I find the link https://osmocom.org/news/ quite valuable, but it's not easy to get there. I would expect a "News" link on http://osmocom.org to point there, so I placed one.
We do have a "Planet" link -> http://planet.osmocom.org/ , which is currently broken. Firefox outright refuses to display it: the certificate is invalid/unknown/expired and the site is marked as "only show when secure", so one cannot add a security exception (fail: that should be the user's choice!). Chromium redirects to https://admin-trac.openmoko.org/trac/ ... doesn't match. So I took the liberty to remove the "Planet" link -- for now?
All this by editing, in our redmine jail, file /usr/local/www/redmine-3.2.3/plugins/impressum_plugin/init.rb
Feedback welcome!
~N
On Mon, Jan 09, 2017 at 04:12:27PM +0100, Neels Hofmeyr wrote:
I find the link https://osmocom.org/news/ quite valuable, but it's not easy to get there. I would expect a "News" link on http://osmocom.org to point there, so I placed one.
Thanks.
We do have a "Planet" link -> http://planet.osmocom.org/ , which is currently broken. Firefox outright refuses to display it: the certificate is invalid/unknown/expired and the site is marked as "only show when secure", so one cannot add a security exception (fail: that should be the user's choice!). Chromium redirects to https://admin-trac.openmoko.org/trac/ ... doesn't match. So I took the liberty to remove the "Planet" link -- for now?
?!? the link you indicate is http, not https. How and why would this lead to a certificate error? I can access the site via http without trouble from firefox and chrome. So please bring it back, thanks :)
Also, where does the 'marking' you indicate come from?
On 9 Jan 2017, at 18:24, Harald Welte laforge@gnumonks.org wrote:
Hi!
?!? the link you indicate is http, not https. How and why would this lead to a certificate error? I can access the site via http without trouble from firefox and chrome. So please bring it back, thanks :)
Also, where does the 'marking' you indicate come from?
I might have caused it by briefly enabling HTTP Strict Transport Security[1] for all of osmocom.org (and apparently with a too big max-age) to try to score better in the then new Mozilla tool...
HSTS informs the browser that certain (sub-)domains should only be accessed through TLS and to do that for a period of time.
sorry
holger
[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
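Added example, not part of the message above or of any Osmocom configuration: a simplified model of a browser's HSTS cache, showing why a policy set on osmocom.org keeps rewriting http://planet.osmocom.org to https after the header is withdrawn. The `includeSubDomains` directive and the one-year `max-age` are assumptions; the thread states neither value.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    expires: float            # absolute time at which the cached entry lapses
    include_subdomains: bool

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Simplified model of a browser's HSTS cache."""
    def __init__(self):
        self.entries = {}

    def note(self, host, header, now):
        """Record a header seen on a valid HTTPS response from host."""
        max_age, include_sub = parse_sts(header)
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 clears the entry
        else:
            self.entries[host.lower()] = Policy(now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if http://host would be rewritten to https:// before any request."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            p = self.entries.get(".".join(labels[i:]))
            if p and now < p.expires and (i == 0 or p.include_subdomains):
                return True
        return False

if __name__ == "__main__":
    s = HstsStore()
    s.note("osmocom.org", "max-age=31536000; includeSubDomains", now=0)  # constructed header
    print(s.must_upgrade("planet.osmocom.org", now=86400))  # a day later, header already removed
```

Removing the header from the server does not touch entries already cached; a browser drops one only when `max-age` runs out or when it receives `max-age=0` over valid HTTPS from the host that set the policy.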
On Mon, Jan 09, 2017 at 06:24:57PM +0100, Harald Welte wrote:
We do have a "Planet" link -> http://planet.osmocom.org/ , which is currently broken.
?!? the link you indicate is http, not https. How and why would this lead to a certificate error? I can access the site via http without trouble from firefox and chrome. So please bring it back, thanks :)
Tried again. First I thought it's the https-everywhere plugin, but even when I completely uninstall that plugin, my firefox still gets redirected to https://planet.osmocom.org -- so I guess it's Holger's fault :)
Indeed, when I use Chromium and enter http://planet.osmocom.org I can see the page. With https:// I get redirected to https://admin-trac.openmoko.org/trac/. +1 for fixing the https.
I put "Planet" back in there.
~N
Hi all,
On Jan 9, 2017 6:12 PM, "Neels Hofmeyr" nhofmeyr@sysmocom.de wrote:
We do have a "Planet" link -> http://planet.osmocom.org/ , which is currently broken. Firefox outright refuses to display it: the certificate is invalid/unknown/expired and the site is marked as "only show when secure", so one cannot add a security exception (fail: that should be the user's choice!). Chromium redirects to https://admin-trac.openmoko.org/trac/ ... doesn't match. So I took the liberty to remove the "Planet" link -- for now
Speaking of HTTPS - is there a plan to use something like letsencrypt to generate a valid certificate? I remember it was discussed, but not sure what was decided.
We'd be happy to help set it up (we're using it on our web sites with nginx), but it's quite straightforward to set up. The "trickiest" part is to set up a script to automatically renew the certificate and restart your web server.
Please excuse typos. Written with a touchscreen keyboard.
-- Regards, Alexander Chemeris CEO Fairwaves, Inc. https://fairwaves.co
On 9 Jan 2017, at 19:24, Alexander Chemeris alexander.chemeris@gmail.com wrote:
Hi!
We'd be happy to help set it up (we're using it on our web sites with nginx), but it's quite straightforward to set up. The "trickiest" part is to set up a script to automatically renew the certificate and restart your web server.
thank you for the offer. What domains are missing? In theory we should have:
osmocom.org www.osmocom.org bb.osmocom.org sdr.osmocom.org openbsc.osmocom.org gmr.osmocom.org tetra.osmocom.org security.osmocom.org lists.osmocom.org projects.osmocom.org ftp.osmocom.org patchwork.osmocom.org gerrit.osmocom.org jenkins.osmocom.org git.osmocom.org cgit.osmocom.org
holger
Hi Holger,
As mentioned by Neels - https://planet.osmocom.org doesn't seem to have a valid certificate (I've only checked from my phone so far, though).
Please excuse typos. Written with a touchscreen keyboard.
-- Regards, Alexander Chemeris CEO Fairwaves, Inc. https://fairwaves.co
Dear all,
On Mon, Jan 09, 2017 at 09:50:52PM +0300, Alexander Chemeris wrote:
As mentioned by Neels - https://planet.osmocom.org doesn't seem to have a valid certificate (I've only checked from my phone so far, though).
planet.osmocom.org is running on the same planet installation as planet.openmoko.org and planet.netfilter.org, as I didn't see the point in maintaining three different planet installations for the different projects as I worked on them.
There probably was never any intention to have planet.osmocom.org be reachable via https, at least not consciously and not by me. It is probably simply an artefact of some other https service running on the same IP address, completely unrelated.
If somebody wants to migrate the planet configuration to the osmocom.org setup, let me know, I can create a tar-ball of the configuration and the planet version that is used to generate it.
I really don't think that it is a good idea to change configuration on the planet.{openmoko,netfilter}.org server to include a certificate for osmocom.org.
An alternative solution might be a reverse proxy, with a https-proxy at the osmocom server, which then forwards via http to the real server (openmoko)?
I also do think we have more pressing needs in the project than to spend time on this, as the planet is a public web site anyway, with no cookies, log-in or user authentication being transmitted. So yes, there is a chance of people doing MITM and modifying the content of the planet, but is that really a threat that we care about? Am I missing something?
Regards, Harald
On 9 Jan 2017, at 20:22, Harald Welte laforge@gnumonks.org wrote:
Dear all,
Hi!
There probably was never any intention to have planet.osmocom.org be reachable via https, at least not consciously and not by me. It is probably simply an artefact of some other https service running on the same IP address, completely unrelated.
my apologies for temporarily adding HSTS without fully understanding the consequences. Time will solve it (and make browsers expire it but I don't remember the max-age that I used)
An alternative solution might be a reverse proxy, with a https-proxy at the osmocom server, which then forwards via http to the real server (openmoko)?
This might be a neat solution to fix-up the HSTS issue I caused. I would not want to separate the three planets but playing proxy sounds reasonable.
Shall I create a ticket for you updating the DNS to point to the usual CNAME for our Osmocom webservices?
thank you
holger
Hi Holger,
On Tue, Jan 10, 2017 at 09:13:40PM +0100, Holger Freyther wrote:
my apologies for temporarily adding HSTS without fully understanding the consequences. Time will solve it (and make browsers expire it but I don't remember the max-age that I used)
absolutely no issue at all, don't worry. I didn't even know HSTS existed....
Shall I create a ticket for you updating the DNS to point to the usual CNAME for our Osmocom webservices?
sure, feel free to do that once the proxy is running. Thanks!