dspace-tech@lists.sourceforge.net
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a 
specific sidebarFacets for a specific collection?

 

Hi David,

 

Here is a summary of all the steps I have to execute to show a specific sidebarFacet for a 
specific collection:

 

1-  I add “” to the 
“searchFilters” under the “defaultConfiguration”

2-  I add “” to the 
“searchFilters” under the “EdusConfiguration”

3-  “index-discovery –b”

4-  I restart the servlet container (Tomcat)

 

RESULT : the sidebarfacet appears for the collection:  “defaultConfiguration” 
and “EdusConfiguration”

 

5-  I delete “” from the 
“searchFilters” under the “defaultConfiguration”

 

RESULT: the sidebarfacet appears on the “EdusConfiguration”, only on the 
specific collection. It’s exactly what I want, but….

 

6-  The problem is here:  if I execute “index-discovery –b” after the step 
5, then I restart the servlet container (Tomcat), the sidebarfacet disappears 
completely!

 

Thanks!

 

__

Johanne Crête

IT technician

Service des bibliothèques et archives, Université de Sherbrooke

Sherbrooke (Québec) J1K 2R1 CANADA

  johanne.cr...@usherbrooke.ca

(819) 821-8000, ext. 66294

    

 

 

 

 

From: David Cook [mailto:dc...@prosentient.com.au] 
Sent: 11 September 2014 20:36
To: Johanne Crête; 'Terry Brady'
Cc: dspace-tech@lists.sourceforge.net 
 
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a specific 
sidebarFacets for a specific collection?

 

Hi Johanne:

 

Did you also add  “” to “” under “defaultConfiguration”? If so, that would be 
incorrect. 

 

You just need “” under “” under “defaultConfiguration”. 

 

The “EdusConfiguration” that you posted originally looks good. You just need 
the “” under the 
“defaultConfiguration” “searchFilters” for some strange reason. Yes, I do think 
it’s a bug. I’ve already logged it here:  
 
https://jira.duraspace.org/browse/DS-2132. However, I would appreciate any 
comments you have to add to the bug.

 

So, to re-iterate, you want “” to 
show up under “searchFilters” and “sidebarFacets” for “EdusConfiguration”, and 
ONLY under “searchFilters” for “defaultConfiguration”. After that, 
“index-discovery -b” and restart Tomcat. If I understand you correctly, that 
should show the Description Journal facet only for the handle associated with 
“EdusConfiguration”.

 

David Cook

Systems Librarian

Prosentient Systems

72/330 Wattle St, Ultimo, NSW 2007

 

From: Johanne Crête [mailto:johanne.cr...@usherbrooke.ca] 
Sent: Thursday, 11 September 2014 11:58 PM
To: David Cook; 'Terry Brady'
Cc: dspace-tech@lists.sourceforge.net 
 
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a 
specific sidebarFacets for a specific collection?

 

Thanks for your answer.

 

Like you wrote, if I add “” to the 
“searchFilters” under the “defaultConfiguration” and the

Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Jonathan Rees
I think you're missing the point. Protecting the content is as you say 
unimportant if it's open content. But the big threat here is to the privacy of 
the patrons. Your viewing history, if it gets into the wrong hands, could 
easily put you or someone you care about at risk.

Perhaps there's a way to get a secure channel for those who are able to make 
use of it, and drop down to less secure ciphers for your IE6 users? I don't 
know TLS well enough to know the answer, or even to know whether this is a good 
idea.

Best
Jonathan

On Sep 15, 2014, at 4:28 PM, Stuart Yeates  wrote:

> Both of the guidelines make complete sense if you’re a bank (or the payroll 
> system of a university). They make less sense when if you are a service whose 
> reason for existence is to promulgate information. For repositories to 
> enforce the latest and greatest security settings for users to access 
> documents makes no sense and is insane if (like my repositories) we also 
> offer the same documents over HTTP.
>  
> Note, for example, that your site can’t be accessed from IE 6 or by bots 
> running certain varieties of Java. That’s probably not a bad choice unless 
> you need it to be accessible to the third world, which has a much older 
> technological profile than the west.
>  
> It may make sense to lock down submission / admin interfaces, particularly if 
> these are accessed from off campus.
>  
> Cheers
> stuart
>  
> From: Alan Orth [mailto:alan.o...@gmail.com] 
> Sent: Monday, 15 September 2014 8:36 p.m.
> To: Stuart Yeates; Ivan Masár
> Cc: dspace-tech@lists.sourceforge.net
> Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
>  
> Stuart,
> 
> Interesting that you consider Mozilla's guidelines too strict. 
> Bettercrypto.org's are even more so. :)
> 
> For reference, I use a "stricter" config than Mozilla's in that I disallow 
> SSLv3 (as even XP supports TLS 1.0), and I get an A+ on the Qualys SSL test:
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=cgspace.cgiar.org
> 
> TLS is fun, isn't it?!
> 
> Alan
> 
> On 09/15/2014 01:20 AM, Stuart Yeates wrote:
> I use a verifier to check my config:
>  
> https://www.ssllabs.com/ssltest/analyze.html?d=exams.victoria.ac.nz
>  
> Note that my settings are less secure than I might like, because increasing 
> them causes some platforms (especially mobile platforms) to fail to access 
> the content, while leaving nothing useful in the logs.
>  
> Personally I find the Mozilla advice a little strong on the “force users with 
> outdated browsers to update” approach.
>  
> It’s  also possible to force users who login to use more secure credentials 
> than those who just access content, if you can assume that only admin staff 
> login from their desktops with recent browsers. There’s an example 
> on https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
>  
> Cheers
> stuart
>  
>  
> From: Alan Orth [mailto:alan.o...@gmail.com] 
> Sent: Sunday, 14 September 2014 7:39 p.m.
> To: Ivan Masár
> Cc: dspace-tech@lists.sourceforge.net
> Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS
>  
> Hi, Hilton.
>  
> Thanks for your reply.  First, I'd like to point out that I reverse proxy 
> DSpace via nginx (and Apache httpd a few years ago).  The decision to put 
> nginx / httpd in front of Tomcat was made partially on the fact that it's 
> easier to configure HTTPS in those servers than Tomcat, and nginx supports 
> more modern crypto than Apache http or Apache Tomcat.  Also mod_rewrite and 
> vhosts etc were easier.
>  
> Your HTTPS configuration could use several improvements.  Attached is a 
> screenshot of the negotiated cipher suite as seen in Chrome in GNU/Linux.  Of 
> note:
> - The connection is encrypted using AES CBC.  AES is government-grade 
> security, but implemented in CBC mode it is vulnerable to padding oracle 
> attacks (see BEAST and Lucky13)[0].  It is recommended to use GCM mode 
> (galois counter mode).
> - Message authentication (MAC, basically a hash or fingerprint) is using 
> SHA1, which is of course very old and started showing weaknesses in academic 
> circles and was first shown to be broken in 2005[1].
> - Your connection is using Diffie-Hellman Ephemeral, which is good! Ephemeral 
> means that there is a temporary secret used in the HTTPS negotiation that is 
> thrown away after the session. In the scenario that an adversary (NSA?) gets 
> your HTTPS key and records secure traffic, they won't be able to decode those 
> sessions.  This is called 'forward secrecy' (sometimes "perfect" forward 
> secrecy).
>  
> Other than that, your HTTPS certs are signed using SHA1, which has been 
> deprecated by all major browsers in favor of SHA2[2].
>  
> It's kinda overwhelming, but using the Mozilla cipher list will get you 
> started.  They are a list of safe defaults which take into account most of 
> the latest information we have on cryptography.
>  
> Hope that helps,
>  
> [0] https://wiki.mozilla.org/Secur

[Dspace-tech] Lucene causes Dspace to crash

2014-09-15 Thread Robbins, Seth David
Hello,
We’re running Dspace 3.2 with XMLUI. Our production instance recently crashed 
with a segmentation fault. According to the fatal error report generated by the 
JVM, it appears to have been caused by lucene while reading from the search 
indexes (The problematic frame is 
org.apache.lucene.index.SegmentTermPositions.skipPositions(), I’ll spare you the 
thread dump). Has anyone here experienced anything similar before? I’m 
wondering if some bit of the search index has been corrupted, or if this is 
just a freak accident.
Thanks,
Seth


Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Stuart Yeates
There is also an argument that ‘freedom to read’-type statements suggest HTTPS 
to prevent casual snooping on people’s reading habits, however this is 
undermined by our use of DOI and handle which are reliably HTTPS, so we’re 
already leaking that info.

Cheers
stuart


From: Hilton Gibson [mailto:hilton.gib...@gmail.com]
Sent: Tuesday, 16 September 2014 8:34 a.m.
To: Stuart Yeates
Cc: Alan Orth; Ivan Masár; dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

+1 to Stuart, my only intention with https is to secure user credentials, 
beyond that it does not matter.

Hilton Gibson
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758

On 15 September 2014 22:28, Stuart Yeates <stuart.yea...@vuw.ac.nz> wrote:
Both of the guidelines make complete sense if you’re a bank (or the payroll 
system of a university). They make less sense when if you are a service whose 
reason for existence is to promulgate information. For repositories to enforce 
the latest and greatest security settings for users to access documents makes 
no sense and is insane if (like my repositories) we also offer the same 
documents over HTTP.

Note, for example, that your site can’t be accessed from IE 6 or by bots 
running certain varieties of Java. That’s probably not a bad choice unless you 
need it to be accessible to the third world, which has a much older 
technological profile than the west.

It may make sense to lock down submission / admin interfaces, particularly if 
these are accessed from off campus.

Cheers
stuart

From: Alan Orth [mailto:alan.o...@gmail.com]
Sent: Monday, 15 September 2014 8:36 p.m.
To: Stuart Yeates; Ivan Masár
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

Stuart,

Interesting that you consider Mozilla's guidelines too strict. 
Bettercrypto.org's are even more so. :)

For reference, I use a "stricter" config than Mozilla's in that I disallow 
SSLv3 (as even XP supports TLS 1.0), and I get an A+ on the Qualys SSL test:

https://www.ssllabs.com/ssltest/analyze.html?d=cgspace.cgiar.org

TLS is fun, isn't it?!

Alan
On 09/15/2014 01:20 AM, Stuart Yeates wrote:
I use a verifier to check my config:

https://www.ssllabs.com/ssltest/analyze.html?d=exams.victoria.ac.nz

Note that my settings are less secure than I might like, because increasing 
them causes some platforms (especially mobile platforms) to fail to access the 
content, while leaving nothing useful in the logs.

Personally I find the Mozilla advice a little strong on the “force users with 
outdated browsers to update” approach.

It’s also possible to force users who login to use more secure credentials 
than those who just access content, if you can assume that only admin staff 
login from their desktops with recent browsers. There’s an example on 
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Cheers
stuart


From: Alan Orth [mailto:alan.o...@gmail.com]
Sent: Sunday, 14 September 2014 7:39 p.m.
To: Ivan Masár
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

Hi, Hilton.

Thanks for your reply.  First, I'd like to point out that I reverse proxy 
DSpace via nginx (and Apache httpd a few years ago).  The decision to put nginx 
/ httpd in front of Tomcat was made partially on the fact that it's easier to 
configure HTTPS in those servers than Tomcat, and nginx supports more modern 
crypto than Apache http or Apache Tomcat.  Also mod_rewrite and vhosts etc were 
easier.

Your HTTPS configuration could use several improvements.  Attached is a 
screenshot of the negotiated cipher suite as seen in Chrome in GNU/Linux.  Of 
note:
- The connection is encrypted using AES CBC.  AES is government-grade security, 
but implemented in CBC mode it is vulnerable to padding oracle attacks (see 
BEAST and Lucky13)[0].  It is recommended to use GCM mode (galois counter mode).
- Message authentication (MAC, basically a hash or fingerprint) is using SHA1, 
which is of course very old and started showing weaknesses in academic circles 
and was first shown to be broken in 2005[1].
- Your connection is using Diffie-Hellman Ephemeral, which is good! Ephemeral 
means that there is a temporary secret used in the HTTPS negotiation that is 
thrown away after the session. In the scenario that an adversary (NSA?) gets 
your HTTPS key and records secure traffic, they won't be able to decode those 
sessions.  This is called 'forward secrecy' (sometimes "perfect" forward 
secrecy).

Other than that, your HTTPS certs are signed using SHA1, which has been 
deprecated by all major browsers in favor of SHA2[2].

It's kinda overwhelming, but using

Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Hilton Gibson
+1 to Stuart, my only intention with https is to secure user credentials,
beyond that it does not matter.

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758

On 15 September 2014 22:28, Stuart Yeates  wrote:

>  Both of the guidelines make complete sense if you’re a bank (or the
> payroll system of a university). They make less sense when if you are a
> service whose reason for existence is to promulgate information. For
> repositories to enforce the latest and greatest security settings for users
> to access documents makes no sense and is insane if (like my repositories)
> we also offer the same documents over HTTP.
>
>
>
> Note, for example, that your site can’t be accessed from IE 6 or by bots
> running certain varieties of Java. That’s probably not a bad choice unless
> you need it to be accessible to the third world, which has a much older
> technological profile than the west.
>
>
>
> It may make sense to lock down submission / admin interfaces, particularly
> if these are accessed from off campus.
>
>
>
> Cheers
>
> stuart
>
>
>
> *From:* Alan Orth [mailto:alan.o...@gmail.com]
> *Sent:* Monday, 15 September 2014 8:36 p.m.
> *To:* Stuart Yeates; Ivan Masár
> *Cc:* dspace-tech@lists.sourceforge.net
> *Subject:* Re: [Dspace-tech] Recommended TLS cipher suite for sites using
> HTTPS
>
>
>
> Stuart,
>
> Interesting that you consider Mozilla's guidelines too strict.
> Bettercrypto.org's are even more so. :)
>
> For reference, I use a "stricter" config than Mozilla's in that I disallow
> SSLv3 (as even XP supports TLS 1.0), and I get an A+ on the Qualys SSL test:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=cgspace.cgiar.org
>
> TLS is fun, isn't it?!
>
> Alan
>
> On 09/15/2014 01:20 AM, Stuart Yeates wrote:
>
> I use a verifier to check my config:
>
>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=exams.victoria.ac.nz
>
>
>
> Note that my settings are less secure than I might like, because
> increasing them causes some platforms (especially mobile platforms) to fail
> to access the content, while leaving nothing useful in the logs.
>
>
>
> Personally I find the Mozilla advice a little strong on the “force users
> with outdated browsers to update” approach.
>
>
>
> It’s also possible to force users who login to use more secure
> credentials than those who just access content, if you can assume that only
> admin staff login from their desktops with recent browsers. There’s an
> example on https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
>
>
>
> Cheers
>
> stuart
>
>
>
>
>
> *From:* Alan Orth [mailto:alan.o...@gmail.com ]
> *Sent:* Sunday, 14 September 2014 7:39 p.m.
> *To:* Ivan Masár
> *Cc:* dspace-tech@lists.sourceforge.net
> *Subject:* Re: [Dspace-tech] Recommended TLS cipher suite for sites using
> HTTPS
>
>
>
> Hi, Hilton.
>
>
>
> Thanks for your reply.  First, I'd like to point out that I reverse proxy
> DSpace via nginx (and Apache httpd a few years ago).  The decision to put
> nginx / httpd in front of Tomcat was made partially on the fact that it's
> easier to configure HTTPS in those servers than Tomcat, and nginx supports
> more modern crypto than Apache http or Apache Tomcat.  Also mod_rewrite and
> vhosts etc were easier.
>
>
>
> Your HTTPS configuration could use several improvements.  Attached is a
> screenshot of the negotiated cipher suite as seen in Chrome in GNU/Linux.
>  Of note:
>
> - The connection is encrypted using AES CBC.  AES is government-grade
> security, but implemented in CBC mode it is vulnerable to padding oracle
> attacks (see BEAST and Lucky13)[0].  It is recommended to use GCM mode
> (galois counter mode).
>
> - Message authentication (MAC, basically a hash or fingerprint) is using
> SHA1, which is of course very old and started showing weaknesses in
> academic circles and was first shown to be broken in 2005[1].
>
> - Your connection is using Diffie-Hellman Ephemeral, which is good!
> Ephemeral means that there is a temporary secret used in the HTTPS
> negotiation that is thrown away after the session. In the scenario that an
> adversary (NSA?) gets your HTTPS key and records secure traffic, they won't
> be able to decode those sessions.  This is called 'forward secrecy'
> (sometimes "perfect" forward secrecy).
>
>
>
> Other than that, your HTTPS certs are signed using SHA1, which has been
> deprecated by all major browsers in favor of SHA2[2].
>
>
>
> It's kinda overwhelming, but using the Mozilla cipher list will get you
> started.  They are a list of safe defaults which take into account most of
> the latest information we have on cryptography.
>
>
>
> Hope that helps,
>
>
>
> [0] https://wiki.mozilla.org/Security/Server_Side_TLS#Attacks_on_TLS
>
> [1] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> [2] https://sha.com/
>
>
>
> On Sat, Sep 13, 2014 at 10:35 PM, helix84  wrot

Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Stuart Yeates
Both of the guidelines make complete sense if you're a bank (or the payroll 
system of a university). They make less sense when if you are a service whose 
reason for existence is to promulgate information. For repositories to enforce 
the latest and greatest security settings for users to access documents makes 
no sense and is insane if (like my repositories) we also offer the same 
documents over HTTP.

Note, for example, that your site can't be accessed from IE 6 or by bots 
running certain varieties of Java. That's probably not a bad choice unless you 
need it to be accessible to the third world, which has a much older 
technological profile than the west.

It may make sense to lock down submission / admin interfaces, particularly if 
these are accessed from off campus.

Cheers
stuart

From: Alan Orth [mailto:alan.o...@gmail.com]
Sent: Monday, 15 September 2014 8:36 p.m.
To: Stuart Yeates; Ivan Masár
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

Stuart,

Interesting that you consider Mozilla's guidelines too strict. 
Bettercrypto.org's are even more so. :)

For reference, I use a "stricter" config than Mozilla's in that I disallow 
SSLv3 (as even XP supports TLS 1.0), and I get an A+ on the Qualys SSL test:

https://www.ssllabs.com/ssltest/analyze.html?d=cgspace.cgiar.org

TLS is fun, isn't it?!

Alan
On 09/15/2014 01:20 AM, Stuart Yeates wrote:
I use a verifier to check my config:

https://www.ssllabs.com/ssltest/analyze.html?d=exams.victoria.ac.nz

Note that my settings are less secure than I might like, because increasing 
them causes some platforms (especially mobile platforms) to fail to access the 
content, while leaving nothing useful in the logs.

Personally I find the Mozilla advice a little strong on the "force users with 
outdated browsers to update" approach.

It's also possible to force users who login to use more secure credentials 
than those who just access content, if you can assume that only admin staff 
login from their desktops with recent browsers. There's an example on 
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Cheers
stuart


From: Alan Orth [mailto:alan.o...@gmail.com]
Sent: Sunday, 14 September 2014 7:39 p.m.
To: Ivan Masár
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

Hi, Hilton.

Thanks for your reply.  First, I'd like to point out that I reverse proxy 
DSpace via nginx (and Apache httpd a few years ago).  The decision to put nginx 
/ httpd in front of Tomcat was made partially on the fact that it's easier to 
configure HTTPS in those servers than Tomcat, and nginx supports more modern 
crypto than Apache http or Apache Tomcat.  Also mod_rewrite and vhosts etc were 
easier.

Your HTTPS configuration could use several improvements.  Attached is a 
screenshot of the negotiated cipher suite as seen in Chrome in GNU/Linux.  Of 
note:
- The connection is encrypted using AES CBC.  AES is government-grade security, 
but implemented in CBC mode it is vulnerable to padding oracle attacks (see 
BEAST and Lucky13)[0].  It is recommended to use GCM mode (galois counter mode).
- Message authentication (MAC, basically a hash or fingerprint) is using SHA1, 
which is of course very old and started showing weaknesses in academic circles 
and was first shown to be broken in 2005[1].
- Your connection is using Diffie-Hellman Ephemeral, which is good! Ephemeral 
means that there is a temporary secret used in the HTTPS negotiation that is 
thrown away after the session. In the scenario that an adversary (NSA?) gets 
your HTTPS key and records secure traffic, they won't be able to decode those 
sessions.  This is called 'forward secrecy' (sometimes "perfect" forward 
secrecy).

Other than that, your HTTPS certs are signed using SHA1, which has been 
deprecated by all major browsers in favor of SHA2[2].

It's kinda overwhelming, but using the Mozilla cipher list will get you 
started.  They are a list of safe defaults which take into account most of the 
latest information we have on cryptography.

Hope that helps,

[0] https://wiki.mozilla.org/Security/Server_Side_TLS#Attacks_on_TLS
[1] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
[2] https://sha.com/

On Sat, Sep 13, 2014 at 10:35 PM, helix84 <heli...@centrum.sk> wrote:
On Sat, Sep 13, 2014 at 9:05 PM, Hilton Gibson <hilton.gib...@gmail.com> wrote:
> Who is the arbiter "safe ciphers"?
> I am not a cipher expert.

There's no arbiter. The set changes over time as new vulnerabilities
are found in existing ciphers and new ciphers are developed to
mitigate those attack vectors. A cipher might look good on paper, but
only widespread use reveals its weaknesses. Then there is the natural
deprecation of shorter key sizes, which is required as new computers
gets faster. Furthermore, errors exist in PRNGs, which encry
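The three points Alan raises above (CBC mode, a SHA1 MAC, and whether the key exchange is ephemeral) can be read straight off a cipher-suite name, which is what a reviewer does when checking a DSpace front end's TLS settings. The checker below is an added example written for this page, not code from the thread, from DSpace or from any tool it mentions; it goes slightly beyond the thread by also accepting OpenSSL-style and TLS 1.3 names. `audit_suite` works offline on constructed names; `audit_negotiated` is an assumed helper that uses Python's standard `ssl` module and needs network access.

```python
"""Audit TLS cipher-suite names for the weaknesses discussed in the thread.

Constructed example; not code from the DSpace list or any project it mentions.
Accepts IANA names (TLS_DHE_RSA_WITH_AES_128_CBC_SHA), OpenSSL names
(DHE-RSA-AES128-SHA) and TLS 1.3 names (TLS_AES_128_GCM_SHA256).
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Tuple

# Markers of an ephemeral key exchange (per-session secret, forward secrecy).
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}
# Block ciphers that, without GCM/CCM in the name, run in CBC mode in TLS <= 1.2.
BLOCK_CIPHER_PREFIXES = ("AES", "CAMELLIA", "3DES", "DES", "SEED", "IDEA")


@dataclass
class SuiteReport:
    name: str
    kx: str                  # "ECDHE", "DHE", "RSA", "ECDH", "DH", "TLS1.3"
    mode: str                # "GCM", "CCM", "CHACHA20-POLY1305", "CBC", "STREAM"
    mac: str                 # "AEAD", "SHA1", "SHA256", "SHA384", "MD5"
    forward_secrecy: bool
    findings: List[str] = field(default_factory=list)


def _tokens(name: str) -> Tuple[List[str], bool]:
    """Split either naming style into IANA-like tokens; flag TLS 1.3 suites."""
    n = name.strip().upper().replace("-", "_")
    tls13 = n.startswith("TLS_") and "_WITH_" not in n  # TLS 1.3 names carry no kx
    if n.startswith("TLS_"):
        n = n[4:]
    return n.replace("_WITH_", "_").split("_"), tls13


def _key_exchange(tokens: List[str], tls13: bool) -> str:
    if tls13:
        return "TLS1.3"                      # always (EC)DHE in TLS 1.3
    first = tokens[0]
    if first in EPHEMERAL_KX:
        return "ECDHE" if first == "ECDHE" else "DHE"
    if first in ("ECDH", "DH"):
        return first                         # static (EC)DH: no forward secrecy
    return "RSA"                             # OpenSSL omits "RSA" (e.g. AES128-SHA)


def _mode(tokens: List[str]) -> str:
    if "GCM" in tokens:
        return "GCM"
    if "CCM" in tokens or "CCM8" in tokens:
        return "CCM"
    if any(t.startswith("CHACHA20") for t in tokens):
        return "CHACHA20-POLY1305"
    if any(t.startswith("RC4") for t in tokens):
        return "STREAM"
    if any(t.startswith(BLOCK_CIPHER_PREFIXES) for t in tokens):
        return "CBC"
    return "UNKNOWN"


def _mac(tokens: List[str], mode: str) -> str:
    if mode in ("GCM", "CCM", "CHACHA20-POLY1305"):
        return "AEAD"                        # trailing SHA256/384 names the PRF, not a MAC
    names = {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384", "MD5": "MD5"}
    return names.get(tokens[-1], "UNKNOWN")


def audit_suite(name: str) -> SuiteReport:
    """Classify one suite and list the findings a reviewer would raise."""
    tokens, tls13 = _tokens(name)
    kx = _key_exchange(tokens, tls13)
    mode = _mode(tokens)
    mac = _mac(tokens, mode)
    report = SuiteReport(name, kx, mode, mac, kx in ("ECDHE", "DHE", "TLS1.3"))
    if mode == "CBC":
        report.findings.append("CBC mode: padding-oracle class (BEAST, Lucky13); prefer GCM")
    elif mode == "STREAM":
        report.findings.append("RC4 stream cipher: not an AEAD construction; prefer GCM")
    if mac == "SHA1":
        report.findings.append("HMAC-SHA1 integrity: SHA1 is deprecated; prefer SHA-2 or AEAD")
    elif mac == "MD5":
        report.findings.append("HMAC-MD5 integrity: MD5 is broken; prefer an AEAD suite")
    if not report.forward_secrecy:
        report.findings.append("static key exchange: no forward secrecy; a leaked server key "
                               "decrypts recorded sessions; prefer DHE/ECDHE")
    return report


def audit_negotiated(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, SuiteReport]:
    """Negotiate with this machine's default client policy and audit the result.

    Negotiation is client-driven, so this shows only what this client and the
    server agreed on; other clients (old mobile browsers, bots) may differ."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
    return version, audit_suite(name)


if __name__ == "__main__":
    # Constructed sample: the suite described in the thread beside better ones.
    for suite in ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"):
        r = audit_suite(suite)
        print(f"{suite}: kx={r.kx} mode={r.mode} mac={r.mac} fs={r.forward_secrecy}")
        for finding in r.findings:
            print("  -", finding)
```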

[Dspace-tech] Extract (Unnecessary) metadata with Harvested Items

2014-09-15 Thread Hayden Young
When I harvest from another DSpace instance I am getting additional 
metadata information attached to the item. These include 
dc.date.updated, dc.identifier, etc. Is it possible to configure the 
harvester to not add these extra metadata values?

Cheers


Hayden



[Dspace-tech] DSPACE - Statistics issue

2014-09-15 Thread Naveen Srinivasan
Hello Everyone,

I am new to DSpace. I am looking at the installed version to fix the issue.

Issue: after logging in to the repository, clicking the Statistics link under
the Administrative section does not produce any output. I get the message
"There are currently no reports available for this service. Please check back
later."

My question is how to find the installed version? I verified most of the cfg
files, but no luck.

Second, how do I get the statistics? I came to know that cron jobs should be
scheduled, but to schedule them the files below are required, which I am not
able to find in my bin directory:
 [dspace]/bin/stat-general
 [dspace]/bin/stat-monthly
 [dspace]/bin/stat-report-general
 [dspace]/bin/stat-report-monthly

Please help me on this, how to make this work? Thanks in advance


Regards,
Naveen
Mob : (312) 774-1687

Re: [Dspace-tech] Compare repositories

2014-09-15 Thread Michael Guthrie
Awesome, thanks a lot!

On 15 September 2014 15:42, Hilton Gibson  wrote:

> Hi Michael
>
> Done. Thx for the info.
>
> Cheers
>
> hg
>
> *Hilton Gibson*
> Ubuntu Linux Systems Administrator
> JS Gericke Library
> Room 1025C
> Stellenbosch University
> Private Bag X5036
> Stellenbosch
> 7599
> South Africa
>
> Tel: +27 21 808 4100 | Cell: +27 84 646 4758
>
> On 15 September 2014 16:04, Michael Guthrie  wrote:
>
>> Hi Hilton
>> I would like to get our hosted repository service and open source
>> repository software added to the list.
>> What's the best way of doing that?
>> www.knowledgearc.com
>> Best regards,
>> Michael
>>
>> mich...@knowledgearc.com
>>
>> On 15 September 2014 06:48, Hilton Gibson 
>> wrote:
>>
>>> Hi
>>>
>>> Here is the beginning of a draft:
>>> http://wiki.lib.sun.ac.za/index.php/List_of_Repository_Software
>>> Help with info and suggestions would be welcome.
>>>
>>> Cheers
>>>
>>> hg
>>>
>>> *Hilton Gibson*
>>> Ubuntu Linux Systems Administrator
>>> JS Gericke Library
>>> Room 1025C
>>> Stellenbosch University
>>> Private Bag X5036
>>> Stellenbosch
>>> 7599
>>> South Africa
>>>
>>> Tel: +27 21 808 4100 | Cell: +27 84 646 4758
>>>
>>> On 15 September 2014 07:30, P.Hadadan (NW) 
>>> wrote:
>>>
 Dear All,

 Please compare dspace, vivo, fedora, alfresco and more as repository.





 Sincerely,

 *P.Hadadan | *Senior Software Developer

 NotionWave | Toronto, Canada

 P.Hadadan [at] notionwave [dot] com





>>>
>>>
>>>
>>>
>>
>>
>
--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Re: [Dspace-tech] DSPACE: (discovery) Is it possible to show a specific sidebarFacets for a specific collection?

2014-09-15 Thread Johanne Crête
Hi David,

I summarize all the steps that I have to execute to show a specific sidebarFacet for a
specific collection:

1-  I add “” to the
“searchFilters” under the “defaultConfiguration”

2-  I add “” to the
“searchFilters” under the “EdusConfiguration”

3-  “index-discovery -b”

4-  I restart the servlet container (Tomcat)

RESULT: the sidebarfacet appears for the collections “defaultConfiguration”
and “EdusConfiguration”

5-  I delete “” from the
“searchFilters” under the “defaultConfiguration”

RESULT: the sidebarfacet appears on the “EdusConfiguration”, only on the
specific collection. It’s exactly what I want, but….

6-  The problem is here: if I execute “index-discovery -b” after step
5, then restart the servlet container (Tomcat), the sidebarfacet disappears
completely!

Thanks!

__
Johanne Crête
IT Technician
Service des bibliothèques et archives, Université de Sherbrooke
Sherbrooke (Québec) J1K 2R1 CANADA
johanne.cr...@usherbrooke.ca
(819) 821-8000, ext. 66294




From: David Cook [mailto:dc...@prosentient.com.au]
Sent: 11 September 2014 20:36
To: Johanne Crête; 'Terry Brady'
Cc: dspace-tech@lists.sourceforge.net
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a specific
sidebarFacets for a specific collection?

Hi Johanne:

Did you also add “” to “” under “defaultConfiguration”? If so, that would be
incorrect.

You just need “” under “” under “defaultConfiguration”.

The “EdusConfiguration” that you posted originally looks good. You just need 
the “” under the 
“defaultConfiguration” “searchFilters” for some strange reason. Yes, I do think 
it’s a bug. I’ve already logged it here: 
https://jira.duraspace.org/browse/DS-2132. However, I would appreciate any 
comments you have to add to the bug.

So, to re-iterate, you want “” to 
show up under “searchFilters” and “sidebarFacets” for “EdusConfiguration”, and 
ONLY under “searchFilters” for “defaultConfiguration”. After that, 
“index-discovery -b” and restart Tomcat. If I understand you correctly, that 
should show the Description Journal facet only for the handle associated with 
“EdusConfiguration”.

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007

From: Johanne Crête [mailto:johanne.cr...@usherbrooke.ca]
Sent: Thursday, 11 September 2014 11:58 PM
To: David Cook; 'Terry Brady'
Cc: dspace-tech@lists.sourceforge.net
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a 
specific sidebarFacets for a specific collection?

Thanks for your answer.

Like you wrote, if I add “” to the
“searchFilters” under the “defaultConfiguration” and then “index-discovery
-b”, then restart your servlet container (Tomcat), the sidebarfacet is shown.
It’s great, but the facet appears at the upper level.

After that, I just delete the added “” from the “searchFilters” under the “defaultConfiguration” WITHOUT
“index-discovery -b”. The sidebarfacet appears just for the specific collection!
Is it a bug? Because, to keep this sidebarfacet, I can’t run “index-discovery
-b”!

__
Johanne Crête
IT Technician
Service des bibliothèques et archives, Université de Sherbrooke
Sherbrooke (Québec) J1K 2R1 CANADA
johanne.cr...@usherbrooke.ca
(819) 821-8000, ext. 66294




From: David Cook [mailto:dc...@prosentient.com.au]
Sent: 9 September 2014 03:06
To: 'Terry Brady'; Johanne Crête
Cc: dspace-tech@lists.sourceforge.net
Subject: RE: [Dspace-tech] DSPACE: (discovery) Is it possible to show a specific
sidebarFacets for a specific collection?

Hi Johanne:

You might need to add “” to the 
“searchFilters” under the “defaultConfiguration” as well.

I think it’s a bug, but I’ve noticed that I can only get custom facets to show 
up in non-default configurations, if I have the bean referenced in the 
defaultConfiguration searchFilters.

Try following my suggestion, then “index-discovery -b”, then restart your
servlet container (Tomcat, Jetty, etc.).

I bet you that does the trick ;).

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007

From: Terry Brady [mailto:terry.br...@georgetown.edu]
Sent: Thursday, 4 September 2014 5:36 AM
T

Re: [Dspace-tech] Compare repositories

2014-09-15 Thread Hilton Gibson
Hi Michael

Done. Thx for the info.

Cheers

hg

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758


[Dspace-tech] Send Harvested Items to Workflow

2014-09-15 Thread Hayden Young
I have a collection which is harvesting from another DSpace archive. The 
requirement is to send harvested items to workflow until they are 
checked and published.

How is this achieved?

Cheers


Hayden



Re: [Dspace-tech] Compare repositories

2014-09-15 Thread Michael Guthrie
Hi Hilton
I would like to get our hosted repository service and open source
repository software added to the list.
What's the best way of doing that?
www.knowledgearc.com
Best regards,
Michael

mich...@knowledgearc.com


Re: [Dspace-tech] Compare repositories

2014-09-15 Thread Hilton Gibson
Hi Lighton

Thx! Updated the wiki page:
http://wiki.lib.sun.ac.za/index.php/List_of_Repository_Software with your
references.

Cheers

hg

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758


Re: [Dspace-tech] Recommended TLS cipher suite for sites using HTTPS

2014-09-15 Thread Alan Orth
Stuart,

Interesting that you consider Mozilla's guidelines too strict.
Bettercrypto.org's are even more so. :)

For reference, I use a "stricter" config than Mozilla's in that I
disallow SSLv3 (as even XP supports TLS 1.0), and I get an A+ on the
Qualys SSL test:

https://www.ssllabs.com/ssltest/analyze.html?d=cgspace.cgiar.org

TLS is fun, isn't it?!

Alan

On 09/15/2014 01:20 AM, Stuart Yeates wrote:
>
> I use a verifier to check my config:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=exams.victoria.ac.nz
>
> Note that my settings are less secure than I might like, because
> increasing them causes some platforms (especially mobile platforms) to
> fail to access the content, while leaving nothing useful in the logs.
>
> Personally I find the Mozilla advice a little strong on the "force
> users with outdated browsers to update" approach.
>
> It's also possible to force users who login to use more secure
> credentials than those who just access content, if you can assume that
> only admin staff login from their desktops with recent browsers.
> There's an example on
> https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
>
> Cheers
>
> stuart
>
>
> *From:* Alan Orth [mailto:alan.o...@gmail.com]
> *Sent:* Sunday, 14 September 2014 7:39 p.m.
> *To:* Ivan Masár
> *Cc:* dspace-tech@lists.sourceforge.net
> *Subject:* Re: [Dspace-tech] Recommended TLS cipher suite for sites
> using HTTPS
>
> Hi, Hilton.
>
> Thanks for your reply.  First, I'd like to point out that I reverse
> proxy DSpace via nginx (and Apache httpd a few years ago).  The
> decision to put nginx / httpd in front of Tomcat was made partially on
> the fact that it's easier to configure HTTPS in those servers than
> Tomcat, and nginx supports more modern crypto than Apache httpd or
> Apache Tomcat.  Also mod_rewrite and vhosts etc. were easier.
>
> Your HTTPS configuration could use several improvements.  Attached is
> a screenshot of the negotiated cipher suite as seen in Chrome in
> GNU/Linux.  Of note:
>
> - The connection is encrypted using AES CBC.  AES is government-grade
> security, but implemented in CBC mode it is vulnerable to padding
> oracle attacks (see BEAST and Lucky13)[0].  It is recommended to use
> GCM mode (Galois/Counter Mode).
>
> - Message authentication (MAC, basically a hash or fingerprint) is
> using SHA1, which is of course very old and started showing weaknesses
> in academic circles and was first shown to be broken in 2005[1].
>
> - Your connection is using Diffie-Hellman Ephemeral, which is good!
> Ephemeral means that there is a temporary secret used in the HTTPS
> negotiation that is thrown away after the session. In the scenario
> that an adversary (NSA?) gets your HTTPS key and records secure
> traffic, they won't be able to decode those sessions.  This is called
> 'forward secrecy' (sometimes "perfect" forward secrecy).
>
> Other than that, your HTTPS certs are signed using SHA1, which has
> been deprecated by all major browsers in favor of SHA2[2].
>
> It's kinda overwhelming, but using the Mozilla cipher list will get
> you started.  They are a list of safe defaults which take into account
> most of the latest information we have on cryptography.
>
> Hope that helps,
>
> [0] https://wiki.mozilla.org/Security/Server_Side_TLS#Attacks_on_TLS
>
> [1] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> [2] https://sha.com/
>
>
> On Sat, Sep 13, 2014 at 10:35 PM, helix84 wrote:
>
> On Sat, Sep 13, 2014 at 9:05 PM, Hilton Gibson wrote:
> > Who is the arbiter of "safe ciphers"?
> > I am not a cipher expert.
>
> There's no arbiter. The set changes over time as new vulnerabilities
> are found in existing ciphers and new ciphers are developed to
> mitigate those attack vectors. A cipher might look good on paper, but
> only widespread use reveals its weaknesses. Then there is the natural
> deprecation of shorter key sizes, which is required as new computers
> get faster. Furthermore, errors exist in PRNGs, which encryption
> vitally depends on. The only way is to keep up to date on this
> information. That's why the Mozilla list Alan mentioned helps - they
> watch it for you and give you their recommendations.
>
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
> --
>
> Alan Orth
> alan.o...@gmail.com
> http://alaninkenya.org
> http://mjanja.co.ke
> "In heaven all the interesting people are missing." -Friedrich Nietzsche
>
> GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
>

-- 
Alan Orth
alan.o...@gmail.com
http://alaninkenya.org
http://mjanja.co.ke
"I have always wished for my computer to be as easy to use as my telephone; my 
wish has come 
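The properties Alan lists in the thread above (AES in CBC mode, an HMAC-SHA1 record MAC, ephemeral Diffie-Hellman) are exactly what an audit of the suites a server offers should check. The Python below is an added example, not code from this thread, from DSpace, or from Mozilla; it parses IANA cipher-suite names from a constructed sample list (not any listed site's real configuration), flags those properties, and orders the suites the way a server-preferred list should.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the suite shape Alan's Chrome screenshot describes
# (DHE key exchange, AES-CBC, HMAC-SHA1) next to suites from the GCM /
# ECDHE family the thread recommends, plus two deliberately bad ones.
SAMPLE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# IANA naming: TLS_<key exchange[_auth]>_WITH_<cipher>_<mode>[_<hash>]
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")
_AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}


@dataclass
class SuiteAudit:
    name: str
    key_exchange: str        # e.g. "ECDHE_RSA"
    forward_secrecy: bool    # ephemeral (EC)DH: a leaked server key does not decrypt old traffic
    cipher: str              # e.g. "AES_128_GCM"
    aead: bool               # integrity is built into the cipher mode, no separate MAC
    mac: str                 # "SHA" means HMAC-SHA1; "AEAD" when the mode covers it
    findings: list = field(default_factory=list)

    @property
    def recommended(self) -> bool:
        return not self.findings


def audit_suite(name: str) -> SuiteAudit:
    """Classify one IANA cipher-suite name by the properties the thread discusses."""
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    kx = m.group("kx")
    tokens = m.group("rest").split("_")
    # The trailing SHA*/MD5 token is the HMAC for CBC/stream suites but only
    # the PRF hash for AEAD suites; CCM suites carry no hash token at all.
    has_hash = tokens[-1].startswith(("SHA", "MD5"))
    hash_tok = tokens[-1] if has_hash else ""
    cipher_tokens = tokens[:-1] if has_hash else tokens
    aead = bool(_AEAD_TOKENS & set(cipher_tokens))
    fs = kx.startswith(("DHE", "ECDHE"))
    mac = "AEAD" if aead else hash_tok

    findings = []
    if "anon" in kx:
        findings.append("anonymous key exchange: no server authentication")
    if not fs:
        findings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if "NULL" in cipher_tokens:
        findings.append("NULL cipher: no confidentiality")
    elif "RC4" in cipher_tokens:
        findings.append("RC4: biased keystream, prohibited for TLS (RFC 7465)")
    elif "3DES" in cipher_tokens:
        findings.append("3DES: 64-bit block cipher")
    if "CBC" in cipher_tokens:
        findings.append("CBC mode: padding-oracle class attacks; prefer an AEAD mode such as GCM")
    if mac == "MD5":
        findings.append("MD5 record MAC")
    elif mac == "SHA":
        findings.append("HMAC-SHA1 record MAC")
    return SuiteAudit(name, kx, fs, "_".join(cipher_tokens), aead, mac, findings)


def server_preference_order(names):
    """Clean AEAD+PFS suites first, then by increasing number of findings
    (stable sort, so the input order breaks ties)."""
    audits = [audit_suite(n) for n in names]
    audits.sort(key=lambda a: (len(a.findings), not a.aead, not a.forward_secrecy))
    return [a.name for a in audits]


if __name__ == "__main__":
    for n in server_preference_order(SAMPLE_SUITES):
        a = audit_suite(n)
        print(f"{n:48} {'OK' if a.recommended else '; '.join(a.findings)}")
```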

Re: [Dspace-tech] Compare repositories

2014-09-15 Thread emilio lorenzo

Another reference: http://unesdoc.unesco.org/images/0022/002271/227115E.pdf

It is recent (April 2014) but I personally don't like this, because
although it is edited by UNESCO, it is made by one of the parties,
bepress (sounds strange).


Emilio


On 15/09/2014 7:48, Hilton Gibson wrote:

Hi

Here is the beginning of a draft: 
http://wiki.lib.sun.ac.za/index.php/List_of_Repository_Software

Help with info and suggestions would be welcome.

Cheers

hg

*Hilton Gibson*
Ubuntu Linux Systems Administrator
JS Gericke Library
Room 1025C
Stellenbosch University
Private Bag X5036
Stellenbosch
7599
South Africa

Tel: +27 21 808 4100 | Cell: +27 84 646 4758


Re: [Dspace-tech] Compare repositories

2014-09-15 Thread Lighton Phiri
Perhaps this [1] 2010 repository survey might be of help, although it 
does not include some of the tools you listed. In addition, please also 
see these [2, 3]


[1] http://www.rsp.ac.uk/start/software-survey/results-2010
[2] http://www.wseas.us/e-library/conferences/2010/Faro/DNCOCO/DNCOCO-16.pdf
[3] http://www.ariadne.ac.uk/issue64/fay

--
Lighton Phiri
http://lightonphiri.org

On 15/09/2014 07:30, P.Hadadan (NW) wrote:


Dear All,

Please compare dspace, vivo, fedora, alfresco and more as repository.

Sincerely,

*P.Hadadan | *Senior Software Developer

NotionWave | Toronto, Canada

P.Hadadan [at] notionwave [dot] com


