From: Aleksey Avdeev <solo@solin.spb.ru>
To: ALT Linux Team development discussions <devel@lists.altlinux.org>
Cc: ALT Linux Sisyphus discussions <sisyphus@lists.altlinux.org>
Subject: Re: [sisyphus] [devel] I: apache2-mod_ssl{,-compat}: Изменения настроек SSL.
Date: Sat, 26 Jan 2013 14:12:08 +0400
Message-ID: <5103ABF8.5080204@solin.spb.ru> (raw)
In-Reply-To: <50F59E2F.7030300@solin.spb.ru>
[-- Attachment #1: Type: text/plain, Size: 5471 bytes --]
15.01.2013 22:21, Aleksey Avdeev пишет:
> Приветствую.
>
> Я планирую перевести дефолтные настройки apache2-mod_ssl{,-compat} на
> использование общесистемного хранилища сертификатов /var/lib/ssl.
> (Сейчас apache2-mod_ssl использует своё внутреннее хранилище,
> /etc/httpd2/conf/ssl.*.)
Содержащий данные изменения apache2-2.2.22-alt15 ушёл в Сизиф (см.
<http://git.altlinux.org/tasks/archive/done/_85/88057/logs/events.7.1.log>):
теперь при старте/рестарте сервера в /var/lib/ssl, средствами
cert-sh-functions, создаётся ключ и сертификат с именем httpd2, если
выполняются условия:
1. Существует /etc/httpd2/conf/mods-enabled/ssl.load (модуль ssl грузится).
2. Существует как минимум один файл (ссылка) из
/etc/httpd2/conf/sites-enabled/{000-,}default_https{,-compat}.conf (т.
е. используется что-то из
/etc/httpd2/conf/sites-available/default_https{-compat,}.conf).
3. В файлах п. 2 значения SSLCertificate{,Key}File соответствуют
умолчальным.
>
> Пока планирую сделать в
> /etc/httpd2/conf/sites-available/default_https{-compat,}.conf такие
> настройки (в значениях помеченных "????" я неуверен):
Сделано:
>
> # Server Certificate:
> # Point SSLCertificateFile at a PEM encoded certificate. If
> # the certificate is encrypted, then you will be prompted for a
> # pass phrase. Note that a kill -HUP will prompt again. Keep
> # in mind that if you have both an RSA and a DSA certificate you
> # can configure both in parallel (to also allow the use of DSA
> # ciphers, etc.)
> SSLCertificateFile "/var/lib/ssl/certs/server.crt"
> #SSLCertificateFile "/var/lib/ssl/certs/server-dsa.crt"
SSLCertificateFile "/var/lib/ssl/certs/httpd2.cert"
#SSLCertificateFile "/var/lib/ssl/certs/httpd2-dsa.cert"
>
> # Server Private Key:
> # If the key is not combined with the certificate, use this
> # directive to point at the key file. Keep in mind that if
> # you've both a RSA and a DSA private key you can configure
> # both in parallel (to also allow the use of DSA ciphers, etc.)
> SSLCertificateKeyFile "/var/lib/ssl/private/server.key"
> #SSLCertificateKeyFile "/var/lib/ssl/private/server-dsa.key"
SSLCertificateKeyFile "/var/lib/ssl/private/httpd2.key"
#SSLCertificateKeyFile "/var/lib/ssl/private/httpd2-dsa.key"
Для обеспечения преемственности настроек, при обновлении
apache2-mod_ssl{,-compat} <= 2.2.22-alt14 запускается триггер, который
при условиях (должны выполняться все):
1. Существовании старых сертификата и ключа (файлов
/etc/httpd2/conf/ssl.{crt/server.crt,key/server.key}).
2. Замены старого конфига
/etc/httpd2/conf/sites-available/default_https{-compat,}.conf на новый
(за счёт %config(noreplace), такое происходит только если поставленный
из пакета файл не редактировался).
В файлах /etc/httpd2/conf/sites-available/default_https{-compat,}.conf
для SSLCertificateKeyFile и SSLCertificateKeyFile сохраняется
использование старых значений:
# New certificate file
#SSLCertificateFile "/var/lib/ssl/certs/httpd2.cert"
# Old certificate file
SSLCertificateFile "/etc/httpd2/conf/ssl.crt/server.crt"
#SSLCertificateFile "/var/lib/ssl/certs/httpd2-dsa.cert"
и
# New certificate key file
#SSLCertificateKeyFile "/var/lib/ssl/private/httpd2.key"
# Old certificate key file
SSLCertificateKeyFile "/etc/httpd2/conf/ssl.key/server.key"
#SSLCertificateKeyFile "/var/lib/ssl/private/httpd2-dsa.key"
За счёт этого сохраняется использование старых ключа и сертификата (и
новые при этом не создаются).
>
> # Server Certificate Chain:
> # Point SSLCertificateChainFile at a file containing the
> # concatenation of PEM encoded CA certificates which form the
> # certificate chain for the server certificate. Alternatively
> # the referenced file can be the same as SSLCertificateFile
> # when the CA certificates are directly appended to the server
> # certificate for convinience.
> #SSLCertificateChainFile "/var/lib/ssl/certs/ca-root.pem"
#SSLCertificateChainFile "/var/lib/ssl/certs/ca-root.pem"
>
> # Certificate Authority (CA):
> # Set the CA certificate verification path where to find CA
> # certificates for client authentication or alternatively one
> # huge file containing all of them (file must be PEM encoded)
> # Note: Inside SSLCACertificatePath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCACertificatePath "/var/lib/ssl/certs"
> #SSLCACertificateFile "/var/lib/ssl/certs/ca-root.pem"
#SSLCACertificatePath "/var/lib/ssl/certs"
#SSLCACertificateFile "/var/lib/ssl/certs/ca-root.pem"
>
> # Certificate Revocation Lists (CRL):
> # Set the CA revocation path where to find CA CRLs for client
> # authentication or alternatively one huge file containing all
> # of them (file must be PEM encoded)
> # Note: Inside SSLCARevocationPath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCARevocationPath "/var/lib/ssl/certs"
> #SSLCARevocationFile "/var/lib/ssl/certs/ca-bundle.crl"
#SSLCARevocationPath "/var/lib/ssl/certs"
#SSLCARevocationFile "/var/lib/ssl/certs/ca-bundle.crl"
PS: В бранчи данный вариант отправлю примерно через неделю (если
проблемы не выплывут).
--
С уважением. Алексей.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 900 bytes --]
next parent reply other threads:[~2013-01-26 10:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-26 10:12 ` Aleksey Avdeev [this message]
2013-02-05 10:37 ` Aleksey Avdeev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5103ABF8.5080204@solin.spb.ru \
--to=solo@solin.spb.ru \
--cc=devel@lists.altlinux.org \
--cc=sisyphus@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Sisyphus discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/sisyphus/0 sisyphus/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 sisyphus sisyphus/ http://lore.altlinux.org/sisyphus \
sisyphus@altlinux.ru sisyphus@altlinux.org sisyphus@lists.altlinux.org sisyphus@lists.altlinux.ru sisyphus@lists.altlinux.com sisyphus@linuxteam.iplabs.ru sisyphus@list.linux-os.ru
public-inbox-index sisyphus
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.sisyphus
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git