Re: [Sks-devel] HKPS + ssl + nginx
On Fri, 31 Jul 2015 11:05:15 +1200 Mike Forbes mi...@nzrs.net.nz wrote:
> If we were to serve this using the HKPS cert I imagine it would throw a
> certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.

If you want to use hkps.pool.sks-keyservers.net with GnuPG you have to
download and configure the CA certificate. That's at least how it is
explained in
https://help.riseup.net/en/security/message-security/openpgp/best-practices/#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections

So maybe this also answers the rest of your questions?

Sincerely,
Malte

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] HKPS + ssl + nginx
On 31.07.2015 at 01:05, Mike Forbes wrote:
> So now begins the task of trying to make HKPS and SSL and SKS all work
> together. Currently we're serving up our main pgp pages with our own SSL
> cert (https://pgp.net.nz)
>
> If we were to serve this using the HKPS cert I imagine it would throw a
> certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.
>
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
>
> Our nginx config pushes all requests on port 80 to 443, then has a
> location section for /pks that points to the locally running sks daemon
> on 127.0.0.1:11371
>
> I'd love to hear how others have managed this.

I haven't tried it, as I don't have any SKS cert. But an additional virtual
nginx server using *hkps.pool.sks-keyservers.net* as *servername* on port
443 and the appropriate *ssl_certificate* and *ssl_certificate_key* should
probably do it. Probably should be the default, so any client can use it,
and browsers can get to the one with your own cert by SNI.

Personally I use *Public-Key-Pins* and *Strict-Transport-Security* instead
of HTTP redirects, as we are not really sure how the various pgp-clients
handle the HTTP redirects.
Re: [Sks-devel] HKPS + ssl + nginx
Here's the nginx config I use for my server. This setup tries to be the
most secure with HTTPS and HSTS with cert pinning. Also, the cipher list is
100% forward secrecy and uses a strong 4096 dhparam.

Unfortunately, the only downside is that if you visit
http://sks.daylightpirates.org:11371/ using Firefox or Chrome, your browser
will try to force https (since the domain cert is pinned in those
browsers), and I can't use https over that port. Not a problem for normal
keyserver usage via gpg, but it's confusing for someone who clicks on my
domain in the sks-keyservers.net list.

Daniel

###
server {
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name sks.daylightpirates.org;

    ssl on;
    ssl_certificate sks.daylightpirates.org.crt;
    ssl_certificate_key sks.daylightpirates.org.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_dhparam /etc/nginx/sks.daylightpirates.org.dhparam;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        # header values containing spaces or ';' must be quoted for nginx
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    listen 104.131.30.118:443;
    listen [2604:a880:800:10::688:e001]:443;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;

    ssl on;
    ssl_certificate pool.sks-keyservers.net.crt;
    ssl_certificate_key pool.sks-keyservers.net.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    listen 104.131.30.118:11371;
    listen [2604:a880:800:10::688:e001]:11371;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;
    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    listen 104.131.30.118:80;
    listen [2604:a880:800:10::688:e001]:80;
    server_name sks.daylightpirates.org;
    server_name *.sks-keyservers.net;
    server_name *.pool.sks-keyservers.net;
    server_name keys.gnupg.net;
    access_log off;

    location / {
        proxy_pass http://127.0.0.1:11371/;
        proxy_pass_header Server;
        add_header Via "1.1 sks.daylightpirates.org:11371 (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}
###
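The posted nginx configs above are exactly the kind of thing a reviewer reads line by line: which server blocks terminate TLS, which protocol versions they still accept, and whether the HTTPS blocks send Strict-Transport-Security. The following Python script is an added example, not code from this thread or from any of the servers discussed in it. It parses nginx server blocks with a small tokenizer and reports those two points. The embedded configuration is constructed for the example and modelled on the posted ones; the host name keys.example.org, the certificate paths and the pool vhost are placeholders.

```python
"""Audit nginx server blocks for TLS protocol versions and HSTS.

Added example (not from the Sks-devel thread). Handles the nginx syntax
subset used in the posted configs: ';'-terminated directives, '{ }' blocks,
'#' comments and single/double quoted values.
"""
import re

# Constructed sample modelled on the thread's configs; names and paths are placeholders.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name keys.example.org;           # operator's own certificate
    ssl_certificate     /etc/ssl/keys.example.org.crt;
    ssl_certificate_key /etc/ssl/keys.example.org.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5';
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    location / { proxy_pass http://127.0.0.1:11371/; }
}
server {
    listen 443 ssl;
    server_name *.pool.sks-keyservers.net;  # pool certificate, chosen by SNI
    ssl_certificate     /etc/ssl/pool.crt;
    ssl_certificate_key /etc/ssl/pool.key;
    ssl_protocols TLSv1.2;
    location / { proxy_pass http://127.0.0.1:11371/; }
}
server {
    listen 11371;                           # plain HKP for gpg clients
    server_name keys.example.org;
    location / { proxy_pass http://127.0.0.1:11371/; }
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# comment | quoted string | punctuation | bare word, each after optional whitespace
TOKEN = re.compile(r"""\s*(?:(#[^\n]*)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|([{};])|([^\s{};"']+))""")


def tokenize(text):
    """Yield nginx tokens; quotes are stripped and comments dropped."""
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            break                      # only trailing whitespace left
        pos = m.end()
        comment, quoted, punct, bare = m.groups()
        if comment:
            continue
        yield quoted[1:-1] if quoted else (punct or bare)


def parse(tokens):
    """Return a tree of (name, args, children); children is None for simple directives."""
    stack, current = [[]], []
    for tok in tokens:
        if tok == ";":
            stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return stack[0]


def listen_port(arg):
    """Port of a listen address: '443', '1.2.3.4:443' and '[::]:443' all give '443'."""
    return arg.rsplit(":", 1)[-1]


def audit_server(block):
    """Gather the relevant directives of one server block; return (names, findings)."""
    seen = {"names": [], "listens": [], "protocols": [], "headers": [], "ssl_on": False}

    def walk(directives):
        # nginx lets a location's own add_header replace the server-level ones;
        # this walk simply records every header it sees anywhere in the block.
        for name, args, children in directives:
            if name == "server_name":
                seen["names"] += args
            elif name == "listen":
                seen["listens"].append(args)
            elif name == "ssl_protocols":
                seen["protocols"] += args
            elif name == "ssl" and args == ["on"]:
                seen["ssl_on"] = True
            elif name == "add_header" and args:
                seen["headers"].append(args[0].lower())
            if children:
                walk(children)

    walk(block)
    tls = seen["ssl_on"] or any("ssl" in args or listen_port(args[0]) == "443"
                                for args in seen["listens"])
    findings = []
    if tls:
        weak = sorted(set(seen["protocols"]) & WEAK_PROTOCOLS)
        if weak:
            findings.append("ssl_protocols allows " + ", ".join(weak))
        elif not seen["protocols"]:
            findings.append("ssl_protocols not set; the nginx default applies")
        if "strict-transport-security" not in seen["headers"]:
            findings.append("no Strict-Transport-Security header")
    return seen["names"], findings


def audit(config_text):
    """Audit every top-level server block of an nginx config."""
    return [audit_server(children) for name, _, children in parse(tokenize(config_text))
            if name == "server"]


if __name__ == "__main__":
    for names, findings in audit(SAMPLE_CONFIG):
        print(", ".join(names) or "(no server_name)", "->", "; ".join(findings) or "ok")
```

Running it on the sample reports the first block for still accepting TLSv1 and TLSv1.1, the pool block for sending no HSTS header, and nothing for the plain port 11371 block, which gpg clients without the pool CA are expected to use. The script reads only top-level server blocks and ignores directives set in the enclosing http context, so a config that sets ssl_protocols globally needs the http-level value checked by hand.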
[Sks-devel] HKPS + ssl + nginx
Hi,

We've managed to get an HKPS cert from Kristian (thanks!)

So now begins the task of trying to make HKPS and SSL and SKS all work
together. Currently we're serving up our main pgp pages with our own SSL
cert (https://pgp.net.nz)

If we were to serve this using the HKPS cert I imagine it would throw a
certificate warning for most people who haven't imported the
hkps.pool.sks-keyservers.net CA.

My question is, how have other people managed to get HKPS working together
with their own SSL certs?

Our nginx config pushes all requests on port 80 to 443, then has a
location section for /pks that points to the locally running sks daemon
on 127.0.0.1:11371

I'd love to hear how others have managed this.

Cheers,

--
Mike Forbes
System Administrator
NZRS Ltd.
M +64 21 999 416
P +64 4 555 0125
PGP: A2BB DF0B 311C 3C8F E1D7 5EEB DA03 46C0 D68F BF2E
Re: [Sks-devel] HKPS + ssl + nginx
Hi, Mike,

> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?

I'm doing this with the Apache web server for https://keyserver.zap.org.au/,
which is part of the SSL pool. Here are the appropriate config file
sections; hope this helps:

# For non-SSL:
Listen 129.94.172.224:11371
<VirtualHost *:11371 *:80>
    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au
    ServerAlias *.sks-keyservers.net

    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--access.log combined
    ServerSignature On
</VirtualHost>

# For SSL on https://keyserver.zap.org.au/:
Listen *:11372
#NameVirtualHost *:11372
<VirtualHost *:11372 *:443>
    ServerAdmin keymas...@zap.org.au
    ServerName keyserver.zap.org.au

    SSLEngine on
    # Only allow secure ciphers and protocols
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
    SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

# For SSL on https://hkps.pool.sks-keyservers.net/:
<VirtualHost *:11372 *:443>
    ServerAdmin keymas...@zap.org.au
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

    SSLEngine on
    # Only allow secure ciphers and protocols
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
    SSLCertificateKeyFile /etc/ssl/private/keyserver-sks.pem
    SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
    #RequestHeader unset Expect early

    ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
    ServerSignature On

    # Work around SSL (and other) problems in Microsoft Internet Explorer
    # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
    # for more information).
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /     \    Sydney, Australia
E-mail: j.zaits...@zap.org.au   \_,--._*   http://www.zap.org.au/
                                      v
Re: [Sks-devel] HKPS + ssl + nginx
Here is my nginx configuration that I use for my server. Obviously some of
it would need to be customized and it is setup to support my 3 SKS nodes.

upstream sks_servers {
    least_conn;
    server 127.0.0.1:11371;
    server xx.xx.xx.228:11371;
    server xx.xx.xx.229:11371;
}

server {
    listen xx.xx.xx.xx:11371 default_server;
    listen xx.xx.xx.xx:80 default_server;
    listen [::::::]:11371 default_server ipv6only=on;
    listen [::::::]:80 default_server ipv6only=on;

    access_log off;
    server_tokens off;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';

    # deny access to files, starting with dot (hidden) or ending with ~ (temp)
    location ~ /\. {
        log_not_found off;
        deny all;
    }
    location ~ ~$ {
        log_not_found off;
        deny all;
    }

    # block of rules for static content
    location ~ /(favicon.ico|favicon.png|robots.txt)$ {
        log_not_found off;
        expires 1y;
        add_header Cache-Control public,max-age=259200;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ {
        expires 30d;
        add_header Cache-Control public,max-age=259200;
    }

    location / {
        root /srv/www;
        index index.html;
    }

    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        add_header Via "1.1 sks.undergrid.net:$server_port (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

server {
    listen xx.xx.xx.xx:443 default_server ssl;
    listen [::::::]:443 default_server ssl ipv6only=on;

    access_log off;
    server_tokens off;

    ssl_certificate /etc/ssl/certs/sks.undergrid.net.crt;
    ssl_certificate_key /etc/ssl/private/sks.undergrid.net.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    add_header Strict-Transport-Security 'max-age=31536000;';
    add_header Public-Key-Pins 'pin-sha256=Xnu7zI1oPbsQ4x47NpJVpOiMPPC3rLO81mTuKMiEjlI=; pin-sha256=9eGb55deEj42vOObXCSswgduvM5JNB7z/PriVx/AQUo=; max-age=315366000';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';

    # deny access to files, starting with dot (hidden) or ending with ~ (temp)
    location ~ /\. {
        log_not_found off;
        deny all;
    }
    location ~ ~$ {
        log_not_found off;
        deny all;
    }

    # block of rules for static content
    location ~ /(favicon.ico|favicon.png|robots.txt)$ {
        log_not_found off;
        expires 1y;
        add_header Cache-Control public,max-age=259200;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ {
        expires 30d;
        add_header Cache-Control public,max-age=259200;
    }

    location / {
        root /srv/www;
        index index.html;
    }

    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        add_header Via "1.1 sks.undergrid.net:$server_port (nginx)";
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
    }
}

On 7/30/2015 7:05 PM, Mike
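The config above sends a Public-Key-Pins header with two pin-sha256 values, and an earlier reply in the thread recommends the same header alongside Strict-Transport-Security. Where those values come from is not shown anywhere in the thread, so the following Python script is an added example, not code from the thread or from any of the servers discussed in it. It computes a pin the way RFC 7469 defines it: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, using only the standard library and a small DER walker. The certificate it operates on is a constructed, structurally valid placeholder (a fake key, empty issuer and subject, dummy signature) built inside the script, not a real certificate, and the walker handles only the fixed TBSCertificate layout it needs.

```python
"""Derive HPKP pin-sha256 values from a certificate's SubjectPublicKeyInfo.

Added example for the Sks-devel thread; not code from the thread or from any
server discussed there. Standard library only: a minimal DER walker locates
the SPKI inside an X.509 certificate and the pin is base64(SHA-256(SPKI DER))
as defined in RFC 7469.
"""
import base64
import hashlib


def der_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long form: low bits give the byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a SEQUENCE into (tag, full_encoding) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER encoding of subjectPublicKeyInfo from an X.509 certificate."""
    tag, cert_content, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs_content, _ = der_tlv(cert_content)         # first child: tbsCertificate
    fields = der_children(tbs_content)
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def pin_sha256(cert_der):
    """HPKP pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def public_key_pins_header(pins, max_age, include_subdomains=False):
    """Build the header value in the quoted form RFC 7469 specifies."""
    if len(pins) < 2:
        raise ValueError("RFC 7469 requires a backup pin for a key not in the served chain")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# --- constructed test certificate (placeholder, not a real key or CA) ---------
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
FAKE_KEY = bytes(range(256))                          # placeholder bytes, not an RSA key
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, der_encode(0x06, OID_RSA) + der_encode(0x05, b""))
                         + der_encode(0x03, b"\x00" + FAKE_KEY))


def build_cert(with_version=True):
    """Structurally valid X.509 shell around SAMPLE_SPKI with a dummy signature."""
    alg = der_encode(0x30, der_encode(0x06, OID_SHA256_RSA) + der_encode(0x05, b""))
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    tbs += der_encode(0x02, b"\x01")                                 # serialNumber
    tbs += alg                                                       # signature
    tbs += der_encode(0x30, b"")                                     # issuer (empty Name)
    tbs += der_encode(0x30, der_encode(0x17, b"150731000000Z") * 2)  # validity
    tbs += der_encode(0x30, b"")                                     # subject
    tbs += SAMPLE_SPKI
    return der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00" * 257))


SAMPLE_CERT_DER = build_cert()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pin = pin_sha256(pem_to_der(SAMPLE_CERT_PEM))
    print("pin-sha256 of sample SPKI:", pin)
    print(public_key_pins_header([pin, "BACKUP-PIN-PLACEHOLDER"], 5184000))
```

For a real certificate the same value comes from the openssl pipeline RFC 7469 gives: openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. Two things matter operationally: the pin covers the public key, not the certificate, so a renewal that keeps the key keeps the pin, and the second pin must belong to a backup key held offline, otherwise a lost key locks every client out for max-age. The header above emits the quoted pin form from the RFC; the posted config uses unquoted values. Major browsers have since dropped HPKP support, so today the header is informational rather than enforced.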