[OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
Francisco Javier Guel M.
xaviers_jordan at hotmail.com
Thu Mar 30 11:31:41 EDT 2017
Hi all.
Regards from México. As Mike said, letsencrypt could work for Evergreen as an option.
In an Evergreen testing server for the 2.12.0 EG version, I already installed a LetsEncrypt certificate and it is working fine.
https://biblos.ipicyt.edu.mx/eg/opac/home
Rgds
Sincerely.
Francisco Javier Guel Mendoza
________________________________
From: Open-ils-general <open-ils-general-bounces at list.georgialibraries.org> on behalf of Mike Rylander <mrylander at gmail.com>
Sent: Thursday, March 30, 2017 08:40 a.m.
To: Evergreen Discussion Group
Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
Hi,
There are several relatively simple services (some entirely
in-browser) that can get certs from Let's Encrypt available at
https://letsencrypt.org/docs/client-options/ . If you have control over
DNS for your domain, you could set up an external DNS entry for the
name of the internal server and receive a cert, then use internal
(split-brain) DNS to use that name for a private IP and make use of
the cert you generate. These certs are fairly short-lived, but once
DNS is set up, the update process is easy.
HTH,
--
Mike Rylander
| President
| Equinox Open Library Initiative
| phone: 1-877-OPEN-ILS (673-6457)
| email: miker at equinoxinitiative.org
| web: http://equinoxinitiative.org
On Thu, Mar 30, 2017 at 10:19 AM, Josh Stompro
<stomproj at exchange.larl.org> wrote:
> StartSSL shouldn’t be used any more. They were banned from Chrome and
> Firefox early this year because of reasons including the fact that they were
> silently purchased by a Chinese company, and because they were issuing back
> dated certificates to get around the SHA-1 phase out. They also allowed
> users to get certificates for main domains if they could certify that they
> had control of subdomains.
>
>
>
> https://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>
>
>
> Josh Stompro - LARL IT Director
>
>
>
> From: Open-ils-general
> [mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of
> Bill Ott
> Sent: Thursday, March 30, 2017 9:10 AM
> To: open-ils-general at list.georgialibraries.org
> Subject: Re: [OPEN-ILS-GENERAL] Disabling SSL in Evergreen ILS
>
>
>
> For single server implementations, there are also free certificates
> available from organizations like StartSSL.
>
>
>
> On 03/30/2017 10:04 AM, Rogan Hamby wrote:
>
> While SSL on an intranet may not be necessary it still isn't harmful. I may
> be of a paranoid bent but you can have security issues even on an intranet,
> especially large geographically distributed ones. And with the increasingly
> punitive behavior of browsers to punish non-encrypted connections in various
> ways (usually with warnings and such) I'd question if it would be easier to
> just implement the SSL for the intranet than try to pass around it.
>
>
>
>
>
>
> Rogan Hamby
>
> Data and Project Analyst
>
> Equinox Open Library Initiative
>
> phone: 1-877-OPEN-ILS (673-6457)
>
> email: rogan at EquinoxInitiative.org
>
> web: http://EquinoxInitiative.org
>
>
>
> On Thu, Mar 30, 2017 at 10:00 AM, Jason Stephenson <jason at sigio.com> wrote:
>
> I should add that the staff client requires SSL and there's no easy way
> to change that, so you can't completely disable SSL and expect things to
> still function properly.
>
>
>
>
> On 03/30/2017 09:23 AM, Jason Stephenson wrote:
>> Jayaraj,
>>
>> It would be done via the Apache configuration files. You'd move
>> everything from the SSL enabled vhost configurations to the non-SSL
>> vhosts, i.e. everything from the port 443 configuration sections to the
>> port 80 configuration. Some of that configuration is duplicated, so only
>> the unique things need to go.
>>
>> There may also be some directives to force SSL on some locations. You'll
>> want to remove those also.
>>
>> I'm writing this from memory without looking at the files, which is
>> always a bad thing to do, but I think that covers it.
>>
>> HtH,
>> Jason
>>
>> On 03/30/2017 04:16 AM, Jayaraj JR wrote:
>>> Hello,
>>>
>>> Greetings of the day !
>>>
>>> SSL or https is a better option as far as security is concerned. But the
>>> heightened security level may not be necessary at many times especially
>>> while using Evergreen in Intranet. Besides the browser often warns the
>>> user that entering to my account in evergreen catalog is dangerous if
>>> purchased SSL is not implemented. This may often create confusion for
>>> children and beginning users who are not well versed with computers.
>>> They are very often advised to add security exception for accessing the
>>> library catalog.
>>>
>>> It would be appreciable, if any option or configuration is available to
>>> disable the SSL and to use the full library catalog via http.
>>> Kindly advise the configuration to use my account in Evergreen catalog
>>> via http itself and not https
>>>
>>> --
>>> Thanks in Advance,
>>>
>>> Jayaraj J R
>>> Library Information Assistant
>>> IISER Thiruvananthapuram
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://libmail.georgialibraries.org/pipermail/open-ils-general/attachments/20170330/6ea64f32/attachment.html>
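
Added example (not part of the thread, and not Evergreen's shipped configuration): a small audit for the Apache layout discussed above, flagging port 80 vhosts that serve content without redirecting to HTTPS and port 443 vhosts where `SSLEngine on` is missing. The hostnames, certificate paths and sample configuration are constructed for illustration.

```python
import re

# Constructed sample, not Evergreen's shipped Apache files.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName catalog.example.org
    DocumentRoot /var/www/catalog
</VirtualHost>
<VirtualHost *:80>
    ServerName staff.example.org
    Redirect permanent / https://staff.example.org/
</VirtualHost>
<VirtualHost *:443>
    ServerName catalog.example.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/catalog.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/catalog.example.org/privkey.pem
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
COMMENT = re.compile(r"^\s*#.*$", re.M)
PORT = re.compile(r":(\d+)(?=\s|$)")
NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
TLS_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)
# Redirect / RedirectMatch / RewriteRule whose target is an https:// URL.
TO_HTTPS = re.compile(r"^\s*(Redirect\w*|RewriteRule)\s.*https://", re.I | re.M)

def audit(conf):
    """Return sorted (server_name, issue) pairs for vhosts that weaken HTTPS."""
    findings = []
    for addr, body in VHOST.findall(conf):
        body = COMMENT.sub("", body)  # commented-out directives do not count
        match = NAME.search(body)
        name = match.group(1) if match else "(unnamed)"
        if TLS_ON.search(body):
            continue  # TLS is enabled for this vhost
        if "443" in PORT.findall(addr):
            findings.append((name, "port 443 vhost without SSLEngine on"))
        elif not TO_HTTPS.search(body):
            findings.append((name, "plain-HTTP vhost with no redirect to https://"))
    return sorted(findings)

if __name__ == "__main__":
    for server, issue in audit(SAMPLE_CONF):
        print(f"{server}: {issue}")
```
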