Difference between revisions of "Talk:OpenSSL"

From ArchWiki
== updates/modifications suggestions ==

While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization could be improved. The example /etc/ssl/openssl.cnf doesn't match the current default file, which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/dissections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show separate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, I experienced various issues trying to use the current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current article ''may'' be currently, technically broken.

after overview, package info, etc...

use cases:

'''self signed cert:''' list uses and drawbacks. list steps to implement.

'''create cert request for supplying to CAs:''' basic description and list steps to implement, including a copy of an appropriately configured /etc/ssl/openssl.cnf.

'''create local ca, create req, key, and cert and sign cert with said ca:''' description/uses and list steps to implement. Either an appropriately configured /etc/ssl/openssl.cnf and Makefile, or instruct on using the CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If the /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing different versions of /etc/ssl/openssl.cnf for the use cases using alternate cnf file names. This way all three implementations could be achieved when needed from the same server without having to redo everything. Include a note on postfix needing an unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted the key after generating it with CA.sh, as I wasn't sure how to create an unencrypted key using the CA.sh script and was out of time/patience for more research.

I'm not an openssl expert and am brand new to wiki editing so I wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated. [[User:ITwrx|ITwrx]] ([[User talk:ITwrx|talk]]) 16:09, 15 May 2015 (UTC)
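The three use cases listed in the post above, as an added shell example that is not from the wiki page, the poster or the OpenSSL project: each step is driven by a temporary config file passed with -config instead of edits to /etc/ssl/openssl.cnf, and the last step writes the unencrypted key copy that postfix needs next to the encrypted original. The hostnames, passphrase and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page or the OpenSSL project: the three use cases
# from the post above, each using a temporary config passed with -config, plus the
# unencrypted key copy a daemon such as postfix needs. All names are constructed.
set -eu

make_certs() {   # $1 = working directory; writes config, keys, CSR and certificates
  dir=$1; pass="pass:constructed-passphrase"   # demo only; prefer -passin file:/env: in practice
  cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = mail.example.test
[ v3_req ]
subjectAltName = DNS:mail.example.test, DNS:smtp.example.test
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Use case 1: self-signed certificate; -nodes leaves its key unencrypted.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes -config "$dir/req.cnf" \
    -extensions v3_req -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
  # Use case 2: passphrase-protected key plus a CSR to hand to a CA.
  openssl genrsa -aes256 -passout "$pass" -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -passin "$pass" -config "$dir/req.cnf" \
    -out "$dir/server.csr" 2>/dev/null
  # Use case 3: a local CA signs the CSR; -extfile/-extensions carries the SAN over.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 60 -nodes -config "$dir/req.cnf" \
    -subj "/CN=Local Test CA" -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$dir/req.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
  # postfix cannot answer a passphrase prompt: keep the encrypted key, add a 0600 plain copy.
  (umask 077; openssl rsa -in "$dir/server.key" -passin "$pass" -out "$dir/server-plain.key" 2>/dev/null)
}
chain_verifies() {   # exit 0 when the CA-signed certificate validates against the local CA
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
san_present() {      # exit 0 when the signed certificate kept the SAN from the CSR
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'DNS:mail.example.test'
}
key_is_plain() {     # exit 0 when the copy loads without any passphrase (a wrong one is ignored)
  openssl rsa -in "$1/server-plain.key" -noout -passin pass:wrong 2>/dev/null
}

WORK=$(mktemp -d)
make_certs "$WORK" && chain_verifies "$WORK" && san_present "$WORK" && key_is_plain "$WORK" \
  && echo "certificates written to $WORK"
```

Because every command reads the same temporary req.cnf, several variants can live side by side under different file names, which is the alternate-cnf approach the post asks for.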

:Hi, thanks for opening this item. It is a lot of input, I think it would be best to approach this in two steps:
:First, we should make sure outdated parts of the article are marked, so that instructions are not confusing to users. If you can point to the sections which you found outdated, you can place a status template (e.g. out of date, accuracy, etc, see [[Help:Template#Article_status_templates]]). Can you do that?
:Second, your ideas on how to re-structure: the first two I find straightforward as you write them, the third should take a bit to figure out how to improve the current article. <s>You don't mention it, but one thing I would like in this article is the coverage of changed certificate packaging.[https://www.archlinux.org/news/ca-certificates-update/] I think it's a good and flexible approach the devs found there, but it would be valuable for users to expand on that news a little in this article (where TBD). </s>
:Another general point that should be considered: we want to avoid long config dumps in the wiki nowadays, because they can indeed go out of date too quickly (but a way will be found to get the context in).
:Let's see if other interested editors reply. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:45, 15 May 2015 (UTC)

== Plan ==

# Remove the ''ca section'' and ''Certificate authority'' because running a CA is a highly advanced topic for which one should consult the official documentation.
# Move ''GOST engine support'' to a new ''Tips and tricks'' section.
# Create a ''Certificate'' section below ''Generating keys''.
## Remove the ''SSL introduction'' because Wikipedia does a better job at explaining and the definitions are at least partially wrong.
## Merge the ''req section'' with ''Creating certificate signing requests'' and explain how to provide a temporary config file with {{ic|-config}}.
## [DONE] Mention Let's Encrypt and link [[List of applications/Internet#ACME clients]].
# [DONE] Create a <s>''TLS certificate'' redirect to ''OpenSSL#Certificate'' [[Template:TLS note]]</s> [[Server-side TLS]] article.
# Make [[web server]] and [[:Category:Mail server|mail server]] articles link <s>''TLS certificate'' transclude [[Template:TLS note]] instead of duplicating it</s> [[OpenSSL#Certificates]] and [[Server-side TLS]].

What do you guys think?

--[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 17:57, 28 June 2018 (UTC)

:Since nobody responded in a week, I went ahead and made some changes. In particular [[Special:Diff/528878|I removed the sections containing only config snippets]] and created [[Template:TLS note]]. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:32, 6 July 2018 (UTC)

::I now also created [[Server-side TLS]]; I am not so sure about [[Template:TLS note]] anymore. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 14:11, 6 July 2018 (UTC)

:::I reverted the pages where I added [[Template:TLS note]] and improved the Warnings manually. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 16:56, 6 July 2018 (UTC)

Latest revision as of 18:13, 6 July 2018
