sks-devel

Re: [Sks-devel] HKPS + ssl + nginx


From: Alain Wolf
Subject: Re: [Sks-devel] HKPS + ssl + nginx
Date: Sat, 01 Aug 2015 16:58:57 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0




On 31.07.2015 at 01:05, Mike Forbes wrote:

> So now begins the task of trying to make HKPS and SSL and SKS all work
> together.
> 
> Currently we're serving up our main pgp pages with our own SSL cert
> (https://pgp.net.nz)
> 
> If we were to serve this using the HKPS cert I imagine it would throw
> a certificate warning for most people who haven't imported the
> hkps.pool.sks-keyservers.net CA.
> 
> My question is, how have other people managed to get HKPS working
> together with their own SSL certs?
> 
> Our nginx config pushes all requests on port 80 to 443, then has a
> location section for /pks that points to the locally running sks
> daemon on 127.0.0.1:11371
> 
> I'd love to hear how others have managed this.
> 

I haven't tried it, as I don't have any SKS cert.
But an additional virtual nginx server using
*hkps.pool.sks-keyservers.net* as *servername* on port 443 and the
appropriate *ssl_certificate* and *ssl_certificate_key* should probably
do it.

Probably should be the default, so any client can use it, and browsers
can get to the one with your own cert by SNI.

Personally I use *Public-Key-Pins* and *Strict-Transport-Security*
instead of HTTP redirects, as we are not really sure how the various
pgp-clients handle the HTTP redirects.

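
The layout suggested in the reply above, written out as an added example that is not part of the original post and has not been tested against the pool: a default TLS server presenting the pool-issued certificate, and a second server that browsers reach by SNI with the site's own certificate. Certificate paths, the `max-age` value and the 404 on non-`/pks` paths are assumptions; the host names and the `127.0.0.1:11371` backend come from the thread.

```nginx
# Added example. File paths below are placeholders, not values from the thread.

# Default TLS server: chosen when the client sends the pool name in SNI,
# and also when a client sends no SNI or an unknown name. It presents the
# certificate issued by the hkps.pool.sks-keyservers.net CA.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name hkps.pool.sks-keyservers.net;

    ssl_certificate     /etc/nginx/ssl/hkps-pool.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/ssl/hkps-pool.key;    # placeholder path

    # Keyserver requests go to the local SKS daemon.
    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Assumption: nothing but the keyserver API is served under the pool name.
    location / {
        return 404;
    }
}

# Site server: selected by SNI when a browser requests pgp.net.nz, so it
# presents the site's own certificate and browsers see no warning.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pgp.net.nz;

    ssl_certificate     /etc/nginx/ssl/pgp.net.nz.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/pgp.net.nz.key;   # placeholder path

    # HSTS in place of a port-80 redirect; max-age is an assumed value.
    # Public-Key-Pins is left out: its pin values must be derived from the
    # site's own keys, and browsers have since dropped support for the header.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /pks {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after adding the blocks to confirm that both certificate/key pairs load and that only one server on port 443 is marked `default_server`.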


