Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Using OpenVPN, I can enable 2-way authentication with certificates, private keys and a CA-certificate.
In my understanding, this only provides authentication (the client is who he says he is) but not authorization (access control). OpenVPN just assumes that a valid authentication is also an access authorization.
If I now run a second VPN server, using the same CA, will the clients of the first also have access to the second VPN?
If I want to avoid this - clients with keys/certs for the first VPN server should not be able to access the second VPN server (and reverse) - what are my options?
use a different CA for each server (ugly in my opinion)
use an access control list based on the common name (CN) (not so practical)
use firewall / iptables (not so practical)
Am I missing a way to somehow limit access of a certain client to a certain server?
Citing Jan Just Keijser from the OpenVPN forum:
openvpn provides authentication, not access control (authorization), nor should it, in my opinion. The options you mention are the only options you have, unless you also want to throw in username+password control.
You could use a sub-CA (intermediary CA); each client cert would be signed by a specific sub-CA; the clients need only the "root" CA to connect to a server, but the servers can allow access based on the sub-CA used for a client.
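As an added example (not from the forum post or the OpenVPN project), a tls-verify hook implementing the sub-CA approach: OpenVPN runs the hook once per certificate in the client's chain, and this script accepts the connection only when the certificate at depth 1 (the issuing sub-CA) carries the CN assigned to this server. The sub-CA name is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the forum post or the OpenVPN project): an OpenVPN
# --tls-verify hook that admits a client only if its certificate was issued by
# the sub-CA assigned to this server. OpenVPN runs the hook once per certificate
# in the chain with two arguments:
#   $1 = depth (0 = client certificate, 1 = its issuer, 2 = root, ...)
#   $2 = X.509 subject of the certificate at that depth
# Exit status 0 lets the handshake continue; non-zero rejects it.
# The sub-CA name below is an assumed placeholder; give each server its own.
ALLOWED_SUBCA_CN="${ALLOWED_SUBCA_CN:-VPN-A Sub-CA}"

# check_chain_link DEPTH SUBJECT -> returns 0 if this chain link is acceptable.
check_chain_link() {
    depth="$1"
    subject="$2"
    if [ "$depth" -eq 1 ]; then
        # Depth 1 is the CA that signed the client certificate. The subject
        # arrives as "CN=x, O=y" (current OpenVPN) or "/O=y/CN=x" (older
        # --compat-names format), so accept the CN in either layout.
        case "$subject" in
            *"CN=$ALLOWED_SUBCA_CN,"*|*"CN=$ALLOWED_SUBCA_CN/"*|*"CN=$ALLOWED_SUBCA_CN") return 0 ;;
            *) return 1 ;;
        esac
    fi
    # Depth 0 (client) and depth 2 (root) are already covered by OpenVPN's own
    # chain validation against the --ca file, so nothing extra is enforced here.
    return 0
}

# Only act as the hook when OpenVPN invoked us with its two arguments.
if [ "$#" -eq 2 ]; then
    check_chain_link "$1" "$2"
    exit $?
fi
```

Reference it from the server config with `script-security 2` and `tls-verify /etc/openvpn/subca-check.sh` (path assumed); the sub-CA certificate must be available for chain validation, either in the server's `ca` file or sent by the client together with its own certificate.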
Closed 3 years ago.
I have a subdomain sub.domain.co.uk that points to my server IP address, let's say 192.0.2.1; currently this just uses HTTP.
I have a need to make this use HTTPS/SSL, so I have purchased my SSL, but my server host has advised I need to point my URL sub.domain.co.uk to a different IP in order for the SSL to work so I can hook it up in IIS.
So now I need to point sub.domain.co.uk to 192.0.2.2
So the only way forward I can see is that I go into my DNS settings in 123 reg and change my sub.domain.co.uk A record from 192.0.2.1 to 192.0.2.2,
and incur the downtime/propagation that comes with that.
Am I missing something, is there a better way to do this without incurring downtime?
For example, could I just add a second A NAME for the same subdomain, e.g.
sub 192.0.2.1
sub 192.0.2.2
and in IIS just point my SSL to the second one, or would that confuse browsers?
Any help appreciated in advance.
I believe I have solved this myself after a little research.
So I have two websites in IIS with an SSL that are using * as the IP address, meaning use any unassigned IPs.
So when I tried to add the SSL to the second website it complains, saying that it causes issues with the bindings on the first.
So if I just tick the little box that says 'Require Server Name Indication' on my second IIS bindings (when applying the SSL), it works perfectly.
Great article on Server Name Indication (SNI) below:
https://www.cloudflare.com/learning/ssl/what-is-sni/
Closed 3 years ago.
Due to a vulnerability in a WAF system we are required to rotate the SSL certificate on our website. We have to update the SSL certificate in several places.
My question: if I renew the SSL certificate from the CA and take time to deploy it on various servers, will this cause any outage on the site?
Some of the places where I need to deploy:
WAF
Cloudfront
Nginx
As long as the old certificate is still valid (i.e. not expired and not revoked) it will continue to work so you can take some time to roll out the new certificate you've got. You can also run a mixed setup where some installations have the new certificate while others still have the old one.
While your specific use case is unknown, it might be that, due to the vulnerability, the private key of the previous certificate was compromised, which should (hopefully) lead to a quick revocation by the certificate. In this case you have to roll out the new certificates as fast as possible, since due to the revocation clients might not accept the old certificate any longer.
Closed 6 years ago.
I have hosted a website using a VPS and pointed to it using the DNS services of CloudFlare. The site is working properly. Now I am trying to install SSL provided by Let's Encrypt; I am able to complete the steps successfully, but the site doesn't appear to be SSL enabled. Also, when I completed the steps successfully, the process didn't generate any cert file. I have used https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04. Could anybody tell me where I might be going wrong?
CloudFlare supports using Let's Encrypt between CloudFlare and your origin; however you must use the --webroot argument when you run the Let's Encrypt binary.
By using the webroot authentication method, a temporary file is placed to validate your domain for the certificate. There is a guide on how to do this on the CloudFlare help centre: How to Validate a Let’s Encrypt Certificate on a Site Already Active on CloudFlare
By using this method, you are able to ensure the connection between CloudFlare and your origin web server is fully encrypted using Strict SSL.
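As an added example (not from the answer, the CloudFlare guide or the Let's Encrypt client), a pre-flight for the webroot method: it places a probe file where the CA will look for the HTTP-01 token, confirms the file is actually reachable over plain HTTP through CloudFlare, and only then runs the real issuance. WEBROOT and DOMAIN are assumed placeholders for the Apache DocumentRoot and the site hostname.

```shell
#!/bin/sh
# Added example: pre-flight for HTTP-01 (webroot) validation of a site proxied
# by CloudFlare. WEBROOT and DOMAIN are assumed placeholders.
WEBROOT="${WEBROOT:-/var/www/html}"
DOMAIN="${DOMAIN:-example.com}"

# acme_challenge_dir WEBROOT -> the directory the CA fetches tokens from
acme_challenge_dir() {
    printf '%s/.well-known/acme-challenge' "$1"
}

# place_probe WEBROOT TOKEN -> creates a probe file and prints its path
place_probe() {
    dir=$(acme_challenge_dir "$1")
    mkdir -p "$dir"
    printf 'probe-ok' > "$dir/$2"
    printf '%s/%s' "$dir" "$2"
}

# probe_reachable DOMAIN TOKEN -> 0 if the probe is served over plain HTTP via
# the public hostname, i.e. the request reaches the origin instead of being
# blocked, redirected elsewhere or answered by a different vhost.
probe_reachable() {
    curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2" | grep -q '^probe-ok$'
}

# run_issuance -> probe first, then let certbot validate with the same webroot.
# (certbot is the current Let's Encrypt client; the older letsencrypt-auto
# script takes the same --webroot flags.)
run_issuance() {
    token="preflight-$$"
    path=$(place_probe "$WEBROOT" "$token")
    if probe_reachable "$DOMAIN" "$token"; then
        rm -f "$path"
        certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN"
    else
        rm -f "$path"
        echo "http://$DOMAIN/.well-known/acme-challenge/ is not reachable; fix the vhost or redirect first" >&2
        return 1
    fi
}
```

Run `run_issuance` as root on the origin; if the probe fails, the certificate request would fail the same way, so the vhost serving the webroot is the thing to fix.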
Now you have HTTPS on your server.
So the communication VPS-CloudFlare can use HTTPS.
Now you have to configure CloudFlare to use HTTPS between CloudFlare and the browsers.
See https://www.cloudflare.com/ssl/
Closed 9 years ago.
I own a domain at my DNS provider. I've pointed it to my house. My house keeps the IP address at the domain updated through dynamic DNS, so the A record always points to my IP address. I run OpenVPN at my house so I can connect from elsewhere. It's using a self-signed certificate. So, of course, I get SSL warnings when I connect.
My question is: can I obtain an SSL certificate from StartSSL (free), set it up on OpenVPN, and get my browser to recognize the certificate as valid? For that matter, can I get any SSL certificate to validate for any personal, development site I might set up at home in this situation? (OpenVPN.example.com, TestSite.example.com, etc.)
(OpenVPN is not using port 443 or port 80, because I've heard that ISPs don't like it when you use those...)
The short answer is yes. When creating an SSL certificate request you set the "common name" to the DNS name of the host. You can change the type of DNS record (e.g. A, CNAME, etc.) or record value (e.g. 192.168.1.2) at any time as long as the record name (e.g. vpn.example.com) is the same.
For a browser to recognize an SSL certificate (not give warnings upon connection), a matching Certificate Authority (CA) must ship with (or be manually added to) your browser or OS. To avoid SSL warnings with self-signed certificates you could instead provision a cert using a local/custom CA and install its root certificate on any necessary computers.
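As an added example of the local-CA option (not from the answer), this script creates a private root CA, issues a certificate for vpn.example.com (an assumed name) with a matching subjectAltName, and then performs the same chain-and-hostname check a client does once ca.crt is in its trust store. The CA name and working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): a private CA for home/lab hosts. Its root
# certificate is what you import into the OS or browser trust store; host
# certificates it issues then validate without warnings. Names are assumed
# placeholders; WORK defaults to a scratch directory.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-vpn.example.com}"

# make_root_ca -> writes $WORK/ca.key (keep offline) and $WORK/ca.crt (distribute)
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_host_cert NAME -> key, CSR and CA-signed cert for NAME under $WORK.
# Browsers match the subjectAltName, so NAME goes there, not only in the CN.
issue_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$1" \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# cert_valid_for NAME HOSTNAME -> 0 if NAME's cert chains to ca.crt and matches
# HOSTNAME: the check a client performs once ca.crt is in its trust store.
cert_valid_for() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca
issue_host_cert "$HOST"
if cert_valid_for "$HOST" "$HOST"; then
    echo "$HOST: certificate validates against $WORK/ca.crt"
fi
```

Import `$WORK/ca.crt` (never `ca.key`) into each device's trust store, and reuse `issue_host_cert` for every further home host name.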
Closed 9 years ago.
Suppose I have an existing ldap and I want to integrate users from one or more existing external databases under a dn called
dn: ou=users,dc=example,dc=com
Is that possible?
EDIT:
Maybe I was a bit too vague:
I have external databases containing users which have to be integrated into ldap. I want to do this without having to add them to the ldap database.
I'm not sure what you mean by "integrating users" there. Is what you're trying to do something like this?
ldapsearch -h my.ldap.server -b ou=users,dc=example,dc=com "cn=somebody"
…where my.ldap.server is the LDAP server your applications are talking to, but the data you're seeking is on some other server under the naming context ou=users,dc=example,dc=com. And, you want my.ldap.server to interface with that server and bring the data? Transparent to your apps?
If that's the case, you can use an LDAP proxy which could relay the requests based on context rules. It can act as the single data source, providing a layer of abstraction between your LDAP clients and LDAP servers which may host different types of data.
Alternatively, you can use a virtual directory server product that can also act as a single data source. Virtual directory servers usually provide more features including support for multiple protocols, not just LDAP. They can also act as bridges which can interface with relational databases.
The first solution, LDAP Proxy, is usually quite sufficient if you are trying to virtualize only LDAP servers.
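As an added example of the LDAP proxy option (not from the answer or any OpenLDAP documentation), an OpenLDAP slapd.conf fragment using the meta backend: clients search my.ldap.server under ou=users,dc=example,dc=com, and slapd forwards each request to the backend whose branch matches, rewriting DNs so the backends' real suffixes stay hidden. Hostnames, suffixes and credentials are assumed placeholders.

```conf
# Added example: slapd.conf fragment for an OpenLDAP back-meta proxy.
# Hostnames, suffixes and credentials are assumed placeholders.
include         /etc/openldap/schema/core.schema
# moduleload    back_meta      (only needed if back_meta was built as a module)

database        meta
suffix          "ou=users,dc=example,dc=com"
rootdn          "cn=proxyadmin,ou=users,dc=example,dc=com"
# placeholder; use a hashed value from slappasswd in a real deployment
rootpw          secret

# Backend A: its users appear under ou=a,ou=users,dc=example,dc=com.
# suffixmassage maps the virtual branch to the backend's real naming context.
uri             "ldap://ldap-a.example.com/ou=a,ou=users,dc=example,dc=com"
suffixmassage   "ou=a,ou=users,dc=example,dc=com" "ou=people,dc=a,dc=example"

# Backend B, kept under its own branch so entries from the two sources cannot
# collide and the proxy can route by DN instead of querying every target.
uri             "ldap://ldap-b.example.com/ou=b,ou=users,dc=example,dc=com"
suffixmassage   "ou=b,ou=users,dc=example,dc=com" "ou=people,dc=b,dc=example"

# Optional per-target hardening: bind to the backend with a dedicated service
# account rather than relaying whatever identity the client used (see slapd-meta(5)).
# idassert-bind   bindmethod=simple binddn="cn=svc,dc=b,dc=example" credentials="placeholder"
```

A search with `-b ou=users,dc=example,dc=com`, as in the ldapsearch above, is fanned out to both targets, while a base under ou=a or ou=b reaches only that backend.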