Re: [Sks-devel] HKPS certificate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am 17.05.2015 um 06:52 schrieb Christian Felsing: > Hi, > > I am wondering, if CAcert would offer CA solutions to handle this > type of "special" applications. I can imagine a sub CA which offers > a web service (authenticated by a specific client certificate) to > sign server certificates for that purpose. > The server certificates issued by CAcert already include the XMPP server name extensions in the SANs of the certificate as well as the necessary purpose flags to use them as client certificates. That way they can be used for authenticating servers to each other (cf. Debian BTS #747453). In fact: I'm using CAcert certificates on my server nearly exclusively (except for the SKS PKI). The problem with the SKS PKI is the missing CRL/OCSP infrastructure, which we should strongly encourage Kristian to set up ASAP if he wants to maintain his own root. That's something CAcert COULD provide as part of an (special kind of) Organization Assurance in a new Policy (maybe in a new subroot), BUT CAcert has a quite strong stance on not allowing subroots that are not maintained by us. Also the way Organization Assurance is implemented right now you won't get domains outside your organization included in certificates. But this limitation could be resolved with a CPS change introducing support for HA server pools - which might be of interest outside the SKS pool. > Christian > > > Am 16.05.2015 um 23:36 schrieb Benny Baumann: >> Which lead to the situation that I specifically need to disable >> OCSP stapling in my nginx for those 3 domains. > Kind regards, Benny Baumann CAcert SoftWare Assessment Team CAcert OpenPGP SKS Admin Team* CAcert Infrastructure Team *Yes, CAcert has its own SKS server. It's part of the normal network, but we asked Kristian to not include it in the pool (for reasons). -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJVWFY+AAoJEPHTXLno4S6tz2wQAKhvO6gysVpSfkP9b2e4pu2d mA5yhu2BgSzRoQSOgzlGU/XLY4kZ8whnUujDBbwKcRWggkhkpTJw3D07oWCfnaxd T/YnrQEQQKLlbvX2jDEN19CEYLMutNwhAptw4RPh0fef3s24Gb4Dog1J3YAP2PF1 hogjbU4afN/TgCS9dSdRIaGgFzaW7agnRC8ZMZWS1MveVb9rx75AFqNjG6skRQq7 V3NE/fZIEH7LEmzvEF2yqYdtI9J6DA0Jp4zQhO+9fkLnX2p7gZsZVTFTvTgmW/Rr N6MCWEnPC/442NAWtCRiZU1V19DyQS5FU5t/kHf027up8CqSiJ/X2G3VOyk1weMS 5ffPnlSx7SsQFpz8v//iVawe7IcIIJnUTW2h5dyvHL9yIZNyyDh8oOoX+n8DRrrY ODevgXSPqkVNs8nhiN5rmbdoSOibr9CXNLV1/CkpYNsdBpBo5EJKwR0uYTyCEyIJ XzzK24fNTrKaS0PCz5MSGnvYLxfIpqWYR1zAlf55sgSDy/aZVXKeYU1dFoHoKKM4 w5wlUSlPjfiNlvhYwiphvPxVFNhItSSVYmRMWXwiTNcfAFoiHkDHKo2qanINfUgw piVKNvaDq1fhOxicNsAPUZpRJ4UhcYxVVV/tiXy+9EiiS3eI/p5YU5EK0z5BrM/s 0Pc3DRx/ZcVyzkcX5erS =Qk/y -END PGP SIGNATURE- ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] HKPS certificate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, Am 14.05.2015 um 13:02 schrieb Christiaan de Die le Clercq: > Hi! > > I am wondering if I can still get a certificate for > keys.techwolf12.nl, my server has been stable for over 3 months now > and I would like to add an extra layer of security. Last time I contacted Kristian about certificates for HKPS it ended in me asking nasty questions about missing CRL and OCSP URIs in the certificates making them practialy irrevocable ... Which lead to the situation that I specifically need to disable OCSP stapling in my nginx for those 3 domains. > > I've emailed Kristian a few times now without getting a response. Might take a few days for him to reply. Be patient. > > Does anyone know how to get an certificate? Actually you send a CSR to Kristian and get your signed certificate back. Which reminds me: I should send Kristian two new CSRs for server aliases of my key server ;-) Regards, BenBE. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJVV7hCAAoJEPHTXLno4S6tN/AP/jp0BOI3ZHRrgTRs9so/NDNv 9pjmIwZpnb1hczkl39/EsjsMCAWcIh0xVHWzOhuhl6nTabzj+dwRTXdNwuNqnf36 eRIl+Lk+pNRhk76ClC9z4576yC6eZCjabeILnzdpWYzd0fY3rSKHSQtJQXiGQqxm yXeF8cAeFexZE/0mhICb7nnZ9y/hK3bEKjadTHVFaD+DNOfnnxgMCLrHzyEPYkgM yuxqNILa8yVI1/BCmmQZigKqxgxSWmMyfFCMi7JV7vwM3794Wq+qNdqxBbFE6lG3 5QscMukaeCZh5zCg/n85Us4UxbjB5EoCBj9D95MdxwQ1ufcsHNsQKcMcY4JkI63u 34+YKFQEKGbShgtli26RjK/PM+mG1tx7+V0w/Gjl8Dkjnyc4xLqJPIjueWGqgQce Ac0MnOZAOglkbKHsWzH6VN4dAebqOxRkt327ZUV0EO3DWDzP0n7YbZuygkPyVQOe 3ZiahaS3Oq6+2MlyzeyZKZzcxV/RaGPaPz6f/TVWprv82hgmALdbbYyHksjb5pA1 k5Y0JeqRvmHxMtLFNgkhM+kkg7j+VRGGo5ru3TOnM+MyvYMh5PEkv11KJFtJjELg NNfcigNhkC2G03+fi7LPMoALyZGqlrRaz8GnbTLKVU2T1vEXzmp08Plbym/yU8x7 nnHP2uEr5hw3AQZroTYN =G7pY -END PGP SIGNATURE- ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] Pre-Announcement: Move of pgp.benny-baumann.de
Hi, I just want to pre-announce that my keyserver at pgp.benny-baumann.de will be moving to new hardware and therefore new IP addresses soon. I'm currently organizing some stuff, thus I can't provide the new information for after the move yet. I'll do so once I know them and the server with the new setup is online. In addition there will be a new server pgp.security.fail which will be a HA-Setup using a combined SKS/Conflux instance behind a nginx and mod_gnutls for SSL. The old pgp.benny-baumann.de will forward to the Conflux/Hockeypuck) part of the setup. If you want to peer with this new setup, drop me a mail; but be patient for replies as I have to still setup some stuff. Kind regards, BenBE. ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] 1.1.5 is in wheezy-backports
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Am 11.06.2014 06:41, schrieb John Zaitseff: > Hi, Gabor, > >>> Another small note: the directory should be /var/backups/sks (plural >>> "backups", not singular "backup") for consistency with the FHS. >> >> It is my typo. Script uses correct path. > > Not on my machine it didn't! :-) Version 1.1.5-1, postinst line 94 and > postrm line 5. > > By the way, I think the contents of /var/lib/sks/www should be > conffiles, too... Seconded. Also the backups should be cleaned up if not within the third most recent ones nor done today. > > > John > -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTmAbhAAoJEPHTXLno4S6tPG8QAM4mkUCV2ckUwc98O+kz4NXM oYLShXJOVGwXG12kwepkwXiKZfFsJjeYeucPhHh1nXs875q/c/2owqObbHUouEZs E55zEhYicE49g2H/BRu8MHbWJdL1TAtTRDPWlyUjRunqulCSs9cM1X1qlePcQQCt tH07KdNl/dDZaxvs2SmfwXCEhj9yNqO9iwYi2dnwfvoakeGrR1szh7ozk1wt9Ujm TZou4sKzrItTuyjGNLrmuvUhUAPuZdp35ScX52tVoaUdgDppwBhoi0sxFqrB1+Yl 6L4vQ6Hn8HqyqmNmjz9cW0yif+jGRB6hZRmmGHmRGuMSQ/IDSSen1hdpHB2oGpoe FOQuLZVaBG6RqqJIxd9xWw6u9azih5VE8ypbDZMdWh+Cztf2xfhSUQ8HilzK3TLW /8ddNyS+NrY42wntGOJEAHtjYIbOhVuiU3h+ihzksWZcwN2iZEsKtOlXQCqiRCS6 EUMrddG+4YbyGH3JAzuOFYOgujYdURI2u191pLTaVItkB5sHqqCSqASv+ZfkDhZl mtnQKiHGcvphT267t3MgUEEti1Wxkuot9a9HacpUD/WFnwC+P508ZxTkcyzVjftl YRd+H9KJ7H3RiFbd5a80ALGP92yz39JslkiQ8G8qdp4oE9U2s0echr/1A1NoLzdj HuamARmg1XnIsNaRNemF =efko -END PGP SIGNATURE- ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] HPKS Certificates and Revokation?
Hi folks, hi Kristian, I just had a review of my cert after I got hinted on a small, but essential problem with the HPKS certificates: They contain no revokation information. Neither CRL nor OCSP. Thus even IF Kristian was going to revoke them, nobody could ever notice (from the certificates alone) because the certificates don't say where to find this information. And while we are at problems in those certificates: The issuer reads C=NO, ST=Oslo, O=... CA, CN=... CA I doubt that Oslo is a state. And to make things even worse, given a correct CSR with C=DE, ST=SH, L=Kiel the certificate I got lacks the L= information, thus the certificate indicates only that it's for somewhere in Schleswig-Holstein (northern part of Germany). Thus I'd like to ask Kristian for the following changes: 1. Reissue all certificates under a new root (might as well be using the same key material) that gets the DN of itself right 2. Reissue all certificates unter this new root with either C, C,L or C,ST,L for the location 3. Ensure EVERY issued certificate contains a CRL extension to know where to download the necessary CRLs to check revokation 4. Ensure EVERY issued certificate contains a OCSP extension so clients can check for revokation using OCSP 4a) (libmoz-pkix requirement) Ensure responses are valid for no longer than 10 days; but better: restrict them to about 5 days at most. 4b) Ensure this responder is reachable via IPv4 and IPv6 and understands dynamic requests 5. Establish an official document specifying minimum key size constraints (at least 4096 bit RSA or equivalent) and a signing policy 5a) Include a link to this document into the certificates Kind regards, BenBE. signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] old certificates
Hi, Am 29.04.2014 12:52, schrieb Kiss Gabor (Bitman): > Dear all, > > A quick scan of certificates used by current HKPS pool members > shows that the following servers have pre-heartbleed certificate: > > a.keyserver.pki.scientia.net Aug 4 15:32:48 2013 GMT > key.adeti.org Mar 9 12:35:57 2014 GMT > key.ip6.liNov 9 14:26:10 2013 GMT > keys.alderwick.co.uk Feb 7 18:22:08 2014 GMT > keys.fedoraproject.orgAug 6 08:22:21 2013 GMT > keys.sflc.infoOct 2 19:57:20 2013 GMT > keys2.alderwick.co.uk Feb 7 18:22:36 2014 GMT > keyserver.codinginfinity.com Jan 9 21:24:09 2014 GMT > keyserver.secretresearchfacility.com Jul 5 00:02:38 2013 GMT > keyserver.secure-u.de Jan 13 19:18:27 2014 GMT Will poke the maintainer accordingly, server probably affected AFAIK. > keyserver.skoopsmedia.net Nov 19 18:24:26 2013 GMT > keyserver.ut.mephi.ru Nov 13 12:45:02 2013 GMT > keyserver.witopia.net Nov 7 22:13:57 2013 GMT > klucze.achjoj.infoNov 13 19:37:55 2013 GMT > pgpkeys.euMar 9 12:48:04 2014 GMT > sks.fidocon.deAug 31 11:22:45 2013 GMT Same person. Same procedure. > sks.karotte.org Jul 4 21:10:30 2013 GMT > sks.mrball.netOct 4 22:02:56 2013 GMT > sks.undergrid.net Nov 14 17:52:09 2013 GMT > zimmermann.mayfirst.org Nov 13 20:49:36 2013 GMT I'm not on the list and if you connect to my server (pgp.benny-baumann.de) you will find it will talk to you using a HKPS certificate - but responds your query with plaintext - which is a known bug in the used wrapper (mod_gnutls combined with mod_proxy). Thus: My server is not affected. Once this issue is fixed you'll find the certificate continued being used. > I bet at least one third of these servers is affected by > Heartbleed Bug. :-) However I cannot figure out which of them. > I ask everybody to declare if they did not use compromised version > of openssl since the start of validity period of certificate. No affected OpenSSL version in the webserver process. > Gabor Regards, BenBE. signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Problem solved - Looking for further peers for 78.47.150.61
Hi, do you happen to have a FQDN for your server? Also please provide the Long Key ID or the full fingerprint for your contact key if possible. Regards, BenBE. Am 27.04.2014 00:55, schrieb Matthias Schreiber: > Hello everyone, > > finally I could manage to solve the DB problems I faced. It turned out > that wrong file access permissions for the sks folders caused the > problems... > > Now I'm looking for further peers. Here again the main information for > the key server: > > - SKS version: 1.1.4 > - address: 78.47.150.61:11371 > - location: Germany > - Connectivity: IPv4 > - Key database: up-to-date (thanks to Martin) > > Please feel free to add the following line: > > 78.47.150.61 11370 # Matthias Schreiber > 0x10D49726 > > Greetings, > Matthias > > ___ > Sks-devel mailing list > Sks-devel@nongnu.org > https://lists.nongnu.org/mailman/listinfo/sks-devel > signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Heartbleed ans HKPS pool
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Folks, Am 09.04.2014 17:38, schrieb Kiss Gabor (Bitman): > Folks, > > Do not forget that all hkps.pool.sks-keyservers.net certificates > should be revoked and replaced after fixing openssl Heartbleed Bug > on vulnerable key servers. (Including mine.) My keyserver at pgp.benny-baumann was NOT affected, because: - - I don't use OpenSSL, but GnuTLS 3.2 > > > Gabor Regards, BenBE. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJTRjrGAAoJEPHTXLno4S6txLcP/RUxeJaeGJMtPvkpO7n0faWv JF2i2GPWUFXotKO74DCbnYMWzogpM6WZ8NvA85qC03ACpEpEvFbjg2RGlXLasCsb Dbzfqmx7Ci4xj3ywhD4hI1rxUFHhfCjY5/ZWVvaMJlyBXOAz6Bh5fOGYVHNuStUD EzVB3P+eXFpto/kZWAg6rXzVb+qdxK0G2SYpIBDi5BGx4P4yISnWKzvd3IyzbfcE 0a6kX0nZuFjZyxz6MUczo8ricT5wbsvxwFuv0dpd1ePEkQXiyrk7/t5iq1RLJX5w Wc0Of7lsruG6O7bC7/lqH8+xj9igquofNJpujE+frfdK72KClPdZ26mdcZS3GaKG B2Es2Cn28U4Defi4ZoRk9tWJU3jNZA2IW4ato6+DPqU4ljWCZXWUKMPu+MkMd2GO 4YiY391CMT99wf7A3ZNGzccEoAuljhNziZce2D+4HJ5IF721Y/t6v+7ljO/T9P/Q KrEQ4KQnSPAXPq9IgVdVqdF4r4U1J6z/48u3PD8hqsm1DrAGdRfHRoivJWUdvydj MGEkikwMK2ken4Wdlkkwx+HdoszJR4ubEOUBTFi6mBV+836nKJwXm8+dZxj3CizV 6w/W7N2N8hcwhSN/ggeROKnF1iOQU5ojh/VmTmahruHQYwC5gmgez9zfWAp2+sG8 yjE0K38rcjsin0edNQPo =RQkI -END PGP SIGNATURE- ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Tuning
Hi, Am 11.02.2014 20:19, schrieb Daniel Kahn Gillmor: > On 02/11/2014 01:58 PM, Benny Baumann wrote: >> Am 11.02.2014 16:59, schrieb Kristian Fiskerstrand: >>> Unless you run it in a clustered setup where the different members >>> calculate it on different times and the frontend passes the request on >>> before timeout :p >> Its almost instantly for my maschine ... > what is almost instantly, Benny? Are you saying that the stats Usually below 5 seconds; thus after restarting the service and switching to the browser I already get useful stats. > calculation returns almost instantly? If so, i wonder why there is such > a variation. How much RAM is available for your machine? what other 8GiB RAM available total; 3 GiB usually used, rest ist available as disk cache. > contention do you have for disk I/O? What kind of disks are you using? RAID1 with two disks. Although before updating the DB settings I hardly got SKS keep up with usual load. > > On a pretty decent machine (zimmermann.mayfirst.org), i'm seeing the > following duration in the logs: > > 2014-02-11 19:17:17 Calculating DB stats > 2014-02-11 19:17:49 Done calculating DB stats > > so that's over half a minute of blocked access. 2014-02-11 20:12:16 Calculating DB stats 2014-02-11 20:12:44 Done calculating DB stats Core i7, 8x2.6GHz > >> IMHO better include a line "updated last at $TIME taking $DURATION seconds. > I like this proposal. > >> Given most servers update their stats at different times and the number >> of keys you are allowed to lag behind being quite small it's more an >> issue of the stats misrepresenting a keyserver which would actually be >> just fine. Either you would need to update the stats for the pool just >> once a day OR update stats on the individual servers more frequently so >> information isn't lagging behind. > I'm not sure what you mean "update the stats for the pool". Do you mean > "update the key size limit" or "check on the stats reported by each > keyserver" or something else? Keep the pool update the server details every hour while also asking the SKS instances to do their stats more frequent (like every 2-6 hours). People who can't affort the resources then could just keep at once every day. > >> I'd advocate for the second option to >> update the stats on the various servers more often as this should reduce >> the fluctuation due to outdated stats pretty good. > If the cost of stats generation was close to zero, i'd agree with you. > But that's not what it looks like to me. If stats generation is > expensive (and blocking), then increasing the regular frequency of stats > generation would mean more frequent failures of systems already in the > pool (since they don't have a way to remove themselves from the pool > during the time they are generating stats). > > --dkg > What about moving the stats update into recon? Regards, BenBE. signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Tuning
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, Am 11.02.2014 16:59, schrieb Kristian Fiskerstrand: > On 02/11/2014 04:53 PM, Daniel Kahn Gillmor wrote: > > On 02/11/2014 10:48 AM, Kristian Fiskerstrand wrote: > >> By default stats are updated once a day, for more than this you > >> need to send a USR2-signal to sks. > > > In particular, you need to send USR2 to "sks db", not "sks recon". > > And note that while "sks db" is calculating stats, it cannot serve > > HKP requests. It can take several minutes or more to calculate the > > stats (depending on the work pattern of the machine), so during > > that time, your keyserver will not be responsive. > > > Unless you run it in a clustered setup where the different members > calculate it on different times and the frontend passes the request on > before timeout :p Its almost instantly for my maschine ... > > I wonder if it would be interesting to record the update stats times > on the servers and use this for exclusion in the pools around the > update time somehow. Are people experiencing any difference to the IMHO better include a line "updated last at $TIME taking $DURATION seconds. > responsiveness of the pool after switching to requirement of rprox? > And is it worthwhile to add some kind of stats update detection, or is > this issue so minor that it would only add unnecessary complexity? I think most servers in the pool should cope just fine with it. > > One thing I've noticed is that the number of servers in the pools > themselves fluctuate throughout the day if there are larger additions > in number of keys, as the servers updating once a day gets dropped for > missing keys to the dynamic stats. But with the number of servers we > have today, from a pool perspective this is perfectly OK. Given most servers update their stats at different times and the number of keys you are allowed to lag behind being quite small it's more an issue of the stats misrepresenting a keyserver which would actually be just fine. Either you would need to update the stats for the pool just once a day OR update stats on the individual servers more frequently so information isn't lagging behind. I'd advocate for the second option to update the stats on the various servers more often as this should reduce the fluctuation due to outdated stats pretty good. Regards, BenBE. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJS+nLUAAoJEPHTXLno4S6t7pUP/jN/ZJizNx6Wr6ZI4EBMq7PV Jn++0nu11l62oPfK/rSgnUOrzYB1VXOFveeyDK607fu4p7kjeMCYQFx4MxuOqli3 tn+ZEGBhTv6G9TFuLKQuc+WRFcLjz2SCbfCIeNNzB0yizCFs1fJ+iY7zaYSjVwjA pzVytnASPZVkgPgxeTLsZNfQ/gHq1iRlqgw3HDRh4ApjW1Y43DoI2rTnCmKI1kpY PjGjJWeKkn7mDxLZr8qx/2Icn3RQbkc4jAAgHEELcNpA4InDu3HOexmSBwRFuUoU FnkEx0YPzoosWoCUMlw1zY9Yn9ttF2WMcbFS3hsxBly83zZ/sDA7ssXal3O/KGlO 8ZNenpJFhy4akIDAC8nuGznhHqZu5FDKU/fKjO3oMUJjhBEW7bdl1NE69LIFHYK6 3kcWnESLpFR5vD9KfA3BuidJqtAza3hZojcltMgerKx3wZ2zLV4Me+xH78jcEFz6 cGMxxZnTRmvr75ZqGG+kyg3EyIMKlnB3TOFg1PqTdmsGMep79+5Die58wrDULRxh alMPfKboSM1RJ/R13YMIAYCWe+yJcNIHKV2zXzeVxBXvbPv8pt0FaPlFC3SVd4Ma /jYm3HoiDVmvxQZ9Gx72I3okt9SBBFVYk3p4QqdnMC5fIkiWyY1fJ+hJxWdpHrpr Eg7fgMTQGeIn0AoaIIKZ =evzP -END PGP SIGNATURE- ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] HKPS SSL Ciphers
Hi guys, Am 11.02.2014 14:16, schrieb Stephan Seitz: > Hi guys, > > since I've recently checked (and understood :) ) the difference of SSL > ciphers, I've build up a cypherlist which is currently used on > keyserver.secretresearchfacility.com (part of hkps pool) > > The following syntax is for Apache, but can easily be changed for > lighttpd or nginx. > > SSLEngine on > SSLProtocol All -SSLv2 -SSLv3 > SSLHonorCipherOrder On > SSLCompression off > SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA > +SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128: > +AES128:+SSLv3:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:! > ECDSA:CAMELLIA256:SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA' I'm using mod_gnutls on my server with special regards to strong protection with PFS where available and enforced 256 bit cipher strength. Configuration goes something along the lines of: GnuTLSEnable on GnuTLSCertificateFile domain.crt.chain GnuTLSKeyFile key.key GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:!MD5:!ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:!CAMELLIA-128-CBC:-AES-256-CBC:!AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+AEAD:+SHA512:+SHA384:+SHA256:+AES-256-GCM:+SHA1:+VERS-TLS1.0:-DHE-RSA:-RSA:+DHE-RSA:+DHE-DSS:+RSA:+SRP:+CAMELLIA-256-CBC:+AES-256-CBC:-VERS-SSL3.0:%SERVER_PRECEDENCE GnuTLSDHFile dhparam.dh.pem Header add Strict-Transport-Security "max-age=15768000" Please note that this enforces at least TLS 1.0 with 256-bit Ciphers (AES or Camellia) and kicks out everything below 256 Bit, especially RC4, DES, 3DES. The DHE KEX uses a 13kBit prime, but due to the small certificate will be reduced to about 8192 bit). Unfortunately I'm still fighting with a bug with mod_gnutls and mod_proxy not quite liking each other. But I hope to resolve that one soon. > > > > Apache 2.2 shipped with Centos6, Debian7 and Ubuntu 12.04 LTS are too > old. > If you want to take the most out of EC, use a very recent Apache 2.2 or > move over to 2.4. > Nginx and lighttpd doesn't have that limitation of EC cipher usage. Running Apache 2.4.7 with mod_gnutls (trunk 0.5.10+) and GnuTLS 3.2.10 on Debian (Stable+Testing+Unstable+Experimental+OwnBuilds). > > > > Cheers, > > Stephan > signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] Peering for pgp.benny-baumann.de
Hi, after some trouble with the SKS software, Disk Cache settings and somehow borked dumps I now have a working setup at pgp.benny-baumann.de for which I'm looking for Gossip/Peering partners. Details: pgp.benny-baumann.de11370 # Benny Baumann 0xE8E12EAD I'm looking forward to many offers for peerings and hope the server doesn't cause too much trouble. Kind regards, BenBE. signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
[Sks-devel] Protocol Details for HKP\HKPS\Gossip
Hi folks, because I know this might get a bit complicated let's split this in 3 parts: 1. HKP: AFAIK this is based on HTTP/1.0, but is there any documentation on what possible calls could arrive at the server (in the logs I noticed /pks/lookup, /pks/hashquery and /pks/add, but it's somehow a bit troublesome to re-engineer the whole API when one was going to write some own frontend or caching interface. How accurate is the description[1] linked at [2]? 2. HKPS: Any difference from HKP aside from tunneling by SSL and the pinning of the CA of the certificate? 3. Gossip: Is there some documentation of the binary gossip protocol? Having a rough look at the TCP dump I made for testing this looks like the OpenPGP data is sent in the clear, but unfortunately I didn't manage to get any more out of the dump. But given only the algorithmic description [3],[4] it's not quite feasable to come up with a complying implementation. Regards, BenBE. [1] http://tools.ietf.org/id/draft-shaw-openpgp-hkp-00.txt [2] http://www.ietf.org/mail-archive/web/openpgp/current/msg07087.html [3] http://ipsit.bu.edu/documents/ieee-it3-web.pdf [4] http://ipsit.bu.edu/documents/BUTR2002-01.ps signature.asc Description: OpenPGP digital signature ___ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
