[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

David Kronlid david at kronlid.net
Thu Oct 15 23:23:56 CEST 2015


If this is about keeping the cost low, why don't you buy one wildcard
certificate for *.gpg4win.org and just create tons of subdomains to
gpg4win.org and redirect all https requests to various web addresses you
use to list.gpg4win.org, de.gpg4win.org, www.gpg4win.org, etc. You can
still keep the same servers on the various current domains too, just make
the web servers redirect each https request to a subdomain under gpg4win.org
while still letting http go through. This won't break any existing links
found on the Internet, and will make it easier for you in the future to
gather everything under one good looking domain gpg4win.org and skip using
various domains for http requests too whenever you feel the time is ready.
A web server with one IP can have a lot of domains pointing towards it so
this is a workaround if you only want to buy one single wildcard
certificate.

I don't see the certificate issue as the real problem here, but rather that
the people working on the gpg4win project over time have scattered things
under too many domains, and it doesn't look good and it's less practical in
the long run to keep it this way so why not take steps towards facilitating
a migration to having everything under one domain anyway?

Good luck with all this! It can be time consuming but it's worth it!

/David
On 15 Oct 2015 16:05, "Thomas Arendsen Hein" <thomas at intevation.de> wrote:

> Hi!
>
> There has been some discussion about SSL/TLS certificates that are
> automatically accepted by usual web browsers on this list (and
> elsewhere).
>
> TL;DR: We want to switch to a commercial SSL certificate for
> the gpg4win web and download services soon. Mailing list and forum
> will not yet be changed.
>
>
> = The current situation =
>
> The current certificate is provided by our own CA, which is not
> known by most browsers unless the root certificate is imported from
> https://ssl.intevation.de/
>
> * Why don't we just buy a certificate?
>
>   We currently have to do this, because the certificate includes
>   over 40 SAN entries (including a wildcard entry) in a single
>   certificate: wald.intevation.org, *.wald.intevation.org and many
>   entries for the projects hosted on Wald.
>
>   I'm not aware of any commercial CA that offers such certificates,
>   I have only found CAs which offer 24 SAN entries, and then they
>   don't allow wildcard entries.
>
> * Why don't we simply use more IPs?
>
>   IPv4 IPs are a scarce resource, we don't want to waste them. But
>   we tried adding some extra IPs to our Wald server to have separate
>   SSL certificates for the most important services:
>   - *.wald.intevation.org and wald.intevation.org
>   - the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
>     gpg4win.de and both prefixed with "www.")
>   - everything else (using a certificate signed by our own CA, like
>     the current one)
>
>   The main problem here was the templating mechanism of FusionForge
>   for the web server configuration files for Wald. Some early
>   attempts to adjust this failed, and because our admin capacities
>   were needed in other projects, we did not continue with this
>   approach. It certainly is possible, but might be too
>   time-consuming. If adjusting Wald fails, we could use a
>   workaround: A simple proxy or TCP forwarder in front of Wald, but
>   at that time, Wald was under heavy load and we did not want to add
>   extra overhead for a workaround. Since then we upgraded to more
>   powerful hardware, so this might be a possibility for the future.
>
> * Why don't we simply use SNI to present different certificates?
>
>   1. Same reasons as above: We need to adjust the FusionForge
>      templating or add a proxy/forwarder as a workaround.
>   2. SNI has only very recently become supported by most browsers
>      and there is still some software that does not support SNI:
>      - Internet Explorer on Windows XP (should not be relevant
>        anymore, but unfortunately it is)
>      - older wget (as included in the still supported Debian wheezy)
>      - Python before 2.7.9 (again Debian wheezy)
>      - Mercurial before version 3.3 (Debian jessie has 3.1.2)
>      - Java 6 (even at the current patch level)
>      - Not sure if Android 2.x still counts, but I mention it for
>        completeness
>
>   I want to use SNI in the future, but I assume this still has to
>   wait a bit for getting Windows XP with IE usage below 1% and
>   maybe even Debian jessie becoming oldstable.
>
>
> = The proposed next step for gpg4win =
>
> My plan is to buy a certificate with the following SAN entries:
>
>   www.gpg4win.org (main address)
>   www.gpg4win.de
>   gpg4win.org
>   gpg4win.de
>   files.gpg4win.org
>   files.gpg4win.de
>
> With a lifetime of three years, this will cost us 640€ for a
> certificate from GeoTrust (see below for why we use GeoTrust).
>
> The certificate will be installed on the server that currently hosts
> files.gpg4win.org, so downloads from there will immediately become
> trusted without importing Intevation's CA.
>
> I will upgrade the server so it can offer TLS1.2, like Wald already
> does.
>
> As the content of www.gpg4win.org is generated into static files,
> moving the gpg4win website to this server is easy. Updating the
> website can be done by the same people who can publish new releases,
> but others can be added if needed, too.
>
> If there are no objections, I can start with this.
>
>
> = Future steps =
>
> The mailing lists are currently hosted on Wald. As most mails sent
> to and received from the list are transferred via unprotected SMTP
> connections, having SSL would be nice (especially for the Mailman
> web interface), but is less important than website and downloads.
>
> A possible solution could be to move the mailing lists to
> lists.gnupg.org, which already provides a certificate signed by a CA
> known to modern browsers.
>
> But this would not solve secure access to the web forums on Wald and
> most solutions for the forums would also provide a solution for the
> mailing list.
>
> I assume the most appropriate solution would be to buy a wildcard
> certificate for Wald, which would cost 1380€ for three years for the
> certificate and the additional required IPv4 IP, and solve or
> work around the FusionForge templating mechanism.
>
>
> = Comments on alternative CAs =
>
> Yes, there are cheaper CAs than GeoTrust, but it has some benefits
> that others can't offer us:
>
> - It is a well-known CA that is accepted by all relevant browsers
>   and other https clients.
> - A German reseller that sends us a single invoice for all
>   certificates we have bought, so our accounting does not run into
>   issues or has to pay a separate invoice for each certificate.
>   Despite having our own CA, we have bought many certificates for
>   customers and some of our other servers.
> - Because of this it can't happen that our credit card gets charged
>   beyond the monthly limit and will leave our CEO stranded somewhere :)
> - If things go wrong, we can call a real human!
> - We can buy certificates for domains or subdomains that we do not
>   own. This applies to the gpg4win domains, too. GeoTrust will
>   contact the owner and ask for permission.
> - It is not Comodo, see e.g.
>   https://en.wikipedia.org/wiki/Comodo_Group#Certificate_hacking
>   so it is less likely that your sysadmin has marked it as
>   untrusted.
> - It is still cheaper than some other CAs which offer a similar
>   level of quality.
>
>
> Whew! That was long. Thanks for reading (or skimming). Feel free to
> contact me via this list (I subscribed some weeks ago) if you have
> questions or comments.
>
> Regards,
> Thomas Arendsen Hein
>
> --
> thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key:
> 0x5816791A
> Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B
> 18998
> Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
>
> _______________________________________________
> Gpg4win-users-en mailing list
> Gpg4win-users-en at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
>
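The thread turns on which hostnames a given certificate actually covers: David suggests one wildcard for *.gpg4win.org plus HTTPS redirects to subdomains, Thomas proposes a fixed SAN list. The example below is added here and is not code from either mail or from the gpg4win project; it applies the hostname-matching rules browsers use (a wildcard matches exactly one label and never the bare domain) to the hostnames named in the thread, and plans the "redirect https, let http through" scheme from David's reply. The hostname list, the redirect mapping and the example URLs are constructed for illustration, and the deep subdomain a.b.gpg4win.org is hypothetical.

```python
"""Certificate coverage and HTTPS redirect planning for the gpg4win hostnames.

Added example, not part of the mailing-list thread. Matching follows the
RFC 6125 / RFC 2818 rules browsers apply: a comparison is case-insensitive,
a wildcard is only honoured as the complete left-most label, it matches
exactly one label, and it never covers the bare (apex) domain.
"""
from urllib.parse import urlsplit, urlunsplit

# SAN list from Thomas's proposal (taken from the mail).
SAN_PROPOSED = [
    "www.gpg4win.org", "www.gpg4win.de", "gpg4win.org",
    "gpg4win.de", "files.gpg4win.org", "files.gpg4win.de",
]

# David's suggestion: a single wildcard certificate.
WILDCARD_ONLY = ["*.gpg4win.org"]

# Hostnames mentioned in the thread (constructed list, including
# David's hypothetical list./de. subdomains).
HOSTS_IN_THREAD = [
    "www.gpg4win.org", "gpg4win.org", "files.gpg4win.org",
    "list.gpg4win.org", "de.gpg4win.org", "www.gpg4win.de", "gpg4win.de",
]

# Assumed mapping of uncovered hosts to covered subdomains (constructed;
# the thread names de.gpg4win.org but fixes no mapping).
REDIRECT_MAP = {
    "gpg4win.org": "www.gpg4win.org",
    "gpg4win.de": "de.gpg4win.org",
    "www.gpg4win.de": "de.gpg4win.org",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry `pattern` covers `hostname` under browser rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label and must leave at least
    # two fixed labels (browsers reject "*.org"-style patterns).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Exactly one label is substituted, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def coverage(san_entries, hostnames) -> dict:
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(hostname_matches(p, h) for p in san_entries) for h in hostnames}


def uncovered(san_entries, hostnames) -> list:
    """Sorted hostnames that would produce a browser certificate warning."""
    return sorted(h for h, ok in coverage(san_entries, hostnames).items() if not ok)


def https_redirect(url: str, san_entries, redirect_map=REDIRECT_MAP):
    """Plan David's scheme: plain http is passed through (None), https on a
    covered host is served as-is (None), https on an uncovered host is
    redirected to the mapped, certificate-covered subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return None
    if any(hostname_matches(p, host) for p in san_entries):
        return None
    target = redirect_map.get(host)
    if target is None:
        return None  # no mapping known: nothing sensible to redirect to
    return urlunsplit(("https", target, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print("wildcard leaves uncovered:", uncovered(WILDCARD_ONLY, HOSTS_IN_THREAD))
    print("SAN list leaves uncovered:", uncovered(SAN_PROPOSED, HOSTS_IN_THREAD))
    print(https_redirect("https://www.gpg4win.de/download.html", WILDCARD_ONLY))
```

Running it shows the practical point of both proposals: the wildcard alone leaves gpg4win.org, gpg4win.de and www.gpg4win.de uncovered (so the apex itself needs either a SAN entry or a redirect that never lands on it), while Thomas's SAN list covers the apex but not the extra subdomains David had in mind. Browsers also refuse to let a.b.gpg4win.org ride on *.gpg4win.org, which matters before anyone nests hosts under a wildcard.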