[OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS

Ben Shum ben at evergreener.net
Thu Mar 30 10:42:20 EDT 2017 

I'd suggest getting free SSL certificates from Let's Encrypt --
https://letsencrypt.org/

There's been some discussion in the past on this subject on the
Evergreen dev mailing list:
http://list.georgialibraries.org/pipermail/open-ils-dev/2016-June/010153.html

While I'd be curious to see how that would affect a primarily intranet
based Evergreen system (meaning, I think you'd still want to have a
FQDN hostname for your Evergreen system and not a local hostname or IP
address used internally), I think that they offer a good service for
SSL certificates.

I imagine there's plenty more thoughts or suggestions on the subject
since that time.

-- Ben

On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro
<stomproj at exchange.larl.org> wrote:
> StartSSL shouldn’t be used any more.  They were banned from Chrome and
> Firefox early this year because of reasons including the fact that they were
> silently purchased by a Chinese company, and because they were issuing back
> dated certificates to get around the SHA-1 phase out.  They also allowed
> users to get certificates for main domains if they could certify that they
> had control of subdomains.
>
>
>
> https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>
>
>
> Josh Stompro - LARL IT Director
>
>
>
> From: Open-ils-general
> [mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of
> Bill Ott
> Sent: Thursday, March 30, 2017 9:10 AM
> To: open-ils-general at list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
>
>
>
> For single server implementations, there are also free certificates
> available from organizations like StartSSL.
>
>
>
> On 03/30/2017 10:04 AM, Rogan Hamby wrote:
>
> While SSL on an intranet may not be necessary it still isn't harmful.  I may
> be of a paranoid bent but you can have security issues even on an intranet,
> especially large geographically distributed ones.  And with the increasingly
> punitive behavior of browsers to punish non-encrypted connections in various
> ways (usually with warnings and such) I'd question if it would be easier to
> just implement the SSL for the intranet than try to pass around it.
>
>
>
>
>
>
> Rogan Hamby
>
> Data and Project Analyst
>
> Equinox Open Library Initiative
>
> phone:  1-877-OPEN-ILS (673-6457)
>
> email:  rogan at EquinoxInitiative.org
>
> web:  http://EquinoxInitiative.org
>
>
>
> On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <jason at sigio.com> wrote:
>
> I should add that the staff client requires SSL and there's no easy way
> to chagne that, so you can't completely disable SSL and expect things to
> still function properly.
>
>
>
>
> On 03/30/2017 09:23 AM, Jason Stephenson wrote:
>> Jayaraj,
>>
>> It would be done via the Apache configuration files. You'd move
>> everything from the SSL enabled vhost configurations to the non-SSL
>> vhosts, i.e everything from the port 443 configuration sections to the
>> port 80 configuration. Some of that configuration is duplicated, so only
>> the unique things need to go.
>>
>> There may also be some directives to force SSL on some locations. You'll
>> want to remove those also.
>>
>> I'm writing this from memory without looking at the files, which is
>> alway a bad thing to do, but I think that covers it.
>>
>> HtH,
>> Jason
>>
>> On 03/30/2017 04:16 AM, Jayaraj JR wrote:
>>> Hello,
>>>
>>> Greetings of the day !
>>>
>>> SSL or https is a better option as far as security is concerned. But the
>>> heightened security level may not be necessary at many times especially
>>> while using Evergreen in Intranet. Besides the browser often warns the
>>> user that entering to my account in evergreen catalog is dangerous if
>>> purchased SSL is not implemented. This may often create confusion for
>>> childern and beginning users who are not well versed with computers.
>>> They are very often advised to add security exception for accessing the
>>> library catalog.
>>>
>>> It would appreciable, if any option or configuration is available to
>>> disable the SSL and to use the full library catalog via http.
>>> Kindly advice the configuration to use my account in Evergreen catalog
>>> via http itself and not https
>>>
>>> --
>>> Thanks in Advance,
>>>
>>> Jayaraj J R
>>> Library Information Assistant
>>> IISER Thiruvananthapuram
>
>
>
>



-- 
Benjamin Shum
Evergreener

More information about the Open-ils-general mailing list