SSL-Certificate for osm.org


SSL-Certificate for osm.org

André Riedel
We've got a bug report at the Chemnitzer Linux-Tage. osm.org should be
added as alternative name in the openstreetmap.org certificate. This
is important for the link shortener.

https://osm.org/go/0MIaEuZzQ-?m=

Best greetings from Chemnitz
André

_______________________________________________
dev mailing list
[hidden email]
https://lists.openstreetmap.org/listinfo/dev

Re: SSL-Certificate for osm.org

Tom Hughes-3
On 21/03/16 06:16, André Riedel wrote:

> We've got a bug report at the Chemnitzer Linux-Tage. osm.org should be
> added as alternative name in the openstreetmap.org certificate. This
> is important for the link shortener.
>
> https://osm.org/go/0MIaEuZzQ-?m=

Do we actually generate that name anywhere? or have you just assumed
that you can change it to https?

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/


Re: SSL-Certificate for osm.org

André Riedel
2016-03-21 8:06 GMT+01:00 Tom Hughes <[hidden email]>:
> Do we actually generate that name anywhere? or have you just assumed that
> you can change it to https?

OSM does not generate https links, but other tools will do it or
change existing ones.

The guy who told it to us probably assumed such a behaviour. But I
would support his thoughts.


Re: SSL-Certificate for osm.org

Tom Hughes-3
On 21/03/16 07:50, André Riedel wrote:
> 2016-03-21 8:06 GMT+01:00 Tom Hughes <[hidden email]>:
>> Do we actually generate that name anywhere? or have you just assumed that
>> you can change it to https?
>
> OSM does not generate https links, but other tools will do it or
> change existing ones.

Well that would be wrong of them ;-)

> The guy who told it to us probably assumed such a behaviour. But I
> would support his thoughts.

I think we do have a certificate that has it, but we can't use it on the
main site because it will break JOSM.

The horribly backward Java certificate root authority list is the main
obstacle to most of our attempts to improve https support in fact.

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/


Re: SSL-Certificate for osm.org

Oleksiy Muzalyev
In reply to this post by Tom Hughes-3
On 21/03/16 08:06, Tom Hughes wrote:

> On 21/03/16 06:16, André Riedel wrote:
>
>> We've got a bug report at the Chemnitzer Linux-Tage. osm.org should be
>> added as alternative name in the openstreetmap.org certificate. This
>> is important for the link shortener.
>>
>> https://osm.org/go/0MIaEuZzQ-?m=
>
> Do we actually generate that name anywhere? or have you just assumed
> that you can change it to https?
>
> Tom
>
The same here, the SSL works correctly for www.openstreetmap.org, and
it does not work for www.osm.org

It is well known that SSL encrypts a web-page content, but it is less
understood that the SSL also encrypts the URL itself (except the domain
name). So with SSL (https://) people who monitor a LAN can see that
openstreetmap.org (or osm.org) were visited, but it is not possible to
see what part of the map was looked at, as anything after .org is
encrypted. I read about it and probably tested it with network analyzer
https://www.wireshark.org/

But SSL adds some additional load to web-servers. So if one just looks
at the map in general there is no sense to use https://, but if planning
a trip in a risky environment, for example for humanitarian workers, it
would be safer to use SSL.

brgds
Oleksiy


Re: SSL-Certificate for osm.org

Frederik Ramm
In reply to this post by Tom Hughes-3
Hi,

On 03/21/2016 09:22 AM, Tom Hughes wrote:
> The horribly backward Java certificate root authority list is the main
> obstacle to most of our attempts to improve https support in fact.

Perhaps we could just ignore that? I'm a JOSM user myself but I don't
think that the rest of the world should suffer just because Java is
unhappy with our SSL.

I'm sure that JOSM users who desperately need SSL can find a workaround
(could one not e.g. have JOSM connect insecurely to localhost and then
reverse-proxy https://openstreetmap.org/ from there?)

Or perhaps there are alternative SSL stacks for Java that can be employed?

Bye
Frederik

--
Frederik Ramm  ##  eMail [hidden email]  ##  N49°00'09" E008°23'33"


Re: SSL-Certificate for osm.org

Oleksiy Muzalyev
On 21.03.2016 10:26, Frederik Ramm wrote:

> Hi,
>
> On 03/21/2016 09:22 AM, Tom Hughes wrote:
>> The horribly backward Java certificate root authority list is the main
>> obstacle to most of our attempts to improve https support in fact.
> Perhaps we could just ignore that? I'm a JOSM user myself but I don't
> think that the rest of the world should suffer just because Java is
> unhappy with our SSL.
>
> I'm sure that JOSM users who desperately need SSL can find a workaround
> (could one not e.g. have JOSM connect insecurely to localhost and then
> reverse-proxy https://openstreetmap.org/ from there?)
>
> Or perhaps there are alternative SSL stacks for Java that can be employed?
>
> Bye
> Frederik
>
I would suggest contacting engineers at Oracle who work on Java and
explaining the issue to them. Perhaps, it could be solved in two weeks via Java auto
update. The most widespread form of communication is misunderstanding.
Perhaps, they are just unaware of it.

I remember a couple of years ago I wrote a message to DJI Corporation
asking to modify the gimbal of the camera on their drones, so that it
would be possible to tilt it directly down, vertically, 90 degrees, for
making images for mapping. Maybe it is a coincidence, or maybe there
were numerous similar requests, but on the Phantom 3 and 4, the camera
could be well tilted straight down (Controllable Range: pitch -90° to
+30°). And this feature became popular not only for mapping, but among
general aerial photographers and videographers.

brgds
Oleksiy


Re: SSL-Certificate for osm.org

Tom Hughes-3
In reply to this post by Frederik Ramm
On 21/03/16 09:26, Frederik Ramm wrote:

> Or perhaps there are alternative SSL stacks for Java that can be employed?

No need for that, all it really needs is for the JOSM devs to be
prepared to make it use a custom root certificate set until such time as
Oracle get around to updating the default set... Basically doing the
sort of thing talked about here:

http://stackoverflow.com/questions/24555890/using-a-custom-truststore-in-java-as-well-as-the-default-one?lq=1

Which creates a custom trust manager that tries both the default trust
manager and a second one that has other roots loaded.

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/
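
The approach described in the message above (try the default trust manager, then a second one with other roots loaded), as an added example; it is not JOSM's code or the code from the linked Stack Overflow answer, and the class name `CombinedTrust`, the alias `extra-root` and the certificate path argument are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class CombinedTrust {
    // X509TrustManager backed by the given store; null selects the JRE's default cacerts.
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    // SSLContext that accepts a server chain if the default roots OR extraRoots validate it.
    static SSLContext contextWithExtraRoots(KeyStore extraRoots) throws Exception {
        final X509TrustManager defaults = trustManagerFor(null);
        final X509TrustManager extras = trustManagerFor(extraRoots);
        X509TrustManager combined = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try { defaults.checkServerTrusted(chain, authType); }
                catch (CertificateException e) { extras.checkServerTrusted(chain, authType); }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                defaults.checkClientTrusted(chain, authType); // extra roots are for servers only
            }
            public X509Certificate[] getAcceptedIssuers() { return defaults.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { combined }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to one additional root certificate in PEM or DER form (assumed file)
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        extra.load(null, null); // empty in-memory store; the JRE's cacerts file is not modified
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            extra.setCertificateEntry("extra-root",
                CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        SSLContext ctx = contextWithExtraRoots(extra);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

The extra roots apply only to connections made through this context in the running JVM, and hostname verification by `HttpsURLConnection` is unchanged.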


Re: SSL-Certificate for osm.org

Дмитрий Киселев
In reply to this post by Oleksiy Muzalyev
As I understand, it's possible to add a root CA to Java
https://azure.microsoft.com/en-us/documentation/articles/java-add-certificate-ca-store/

Could it help us to get https://osm.org working?

2016-03-21 14:49 GMT+05:00 Oleksiy Muzalyev <[hidden email]>:
> On 21.03.2016 10:26, Frederik Ramm wrote:
>> Hi,
>>
>> On 03/21/2016 09:22 AM, Tom Hughes wrote:
>>> The horribly backward Java certificate root authority list is the main
>>> obstacle to most of our attempts to improve https support in fact.
>> Perhaps we could just ignore that? I'm a JOSM user myself but I don't
>> think that the rest of the world should suffer just because Java is
>> unhappy with our SSL.
>>
>> I'm sure that JOSM users who desperately need SSL can find a workaround
>> (could one not e.g. have JOSM connect insecurely to localhost and then
>> reverse-proxy https://openstreetmap.org/ from there?)
>>
>> Or perhaps there are alternative SSL stacks for Java that can be employed?
>>
>> Bye
>> Frederik
>
> I would suggest contacting engineers at Oracle who work on Java and explaining the issue to them. Perhaps, it could be solved in two weeks via Java auto update. The most widespread form of communication is misunderstanding. Perhaps, they are just unaware of it.
>
> I remember a couple of years ago I wrote a message to DJI Corporation asking to modify the gimbal of the camera on their drones, so that it would be possible to tilt it directly down, vertically, 90 degrees, for making images for mapping. Maybe it is a coincidence, or maybe there were numerous similar requests, but on the Phantom 3 and 4, the camera could be well tilted straight down (Controllable Range: pitch -90° to +30°). And this feature became popular not only for mapping, but among general aerial photographers and videographers.
>
> brgds
> Oleksiy

--
Thank you for your time. Best regards.
Dmitry.


Re: SSL-Certificate for osm.org

Tom Hughes-3
In reply to this post by Oleksiy Muzalyev
On 21/03/16 09:49, Oleksiy Muzalyev wrote:

> I would suggest contacting engineers at Oracle who work on Java and
> explaining the issue to them. Perhaps, it could be solved in two weeks via Java auto
> update. The most widespread form of communication is misunderstanding.
> Perhaps, they are just unaware of it.

Excuse me while I try to stop laughing.

As far as anybody can tell the Java Root Certificate Program is some
sort of black hole that applications go into but then nothing happens.

See for example https://forum.startcom.org/viewtopic.php?f=15&t=1815 
where there are five year old messages from StartCom people to the
effect that they are trying to get Oracle to add their root.

More recently letsencrypt have applied but there has been no evidence of
anything happening.

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/


Re: SSL-Certificate for osm.org

Tom Hughes-3
In reply to this post by Tom Hughes-3
On 21/03/16 09:59, Tom Hughes wrote:
> On 21/03/16 09:26, Frederik Ramm wrote:
>
>> Or perhaps there are alternative SSL stacks for Java that can be
>> employed?
>
> No need for that, all it really needs is for the JOSM devs to be
> prepared to make it use a custom root certificate set until such time as
> Oracle get around to updating the default set... Basically doing the
> sort of thing talked about here:

Apparently JOSM did exactly this a week ago:

https://github.com/openstreetmap/operations/issues/55#issuecomment-199208093
https://josm.openstreetmap.de/changeset/9995/josm

Tom

--
Tom Hughes ([hidden email])
http://compton.nu/


Re: SSL-Certificate for osm.org

Jukka Rahkonen-2
In reply to this post by Frederik Ramm
Hi,

Is the problem that the OSM certificate, granted by GeoTrust Inc., is
not trusted by the default Java installation? Adding more trusted
certificates into the local Java keystore is not an impossible task,
especially if there was a manual page about how to do it.

-Jukka Rahkonen-




Frederik Ramm kirjoitti 2016-03-21 11:26:

> Hi,
>
> On 03/21/2016 09:22 AM, Tom Hughes wrote:
>> The horribly backward Java certificate root authority list is the main
>> obstacle to most of our attempts to improve https support in fact.
>
> Perhaps we could just ignore that? I'm a JOSM user myself but I don't
> think that the rest of the world should suffer just because Java is
> unhappy with our SSL.
>
> I'm sure that JOSM users who desperately need SSL can find a workaround
> (could one not e.g. have JOSM connect insecurely to localhost and then
> reverse-proxy https://openstreetmap.org/ from there?)
>
> Or perhaps there are alternative SSL stacks for Java that can be
> employed?
>
> Bye
> Frederik


Re: SSL-Certificate for osm.org

Paul Hartmann-2
In reply to this post by Frederik Ramm
On 21.03.2016 10:26, Frederik Ramm wrote:
> Hi,
>
> On 03/21/2016 09:22 AM, Tom Hughes wrote:
>> The horribly backward Java certificate root authority list is the main
>> obstacle to most of our attempts to improve https support in fact.
>
> Perhaps we could just ignore that? I'm a JOSM user myself but I don't
> think that the rest of the world should suffer just because Java is
> unhappy with our SSL.

Support for custom certificates has been added to JOSM in version 9995.
So far, Let's Encrypt and StartSSL are included.

(see https://josm.openstreetmap.de/ticket/12264)

> I'm sure that JOSM users who desperately need SSL can find a workaround
> (could one not e.g. have JOSM connect insecurely to localhost and then
> reverse-proxy https://openstreetmap.org/ from there?)

Default Server URL is https://api.openstreetmap.org/api. I.e. it would
break for every (pre 9995) user.

Best, Paul






Re: SSL-Certificate for osm.org

Oleksiy Muzalyev
In reply to this post by Tom Hughes-3
On 21.03.2016 11:06, Tom Hughes wrote:

> On 21/03/16 09:49, Oleksiy Muzalyev wrote:
>
>> I would suggest contacting engineers at Oracle who work on Java and
>> explaining the issue to them. Perhaps, it could be solved in two weeks via Java auto
>> update. The most widespread form of communication is misunderstanding.
>> Perhaps, they are just unaware of it.
>
> Excuse me while I try to stop laughing.
>
> As far as anybody can tell the Java Root Certificate Program is some
> sort of black hole that applications go into but then nothing happens.
>
> See for example https://forum.startcom.org/viewtopic.php?f=15&t=1815 
> where there are five year old messages from StartCom people to the
> effect that they are trying to get Oracle to add their root.
>
> More recently letsencrypt have applied but there has been no evidence
> of anything happening.
>
> Tom
>
I've met personally only one Oracle employee, Dave Stokes. Dave Stokes
is a MySQL Community Manager for Oracle and previously was the MySQL
Certification Manager for MySQL AB and Sun (
https://world2014.phparch.com/speakers/ ). He was a speaker at the
conference.

He was one of the most helpful men I've ever met. He explained me and other
participants SQL query optimization, common errors of DB installation
and administration, etc., answered clearly all questions, asked to write
asking other questions. He rides a motorbike as a hobby.

brgds
Oleksiy
