Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Theo de Raadt
> > I don't see any with privilege separation, nor any which could > > plausibly be pledged. > > For months there wasn't anything other than the official client. After > the service started operating and showed itself to not be vapourware > people started writing their own, but obviously the

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Stuart Henderson
On 2016-05-10, Theo de Raadt wrote: >> It's still relatively young and the clients are improving. > > I actually don't think they are improving. > > I don't see any with privilege separation, nor any which could > plausibly be pledged. For months there wasn't anything

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Theo de Raadt
> It's still relatively young and the clients are improving. I actually don't think they are improving. I don't see any with privilege separation, nor any which could plausibly be pledged.

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kamil Cholewiński
On Tue, 10 May 2016, Ingo Schwarze wrote: > Hi Kristaps, > > Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > >> (1) download ... couldn't find ... didn't require bash >> (2) aforementioned script in a cronjob >> (2b) user to have access to >> (3) doas rule >>

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Stuart Henderson
On 2016-05-10, Ingo Schwarze wrote: > Hi Kristaps, > > Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > >> (1) download ... couldn't find ... didn't require bash >> (2) aforementioned script in a cronjob >> (2b) user to have access to >> (3) doas rule >> (4)

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Ingo Schwarze
Hi Kristaps, Kristaps Dzonsons wrote on Tue, May 10, 2016 at 11:37:42AM +0200: > (1) download ... couldn't find ... didn't require bash > (2) aforementioned script in a cronjob > (2b) user to have access to > (3) doas rule > (4) doas rule > (5) [another?] script from a cronjob You must be

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
>> (By the way, httpd(8) doesn't support SNI yet--what do you use a >> web server? I found that apache2's chroot and https combo didn't >> pass the "can I set this up in less than five minutes" sniff >> test--I ended up using nginx.) > > OpenBSD httpd :) If you need to serve more than one

Re: letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread sid77
- Original Message - > (By the way, httpd(8) doesn't support SNI yet--what do you use a web > server? I found that apache2's chroot and https combo didn't pass the > "can I set this up in less than five minutes" sniff test--I ended up > using nginx.) OpenBSD httpd :) If you need to serve

letsencrypt (Was: Re: TLS now supported on openbsd.org?)

2016-05-10 Thread Kristaps Dzonsons
> I dislike the idea. > > For one, it does not stop a MITM by itself. > > In addition, enforced encryption makes it hard to cache and/or use > proper http proxies with the site. > > Purely informative sites don't need TLS. The user can opt to use TLS > if he thinks the content he needs to read