[website] https enabled for springrts.com!

abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08


Post by abma »

with a lot of help from dansan and tim, we got an ssl-certificate from startssl and enabled https for https://springrts.com:

apache config is this:

Code:

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
                            EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
                            DHE-RSA-AES128-SHA256 \
                            !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

i hopefully fixed all pages which still embedded http images/resources, if you find some, please report in this thread.

ssl lab results are "A" atm, so should be ok.



https is optional but very likely this will change in the future, but there is no concrete plan for that yet.

any suggestions?

aaah, surfing on springrts.com feels much better :-)
Last edited by abma on 09 Feb 2015, 20:08, edited 1 time in total.
Reason: added DHE-RSA-AES128-SHA256
malric
Posts: 521
Joined: 30 Dec 2005, 22:22

Re: [website] https enabled for springrts.com!

Post by malric »

I get the following error on Arch Linux with Firefox 35.0.1

Code:

Unable to Connect Securely

Firefox cannot guarantee the safety of your data on springrts.com because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap
and then it links to this page https://support.mozilla.org/en-US/kb/wh ... es-firefox
dansan
Server Owner & Developer
Posts: 1203
Joined: 29 May 2010, 23:40

Re: [website] https enabled for springrts.com!

Post by dansan »

SSLv3 is deactivated on the server. Either your browser is broken or you are behind a corporate firewall that does mitm attacks.

Please check, that the SSL-certificate that is sent to you by springrts.com has the following properties:

Code:

SHA-256 Fingerprint:	A5 19 86 94 0E 10 FF 81 BF CF D4 12 12 79 FA 47
6F 41 03 26 0A DE 0F 57 FB 02 AE 7F DE AD FA 85

SHA-1 Fingerprint: 	C6 C6 BB 95 A0 E0 12 D9 6E 74 4C ED E8 9E A7 DB
2F 4F 09 3D

Validity: 04.02.2015 - 05.02.2016
malric
Posts: 521
Joined: 30 Dec 2005, 22:22

Re: [website] https enabled for springrts.com!

Post by malric »

Checked (this time on another computer, different network/OS) through the command line (see here http://pastebin.com/94pnuJdM) and the fingerprints seem good.

Still, the browser on this other computer (Firefox 31.4.0 on CentOS 6.6), for the url "https://springrts.com" gives the following message:

Code:

Secure Connection Failed

An error occurred during a connection to springrts.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Something similar happens in Konqueror and on Internet Explorer 8 (on some remote computer).

(note: I do not need https that much, would like to use it if available, I just check as I think that if you put some effort to set this up it is nice to give feedback if it does not work).
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: [website] https enabled for springrts.com!

Post by abma »

for internet explorer 8 this error message is ok, as it doesn't support TLS1.2. in firefox >31.3 it should work. is tls disabled in firefox?

in firefox, can you please open about:config and check the value of "security.tls.version.max" ? (should be set to the default, "3")

no clue about Konqueror.
malric
Posts: 521
Joined: 30 Dec 2005, 22:22

Re: [website] https enabled for springrts.com!

Post by malric »

Thanks! That fixed the problem. No clue why it was set to 1 (did not set it myself). Will check on the other computer, might be the same issue.
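
Why a client capped at TLS 1.0 gets ssl_error_no_cypher_overlap from this server even though SSLProtocol only removes SSLv2 and SSLv3, as an added example that is not part of the original thread: it expands the cipher string from the first post with Python's ssl module (same OpenSSL syntax) and checks which suites each protocol ceiling could negotiate. The function names and the mapping of security.tls.version.max values (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) are not from the thread, and the exact suite list depends on the local OpenSSL build.

```python
import ssl

# Cipher string from the Apache config in the first post. OpenSSL accepts
# spaces as separators, so mod_ssl's value can be passed through unchanged.
SPRINGRTS_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "DHE-RSA-AES128-SHA256 "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Firefox about:config security.tls.version.max value -> protocol ceiling
# (mapping is an assumption added here, not stated in the thread).
FIREFOX_TLS_MAX = {1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}

# Rank of the "first protocol version that defines this suite" strings
# OpenSSL reports; unknown strings are treated as the oldest (rank 0).
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def expand(cipher_string):
    """Return (suite name, minimum protocol) pairs the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately from this string; skip them.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def usable_by(cipher_string, firefox_tls_max):
    """Suites a client capped at the given Firefox setting could negotiate."""
    ceiling = RANK[FIREFOX_TLS_MAX[firefox_tls_max]]
    return [name for name, proto in expand(cipher_string)
            if RANK.get(proto, 0) <= ceiling]


if __name__ == "__main__":
    for value in sorted(FIREFOX_TLS_MAX):
        suites = usable_by(SPRINGRTS_CIPHERS, value)
        print(f"security.tls.version.max={value} ({FIREFOX_TLS_MAX[value]}): "
              f"{len(suites)} usable suites")
```

Every suite the string selects uses AES-GCM or a SHA-256/SHA-384 MAC, which exist only from TLS 1.2 on, so the cipher list rather than SSLProtocol is what shuts out TLS 1.0 and 1.1 clients.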
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: [website] https enabled for springrts.com!

Post by abma »

after looking into log files it seems very few people use https. to get some feedback i've made a "light" enforcement to use it by sending out https:// links in notification emails, hopefully users don't have trouble using it.
smoth
Posts: 22309
Joined: 13 Jan 2005, 00:46

Re: [website] https enabled for springrts.com!

Post by smoth »

Why do I care about https when I browse and post here? Not being negative but I don't have a lot of sensitive info here
gajop
Moderator
Posts: 3051
Joined: 05 Aug 2009, 20:42

Re: [website] https enabled for springrts.com!

Post by gajop »

You will know that this is the official site, and not an attempt of phishing/MITM. This is pretty important, especially if we desire donations, and expect you to entrust us with your forum credentials.
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: [website] https enabled for springrts.com!

Post by Forboding Angel »

Wouldn't donations be in the form of a paypal button anyway? At which point I'm taken to paypal.com anyway.

Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.
gajop
Moderator
Posts: 3051
Joined: 05 Aug 2009, 20:42

Re: [website] https enabled for springrts.com!

Post by gajop »

Yes, but, also, if someone created a phishing site they could have a PayPal button that is linked with a different account.
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: [website] https enabled for springrts.com!

Post by Forboding Angel »

True, but one would assume that the donor would pay attention to who they are donating to.
Anarchid
Posts: 1384
Joined: 30 Nov 2008, 04:31

Re: [website] https enabled for springrts.com!

Post by Anarchid »

> True, but one would assume that the donor would pay attention to who they are donating to.

And that's why phishing doesn't actually ever work. What crazy world it would be if there was such an industry! Preposterous.
PicassoCT
Journeywar Developer & Mapper
Posts: 10450
Joined: 24 Jan 2006, 21:12

Re: [website] https enabled for springrts.com!

Post by PicassoCT »

I really can't understand, why in such a sane and well organized world filled with sentient people- anyone would waste any time at all on such mordor-in-the-sky scenario. Clearly, the need for discussion, is proof that such a need doesn't exist and thus needs to be fulfilled.

What entices me even more though is - where is the protection goal? We are all rather blank and run-down characters, engaging in a non-profitable endeavour. The only valuables we possess are stored on GitHub. So a stick up job, with us, is - let's say, easy to accomplish, when it comes to carrying the loot?

Thus i propose, we keep what we got, but don't worry any further on whether the NSA cheats when playing ("They do. Always did. League of ColdWar went down cause of that")
qray
Posts: 377
Joined: 02 Feb 2009, 18:49

Re: [website] https enabled for springrts.com!

Post by qray »

Tried it, surfed several pages (forum, wiki, media, front), works like a charm. Thanks!
Encryption is always good (even if data is not the most sensitive).

Tried https also on springfiles, but get this message:

Code:

springfiles.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for JJ (Error code: sec_error_unknown_issuer)
Would it be a problem to get there a proper certificate, too?
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: [website] https enabled for springrts.com!

Post by abma »

> Don't get me wrong, https is a good thing, but at the same time, unless you redirect all http traffic to https, its usefulness is somewhat dubious.

agreed, but: it's not enforced yet to find possible bugs/problems first.
Jools
XTA Developer
Posts: 2816
Joined: 23 Feb 2009, 16:29

Re: [website] https enabled for springrts.com!

Post by Jools »

You need to redirect from http to https: a lot of people don't type in the url by hand, but they follow a link either from forum or their history...
abma
Spring Developer
Posts: 3798
Joined: 01 Jun 2009, 00:08

Re: [website] https enabled for springrts.com!

Post by abma »

><((((*>


maybe what i wrote in the first post is very unclear, in other words:

https is enabled for testing purposes, if everything is fine it will be enforced and a 301 redirect from http to https configured. but for that, no concrete plan (= exact date) exists as it depends on the problems found.

route is to enforce https for:

0. notification emails (done 5.2.2015)
1. startpage (done 6.2.2015)
2. /phpbb (done 9.2.2015)
3. /wiki (done 16.2.2015)
4. /mantis (done 16.2.2015)
5. whole springrts.com server
SirMaverick
Posts: 834
Joined: 19 May 2009, 21:10

Re: [website] https enabled for springrts.com!

Post by SirMaverick »

> https is optional but very likely this will change in the future, but there is no concrete plan for that yet.

Very good.

> any suggestions?

You could also use https://www.letsencrypt.org/ as CA once it's available.