En:HOWTO make YaCy allow SSL connections
From YaCyWiki
A German version of this page also exists.
Few people are aware that HTTP is a plain-text protocol: everything exchanged between your browser and YaCy travels unencrypted and can be read or altered on the way. It is therefore a very good idea to use SSL/TLS to protect the connection between you and YaCy.
YaCy over HTTPS
The German version of this page mentions
- SSL3,
- TLS1 and
- TLS1.1,
which most likely means these are the supported protocol versions. Note that SSL 3.0 has been formally deprecated (RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996). Which versions a YaCy instance actually offers depends on the Java runtime it is started with, so rather than relying on this list, check it with a TLS client, for example openssl s_client -connect <IP>:<Port>.
HOWTO make YaCy speak HTTPS
Using a Java-generated certificate
Sun's Java JDK (and JRE) come with a program called keytool.
You can use this program to create an SSL keypair and a self-signed certificate with the following commands:
1. Change into YaCy's directory:
cd <YaCy-Dir>
2. Run this command:
(if you can't find your "keytool", try find /opt/sun-jdk* -iname keytool or locate keytool; it may not be in the default path but lurking somewhere such as /opt/sun-jdk-1.5.0.08/jre/bin/keytool)
keytool -keystore DATA/SETTINGS/mySrvKeystore -genkey -keyalg RSA -keysize 2048 -alias mycert
Keytool will ask you for all sorts of information. Answer the question "What is your first and last name?" with the host name under which you will reach YaCy: that answer becomes the certificate's CN, which browsers compare against the address bar. You will also be asked for a password. Remember this password. (-keysize 2048 is added here because older keytool versions default to 1024-bit RSA keys, which are considered too weak today.)
Now stop YaCy. Wait until it shuts down.
Now open the configuration file:
vim DATA/SETTINGS/httpProxy.conf
And put these settings
keyStore=DATA/SETTINGS/mySrvKeystore
keyStorePassword=myverysecretpassword
right before the # EOF line (or change both entries if they already exist in the file). The keystore and httpProxy.conf now hold your private key and its password, so make sure they are readable only by the user YaCy runs as.
Using a CAcert or other authority cert
You can get a free certificate from CAcert. Their root certificate is not included in most major browsers, but CAcert is a commonly used way to get an SSL certificate without paying a commercial CA such as Verisign.
YaCy needs the certificate and its private key bundled in a PKCS#12 file.
1.) Run this command:
openssl pkcs12 -export -out keystore.pkcs12 -passout pass:passwordforyacysconfig -in servercert-from-cacert.crt -inkey yourprivateserver.key
(-passout pass:... puts the password into the process list and your shell history; leave it out to be prompted interactively instead. If the CA gave you an intermediate certificate, add it with -certfile <intermediate.crt> so that clients receive the full chain.)
2.) Copy the new file keystore.pkcs12 to DATA/SETTINGS/ and order YaCy to use it by editing DATA/SETTINGS/httpProxy.conf:
pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12
pkcs12ImportPwd=passwordforyacysconfig
It must be noted that YaCy misbehaves badly if you set "pkcs12ImportPwd" without setting "pkcs12ImportFile". If you make this mistake, YaCy starts every thread except the HTTP-related ones and carries on crawling while refusing to talk to you, in which case you must kill -9 it. Always set both entries, and check the file before restarting.
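Both procedures above come down to the same two things: producing a key file, and writing matching entries into DATA/SETTINGS/httpProxy.conf without ending up in the half-configured state described in the last paragraph. The following shell script is an added example for this page, not YaCy project code; it assumes the file layout and setting names used above (DATA/SETTINGS/httpProxy.conf with a "# EOF" marker, mySrvKeystore, keystore.pkcs12, the keyStore*/pkcs12Import* keys) and needs keytool (Java 7 or newer for the :env password form) and openssl only in the two functions that call them. The yacy_set_conf helper is idempotent, so it can be re-run on an already edited file.

```shell
#!/bin/sh
# Added example for the YaCy HTTPS HOWTO (not YaCy project code).
# Assumes YaCy's DATA/SETTINGS/httpProxy.conf layout and the setting names
# used on the wiki page; host names and passwords below are placeholders.
set -eu

# yacy_set_conf FILE KEY VALUE
# Replace an existing "KEY=..." line, or insert "KEY=VALUE" just before the
# "# EOF" marker (append if there is no marker). Values must not contain
# '|' or '&' (sed delimiter / back-reference); YaCy's paths never do.
yacy_set_conf() {
    conf=$1; key=$2; value=$3
    tmp="$conf.tmp.$$"
    if grep -q "^$key=" "$conf"; then
        sed "s|^$key=.*|$key=$value|" "$conf" > "$tmp"
    elif grep -q '^# EOF' "$conf"; then
        awk -v kv="$key=$value" '/^# EOF/ { print kv } { print }' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# yacy_get_conf FILE KEY  -> prints the value, empty if unset
yacy_get_conf() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# yacy_check_pkcs12_conf FILE
# Preflight for the failure mode described on the page: pkcs12ImportPwd set
# while pkcs12ImportFile is empty makes YaCy start without its HTTP threads.
# Returns 0 when the two settings are consistent, 1 otherwise.
yacy_check_pkcs12_conf() {
    p12pw=$(yacy_get_conf "$1" pkcs12ImportPwd)
    p12file=$(yacy_get_conf "$1" pkcs12ImportFile)
    if [ -n "$p12pw" ] && [ -z "$p12file" ]; then
        echo "$1: pkcs12ImportPwd is set but pkcs12ImportFile is not" >&2
        return 1
    fi
    return 0
}

# yacy_make_keystore YACY_DIR HOSTNAME PASSWORD
# Self-signed keypair via keytool as in the HOWTO, but non-interactive, with
# an explicit 2048-bit key and the host name as CN so browsers can match it.
# The password goes through an environment variable (keytool's :env form,
# Java 7+) instead of the command line, so it does not show up in `ps`.
yacy_make_keystore() {
    ydir=$1; host=$2; YACY_KS_PW=$3
    export YACY_KS_PW
    ks="$ydir/DATA/SETTINGS/mySrvKeystore"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias mycert -dname "CN=$host" -keystore "$ks" \
        -storepass:env YACY_KS_PW -keypass:env YACY_KS_PW
    chmod 600 "$ks"
    yacy_set_conf "$ydir/DATA/SETTINGS/httpProxy.conf" keyStore DATA/SETTINGS/mySrvKeystore
    yacy_set_conf "$ydir/DATA/SETTINGS/httpProxy.conf" keyStorePassword "$YACY_KS_PW"
    # Print the fingerprint so it can be compared with the browser's warning.
    keytool -list -keystore "$ks" -storepass:env YACY_KS_PW -alias mycert
}

# yacy_import_pkcs12 YACY_DIR CERT KEY PASSWORD [CHAIN]
# Bundle a CA-issued certificate and its private key into PKCS#12 for YaCy,
# optionally with the CA's intermediate certificate(s), then write BOTH
# pkcs12Import* settings and verify them before YaCy is restarted.
yacy_import_pkcs12() {
    ydir=$1; crt=$2; key=$3; YACY_P12_PW=$4; chain=${5:-}
    export YACY_P12_PW
    out="$ydir/DATA/SETTINGS/keystore.pkcs12"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout env:YACY_P12_PW
    else
        openssl pkcs12 -export -in "$crt" -inkey "$key" \
            -out "$out" -passout env:YACY_P12_PW
    fi
    chmod 600 "$out"
    conf="$ydir/DATA/SETTINGS/httpProxy.conf"
    yacy_set_conf "$conf" pkcs12ImportFile DATA/SETTINGS/keystore.pkcs12
    yacy_set_conf "$conf" pkcs12ImportPwd "$YACY_P12_PW"
    yacy_check_pkcs12_conf "$conf"
}
```

Typical use, with YaCy stopped: yacy_make_keystore /opt/yacy search.example.org myverysecretpassword for the self-signed variant, or yacy_import_pkcs12 /opt/yacy servercert-from-cacert.crt yourprivateserver.key passwordforyacysconfig for a CA-issued certificate. yacy_check_pkcs12_conf DATA/SETTINGS/httpProxy.conf can be run on its own against any hand-edited file before starting YaCy.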
Now connect
Congratulations. You can now reach your YaCy at https://<IP>:<Port>
Browsers that do not have CAcert's root certificate installed will show a warning asking whether to accept your certificate. This is normal. Everybody, including you, will get this warning if you used keytool, because that certificate is self-signed. Before accepting it, compare the fingerprint the browser shows with the one keytool -list -v -keystore DATA/SETTINGS/mySrvKeystore prints for your alias; accepting blindly gives you no protection against someone sitting between you and YaCy.
