Hi, Mike,

> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
I'm doing this with the Apache web server for https://keyserver.zap.org.au/,
which is part of the SSL pool. Here are the appropriate config file
sections; hope this helps:

    # For non-SSL:
    Listen 129.94.172.224:11371

    <VirtualHost *:11371 *:80>
        ServerAdmin keymas...@zap.org.au
        ServerName keyserver.zap.org.au
        ServerAlias *.sks-keyservers.net

        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
        #RequestHeader unset Expect early

        ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au--access.log combined
        ServerSignature On
    </VirtualHost>

    # For SSL on https://keyserver.zap.org.au/:
    Listen *:11372
    #NameVirtualHost *:11372

    <VirtualHost *:11372 *:443>
        ServerAdmin keymas...@zap.org.au
        ServerName keyserver.zap.org.au

        SSLEngine on
        # Only allow secure ciphers and protocols
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/ssl/certs/keyserver.pem
        SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
        SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
        #RequestHeader unset Expect early

        ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
        ServerSignature On

        # Work around SSL (and other) problems in Microsoft Internet Explorer
        # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
        # for more information).
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

    # For SSL on https://hkps.pool.sks-keyservers.net/:
    <VirtualHost *:11372 *:443>
        ServerAdmin keymas...@zap.org.au
        ServerName hkps.pool.sks-keyservers.net
        ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

        SSLEngine on
        # Only allow secure ciphers and protocols
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
        SSLCertificateKeyFile /etc/ssl/private/keyserver-sks.pem
        SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
        #RequestHeader unset Expect early

        ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
        ServerSignature On

        # Work around SSL (and other) problems in Microsoft Internet Explorer
        # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
        # for more information).
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /      \   Sydney, Australia
E-mail: j.zaits...@zap.org.au   \_,--._*   http://www.zap.org.au/
                                      v

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
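As an added check that is not part of John's post or of the SKS project: a small Python audit that parses Apache vhost blocks like the ones above and flags the TLS settings a keyserver operator would want to tighten before joining the HKPS pool, notably that `SSLProtocol all -SSLv2` leaves SSLv3 negotiable. The embedded sample config is constructed (the HKPS vhost trimmed to the audited directives, plus a hypothetical second vhost), and the checks are my own, not Apache's or the pool's.

```python
import re

# Constructed sample: the post's HKPS vhost trimmed to audited directives, plus a variant that also disables SSLv3.
SAMPLE_CONFIG = """
<VirtualHost *:11372 *:443>
    ServerName hkps.pool.sks-keyservers.net
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:11372 *:443>
    ServerName keyserver.example.invalid
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(text):
    """Return [(addresses, {directive: [values]})] for every <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", "<")):
                continue  # skip comments and nested container tags such as <Proxy>
            key, _, value = line.partition(" ")
            directives.setdefault(key, []).append(value.strip())
        vhosts.append((m.group(1).split(), directives))
    return vhosts

def audit_vhost(addresses, d):
    """Return findings for one vhost; an empty list means nothing was flagged."""
    name = d.get("ServerName", ["<unnamed>"])[0]
    findings = []
    # HKPS clients expect TLS on 11372 (or 443): a vhost bound there must enable it.
    tls_ports = [a for a in addresses if a.endswith((":443", ":11372"))]
    if tls_ports and d.get("SSLEngine", ["off"])[0].lower() != "on":
        findings.append(f"{name}: listens on {tls_ports} without SSLEngine on")
    # 'all -SSLv2' still leaves SSLv3 negotiable unless it is excluded too.
    proto = d.get("SSLProtocol", ["all"])[0]
    if "all" in proto.split() and "-SSLv3" not in proto.split():
        findings.append(f"{name}: SSLProtocol '{proto}' does not exclude SSLv3")
    if "!aNULL" not in d.get("SSLCipherSuite", [""])[0]:
        findings.append(f"{name}: SSLCipherSuite permits anonymous (aNULL) ciphers")
    return findings
```

Run it over a real vhost file with `audit_vhost(*vh) for vh in parse_vhosts(open(path).read())`; a vhost with no findings is one whose TLS-facing directives match the tightened settings.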