Talk:OpenSSL

From ArchWiki

updates/modifications suggestions

While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization could be improved. The example /etc/ssl/openssl.cnf doesn't match the current default file, which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/dissections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show separate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, I experienced various issues trying to use the current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current article may be currently, technically broken.

after overview, package info, etc...

use cases:

self signed cert: list uses and drawbacks. list steps to implement.

create cert request for supplying to CAs: basic description and list steps to implement. including copy of appropriately configured /etc/ssl/openssl.cnf

create local ca, create req, key, and cert and sign cert with said ca: description/uses and list steps to implement. either appropriately configured /etc/ssl/openssl.cnf and Makefile or instruct on using CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing diff versions of /etc/ssl/openssl.cnf for the use cases using alt cnf file names. This way all three implementations could be achieved when needed from same server without having to redo everything. include note on postfix needing unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted the key after generating it with CA.sh, as I wasn't sure how to create an unencrypted key using the CA.sh script and was out of time/patience for more research.

I'm not an openssl expert and am brand new to wiki editing so I wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated. ITwrx (talk) 16:09, 15 May 2015 (UTC)

Hi, thanks for opening this item. It is a lot of input, I think it would be best to approach this in two steps:
First, we should make sure outdated parts of the article are marked, so that instructions are not confusing to users. If you can point to the sections which you found outdated, you can place a status template (e.g. out of date, accuracy, etc, see Help:Template#Article_status_templates). Can you do that?
Second, your ideas how to re-structure: The first two I find straight-forward how you write, the third should take a bit to figure how to improve the current article. You don't mention it, but one thing I would like in this article is the coverage of changed certificate packaging.[1] I think it's a good and flexible approach the devs found there, but it would be valuable for users to expand on that news a little in this article (where TBD).
Another general point that should be considered: we want to avoid long config dumps in the wiki nowadays, because they can indeed become outdated too quickly (but a way will be found to get the context in).
Let's see, if other interested editors reply. --Indigo (talk) 18:45, 15 May 2015 (UTC)
With #Plan below, another approach was chosen. The above proposal can hardly be followed with the current structure now. If there are other proposals, it seems more efficient to open a new one. Closing. --Indigo (talk) 11:17, 1 December 2018 (UTC)

Plan

  1. Remove the ca section and Certificate authority because running a CA is a highly advanced topic for which one should consult the official documentation.
  2. Move GOST engine support to a new Tips and tricks section.
  3. Create a Certificate section below Generating keys.
    1. Remove the SSL introduction because Wikipedia does a better job at explaining and the definitions are at least partially wrong.
    2. Merge the req section with Creating certificate signing requests and explain how to provide a temporary config file with -config.
    3. [DONE] Mention Let's Encrypt and link List of applications/Internet#ACME clients.
  4. [DONE] Create a TLS certificate redirect to OpenSSL#Certificate Template:TLS note Server-side TLS article.
  5. Make web server and mail server articles link TLS certificate transclude Template:TLS note instead of duplicating it OpenSSL#Certificates and Server-side TLS.

What do you guys think?

--Larivact (talk) 17:57, 28 June 2018 (UTC)

Since nobody responded in a week, I went ahead and made some changes. In particular I removed the sections containing only config snippets and created Template:TLS note. --Larivact (talk) 07:32, 6 July 2018 (UTC)
I now also created Server-side TLS, I am not so sure about Template:TLS note anymore. --Larivact (talk) 14:11, 6 July 2018 (UTC)
I reverted the pages where I added Template:TLS note and improved the Warnings manually. --Larivact (talk) 16:56, 6 July 2018 (UTC)
The changes since this summer have been very substantial, not saying the previous information was necessarily relevant but to make sure this has been discussed and this is not purely the view of one person would give me more comfort, could you confirm? --- Kewl (talk) 14:47, 10 November 2018 (UTC)
This has not been discussed because nobody has replied. I announced the two major removals three months prior, the only thing I did not announce was the creation of Transport Layer Security, GnuTLS and mbed TLS. --Larivact (talk) 16:43, 13 November 2018 (UTC)
Hi, I know I am late to this. I have been trying to figure what in 3.1 replaced the [2] acronym explanations. The removal mentions Wikipedia as replacement, but leaves no links (instead removes some too). Which link(s) were referred to? Transport Layer Security#Obtaining a certificate? --Indigo (talk) 11:21, 1 December 2018 (UTC)

Certificate trusts

Suggest adding a section on how to update certificate trusts? --Stimunix (talk) 23:59, 17 October, 2018

That should be added at Transport Layer Security#Trust management. --Larivact (talk) 19:57, 26 October 2018 (UTC)