authorjlam <jlam>2000-09-12 14:05:16 +0000
committerjlam <jlam>2000-09-12 14:05:16 +0000
commit922015af021c569bee918c744ed2bda330733aad (patch)
tree4ad8fc65a0eb63de789f33e27b16ac5514d3aea3 /www
parentb006f530dff86aef8ccbdc997b69b4388f5bad3b (diff)
downloadpkgsrc-922015af021c569bee918c744ed2bda330733aad.tar.gz
Update ap-ssl to 2.6.6. Important fixes for memory leaks and segfaults.
Also make me the maintainer. Relevant changes from version 2.6.3: -) Install ${sbindir}/mkcert.sh to ease generation of SSL certificates. *) Fixed server restarts: Under non-DSO run-time situation, the OpenSSL library was shutdown (and never re-initialized) and this way caused segfaults on server restarts. This affected only installations where mod_ssl+OpenSSL were built as a static module instead of a DSO. This nasty bug was unfortunately introduced in 2.6.5 as a side-effect of an (otherwise correct) memory leak bugfix. *) Various typo fixes in user manual. *) Removed more memory leaks by freeing even more stuff from the OpenSSL toolkit on module shutdown. *) Added missing TLSv1, EXP40 and EXP56 keywords to ssl_reference's documentation of SSLCipherSuite. *) Added hints about MSIE workarounds (-SSLv3, !EXP56, etc.) to the FAQ entry about MSIE errors. *) Added !EXP56 to pre-configured SSLCipherSuite in order to avoid MSIE5.x problems in advance. *) Allow spaces in ServerRoot and SSLPassPhraseDialog arguments which is especially important for the Win32 environment. *) Fixed syntax errors in ssl_howto.wml: "Deny all" -> "Deny from all" *) Removed a left-over ssl_scache_expire() call in ssl_scache_init() which made the life of vendors complicated. *) Allow more fine-tuned overriding of ap_server_root_relative calls by providing the context of the call. *) Added Equifax Secure CA certificates to ca-bundle.crt. *) Let the pass phrase dialog force the prompt to occur only once (no verification step), because mod_ssl uses the dialog only for pass phrases which are required for reading private keys. This as a side-effect should fix a problem under Win32 where a second prompt occurred for unknown reasons. *) Added more compatibility to Stronghold v2's SSL_SessionCache. *) Added two more EAPI hooks under SSL_VENDOR: one for overriding ap_server_root_relative calls and one for hooking into the server configuration step.
*) Fixed SSL display for mod_status in `short report' situation. *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL.
Diffstat (limited to 'www')
-rw-r--r--www/ap-ssl/Makefile46
-rw-r--r--www/ap-ssl/files/README.mkcert23
-rw-r--r--www/ap-ssl/files/md54
-rw-r--r--www/ap-ssl/files/patch-sum5
-rw-r--r--www/ap-ssl/patches/patch-aa4
-rw-r--r--www/ap-ssl/patches/patch-ab450
-rw-r--r--www/ap-ssl/pkg/MESSAGE13
-rw-r--r--www/ap-ssl/pkg/PLIST8
8 files changed, 532 insertions, 21 deletions
diff --git a/www/ap-ssl/Makefile b/www/ap-ssl/Makefile
index 713ae80d745..2ede4596933 100644
--- a/www/ap-ssl/Makefile
+++ b/www/ap-ssl/Makefile
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.20 2000/09/05 09:33:17 jlam Exp $
+# $NetBSD: Makefile,v 1.21 2000/09/12 14:05:16 jlam Exp $
#
-DISTNAME= mod_ssl-2.6.3-1.3.12
-PKGNAME= ap-ssl-2.6.3
+DISTNAME= mod_ssl-2.6.6-1.3.12
+PKGNAME= ap-ssl-2.6.6
CATEGORIES= www
MASTER_SITES= ftp://ftp.modssl.org/source/
-MAINTAINER= tron@netbsd.org
+MAINTAINER= jlam@netbsd.org
HOMEPAGE= http://www.modssl.org/
DEPENDS+= apache-1.3.12:../../www/apache
@@ -15,8 +15,10 @@ BUILD_DEPENDS+= ${PERL5}:../../lang/perl5-base
CONFLICTS= apache-1.3.[0123456789] apache-*modssl-* apache6-*
-HAS_CONFIGURE= yes
-USE_SSL= yes
+HAS_CONFIGURE= defined
+USE_SSL= defined
+
+MESSAGE_FILE= ${WRKDIR}/MESSAGE
.include "../../mk/bsd.prefs.mk"
@@ -31,19 +33,38 @@ fetch-depends:
@${FALSE}
.endif
-CONFIGURE_ARGS+= --with-apxs=${PREFIX}/sbin/apxs --with-ssl=${SSLBASE}
+CONFIGURE_ARGS+= --with-apxs=${PREFIX}/sbin/apxs
+CONFIGURE_ARGS+= --with-ssl=${SSLBASE}
.if defined(USE_RSAREF2) && ${USE_RSAREF2} == YES
CONFIGURE_ARGS+= --with-rsa=${PREFIX}/lib
.endif
+post-extract:
+ @cd ${WRKSRC}/pkg.sslsup; ${MV} -f mkcert.sh mkcert.sh.in
+
+post-build:
+ ${SED} -e "s,@PREFIX@,${PREFIX},g" \
+ < ${WRKSRC}/pkg.sslsup/mkcert.sh.in \
+ > ${WRKSRC}/pkg.sslsup/mkcert.sh
+
post-install:
- @${MV} ${PREFIX}/lib/httpd/libssl.so ${PREFIX}/lib/httpd/mod_ssl.so
+ @${SED} -e "s,@PREFIX@,${PREFIX},g" \
+ < ${PKGDIR}/MESSAGE > ${MESSAGE_FILE}
+ @${SED} -e "s,@PREFIX@,${PREFIX},g" \
+ < ${FILESDIR}/README.mkcert > ${WRKDIR}/README.mkcert
+
+ @cd ${PREFIX}/lib/httpd; ${MV} -f libssl.so mod_ssl.so
+ ${INSTALL_SCRIPT} ${WRKSRC}/pkg.sslsup/mkcert.sh ${PREFIX}/sbin
+
${INSTALL_DATA_DIR} ${PREFIX}/share/httpd/htdocs/manual/mod/mod_ssl
- cd ${WRKSRC}/pkg.ssldoc && \
- ${INSTALL_DATA} *.html *.gif *.jpg ${PREFIX}/share/httpd/htdocs/manual/mod/mod_ssl/
+ cd ${WRKSRC}/pkg.ssldoc && ${INSTALL_DATA} *.html *.gif *.jpg \
+ ${PREFIX}/share/httpd/htdocs/manual/mod/mod_ssl
${INSTALL_DATA_DIR} ${PREFIX}/share/mod_ssl
cd ${WRKSRC}/pkg.contrib && \
- ${INSTALL_SCRIPT} *.sh *.cgi ${PREFIX}/share/mod_ssl/
+ ${INSTALL_SCRIPT} *.sh *.cgi ${PREFIX}/share/mod_ssl
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/mod_ssl
+ ${INSTALL_DATA} ${WRKDIR}/README.mkcert ${PREFIX}/share/doc/mod_ssl
+
${INSTALL_DATA} ${WRKSRC}/pkg.sslcfg/README.CRL \
`ls -1 ${WRKSRC}/pkg.sslcfg/*.crl | ${GREP} -v /server\.` \
${PREFIX}/etc/httpd/ssl.crl
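Review bot: The two new `cd … ; ${MV} …` recipe lines in post-extract and post-install chain with `;`, so if the `cd` fails the rename still runs in whatever directory the recipe shell started in; `&&` is the usual form, and this same target already uses it for `cd ${WRKSRC}/pkg.ssldoc && ${INSTALL_DATA} …`. They would read `@cd ${WRKSRC}/pkg.sslsup && ${MV} -f mkcert.sh mkcert.sh.in` and `@cd ${PREFIX}/lib/httpd && ${MV} -f libssl.so mod_ssl.so`. The `@` on the two post-install `${SED}` lines also hides which command failed if the `@PREFIX@` substitution ever breaks; echoing them costs nothing on an install log.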
@@ -56,5 +77,8 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/pkg.sslcfg/README.KEY \
`ls -1 ${WRKSRC}/pkg.sslcfg/*.key | ${GREP} -v /server\.` \
${PREFIX}/etc/httpd/ssl.key
+ ${INSTALL_DATA} ${WRKSRC}/pkg.sslcfg/README.PRM \
+ `ls -1 ${WRKSRC}/pkg.sslcfg/*.prm | ${GREP} -v /server\.` \
+ ${PREFIX}/etc/httpd/ssl.prm
.include "../../mk/bsd.pkg.mk"
diff --git a/www/ap-ssl/files/README.mkcert b/www/ap-ssl/files/README.mkcert
new file mode 100644
index 00000000000..d2179db0391
--- /dev/null
+++ b/www/ap-ssl/files/README.mkcert
@@ -0,0 +1,23 @@
+$NetBSD: README.mkcert,v 1.1 2000/09/12 14:05:16 jlam Exp $
+
+If you don't already have them, you will need to generate SSL certificates
+and keys for your server before Apache will start with mod_ssl support.
+You can do this with:
+
+ @PREFIX@/sbin/mkcert.sh -t custom -a RSA
+
+If you already have an existing server certificate and key, you will need
+to run:
+
+ @PREFIX@/sbin/mkcert.sh -t existing -c /path/to/cert -k /path/to/key
+
+to generate new certificates from your existing ones. For a more detailed,
+step-by-step description of how to generate SSL certificates, point your
+browser at:
+
+ @PREFIX@/share/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
+
+After generating your SSL certificates, you should update the certificate
+hashes with:
+
+ cd @PREFIX@/etc/httpd/ssl.crt; make -f Makefile.crt update
diff --git a/www/ap-ssl/files/md5 b/www/ap-ssl/files/md5
index 16edb3f466c..3066a3284df 100644
--- a/www/ap-ssl/files/md5
+++ b/www/ap-ssl/files/md5
@@ -1,3 +1,3 @@
-$NetBSD: md5,v 1.6 2000/04/21 02:17:40 explorer Exp $
+$NetBSD: md5,v 1.7 2000/09/12 14:05:16 jlam Exp $
-MD5 (mod_ssl-2.6.3-1.3.12.tar.gz) = b66b034d91079dcc7749de8f7ab98573
+MD5 (mod_ssl-2.6.6-1.3.12.tar.gz) = 573b4d89c1f203216a55fb5c2aece009
diff --git a/www/ap-ssl/files/patch-sum b/www/ap-ssl/files/patch-sum
index 0af680a84ee..0c10be8309a 100644
--- a/www/ap-ssl/files/patch-sum
+++ b/www/ap-ssl/files/patch-sum
@@ -1,3 +1,4 @@
-$NetBSD: patch-sum,v 1.4 2000/06/02 23:34:31 jdolecek Exp $
+$NetBSD: patch-sum,v 1.5 2000/09/12 14:05:16 jlam Exp $
-MD5 (patch-aa) = b715f44591b0786fbbaea7683a5833cb
+MD5 (patch-aa) = 685fc042385a78c4d961ded8ac806411
+MD5 (patch-ab) = c89fc044f617d8938cedeecf5319a509
diff --git a/www/ap-ssl/patches/patch-aa b/www/ap-ssl/patches/patch-aa
index c4c3c375cf4..6c209cbcfe4 100644
--- a/www/ap-ssl/patches/patch-aa
+++ b/www/ap-ssl/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.4 2000/06/02 23:34:31 jdolecek Exp $
+$NetBSD: patch-aa,v 1.5 2000/09/12 14:05:16 jlam Exp $
--- pkg.sslmod/libssl.module.orig Sat Jun 3 01:26:46 2000
+++ pkg.sslmod/libssl.module Sat Jun 3 01:26:58 2000
-@@ -418,7 +418,7 @@ ConfigStart
+@@ -418,7 +418,7 @@
exit 1
fi
fi
diff --git a/www/ap-ssl/patches/patch-ab b/www/ap-ssl/patches/patch-ab
new file mode 100644
index 00000000000..04811d675d2
--- /dev/null
+++ b/www/ap-ssl/patches/patch-ab
@@ -0,0 +1,450 @@
+$NetBSD: patch-ab,v 1.1 2000/09/12 14:05:16 jlam Exp $
+
+--- pkg.sslsup/mkcert.sh.in.orig Sun Apr 16 05:21:24 2000
++++ pkg.sslsup/mkcert.sh.in
+@@ -5,35 +5,53 @@
+ ##
+
+ # parameters
+-make="$1"
+-mflags="$2"
+-openssl="$3"
+-support="$4"
+-type="$5"
+-algo="$6"
+-crt="$7"
+-key="$8"
+-view="$9"
+-
+-# we can operate only inside the Apache 1.3 source
+-# tree and only when mod_ssl+OpenSSL is actually configured.
+-if [ ! -f "../README.configure" ]; then
+- echo "mkcert.sh:Error: Cannot operate outside the Apache 1.3 source tree." 1>&2
+- echo "mkcert.sh:Hint: You have to stay inside apache_1.3.x/src." 1>&2
+- exit 1
+-fi
+-if [ ".$openssl" = . ]; then
+- echo "mkcert.sh:Error: mod_ssl/OpenSSL has to be configured before using this utility." 1>&2
+- echo "mkcert.sh:Hint: Configure mod_ssl with --enable-module=ssl in APACI, first." 1>&2
+- exit 1
++parameters=`getopt a:c:t:k:v $*`
++if [ $# = 0 ]; then
++ cat << EOF
++Usage:
++ mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v]
++
++Options:
++ -t type Type of certificates to generate. Valid types are:
++ dummy self-signed Snake Oil cert
++ test test cert signed by Snake Oil CA
++ custom custom cert signed by own CA
++ existing existing cert
++
++ -a algo Signature algorithm for generated certificate. Valid
++ algorithms are RSA or DSA.
++
++ -c crtfile Path to an existing certificate
++
++ -k keyfile Path to an existing key file
++
++ -v Display the certificate and key, then exit.
++
++EOF
++ exit 2
+ fi
+
++set -- $parameters
++for param; do
++ case $param in
++ -a) algo=$2 ;;
++ -c) crt=$2 ;;
++ -t) type=$2 ;;
++ -k) key=$2 ;;
++ -v) view=1 ;;
++ --) break ;;
++ esac
++ shift
++done
++
++openssl="openssl"
++confdir=@PREFIX@/etc/httpd
++
+ # configuration
+-# WE ARE CALLED FROM THE PARENT DIR!
+-sslcrtdir="../conf/ssl.crt"
+-sslcsrdir="../conf/ssl.csr"
+-sslkeydir="../conf/ssl.key"
+-sslprmdir="../conf/ssl.prm"
++sslcrtdir="$confdir/ssl.crt"
++sslcsrdir="$confdir/ssl.csr"
++sslkeydir="$confdir/ssl.key"
++sslprmdir="$confdir/ssl.prm"
+
+ # some optional terminal sequences
+ case $TERM in
+@@ -93,11 +111,11 @@
+ fi
+
+ # find some random files
+-# (do not use /dev/random here, because this device
+-# doesn't work as expected on all platforms)
+-randfiles=''
++# We will always generate a /tmp/randfile using /dev/urandom
++# before passing $randfile to openssl.
++randfiles='/tmp/randfile'
+ for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \
+- /kernel /kernel/genunix /vmunix /vmlinuz /mach \
++ /kernel /kernel/genunix /vmunix /vmlinuz /mach /netbsd \
+ /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do
+ if [ -r $file ]; then
+ if [ ".$randfiles" = . ]; then
+@@ -112,7 +130,7 @@
+ if [ -f $HOME/.rnd ]; then
+ RANDFILE="$HOME/.rnd"
+ else
+- RANDFILE=".mkcert.rnd"
++ RANDFILE="/tmp/.mkcert.rnd"
+ (ps; date) >$RANDFILE
+ fi
+ export RANDFILE
+@@ -156,12 +174,12 @@
+ fi
+ echo "${T_MD}RESULT: Server Certification Files${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
+ echo " The PEM-encoded $algo private key file which you configure"
+ echo " with the 'SSLCertificateKeyFile' directive (automatically done"
+ echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
+ echo " The PEM-encoded X.509 certificate file which you configure"
+ echo " with the 'SSLCertificateFile' directive (automatically done"
+ echo " when you install via APACI)."
+@@ -211,6 +229,7 @@
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
++ (umask 077; head -500 /dev/urandom > randfile)
+ if [ ".$algo" = .RSA ]; then
+ if [ ".$randfiles" != . ]; then
+ $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
+@@ -238,10 +257,11 @@
+ exit 1
+ fi
+ fi
++ rm -f randfile
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
+- cat >.mkcert.cfg <<EOT
++ cat >/tmp/.mkcert.cfg <<EOT
+ [ req ]
+ default_bits = 1024
+ distinguished_name = req_DN
+@@ -265,7 +285,7 @@
+ emailAddress_max = 40
+ emailAddress_default = www@snakeoil.dom
+ EOT
+- $openssl req -config .mkcert.cfg \
++ $openssl req -config /tmp/.mkcert.cfg \
+ -new \
+ -key $sslkeydir/server.key \
+ -out $sslcsrdir/server.csr
+@@ -273,7 +293,7 @@
+ echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ prompt="8. Certificate Validity (days) [365]:"
+ echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+ read days
+@@ -287,8 +307,8 @@
+ read certversion
+ extfile=""
+ if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
+- extfile="-extfile .mkcert.cfg"
+- cat >.mkcert.cfg <<EOT
++ extfile="-extfile /tmp/.mkcert.cfg"
++ cat >/tmp/.mkcert.cfg <<EOT
+ extensions = x509v3
+ [ x509v3 ]
+ subjectAltName = email:copy
+@@ -296,13 +316,13 @@
+ nsCertType = server
+ EOT
+ fi
+- if [ ! -f .mkcert.serial ]; then
+- echo '01' >.mkcert.serial
++ if [ ! -f /tmp/.mkcert.serial ]; then
++ echo '01' >/tmp/.mkcert.serial
+ fi
+ if [ ".$algo" = .RSA ]; then
+ $openssl x509 $extfile \
+ -days $days \
+- -CAserial .mkcert.serial \
++ -CAserial /tmp/.mkcert.serial \
+ -CA $sslcrtdir/snakeoil-ca-rsa.crt \
+ -CAkey $sslkeydir/snakeoil-ca-rsa.key \
+ -in $sslcsrdir/server.csr -req \
+@@ -310,7 +330,7 @@
+ else
+ $openssl x509 $extfile \
+ -days $days \
+- -CAserial .mkcert.serial \
++ -CAserial /tmp/.mkcert.serial \
+ -CA $sslcrtdir/snakeoil-ca-dsa.crt \
+ -CAkey $sslkeydir/snakeoil-ca-dsa.key \
+ -in $sslcsrdir/server.csr -req \
+@@ -320,7 +340,7 @@
+ echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ echo "Verify: matching certificate & key modulus"
+ modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
+ if [ ".$algo" = .RSA ]; then
+@@ -387,22 +407,22 @@
+ echo ""
+ echo "${T_MD}RESULT: Server Certification Files${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
+ echo " The PEM-encoded $algo private key file which you configure"
+ echo " with the 'SSLCertificateKeyFile' directive (automatically done"
+ echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
+ echo " The PEM-encoded X.509 certificate file which you configure"
+ echo " with the 'SSLCertificateFile' directive (automatically done"
+ echo " when you install via APACI)."
+ echo ""
+- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
+ echo " The PEM-encoded X.509 certificate signing request file which"
+ echo " you can send to an official Certificate Authority (CA) in order"
+ echo " to request a real server certificate (signed by this CA instead"
+ echo " of our demonstration-only Snake Oil CA) which later can replace"
+- echo " the conf/ssl.crt/server.crt file."
++ echo " the $confdir/ssl.crt/server.crt file."
+ echo ""
+ echo "WARNING: Do not use this for real-life/production systems"
+ echo ""
+@@ -448,6 +468,7 @@
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}"
++ (umask 077; head -500 /dev/urandom > randfile)
+ if [ ".$algo" = .RSA ]; then
+ if [ ".$randfiles" != . ]; then
+ $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024
+@@ -475,10 +496,11 @@
+ exit 1
+ fi
+ fi
++ rm -f randfile
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}"
+- cat >.mkcert.cfg <<EOT
++ cat >/tmp/.mkcert.cfg <<EOT
+ [ req ]
+ default_bits = 1024
+ distinguished_name = req_DN
+@@ -502,7 +524,7 @@
+ emailAddress_max = 40
+ emailAddress_default = ca@snakeoil.dom
+ EOT
+- $openssl req -config .mkcert.cfg \
++ $openssl req -config /tmp/.mkcert.cfg \
+ -new \
+ -key $sslkeydir/ca.key \
+ -out $sslcsrdir/ca.csr
+@@ -510,7 +532,7 @@
+ echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ prompt="8. Certificate Validity (days) [365]:"
+ echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+ read days
+@@ -524,8 +546,8 @@
+ read certversion
+ extfile=""
+ if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
+- extfile="-extfile .mkcert.cfg"
+- cat >.mkcert.cfg <<EOT
++ extfile="-extfile /tmp/.mkcert.cfg"
++ cat >/tmp/.mkcert.cfg <<EOT
+ extensions = x509v3
+ [ x509v3 ]
+ subjectAltName = email:copy
+@@ -543,7 +565,7 @@
+ echo "mkcert.sh:Error: Failed to generate self-signed CA certificate" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ echo "Verify: matching certificate & key modulus"
+ modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
+ if [ ".$algo" = .RSA ]; then
+@@ -564,6 +586,7 @@
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}"
++ (umask 077; head -500 /dev/urandom > randfile)
+ if [ ".$algo" = .RSA ]; then
+ if [ ".$randfiles" != . ]; then
+ $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
+@@ -588,10 +611,11 @@
+ exit 1
+ fi
+ fi
++ rm -f randfile
+ echo "______________________________________________________________________"
+ echo ""
+ echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"
+- cat >.mkcert.cfg <<EOT
++ cat >/tmp/.mkcert.cfg <<EOT
+ [ req ]
+ default_bits = 1024
+ distinguished_name = req_DN
+@@ -615,7 +639,7 @@
+ emailAddress_max = 40
+ emailAddress_default = www@snakeoil.dom
+ EOT
+- $openssl req -config .mkcert.cfg \
++ $openssl req -config /tmp/.mkcert.cfg \
+ -new \
+ -key $sslkeydir/server.key \
+ -out $sslcsrdir/server.csr
+@@ -623,7 +647,7 @@
+ echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ prompt="8. Certificate Validity (days) [365]:"
+ echo dummy | awk '{ printf("%s", prompt); }' "prompt=$prompt"
+ read days
+@@ -637,8 +661,8 @@
+ read certversion
+ extfile=""
+ if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
+- extfile="-extfile .mkcert.cfg"
+- cat >.mkcert.cfg <<EOT
++ extfile="-extfile /tmp/.mkcert.cfg"
++ cat >/tmp/.mkcert.cfg <<EOT
+ extensions = x509v3
+ [ x509v3 ]
+ subjectAltName = email:copy
+@@ -646,12 +670,12 @@
+ nsCertType = server
+ EOT
+ fi
+- if [ ! -f .mkcert.serial ]; then
+- echo '01' >.mkcert.serial
++ if [ ! -f /tmp/.mkcert.serial ]; then
++ echo '01' >/tmp/.mkcert.serial
+ fi
+ $openssl x509 $extfile \
+ -days $days \
+- -CAserial .mkcert.serial \
++ -CAserial /tmp/.mkcert.serial \
+ -CA $sslcrtdir/ca.crt \
+ -CAkey $sslkeydir/ca.key \
+ -in $sslcsrdir/server.csr -req \
+@@ -660,7 +684,7 @@
+ echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
+ exit 1
+ fi
+- rm -f .mkcert.cfg
++ rm -f /tmp/.mkcert.cfg
+ echo "Verify: matching certificate & key modulus"
+ modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
+ if [ ".$algo" = .RSA ]; then
+@@ -764,31 +788,31 @@
+ echo ""
+ echo "${T_MD}RESULT: CA and Server Certification Files${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.key/ca.key${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.key/ca.key${T_ME}"
+ echo " The PEM-encoded $algo private key file of the CA which you can"
+ echo " use to sign other servers or clients. ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.crt/ca.crt${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.crt/ca.crt${T_ME}"
+ echo " The PEM-encoded X.509 certificate file of the CA which you use to"
+ echo " sign other servers or clients. When you sign clients with it (for"
+ echo " SSL client authentication) you can configure this file with the"
+ echo " 'SSLCACertificateFile' directive."
+ echo ""
+- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
+ echo " The PEM-encoded $algo private key file of the server which you configure"
+ echo " with the 'SSLCertificateKeyFile' directive (automatically done"
+ echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
+ echo " The PEM-encoded X.509 certificate file of the server which you configure"
+ echo " with the 'SSLCertificateFile' directive (automatically done"
+ echo " when you install via APACI)."
+ echo ""
+- echo "o ${T_MD}conf/ssl.csr/server.csr${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.csr/server.csr${T_ME}"
+ echo " The PEM-encoded X.509 certificate signing request of the server file which"
+ echo " you can send to an official Certificate Authority (CA) in order"
+ echo " to request a real server certificate (signed by this CA instead"
+- echo " of our own CA) which later can replace the conf/ssl.crt/server.crt"
++ echo " of our own CA) which later can replace the $confdir/ssl.crt/server.crt"
+ echo " file."
+ echo ""
+ echo "Congratulations that you establish your server with real certificates."
+@@ -808,14 +832,26 @@
+ echo "mkcert.sh: Cannot find certificate file: $crt" 1>&2
+ exit 1
+ fi
++ if [ $crt -ef $sslcrtdir/server.crt ]; then
++ mv -f $crt $crt.backup
++ crt="$crt.backup"
++ fi
+ if [ ".$key" != . ]; then
+ if [ ! -f "$key" ]; then
+ echo "mkcert.sh: Cannot find private key file: $key" 1>&2
+ exit 1
+ fi
++ if [ $key -ef $sslkeydir/server.key ]; then
++ mv -f $key $key.backup
++ key="$key.backup"
++ fi
+ cp $crt $sslcrtdir/server.crt
+ (umask 077; cp $key $sslkeydir/server.key)
+ else
++ if [ $crt -ef $sslcrtdir/server.crt ]; then
++ mv -f $crt $crt.backup
++ crt="$crt.backup"
++ fi
+ key=$crt
+ umask 077
+ touch $sslkeydir/server.key
+@@ -836,12 +872,12 @@
+ fi
+ echo "${T_MD}RESULT: Server Certification Files${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.key/server.key${T_ME}"
+ echo " The PEM-encoded $algo private key file which you configure"
+ echo " with the 'SSLCertificateKeyFile' directive (automatically done"
+ echo " when you install via APACI). ${T_MD}KEEP THIS FILE PRIVATE!${T_ME}"
+ echo ""
+- echo "o ${T_MD}conf/ssl.crt/server.crt${T_ME}"
++ echo "o ${T_MD}$confdir/ssl.crt/server.crt${T_ME}"
+ echo " The PEM-encoded X.509 certificate file which you configure"
+ echo " with the 'SSLCertificateFile' directive (automatically done"
+ echo " when you install via APACI)."
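Review bot: The scratch files this patch moves into /tmp — `/tmp/.mkcert.cfg`, `/tmp/.mkcert.serial`, `/tmp/.mkcert.rnd` and `/tmp/randfile` — have fixed, predictable names, and the script now runs as root outside the build tree (it writes into `@PREFIX@/etc/httpd`), so an unprivileged local user can pre-create a symlink that `cat >/tmp/.mkcert.cfg` or `(ps; date) >$RANDFILE` will follow and clobber an arbitrary file, or race the config file to hand `openssl req` / `x509 -extfile` their own extensions. Separately, the comment added next to `randfiles='/tmp/randfile'` does not match the code: the three `head -500 /dev/urandom > randfile` lines and the matching `rm -f randfile` use a relative path in the current directory, so `/tmp/randfile` is never created and the /dev/urandom seed never reaches the `-rand` argument. Both go away if the script creates one private directory per run and keeps every temporary under it, as sketched below; the remaining `.mkcert.cfg`, `-CAserial .mkcert.serial` and `randfile` references in the test, custom and CA sections would switch to the same variables. Whether mktemp(1) is present on every target this package supports should be confirmed; if not, `umask 077; mkdir` of a per-run directory under `$confdir` is an adequate fallback.
```shell
openssl="openssl"
confdir=@PREFIX@/etc/httpd
# Scratch files live in a fresh mode-0700 directory, never under fixed
# names in /tmp: this script runs as root and would follow a symlink there.
tmpdir=`mktemp -d /tmp/mkcert.XXXXXX` || exit 1
trap 'rm -rf "$tmpdir"' 0 1 2 15
randfile="$tmpdir/randfile"
cfgfile="$tmpdir/mkcert.cfg"
serialfile="$tmpdir/mkcert.serial"
# … unchanged: sslcrtdir/sslcsrdir/sslkeydir/sslprmdir, terminal sequences …
randfiles="$randfile"
# … unchanged: loop appending readable system files to $randfiles …
RANDFILE="$tmpdir/mkcert.rnd"
# … unchanged: (ps; date) >$RANDFILE; export RANDFILE …
(umask 077; head -500 /dev/urandom > "$randfile")
# … unchanged: genrsa/gendsa with -rand $randfiles …
rm -f "$randfile"
cat >"$cfgfile" <<EOT
# … unchanged: [ req ] body; every later .mkcert.cfg use becomes "$cfgfile" …
extfile="-extfile $cfgfile"
# … unchanged: x509 -days $days, with -CAserial "$serialfile" …
```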
diff --git a/www/ap-ssl/pkg/MESSAGE b/www/ap-ssl/pkg/MESSAGE
index 613eb77a316..1d6462fe056 100644
--- a/www/ap-ssl/pkg/MESSAGE
+++ b/www/ap-ssl/pkg/MESSAGE
@@ -1,8 +1,15 @@
=============================================================================
-$NetBSD: MESSAGE,v 1.3 2000/09/06 05:52:50 jlam Exp $
+$NetBSD: MESSAGE,v 1.4 2000/09/12 14:05:16 jlam Exp $
-In order to start Apache with mod_ssl support, you need to run Apache with
-"apachectl startssl" instead of "apachectl start". The SSL-specific
+You will need to generate certificates and keys for your server before
+Apache will start with mod_ssl support. Please read
+
+ @PREFIX@/share/doc/mod_ssl/README.mkcert
+
+for more information on how to do this.
+
+In order to start Apache with mod_ssl support, you need to run Apache
+with "apachectl startssl" instead of "apachectl start". The SSL-specific
configuration parts of the default httpd.conf are bracketed by:
<IfDefine SSL>
diff --git a/www/ap-ssl/pkg/PLIST b/www/ap-ssl/pkg/PLIST
index bd0de62c725..7bb6a993c5e 100644
--- a/www/ap-ssl/pkg/PLIST
+++ b/www/ap-ssl/pkg/PLIST
@@ -1,4 +1,5 @@
-@comment $NetBSD: PLIST,v 1.4 2000/07/21 16:59:31 tron Exp $
+@comment $NetBSD: PLIST,v 1.5 2000/09/12 14:05:17 jlam Exp $
+sbin/mkcert.sh
etc/httpd/ssl.crl/Makefile.crl
etc/httpd/ssl.crl/README.CRL
etc/httpd/ssl.crt/Makefile.crt
@@ -14,7 +15,11 @@ etc/httpd/ssl.key/snakeoil-ca-dsa.key
etc/httpd/ssl.key/snakeoil-ca-rsa.key
etc/httpd/ssl.key/snakeoil-dsa.key
etc/httpd/ssl.key/snakeoil-rsa.key
+etc/httpd/ssl.prm/README.PRM
+etc/httpd/ssl.prm/snakeoil-ca-dsa.prm
+etc/httpd/ssl.prm/snakeoil-dsa.prm
lib/httpd/mod_ssl.so
+share/doc/mod_ssl/README.mkcert
share/mod_ssl/cca.sh
share/mod_ssl/gid-mkcert.sh
share/mod_ssl/loadcacert.cgi
@@ -69,4 +74,5 @@ share/httpd/htdocs/manual/mod/mod_ssl/ssl_template.title-ref.gif
share/httpd/htdocs/manual/mod/mod_ssl/ssl_template.title-toc.gif
share/httpd/htdocs/manual/mod/mod_ssl/ssl_template.title-tutor.gif
@dirrm share/httpd/htdocs/manual/mod/mod_ssl
+@dirrm share/doc/mod_ssl
@dirrm share/mod_ssl