DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Packages and Ports

OpenBSD Packages and Ports Installation and upgrading of packages and ports on OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 7th August 2014
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, etc-Texas
Posts: 54
Thanked 0 Times in 0 Posts
Default Google (Tm) testing ranking websites higher w/SSL

Hi Folks
Will be looking into using SSL cert for our web severs.
We use Apache (chrooted) with (of course OpenBSD). for several
static websites.

Question:
For those of you using Apache (chrooted) [yes, i know NGINX is going to be the default soon]. Have any of you encountered problems while following the instructions for SSL server certificate RSA or DSA generation in ssl(8) for httpd Apache? Not having done this before and on production servers i am somewhat cautious.

As usual Thanks in Advance.
Reply With Quote
  #2   (View Single Post)  
Old 8th August 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,803
Thanked 214 Times in 189 Posts
Default

I've never had difficulty generating X.509 server certificates when following the instructions in the ssl(8) man page as general guidance. The process is the same regardless what web server you use. (I haven't used Apache in a number of years.)

I've found the openssl(1) man page far more daunting. The program does too many things, and those things it does do seem to be done in too many different ways.

Last edited by jggimi; 8th August 2014 at 03:32 PM. Reason: corrected link
Reply With Quote
  #3   (View Single Post)  
Old 8th August 2014
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 322
Thanked 31 Times in 25 Posts
Default

It's pretty straightforward. Not sure how Google (we used to not be evil) will deal with self-signed certs, which will give various errors with various browsers. Will they also get lower ratings than ones that use paid for certs? I'm not sure how much certs cost these days for individuals.
Reply With Quote
  #4   (View Single Post)  
Old 8th August 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,803
Thanked 214 Times in 189 Posts
Default

Self-signed certificates are primarily used for testing or personal sites, and are not designed for public-facing servers. Self-signed certificates, by design, are not issued by any Certificate Authority ("CA").

If a browser does not have a clear chain of trust from a trusted root CA through to the issuing CA, it will alert the user that the server is supplying an untrusted certificate.
Reply With Quote
  #5   (View Single Post)  
Old 8th August 2014
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
Spam Deminer
 
Join Date: Apr 2008
Location: NYC
Posts: 322
Thanked 31 Times in 25 Posts
Default

What I meant is, Will google treat self-signed cert sites as if they were not SSL encrypted, that is, giving them a lower rating?
Although, if SEO does matter to you, then my question is really superfluous, a site concerned about such things will have to use a CA.
Reply With Quote
  #6   (View Single Post)  
Old 8th August 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,803
Thanked 214 Times in 189 Posts
Default

Thanks. If I recall correctly frcc supports clients with a public facing server.
Reply With Quote
  #7   (View Single Post)  
Old 9th August 2014
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, etc-Texas
Posts: 54
Thanked 0 Times in 0 Posts
Default Google (Tm) testing ranking websites higher w/SSL

Yes, the question did relate to frcc sites facing the public.

I obviously overlooked the fact that Google(Tm) probably does rate self
certificates lower, (defeating the intent for self cert)

In fact a client's browser (mentioned above) would probably issue a warning for self generated certs
raising more alarm than none.

The question was generated to collect comments for problems encountered
when doing this on a production server for the first time. I now see the
process is straight forward. One would simply have to replace the self generated cert with
one from a CA per ssl(8). Just a matter of cost/benefit.

Thankyou

Last edited by frcc; 9th August 2014 at 03:04 AM. Reason: improve quality of reply
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
HIgher math Ninguem Off-Topic 6 5th February 2013 11:32 AM
Node.js 0.8 performs at a higher tempo J65nko News 0 27th June 2012 09:20 AM
Google open sources JavaScript testing tools J65nko News 0 3rd October 2011 09:13 AM
Mailserver for websites xCipherx FreeBSD Ports and Packages 4 13th April 2010 03:56 PM
OpenBSD-related websites bienc OpenBSD General 7 12th May 2008 09:15 PM


All times are GMT. The time now is 08:22 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick