
Re: [Sks-devel] HKPS configuration?


From: Christian Reiß
Subject: Re: [Sks-devel] HKPS configuration?
Date: Tue, 11 Feb 2014 17:08:22 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

Hey,

I am not saying it can't be done. Yes, it is possible with your setup,
but some clients do not send vhost/domain data along with the
request and expect the hostname of the SKS server to match the default
cert. So unless you are serving HKPS by default on your server, you
might break compatibility with clients.

So, just bring up a new IP and serve all requests with that cert. Not really
stressing, eh? :)

-Chris.



On 11/02/14 16:34, Daniel Kahn Gillmor wrote:
> On 02/11/2014 10:27 AM, Christian Reiß wrote:
> 
>> hkps is basically a 443 to hkp forward - I am using nginx for that. Just
>> be SURE you do NOT use SNI or rely/ need a vhost/hostname as some
>> client/most clients (gnupg) do not send this information. It is actually
>> only feasible on a dedicated IP for SKS where Port 443 is solely used
>> for https/hkps.
> 
> actually, you do need SNI, if you want to be able to provide a different
> X.509 certificate to users who connect to it with different names.
> 
> zimmermann.mayfirst.org serves keys at both hkps://keys.mayfirst.org and
> hkps://hkps.pool.sks-keyservers.net from the same IP address, and uses a
> different X.509 certificate, depending on which host the client is
> connecting to.  This relies on the client using SNI.
> 
> All of this can be done on the same IP address as your existing hkp
> service, but on TCP port 443.
> 
>       --dkg
> 

-- 

 Christian Reiss - address@hidden       /"\  ASCII Ribbon
                                                  \ /    Campaign
 GPG Key: http://gpg.christian-reiss.de            X   against HTML
 Jabber : address@hidden                    / \   in eMails

 "It's better to reign in hell than to serve in heaven.",
                                        John Milton, Paradise lost.
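The two positions in this thread (dkg: SNI lets one IP serve different certificates per name; Chris: some GnuPG clients send no SNI and expect the default certificate to match) are compatible if the SNI-less case is handled by nginx's `default_server`. The following nginx fragment is an added example and not configuration from either poster; the operator hostname `keys.example.org`, the certificate paths, and an SKS backend listening locally on 11371 are assumptions.

```nginx
# Added example, not from the thread: one nginx instance on a single IP that
# (a) serves HKPS on 443 for the operator's own name via SNI, and
# (b) falls back to the pool name for clients that send no SNI at all.
# Hostname keys.example.org, certificate paths and the backend port are assumed.

upstream sks_backend {
    server 127.0.0.1:11371;   # SKS hkp listener (assumed local, default port)
}

# Default server: selected when the client sends no SNI (older GnuPG builds)
# or an unrecognised name. Give it the certificate most clients expect.
server {
    listen 443 ssl default_server;
    server_name hkps.pool.sks-keyservers.net;   # pool name from the thread

    ssl_certificate     /etc/ssl/sks/pool.crt;   # assumed path
    ssl_certificate_key /etc/ssl/sks/pool.key;   # assumed path

    location / {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }
}

# Second name on the same IP; only selected when the client sends SNI.
server {
    listen 443 ssl;
    server_name keys.example.org;   # operator's own name (assumed)

    ssl_certificate     /etc/ssl/sks/keys.example.org.crt;   # assumed path
    ssl_certificate_key /etc/ssl/sks/keys.example.org.key;   # assumed path

    location / {
        proxy_pass http://sks_backend;
        proxy_set_header Host $host;
    }
}
```

To confirm which certificate a non-SNI client receives, compare `openssl s_client -connect <ip>:443 </dev/null | openssl x509 -noout -subject` (no `-servername`, so no SNI is sent) with the same command plus `-servername keys.example.org`. The first should show the pool certificate, the second the operator's own; if the first shows the wrong name, the `default_server` block is not the one holding the pool certificate.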
