Make openSUSE the first distribution to support Let's Encrypt/ACME natively, in order to provide easy TLS encryption for all services. openSUSE users should be able to
- Request certificates for associated host names and keep them up-to-date.
- Use these certificates to configure their services (e.g. web, mail).
- Evaluate yast2-certificate-management for fitness. Decide on whether to extend it or write a new module.
- Make use of an existing ACME client. Evaluate e.g. certbot, acmetool and dehydrated for fitness. YaST modules should not provide new functionality, only integration.
- Extend yast2-http-server, yast2-mail, etc. accordingly.
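Keeping certificates up to date means knowing when a certificate expires and which host names it actually covers, so the integration layer can decide when to trigger the ACME client and whether every configured virtual host is included. The Ruby snippet below is an added illustration of those two checks, not code from this project or from any of the ACME clients named above. It builds a self-signed test certificate in-process so it runs offline; the host names, the 30-day renewal margin and the certbot-style path mentioned in the comments are assumptions made for the example, since the project has not yet chosen a client.

```ruby
require "openssl"

# Constructed self-signed certificate so the example runs offline.
# A real module would instead read the PEM the ACME client wrote, e.g.
# /etc/letsencrypt/live/<host>/cert.pem in certbot's layout (assumed here).
def build_test_cert(days_valid:, hostnames: ["www.example.org"])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostnames.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days_valid * 86_400

  # Modern certificates carry every host name in subjectAltName, not only the CN.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  sans = hostnames.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", sans, false))

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Days until the certificate expires as a Float; negative once it has expired.
def days_until_expiry(pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  (cert.not_after - now) / 86_400.0
end

# Renewal policy: renew when fewer than +threshold_days+ remain.
# Let's Encrypt issues 90-day certificates; a 30-day margin leaves time to
# notice and fix a failing renewal (margin chosen for this example).
def needs_renewal?(pem, threshold_days: 30, now: Time.now)
  days_until_expiry(pem, now: now) < threshold_days
end

# Host names the certificate covers: the DNS entries of subjectAltName,
# falling back to the CN for old-style certificates without a SAN.
def covered_hostnames(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  if san
    san.value.split(",").map(&:strip)
       .select { |v| v.start_with?("DNS:") }
       .map { |v| v.sub("DNS:", "") }
  else
    cn = cert.subject.to_a.find { |entry| entry[0] == "CN" }
    cn ? [cn[1]] : []
  end
end

if __FILE__ == $PROGRAM_NAME
  pem = build_test_cert(days_valid: 20, hostnames: ["www.example.org", "mail.example.org"])
  puts "covers:     #{covered_hostnames(pem).join(', ')}"
  puts "days left:  #{days_until_expiry(pem).round(1)}"
  puts "renew now?  #{needs_renewal?(pem)}"
end
```

A YaST module would run `covered_hostnames` against the ServerName/ServerAlias entries of each virtual host before enabling TLS for it, and `needs_renewal?` from a timer or cron job that then invokes whichever ACME client is chosen.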
Call for collaborators
Knowledge of Ruby, YaST internals or ACME/TLS/X.509 is useful, but not strictly necessary. I will give an introduction on the TLS related topics on Tuesday. It would be nice to have a YaST expert on the team.
- Set security headers such as HTTP Strict Transport Security.
- Set the certificate pinning header, HPKP (https://tools.ietf.org/html/rfc7469). This requires creating backup keys to be useful. Might not even be a good idea (https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead).
- Update the crypto parameters in Apache/Postfix/etc. Let's talk to security folks about that.
- Discuss whether and how to approach this from the SUSE Manager end.
A default setup should achieve an A/A+ rating on ssllabs.com.
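To make the rating goal concrete, here is the Apache mod_ssl virtual host configuration the yast2-http-server integration would have to produce. It is an added example, not a fragment from this project or from any of the ACME clients mentioned above. The certificate paths follow certbot's `live` layout and the ACME challenge webroot is `/srv/www/acme-challenge`; both are assumptions, as is the use of `www.example.org` as the host name. The weak settings that SSL Labs marks down are shown as comments beside the hardened ones; `mod_headers` and `mod_ssl` must be loaded. HPKP is deliberately left out, for the reason given above.

```apache
# Port 80: serve only the ACME http-01 challenge directory and redirect everything
# else to HTTPS. Redirect directives win over Alias regardless of order, so the
# challenge path must be excluded from the redirect explicitly.
<VirtualHost *:80>
    ServerName www.example.org
    # Assumed webroot the ACME client writes challenge tokens to.
    Alias /.well-known/acme-challenge/ /srv/www/acme-challenge/
    <Directory /srv/www/acme-challenge/>
        Require all granted
    </Directory>
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://www.example.org/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on

    # Assumed certbot layout; fullchain.pem carries the leaf plus intermediates,
    # so no separate SSLCertificateChainFile is needed.
    SSLCertificateFile    /etc/letsencrypt/live/www.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.org/privkey.pem

    # Weak (caps the SSL Labs grade):   SSLProtocol all
    # Hardened: TLS 1.2 and newer only.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Weak: SSLCipherSuite DEFAULT  (permits RSA key exchange without forward
    #       secrecy and CBC suites). Hardened: AEAD suites with ECDHE only.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    # OCSP stapling; the cache is declared at server level below.
    SSLUseStapling on

    # HSTS: deploy with a short max-age first, raise it to a year (31536000)
    # once every subdomain is reachable over TLS; SSL Labs requires a long
    # max-age for A+. Add "preload" only after submitting to hstspreload.org.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>

# Server-level context (outside any <VirtualHost>): required for SSLUseStapling.
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"
```

The same split applies to the other services the project lists: the ACME client owns the key and certificate files and the renewal schedule, while each YaST module only points its service at those files and writes the protocol and cipher policy.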