Difference between revisions of "Talk:OpenSSL"

From ArchWiki
(Created page with "openssl has a default key size of 512 which is not recommended, nowadays CA only accepts 2048 and above")
 
(updates/modifications suggestions: strike part of re, added a simple example to Security instead with https://wiki.archlinux.org/index.php?title=Security&diff=437895&oldid=437894)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
openssl has a default key size of 512 which is not recommended, nowadays CA only accepts 2048 and above
+
== updates/modifications suggestions ==
 +
 
 +
While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization might could be improved. The example /etc/ssl/openssl.cnf doesn't match current default file which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/disections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show seperate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, i experienced various issues trying to use current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current artical ''may'' be currently, technically broken.
 +
 
 +
after overview, package info, etc...
 +
 
 +
use cases:
 +
 
 +
'''self signed cert:''' list uses and drawbacks. list steps to implement.
 +
 
 +
'''create cert request for supplying to CA's:''' basic description and list steps to implement. including copy of appropriately configured /etc/ssl/openssl.cnf
 +
 
 +
'''create local ca, create req, key, and cert and sign cert with said ca:''' description/uses and list steps to implement. either appropriately configured /etc/ssl/openssl.cnf and Makefile or instruct on using CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing diff versions of /etc/ssl/openssl.cnf for the use cases using alt cnf file names. This way all three implementations could be achieved when needed from same server without having to redo everything. include note on postfix needing unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted key after generating with CA.sh, as i wasn't sure how to create unencrypted key using CA.sh script and was out of time/patience for more research.
 +
 
 +
I'm not a openssl expert and am brand new to wiki editing so i wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated. [[User:ITwrx|ITwrx]] ([[User talk:ITwrx|talk]]) 16:09, 15 May 2015 (UTC)
 +
 
 +
:Hi, thanks for opening this item. It is a lot of input, I think it would be best to approach this in two steps: :First, we should make sure outdated parts of the article are marked, so that instructions are not confusing to users. If you can point to the sections which you found outdated, you can place a status template (e.g. out of date, accuracy, etc, see [[Help:Template#Article_status_templates]]). Can you do that?
 +
:Second, your ideas how to re-structure: The first two I find straight-forward how you write, the third should take a bit to figure how to improve the current article. <s>You don't mention it, but one thing I would like in this article is the coverage of changed certificate packaging.[https://www.archlinux.org/news/ca-certificates-update/] I think it's a good and flexible approach the devs found there, but it would be valuable for users to expand on that news a little in this article (where TBD). </s>
 +
:Another general point that should be considered: we want to avoid long config dumps in the wiki nowadays, because they can indeed outdate too quick (but a way will be found to get the context in).
 +
:Let's see, if other interested editors reply. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:45, 15 May 2015 (UTC)

Latest revision as of 13:18, 11 June 2016

updates/modifications suggestions

While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization might could be improved. The example /etc/ssl/openssl.cnf doesn't match the current default file, which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/dissections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show separate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, I experienced various issues trying to use current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current article may be currently, technically broken.

after overview, package info, etc...

use cases:

self signed cert: list uses and drawbacks. list steps to implement.

create cert request for supplying to CAs: basic description and list steps to implement. including copy of appropriately configured /etc/ssl/openssl.cnf

create local ca, create req, key, and cert and sign cert with said ca: description/uses and list steps to implement. either appropriately configured /etc/ssl/openssl.cnf and Makefile or instruct on using CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing diff versions of /etc/ssl/openssl.cnf for the use cases using alt cnf file names. This way all three implementations could be achieved when needed from same server without having to redo everything. Include note on Postfix needing unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted key after generating with CA.sh, as I wasn't sure how to create unencrypted key using CA.sh script and was out of time/patience for more research.

I'm not an OpenSSL expert and am brand new to wiki editing so I wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated. ITwrx (talk) 16:09, 15 May 2015 (UTC)

Hi, thanks for opening this item. It is a lot of input, I think it would be best to approach this in two steps:
First, we should make sure outdated parts of the article are marked, so that instructions are not confusing to users. If you can point to the sections which you found outdated, you can place a status template (e.g. out of date, accuracy, etc, see Help:Template#Article_status_templates). Can you do that?
Second, your ideas how to re-structure: The first two I find straight-forward how you write, the third should take a bit to figure how to improve the current article. <s>You don't mention it, but one thing I would like in this article is the coverage of changed certificate packaging.[1] I think it's a good and flexible approach the devs found there, but it would be valuable for users to expand on that news a little in this article (where TBD).</s>
Another general point that should be considered: we want to avoid long config dumps in the wiki nowadays, because they can indeed outdate too quick (but a way will be found to get the context in).
Let's see if other interested editors reply. --Indigo (talk) 18:45, 15 May 2015 (UTC)