[devel] I: apache2-mod_ssl{,-compat}: Изменения настроек SSL.

[Aleksey Avdeev <solo@solin.spb.ru>]

[-- Attachment #1: Type: text/plain, Size: 3493 bytes --]

Приветствую.

  Я планирую перевести дефолтные настройки apache2-mod_ssl{,-compat} на
использование общесистемного хранилища сертификатов /var/lib/ssl.
(Сейчас apache2-mod_ssl использует своё внутреннее хранилище,
/etc/httpd2/conf/ssl.*.)

  Пока планирую сделать в
/etc/httpd2/conf/sites-available/default_https{-compat,}.conf такие
настройки (в значениях помеченных "????" я неуверен):

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
SSLCertificateFile "/var/lib/ssl/certs/server.crt"
#SSLCertificateFile "/var/lib/ssl/certs/server-dsa.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile "/var/lib/ssl/private/server.key"
#SSLCertificateKeyFile "/var/lib/ssl/private/server-dsa.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile "/var/lib/ssl/certs/ca-root.pem"
                          ??????????????????????????????

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/var/lib/ssl/certs"
#SSLCACertificateFile "/var/lib/ssl/certs/ca-root.pem"
                       ??????????????????????????????

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/var/lib/ssl/certs"
#SSLCARevocationFile "/var/lib/ssl/certs/ca-bundle.crl"
                      ????????????????????????????????

  При этом я исхожу из:

1. Сертификат сервера и его ключ -- /var/lib/ssl/certs/server.crt и
/var/lib/ssl/private/server.key. Файлы будут создаваться при старте
сервера, если их нет, а mod_ssl будет грузится. (Может быть осмысленнее
использовать www.*, вместо server.*?)

2. /var/lib/ssl/certs/ca-root.pem -- сертификат CA. Если я правильно
понял (из анализа системы, не знаю где оно у нас задокументировано), то
именно он используется в нашем домене.

  Основной вопрос: насколько планируемое, для наших условий, правильно?

-- 

С уважением. Алексей.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 900 bytes --]