
Setting up SSL for clipperz.bit

Posted: Wed Mar 12, 2014 9:11 am
by mbarulli
Hi there,
I'm trying to add SSL support to domain clipperz.bit using a self-signed certificate.

The first configuration I've tried used the "fingerprint" field, with both SHA1 and MD5.

Code:

{
    "ns": ["ns1.domaincoin.net", "ns2.domaincoin.net"],
    "fingerprint": ["27:6B:76:B0:43:08:41:94:88:CB:7A:8C:46:BF:EF:8C:19:D7:A3:76", "7F:2F:49:0F:D3:DC:71:5D:B7:14:40:58:89:95:2A:64"]
}
But the proxy we've been using to access .bit domains (178.32.31.43:8888 via the FoxyProxy Chrome extension) replied with an error (ERR_TUNNEL_CONNECTION_FAILED).

Then we changed approach, inspired by this thread and by the fact that the "fingerprint" field was marked as "deprecated" and switched to:

Code:

{
    "ns": ["ns1.domaincoin.net", "ns2.domaincoin.net"],
    "tls": {
        "sha1": ["27:6B:76:B0:43:08:41:94:88:CB:7A:8C:46:BF:EF:8C:19:D7:A3:76"],
        "enforce": "*"
    }
}
This time the proxy just answered that the page was not available.
We are a bit lost ...
Any help would be very welcome!

What are you using to navigate .bit domains?
Is FoxyProxy + 178.32.31.43 a reliable solution?
(that we can suggest to our users as well)
Any example configuration we can learn from?

Many thanks,
Marco

Re: Setting up SSL for clipperz.bit

Posted: Wed Mar 12, 2014 10:54 am
by domob
Great that you want to use .bit with TLS support! The first option you had (with "fingerprint") seems correct. Note that AFAIK you cannot use .bit's TLS support with a browsing proxy; instead you should try it with the FreeSpeechMe extension. The second option ("tls") is newer, but not yet implemented, and so I think you should stick with the first for now.

Try reverting to the "fingerprint" value and testing with FreeSpeechMe instead of a proxy. (Or ask here for others to test it after changing the name back.)

Re: Setting up SSL for clipperz.bit

Posted: Wed Mar 12, 2014 11:14 am
by mbarulli
Thanks domob!

I'm going to install FreeSpeechMe and revert to "fingerprint".
I'll keep you updated.

Btw, is it ok to list both SHA1 and MD5?

Re: Setting up SSL for clipperz.bit

Posted: Wed Mar 12, 2014 1:13 pm
by domob
mbarulli wrote:Thanks domob!

I'm going to install FreeSpeechMe and revert to "fingerprint".
I'll keep you updated.
Good luck with that!
mbarulli wrote:Btw, is it ok to list both SHA1 and MD5?
Ah, I missed that. You should only list SHA-1 (it doesn't harm to list MD5, too, but it will be interpreted as an allowed alternative SHA-1 hash which can never be matched by any certificate). I think mid-term we are switching to SHA-256, but for now only SHA-1 hashes are supported.
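
The check described in the reply above, as an added example that is not part of the original post and not FreeSpeechMe's code: it assumes the client takes SHA-1 over the DER-encoded certificate and compares it with every "fingerprint" entry, so a 16-byte MD5 entry can never match. The function names, the sample bytes and the 192.0.2.10 address are constructed for illustration.

```python
import hashlib
import json

SHA1_LEN = 20  # bytes; an MD5 digest is 16 bytes, so it can never equal a SHA-1 digest


def normalize(fp):
    """Turn 'AA:BB:...' (any case, colons optional) into raw bytes."""
    return bytes.fromhex(fp.replace(":", "").strip())


def format_fp(digest):
    """Render bytes in the colon-separated upper-case form used in the thread."""
    return ":".join(f"{b:02X}" for b in digest)


def pinned_fingerprints(name_value):
    """Split the "fingerprint" field into (usable, unmatchable) digests.

    The field may be one string or a list of strings, as in the thread.
    """
    raw = json.loads(name_value).get("fingerprint", [])
    entries = [raw] if isinstance(raw, str) else list(raw)
    usable, unmatchable = [], []
    for entry in entries:
        digest = normalize(entry)
        (usable if len(digest) == SHA1_LEN else unmatchable).append(digest)
    return usable, unmatchable


def cert_matches(name_value, cert_der):
    """True if SHA-1 over the DER certificate bytes equals a pinned value."""
    usable, _ = pinned_fingerprints(name_value)
    return hashlib.sha1(cert_der).digest() in usable


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_VALUE = json.dumps({
    "ip": "192.0.2.10",  # constructed documentation address
    "fingerprint": [
        format_fp(hashlib.sha1(SAMPLE_DER).digest()),
        format_fp(bytes(range(16))),  # constructed MD5-length entry
    ],
})

if __name__ == "__main__":
    usable, unmatchable = pinned_fingerprints(SAMPLE_VALUE)
    print("usable SHA-1 pins:", [format_fp(d) for d in usable])
    print("entries that can never match:", [format_fp(d) for d in unmatchable])
    print("certificate accepted:", cert_matches(SAMPLE_VALUE, SAMPLE_DER))
```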

Re: Setting up SSL for clipperz.bit

Posted: Wed Mar 12, 2014 4:04 pm
by mbarulli
I've now removed MD5, but unfortunately I just discovered that awesome FreeSpeechMe does not work on a Mac. :(

Is there anyone out there that is willing to try reaching https://clipperz.bit ? THANKS!
It would also be great to know which setup (proxy, add-ons, ...) you used.

Btw, http://clipperz.bit works just fine.

Re: Setting up SSL for clipperz.bit

Posted: Thu Mar 13, 2014 7:11 am
by domob
mbarulli wrote:I've now removed MD5, but unfortunately I just discovered that awesome FreeSpeechMe does not work on a Mac. :(

Is there anyone out there that is willing to try reaching https://clipperz.bit ? THANKS!
It would also be great to know which setup (proxy, add-ons, ...) you used.

Btw, http://clipperz.bit works just fine.
For me, neither one works at the moment. Also:

Code:

$ nmcontrol dns getIp4 clipperz.bit
ERROR: 
Presumably that has something to do with your nameservers (ns?.domaincoin.net). If you have a single static IP, you should add it directly to the name instead of using the "ns" fields. Is that the case or do you have multiple / changing IPs?

Re: Setting up SSL for clipperz.bit

Posted: Thu Mar 13, 2014 9:36 am
by mbarulli
If you have a single static IP, you should add it directly to the name instead of using the "ns" fields. Is that the case or do you have multiple / changing IPs?
Quite right. I've now switched to the "ip" parameter. Waiting for propagation to the blockchain.

Re: Setting up SSL for clipperz.bit

Posted: Thu Mar 13, 2014 9:50 am
by mbarulli
Current configuration is:

Code:

{
    "ip": "46.149.20.251",
    "fingerprint": "27:6B:76:B0:43:08:41:94:88:CB:7A:8C:46:BF:EF:8C:19:D7:A3:76"
}
Are you getting the same results?

Re: Setting up SSL for clipperz.bit

Posted: Thu Mar 13, 2014 9:57 am
by domob
mbarulli wrote:Current configuration is:

Code:

{
    "ip": "46.149.20.251",
    "fingerprint": "27:6B:76:B0:43:08:41:94:88:CB:7A:8C:46:BF:EF:8C:19:D7:A3:76"
}
Note that this works for clipperz.bit but not www.clipperz.bit. I suggest you use

Code:

{
    "ip": "46.149.20.251",
    "map": {"*": "46.149.20.251"},
    "fingerprint": "27:6B:76:B0:43:08:41:94:88:CB:7A:8C:46:BF:EF:8C:19:D7:A3:76"
}
instead, which resolves every subdomain to this IP. (But that depends on what you really want.)
mbarulli wrote: Are you getting the same results?
No, for me both work and the TLS certificate is correctly verified by FreeSpeechMe. As far as I can tell, the configuration is now fully functional.

Re: Setting up SSL for clipperz.bit

Posted: Thu Mar 13, 2014 1:41 pm
by mbarulli
Thanks for the good news domob!
I really appreciate your help. :)

I definitely need to find a convenient and reliable way to browse .bit domains on my Mac ...