HTTPS support about website HOT 12 CLOSED

The webserver is hosted on the same server where Kontalk Beta server is hosted (beta.kontalk.net), however port 443 is used by the server itself for future support for corporate proxy connections through HTTPS tunneling. I really don't know what we could do about it if we don't get another IP address for the server (which DigitalOcean doesn't provide) or moving the website to another server.
However... I could probably proxy Tigase through Apache and make it tunnel to Tigase when requests come to the default virtual host or to beta.kontalk.net. I will do some experiments.
Please note that certificate will be issued by CACert.org, so no support for the major browsers, sorry (we can't afford it).

from website.

Hi, thanks for all the precisions, I was just curious about the https. It's ok for CACert, maybe when Mozilla will launch let's encrypt it will be easier. Never someone should have to pay for a https website. I myself run website with an autogenerated self signed certificate. So people have to click the scary "connection unsecure" warning.

Just a curious question: when 3.0.1 will go live, will you change the server name beta.kontalk.net to something else?

from website.

Server name will remain beta.kontalk.net. It's the actual server name, it's called "beta" because it's the second server (although the first one wasn't "alpha" but "prime", but you know... naming :-).

from website.

Please note that certificate will be issued by CACert.org, so no support for the major browsers, sorry (we can't afford it).

Why not just use StartSSL, a CA included in all important browsers, which also provides free certificates? Or wait until Let's Encrypt is ready and use certs from there.

from website.

@rguk we've actually migrated to StartSSL recently, so no certificate trust problem.

from website.

https://www.kontalk.org/ still delivers a wrong certificate (wrong domain). As it's valid for https://www.kontalk.net/ I can go to https://www.kontalk.net/, but this connection also times out. The same with https://beta.kontalk.net and if I ignore the wrong-domain-warning of https://www.kontalk.org/ it does not connect too.

from website.

Oh I'm sorry I didn't mean I've fixed the issue. I meant that we changed our certificate authority.

from website.

Okay, as I saw you finally enabled HTTPS there.
However your TLS config is still bad and you should really improve it.

FYI I've created a ruleset for the Kontalk domains.

from website.

Thanks @rugk. I've tried to improve it today but the server runs Debian Squeeze which is quite old and has Apache 2.2.16. I'll need to upgrade that first because for a start ECDH/ECDSA is not supported by that version.

from website.

Well... keeping software up-to-date is not a bad idea. 😉

You have to use at least Apache 2.4 to use a modern cipher suite.

from website.

BTW translate.kontalk.org still uses a CAcert cert.

And you still do not seem to have updated Apache and your TLS config.

from website.

Thanks @rugk, I know. I'm having troubles following all the Kontalk stuff because of some life and work issues. Besides, translate.kontalk.org is hosted on an old Debian version so it needs special care to update Apache.

from website.