From: Aleksey Avdeev <solo@solin.spb.ru> To: ALT Linux Team development discussions <devel@lists.altlinux.org> Subject: [devel] I: apache2-mod_ssl{,-compat}: Изменения настроек SSL. Date: Tue, 15 Jan 2013 22:21:35 +0400 Message-ID: <50F59E2F.7030300@solin.spb.ru> (raw) [-- Attachment #1: Type: text/plain, Size: 3493 bytes --] Приветствую. Я планирую перевести дефолтные настройки apache2-mod_ssl{,-compat} на использование общесистемного хранилища сертификатов /var/lib/ssl. (Сейчас apache2-mod_ssl использует своё внутреннее хранилище, /etc/httpd2/conf/ssl.*.) Пока планирую сделать в /etc/httpd2/conf/sites-available/default_https{-compat,}.conf такие настройки (в значениях помеченных "????" я неуверен): # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. Keep # in mind that if you have both an RSA and a DSA certificate you # can configure both in parallel (to also allow the use of DSA # ciphers, etc.) SSLCertificateFile "/var/lib/ssl/certs/server.crt" #SSLCertificateFile "/var/lib/ssl/certs/server-dsa.crt" # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile "/var/lib/ssl/private/server.key" #SSLCertificateKeyFile "/var/lib/ssl/private/server-dsa.key" # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile "/var/lib/ssl/certs/ca-root.pem" ?????????????????????????????? # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath "/var/lib/ssl/certs" #SSLCACertificateFile "/var/lib/ssl/certs/ca-root.pem" ?????????????????????????????? # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath "/var/lib/ssl/certs" #SSLCARevocationFile "/var/lib/ssl/certs/ca-bundle.crl" ???????????????????????????????? При этом я исхожу из: 1. Сертификат сервера и его ключ -- /var/lib/ssl/certs/server.crt и /var/lib/ssl/private/server.key. Файлы будут создаваться при старте сервера, если их нет, а mod_ssl будет грузится. (Может быть осмысленнее использовать www.*, вместо server.*?) 2. /var/lib/ssl/certs/ca-root.pem -- сертификат CA. Если я правильно понял (из анализа системы, не знаю где оно у нас задокументировано), то именно он используется в нашем домене. Основной вопрос: насколько планируемое, для наших условий, правильно? -- С уважением. Алексей. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 900 bytes --]
next reply other threads:[~2013-01-15 18:21 UTC|newest] Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-01-15 18:21 Aleksey Avdeev [this message] 2013-01-15 18:47 ` Dmitry V. Levin 2013-01-15 19:20 ` Aleksey Avdeev 2013-01-15 21:28 ` Dmitry V. Levin 2013-01-15 21:37 ` Aleksey Avdeev 2013-01-17 18:21 ` Michael Shigorin 2013-01-16 0:45 ` Alexei Takaseev 2013-01-26 10:12 ` Aleksey Avdeev 2013-02-05 10:37 ` Aleksey Avdeev
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=50F59E2F.7030300@solin.spb.ru \ --to=solo@solin.spb.ru \ --cc=devel@lists.altlinux.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
ALT Linux Team development discussions This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \ devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru public-inbox-index devel Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.devel AGPL code for this site: git clone https://public-inbox.org/public-inbox.git