En:HOWTO make YaCy allow SSL connections


A German version of this page also exists.

Few people are aware that HTTP is a plain-text protocol. Thus, it is generally a very good idea to use SSL to add slightly more security to the connection between you and YaCy.

YaCy over HTTPS

The German version of this page mentions

  • SSL3,
  • TLS1 and
  • TLS1.1,

which most likely means that those protocol versions are supported.

HOWTO make YaCy speak HTTPS

Using a Java-generated certificate

Sun's Java JDK (and JRE) come with a program called keytool.

You can use this program to create an SSL key pair with the following commands:

1. Change into YaCy's directory.

cd <YaCy-Dir>/DATA/SETTINGS

2. Run this command:

(If you can't find keytool, run find /opt/sun-jdk* -iname keytool or locate keytool; it may not be in your default PATH but lurking somewhere such as /opt/sun-jdk-1.5.0.08/jre/bin/keytool.)

keytool -keystore mySrvKeystore -genkey -keyalg RSA -alias mycert

Keytool will ask you for all sorts of information. You will be asked for a password. Remember this password.

Now stop YaCy. Wait until it shuts down.

Now open the configuration file:

vim DATA/SETTINGS/yacy.conf

And put these settings

keyStore=DATA/SETTINGS/mySrvKeystore
keyStorePassword=myverysecretpassword

right before the # EOF (or change both already existing entries in the file).

Using a CA Cert or other authority cert

You can get a free certificate from CA Cert. Their root certificate is not included in most major browsers, but CA Cert is the commonly used source of SSL certificates for people who do not want to pay VeriSign for one.

YaCy needs this cert to be in PKCS12 format.

1.) Run this command:

openssl pkcs12 -export -out keystore.pkcs12 -passout pass:passwordforyacysconfig -in servercert-from-cacert.crt -inkey yourprivateserver.key

2.) Copy the new file keystore.pkcs12 to DATA/SETTINGS/ and order YaCy to use it by editing DATA/SETTINGS/yacy.conf:

pkcs12ImportFile=DATA/SETTINGS/keystore.pkcs12
pkcs12ImportPwd=passwordforyacysconfig

It must be noted that YaCy totally freaks out if you set "pkcs12ImportPwd" without setting "pkcs12ImportFile". If you make this horrible mistake then YaCy will start everything but http-related threads and crawl away while refusing to have anything to do with you, in which case you must kill -9 it.
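A pre-restart check for the two configuration variants above, added here as an example that is not from the YaCy wiki or the YaCy project. It assumes yacy.conf consists of plain key=value lines whose paths are relative to the YaCy directory, and it adds a file-permission check of its own because yacy.conf stores the keystore password in clear text.

```shell
#!/bin/sh
# Added example (not YaCy code): check the SSL entries of a yacy.conf before
# restarting YaCy, so the "pkcs12ImportPwd without pkcs12ImportFile" mistake
# described above is caught before YaCy starts without its HTTP threads.
# Assumption: yacy.conf uses plain key=value lines, and path values such as
# DATA/SETTINGS/mySrvKeystore are relative to the YaCy directory.

# Print the (last) value of key $2 in config file $1; empty if the key is absent.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_yacy_ssl CONF YACYDIR
# Prints one status word and returns 0 only for "ok":
#   missing-file    pkcs12ImportPwd is set but pkcs12ImportFile is not
#   no-keystore     neither keyStore nor pkcs12ImportFile is configured
#   file-absent     the configured keystore/PKCS12 file does not exist
#   world-readable  CONF holds the password in clear text but others can read it
check_yacy_ssl() {
    conf=$1; yacydir=$2
    p12=$(conf_get "$conf" pkcs12ImportFile)
    p12pw=$(conf_get "$conf" pkcs12ImportPwd)
    ks=$(conf_get "$conf" keyStore)
    if [ -n "$p12pw" ] && [ -z "$p12" ]; then
        echo missing-file; return 1
    fi
    # Whichever of the two mechanisms is configured, the file itself must exist.
    store=${p12:-$ks}
    if [ -z "$store" ]; then
        echo no-keystore; return 1
    fi
    if [ ! -f "$yacydir/$store" ]; then
        echo file-absent; return 1
    fi
    # The keystore password sits in clear text in yacy.conf, so the file should
    # not be readable by other local users (an added hardening check, not a
    # YaCy requirement). -perm -004 matches files with the "other read" bit set.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo world-readable; return 1
    fi
    echo ok
}
```

Run it as check_yacy_ssl DATA/SETTINGS/yacy.conf . from the YaCy directory before starting YaCy again.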

Now connect

Go to the configuration page: http://localhost:8090/ConfigBasic.html, scroll down to option 4 and enable SSL (and restart YaCy).

Congratulations. You can now use your YaCy by going to https://<IP>:<Port>. By default YaCy uses port 8443 for HTTPS; to change the port, modify the config entry port.ssl.

People who haven't manually installed CA Cert's root certificate in their browsers will get a warning message asking them to accept your certificate. This is normal. Everybody, including you, will get this warning if you used a self-signed keytool certificate.