From: Freddie Cash
Date: Mon, 27 Jan 2020 08:40:45 -0800
Subject: Re: how to use the ktls
To: Rick Macklem
Cc: "freebsd-current@FreeBSD.org"
List-Id: Discussions about the use of FreeBSD-current

On Sun, Jan 26, 2020 at 12:08 PM Rick Macklem wrote:

> Oh, and for anyone out there...
> What is the easiest freebie way to test signed certificates?
> (I currently am using a self-signed certificate, but I need to test the
> "real" version at some point soon.)

Let's Encrypt is what you are looking for. Create real, signed certificates, for free. They're only good for 90 days, but they are easy to renew.

There are various scripts and programs out there for managing Let's Encrypt certificates (certbot, acme.sh, dehydrated, etc). There's a bunch of different bits available in the ports tree.

We use dehydrated at work, using DNS for authenticating the cert requests, and have it fully automated via cron, managing certs for 50-odd domains (school servers and firewalls). Works great.

-- 
Freddie Cash
fjwcash@gmail.com