SSL / TLS changes

Bug #1882967 reported by Jason Boyer on 2020-06-10
Affects: Evergreen | Importance: Wishlist | Assigned to: Unassigned

Bug Description

This is a wishlist item to start some discussion around making two changes to Evergreen's handling of TLS.

1. Given the existence of LetsEncrypt and the fact that encrypted communications aren't that large a drain on modern hardware, TLS should simply be required and assumed across the board. This could be reflected in our sample configs.

2. Enforcing #1 should also be the responsibility of apache or nginx, not OpenILS::WWW::EGCatLoader. (This is essentially the case already in many installations because redirects are so easy.) This would allow proxying to be simpler because you only need to manage certs in a single place (nginx, haproxy, whatevs) and could then use HTTP on the backend. Standing up a local test server would be significantly simpler, though Chrome's insistence on a TLS connection for localhost websocket connections is beyond our control. (Maybe more testing with FF? It just requires changing wss:// to ws://...)

What do folks think?
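The setup proposed in point 2, as an added illustration (this is not Evergreen's shipped configuration nor the reporter's): a single nginx vhost that owns the certificate, redirects all plain HTTP to HTTPS, and proxies to a backend that speaks only HTTP on loopback. The hostname, certificate paths, backend ports and the websocket path are assumptions for the example; the websocket location shows the wss://-outside, ws://-inside split the report describes.

```nginx
# Added example, not Evergreen's own config. Hostname, cert paths, backend
# ports and the websocket path are assumptions chosen for illustration.

# 1. Plain HTTP exists only to redirect; nothing is served here.
server {
    listen 80;
    listen [::]:80;
    server_name catalog.example.org;
    return 301 https://$host$request_uri;
}

# 2. TLS is terminated once, here; the backend never handles a cert.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name catalog.example.org;

    # Paths as written by certbot for a LetsEncrypt cert (assumed hostname).
    ssl_certificate     /etc/letsencrypt/live/catalog.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/catalog.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to stop attempting plain HTTP for this host at all.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Backend is plain HTTP on loopback (port assumed). X-Forwarded-Proto
    # lets it build https:// URLs and mark cookies Secure even though the
    # hop it sees is HTTP.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # WebSocket endpoint (path and port assumed): the browser connects with
    # wss:// to nginx; nginx opens a plain ws:// connection to the backend.
    location /osrf-websocket-translator {
        proxy_pass http://127.0.0.1:7682;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;
    }
}
```

Two checks worth making once the backend goes HTTP-only: bind it to 127.0.0.1 (or firewall it) so the only route to it is through the proxy, and make sure the backend trusts X-Forwarded-Proto only when the request arrives from that proxy, otherwise a client that can reach the backend directly can claim its request was HTTPS.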
