Re: [Sks-devel] HKPS + ssl + nginx

2015-08-01 Thread Daniel Roesler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Here's the nginx config I use for my server. This setup tries
to be the most secure with HTTPS and HSTS with cert pinning.
Also, the cipher list is 100% forward secrecy and uses a strong
4096 dhparam.

Unfortunately, the only downside is that if you visit
http://sks.daylightpirates.org:11371/ using Firefox or Chrome,
your browser will try to force https (since the domain cert is
pinned in those browsers), and I can't use https over that
port. Not a problem for normal keyserver usage via gpg, but
it's confusing for someone who clicks on my domain in the
sks-keyservers.net list.

Daniel

###

server {
    # HTTPS on the server's own name, proxied to the local SKS daemon
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name sks.daylightpirates.org;

    ssl on;
    ssl_certificate sks.daylightpirates.org.crt;
    ssl_certificate_key sks.daylightpirates.org.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ECDHE/DHE suites only, so every negotiated cipher is forward secret
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_dhparam /etc/nginx/sks.daylightpirates.org.dhparam;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    # HTTPS for the pool names, selected by SNI, using the pool certificate
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    ssl on;
    ssl_certificate pool.sks-keyservers.net.crt;
    ssl_certificate_key pool.sks-keyservers.net.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    # Plain HKP on the standard keyserver port
    listen 104.131.30.118:11371;
    listen [2604:a880:800:10::688:e001]:11371;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    # Plain HTTP on port 80
    listen 104.131.30.118:80;
    listen [2604:a880:800:10::688:e001]:80;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

###


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] Monit and Munin script for sks server

2015-08-01 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 08/01/2015 04:25 PM, Arnold wrote:
> On 19-07-15 17:58 +0200, Kristian Fiskerstrand wrote:
> 
> Looking at https://sks-keyservers.net/status/  I see
> 
>> These statistics were last updated: 2015-07-19 19:35 (UTC)
> 
> Kristian, did you update something on the monitoring that did not
> turn out as expected? ;-)
> 

Thanks for the nudge, just did a manual update and don't see any
issues, so will monitor it a bit and see if it persists.


-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJVvQ2pAAoJECULev7WN52F0E4H/RGfyKOp/ntIckpANPWs7mlJ
Ouz9U48ettILOOs1a+MPsfTsMD5zaCvFVmtc4zSqPsf0lgzrt31OxwXO9raeM+oz
YO2fqRtHA6OAZiPinQNRFoQhRq5VY2Lnhw51Z7BuJPkG2yVVT4RT+Nx26amQRpnw
KyDWUjWNFxkAHbXLtFMKo9iE6BWB5ITnX0TVsF1MnixPPpCdCCw/wNPn4orcoqlx
qPknJFzrT0YPJaqubJUAv5V8CvSchHDRJppOIY2KBXgOaGmyI/64EA42loT5wmwQ
F4ZK62dTgr6wf+62TKha4qbzjRPTDnj2iT4Pn/mtYD2ibIDXj36PrxJXcuiTvXo=
=Zpbo
-END PGP SIGNATURE-



[Sks-devel] 4 million keys

2015-08-01 Thread Alain Wolf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On 01.08.2015 at 16:25, Arnold wrote:
> On 19-07-15 17:58 +0200, Kristian Fiskerstrand wrote:
> 
> Looking at https://sks-keyservers.net/status/  I see
> 
>> These statistics were last updated: 2015-07-19 19:35 (UTC)
> 
> Kristian, did you update something on the monitoring that did not
> turn out as expected? ;-)
> 

Oh no, I just missed the 4 million keys mark because of that.

https://pgpkeys.urown.net/stats/
Total number of keys: 4.002.656

https://sks-keyservers.net/status/info/pgpkeys.urown.net
Keys: 3,993,010



Re: [Sks-devel] HKPS + ssl + nginx

2015-08-01 Thread Alain Wolf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512



On 31.07.2015 at 01:05, Mike Forbes wrote:

> So now begins the task of trying to make HKPS and SSL and SKS all work
> together.
> 
> Currently we're serving up our main pgp pages with our own SSL cert
> (https://pgp.net.nz)
> 
> If we were to serve this using the HKPS cert I imagine it would throw
> a certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.
> 
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
> 
> Our nginx config pushes all requests on port 80 to 443, then has a
> location section for /pks that points to the locally running sks
> daemon on 127.0.0.1:11371
> 
> I'd love to hear how others have managed this.
> 

I haven't tried it, as I don't have any SKS cert.
But an additional virtual nginx server using
*hkps.pool.sks-keyservers.net* as *servername* on port 443 and the
appropriate *ssl_certificate* and *ssl_certificate_key* should probably
do it.

Probably should be the default, so any client can use it, and browsers
can get to the one with your own cert by SNI.

Personally I use *Public-Key-Pins* and *Strict-Transport-Security*
instead of HTTP redirects, as we are not really sure how the various
pgp-clients handle the HTTP redirects.


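The two replies above (Daniel's posted config with its forward-secrecy-only cipher list and HSTS header, and Alain's suggestion of a separate SNI-selected vhost carrying the pool certificate) both come down to "which server block answers for which name, and what TLS posture does it have". The following script is an added example, not code from the thread or from the SKS project: it parses a small constructed nginx config (hypothetical names `pgp.example.org` and `203.0.113.10`, modelled on the posted blocks), resolves an SNI host name to a server block using nginx's documented precedence (exact name, longest `*.`-prefixed wildcard, longest `.*`-suffixed wildcard, else the first block on that address), and lints each TLS block for non-forward-secret suites, DHE suites offered without `ssl_dhparam` (where nginx, depending on version, either falls back to a built-in group or silently drops DHE), legacy protocol versions, and a missing or inconsistent HSTS header. The parser covers only the directive subset used here.

```python
"""Added example (not from the thread): offline checker for an nginx HKPS
layout. Sample config is constructed here with hypothetical names."""
import re
from dataclasses import dataclass, field

# Constructed sample: an own-cert vhost serving /pks, plus a second vhost on
# the same address answering for the pool names with the pool certificate.
SAMPLE_CONFIG = """
server {
    listen 203.0.113.10:443;
    server_name pgp.example.org;
    ssl_certificate pgp.example.org.crt;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES128-SHA;
    location /pks {
        proxy_pass http://127.0.0.1:11371/pks;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    }
}
server {
    listen 203.0.113.10:443;
    server_name *.sks-keyservers.net *.pool.sks-keyservers.net keys.gnupg.net;
    ssl_certificate pool.sks-keyservers.net.crt;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_dhparam /etc/nginx/dhparam.pem;
    location / {
        proxy_pass http://127.0.0.1:11371/;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    }
}
"""

@dataclass
class Server:
    listen: list = field(default_factory=list)
    names: list = field(default_factory=list)
    directives: dict = field(default_factory=dict)   # last value wins
    headers: dict = field(default_factory=dict)      # add_header name -> value

def parse(text):
    """Minimal parser for the directive subset above; location blocks are
    flattened into their server so headers set there are visible."""
    servers, cur, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"server\s*\{", line):
            cur, depth = Server(), 1
            servers.append(cur)
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            cur = cur if depth else None
        elif cur is not None:
            key, _, val = line.rstrip(";").partition(" ")
            val = val.strip()
            if key == "listen":
                cur.listen.append(val)
            elif key == "server_name":
                cur.names.extend(val.split())
            elif key == "add_header":
                name, _, hval = val.partition(" ")
                cur.headers[name] = hval.strip().strip('"')
            else:
                cur.directives[key] = val
    return servers

def _wildcard_len(pattern, host):
    """Length of a matching nginx wildcard name, or 0 if it does not match."""
    if pattern.startswith("*.") and host.endswith(pattern[1:]) and len(host) > len(pattern) - 1:
        return len(pattern)
    if pattern.endswith(".*") and host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1:
        return len(pattern)
    return 0

def select_server(servers, listen, host):
    """Server block nginx picks for one listen address and SNI name: exact name,
    then longest '*.' wildcard, then longest '.*' wildcard, else the first block
    on that address (regex names are not modelled)."""
    candidates = [s for s in servers if listen in s.listen]
    if not candidates:
        return None
    host = host.lower()
    for s in candidates:
        if host in s.names:
            return s
    for kind in ("*.", ".*"):
        best, best_len = None, 0
        for s in candidates:
            for n in s.names:
                ok = n.startswith(kind) if kind == "*." else n.endswith(kind)
                mlen = _wildcard_len(n, host) if ok else 0
                if mlen > best_len:
                    best, best_len = s, mlen
        if best:
            return best
    return candidates[0]   # nginx's implicit default server for the address

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

def lint_tls(server):
    """Findings for one TLS server block (empty list means nothing flagged)."""
    findings = []
    ciphers = [c for c in server.directives.get("ssl_ciphers", "").split(":") if c]
    non_fs = [c for c in ciphers if not c.startswith(("ECDHE-", "DHE-"))]
    if non_fs:
        findings.append("non-forward-secret ciphers offered: " + ", ".join(non_fs))
    if any(c.startswith("DHE-") for c in ciphers) and "ssl_dhparam" not in server.directives:
        findings.append("DHE ciphers listed but no ssl_dhparam set")
    legacy = [p for p in server.directives.get("ssl_protocols", "").split() if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    hsts = server.headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
        findings.append("HSTS preload requested without includeSubDomains")
    return findings

def check_config(text):
    """Lint every TLS-enabled server block, keyed by its first server_name."""
    return {s.names[0]: lint_tls(s) for s in parse(text) if "ssl_certificate" in s.directives}

if __name__ == "__main__":
    servers = parse(SAMPLE_CONFIG)
    for host in ("hkps.pool.sks-keyservers.net", "pgp.example.org", "keys.gnupg.net"):
        chosen = select_server(servers, "203.0.113.10:443", host)
        print(f"{host:32} -> {chosen.directives['ssl_certificate']}")
    for name, findings in check_config(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

Run as a script it prints which certificate a GnuPG client asking for `hkps.pool.sks-keyservers.net` receives versus a browser asking for the site's own name, and then the findings per vhost: in the sample, the own-cert block is flagged for the non-forward-secret `AES128-SHA` suite and for offering DHE without `ssl_dhparam`, while the pool block is flagged only for TLS 1.0/1.1. Point `parse()` at a real file's contents to check a live layout.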


Re: [Sks-devel] Monit and Munin script for sks server

2015-08-01 Thread Arnold
On 19-07-15 17:58 +0200, Kristian Fiskerstrand wrote:

Looking at https://sks-keyservers.net/status/  I see

> These statistics were last updated: 2015-07-19 19:35 (UTC)

Kristian, did you update something on the monitoring that did not turn out as
expected? ;-)

Kind regards,
  Arnold



Re: [Sks-devel] HKPS + ssl + nginx

2015-08-01 Thread ma...@wk3.org
On Fri, 31 Jul 2015 11:05:15 +1200
Mike Forbes wrote:

> If we were to serve this using the HKPS cert I imagine it would throw
> a certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.

If you want to use hkps.pool.sks-keyservers.net with GnuPG you have to download
and configure the CA certificate. That's at least how it is explained in
https://help.riseup.net/en/security/message-security/openpgp/best-practices/#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections .

So maybe this also answers the rest of your questions?


Sincerely,

Malte
