[OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS

Adam Bowling abowling at emeralddata.net
Thu Mar 30 12:25:05 EDT 2017


Agree that Let's Encrypt is a good free service for internal use. Just
thought I'd throw in the caveat here that I believe the certs are only good 
for 90 days, in case that matters to folks.

Thanks,
Adam

Adam B. Bowling
Emerald Data Networks
Technical Director
678.302.3000 x. 1010
678.302.3000 x. 1500 (Helpdesk)
www.emeralddata.net

-----Original Message-----
From: Open-ils-general 
[mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of Ben 
Shum
Sent: Thursday, March 30, 2017 10:42 AM
To: Evergreen Discussion Group <open-ils-general at list.georgialibraries.org>
Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS

I'd suggest getting free SSL certificates from Let's Encrypt --  
https://letsencrypt.org/

There's been some discussion in the past on this subject on the Evergreen 
dev mailing list:
http://list.georgialibraries.org/pipermail/open-ils-dev/2016-June/010153.html

While I'd be curious to see how that would affect a primarily intranet based 
Evergreen system (meaning, I think you'd still want to have a FQDN hostname 
for your Evergreen system and not a local hostname or IP address used 
internally), I think that they offer a good service for SSL certificates.

I imagine there's plenty more thoughts or suggestions on the subject since 
that time.

-- Ben

On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro <stomproj at exchange.larl.org> 
wrote:
> StartSSL shouldn’t be used any more.  They were banned from Chrome and
> Firefox early this year because of reasons including the fact that
> they were silently purchased by a Chinese company, and because they
> were issuing back dated certificates to get around the SHA-1 phase
> out.  They also allowed users to get certificates for main domains if
> they could certify that they had control of subdomains.
>
>
>
> https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>
>
>
> Josh Stompro - LARL IT Director
>
>
>
> From: Open-ils-general
> [mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf
> Of Bill Ott
> Sent: Thursday, March 30, 2017 9:10 AM
> To: open-ils-general at list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
>
>
>
> For single server implementations, there are also free certificates
> available from organizations like StartSSL.
>
>
>
> On 03/30/2017 10:04 AM, Rogan Hamby wrote:
>
> While SSL on an intranet may not be necessary it still isn't harmful.
> I may be of a paranoid bent but you can have security issues even on
> an intranet, especially large geographically distributed ones.  And
> with the increasingly punitive behavior of browsers to punish
> non-encrypted connections in various ways (usually with warnings and
> such) I'd question if it would be easier to just implement the SSL for the 
> intranet than try to pass around it.
>
>
>
>
>
>
> Rogan Hamby
>
> Data and Project Analyst
>
> Equinox Open Library Initiative
>
> phone:  1-877-OPEN-ILS (673-6457)
>
> email:  rogan at EquinoxInitiative.org
>
> web:  http://EquinoxInitiative.org
>
>
>
> On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <jason at sigio.com> 
> wrote:
>
> I should add that the staff client requires SSL and there's no easy
> way to change that, so you can't completely disable SSL and expect
> things to still function properly.
>
>
>
>
> On 03/30/2017 09:23 AM, Jason Stephenson wrote:
>> Jayaraj,
>>
>> It would be done via the Apache configuration files. You'd move
>> everything from the SSL enabled vhost configurations to the non-SSL
>> vhosts, i.e. everything from the port 443 configuration sections to
>> the port 80 configuration. Some of that configuration is duplicated,
>> so only the unique things need to go.
>>
>> There may also be some directives to force SSL on some locations.
>> You'll want to remove those also.
>>
>> I'm writing this from memory without looking at the files, which is
>> always a bad thing to do, but I think that covers it.
>>
>> HtH,
>> Jason
>>
>> On 03/30/2017 04:16 AM, Jayaraj JR wrote:
>>> Hello,
>>>
>>> Greetings of the day !
>>>
>>> SSL or https is a better option as far as security is concerned. But
>>> the heightened security level may not be necessary at many times
>>> especially while using Evergreen in Intranet. Besides the browser
>>> often warns the user that entering to my account in evergreen
>>> catalog is dangerous if purchased SSL is not implemented. This may
>>> often create confusion for children and beginning users who are not well
>>> versed with computers.
>>> They are very often advised to add security exception for accessing
>>> the library catalog.
>>>
>>> It would be appreciable, if any option or configuration is available to
>>> disable the SSL and to use the full library catalog via http.
>>> Kindly advise the configuration to use my account in Evergreen
>>> catalog via http itself and not https.
>>>
>>> --
>>> Thanks in Advance,
>>>
>>> Jayaraj J R
>>> Library Information Assistant
>>> IISER Thiruvananthapuram
>
>
>
>



--
Benjamin Shum
Evergreener

