They announced that Let’s Encrypt certs issued after 1pm Pacific today are compatible with Windows XP. The longer explanation is here. But even after reading it, I have why. In its replies, there are a lot of pros and cons.
Tag: SSL
[2017.Oct.20] We can use mod_md in the ApacheLounge 2.4.x version now, so I changed my certificate updating tool from dehydrated (formerly Letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
【2016.7.19 update】
At this time, the script letsencrypt-win-simple doesn’t support the renewal of certificates on the Windows version of Apache, and the official client, certbot, also doesn’t support Apache on Windows. So, I think I will use another script named letsencrypt.sh. ☞ ‘Letsencrypt.sh on Windows-#1’
========================================================
The day before yesterday I wrote this. At that point I had got a certificate only for o6asan.com from Let’s Encrypt.
The parts of my server environment related to the work are given below.
- Windows7 HE SP1 (x86)
- Apache2.4.x with VC14
I installed a Let’s Encrypt certificate because of くりくりさん’s comments, and it was successful. But I haven’t understood it very well yet. How can I renew the certificate? What procedures do I need to get a certificate with SAN support? I found a ‘HOW TO’ for Exchange 2016, but mine is Apache.
I should study more about Let’s Encrypt.
Edit(Mar.14):
I posted the article “How to install a Let’s Encrypt Certificate supports SAN to Apache on Windows”.
Vulnerability DROWN.
After reading ‘DROWN SSLv2 Vulnerability Rears Ugly Head, Puts One-Third of HTTPS Servers At Risk’, I checked my server with The DROWN Attack and DROWN Scanner. The DROWN vulnerability is related to OpenSSL Security Advisory [1st March 2016].
Memorandum #16.
Steffen released a new version of Apache 2.4.18 which was built with OpenSSL 1.0.2f on February 11, so I updated my web server Apache to it the day before yesterday. Its ChangeLog says it was built with nghttp2 1.5.0; however, Steffen has already provided nghttp2 1.6.0 (MSVC release), though nghttp2’s releases come like a waterfall. You should at least use it instead of nghttp2 1.5.0. The ChangeLog of nghttp2 1.6.0. You can download mod_http2 1.1.0 & nghttp2 1.6.0 from here. If you are installing Apache2.4.x for the first time, see “To create a Wamp-like Web Server in Windows7-#1”. Now I use a VC14 version of Apache which requires VC14.
Memorandum #15.
As PHP7.0.3 was released, I updated to it the day before yesterday. Here is ChangeLog. My server OS is Windows7 HE SP1 x86, so I downloaded php-7.0.3-Win32-VC14-x86.zip.
The new php.ini-production has no differences from 7.0.2’s except for some comments. If you need more information about php.ini configuration, see ‘Migrating from PHP 5.5.16 to PHP 5.6.0 on Windows’.
Building h2load on Cygwin.
Actually, Cygwin has libev and nghttp2 packages now. So, you can use the h2load feature even if you don’t build nghttp2 yourself. Nevertheless, if you build nghttp2 on Cygwin, you need to build Jansson and spdylay before building it because Cygwin doesn’t have packages for them. But, according to the current trend, I think you don’t need the spdylay package. (2016.6.18)
—————————————————————————————————————————————————
Now, I have two zip files. One is H2LOAD_dll_package_x86.zip, the other is H2LOAD_dll_package_x64.zip. If you download one of them, you can run the h2load test on your Windows PC. Run cmd.exe and enter the following.
> h2load -n100000 -c100 -m10 https://localhost
If you do this test, you should create your own local server, because the test might amount to a cyber attack on the server if you set the values of -n, -c and -m too high. Be careful.
I wrote this before: ‘I don’t know why, but it looks like telling Apache without HTTP/2 is faster. Gee!’. This time, I had interesting results. See HTTPS with HTTP/2 and HTTPS without HTTP/2. The test shows that a server that supports HTTP/2 is better at dealing with concurrent streams than a server that doesn’t support HTTP/2. This is one of the HTTP/2 features.
I’ll write about my hard work to get these files (^_^;).
[Caution]: The steps below give the files contained in H2LOAD_dll_package_x64.zip. If you want to have the files for an x86 PC, you have to do all the steps with setup-x86.exe on a Windows x86 PC.
Continued from this post. As I finished preparing for supporting HTTP/2, I re-edited my httpd.conf and httpd-ssl.conf.
On the httpd.conf, I un-commented the next line.
LoadModule http2_module modules/mod_http2.so
On the httpd-ssl.conf, I added the next line just after <VirtualHost o6asan.com:443>.
Protocols h2 http/1.1
h2 is HTTP/2 with TLS and h2c is HTTP/2 without TLS. I don’t use h2c on the server.
Restart Apache to enable HTTP/2. That’s it.
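A small check of the two edits described above, as an added example that is not from the original post: it scans httpd.conf and httpd-ssl.conf text and reports if mod_http2 is not loaded, if a :443 virtual host does not offer h2, or if h2c is enabled. The sample configs are constructed, the function names are hypothetical, and the parsing is simplified (no Include handling).

```python
import re

# Constructed sample configs mirroring the two edits in the post
# (not the author's real files).
HTTPD_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
LoadModule http2_module modules/mod_http2.so
LoadModule ssl_module modules/mod_ssl.so
"""
HTTPD_SSL_CONF = """\
<VirtualHost o6asan.com:443>
    Protocols h2 http/1.1
    SSLEngine on
</VirtualHost>
"""

def active_lines(text):
    """Yield directive lines, skipping blank lines and # comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def check_http2(httpd_conf, ssl_conf):
    """Return a list of findings; an empty list means both edits are in place."""
    findings = []
    if not any(re.match(r"LoadModule\s+http2_module\s", line, re.I)
               for line in active_lines(httpd_conf)):
        findings.append("mod_http2 not loaded (LoadModule missing or commented out)")
    vhost, protocols = None, []
    for line in active_lines(ssl_conf):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, protocols = opened.group(1).strip(), []
        elif re.match(r"</VirtualHost>", line, re.I):
            # Apache serves only http/1.1 unless Protocols says otherwise.
            if vhost and vhost.endswith(":443") and "h2" not in protocols:
                findings.append(f"{vhost}: h2 not offered")
            vhost = None
        elif vhost and re.match(r"Protocols\s", line, re.I):
            # Simplification: only the most recent Protocols line is kept.
            protocols = [p.lower() for p in line.split()[1:]]
            if "h2c" in protocols:
                findings.append(f"{vhost}: h2c (HTTP/2 without TLS) is enabled")
    return findings

if __name__ == "__main__":
    print(check_http2(HTTPD_CONF, HTTPD_SSL_CONF) or "OK")
```
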
Continued from this post. As I use Sub-directory type of WordPress multisite network, the steps of moving entire WordPress sites to HTTPS might be slightly different from single type cases.
I used this opportunity to change some other things.
They released Apache 2.4.17 on Oct 13 and Steffen released the same version at ApacheLounge on Oct 12. The version has mod_http2 as a core module and Steffen’s version was built with nghttp2 v1.3.4. See ChangeLog. So, I can test HTTP/2 on my server now. Yes! Just test. Because they say “This module is experimental.”