Author: dj
Date: 2009-04-09 00:01:57 -0600 (Thu, 09 Apr 2009)
New Revision: 7816
Removed:
trunk/BOOK/postlfs/security/rootcerts.xml
Modified:
trunk/BOOK/general.ent
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/openssl.xml
trunk/BOOK/postlfs/security/security.xml
Log:
Moved root certificates handling to OpenSSL page.
Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent 2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/general.ent 2009-04-09 06:01:57 UTC (rev 7816)
@@ -3,13 +3,13 @@
$Date$
-->
-<!ENTITY day "26"> <!-- Always 2 digits -->
-<!ENTITY month "03"> <!-- Always 2 digits -->
+<!ENTITY day "09"> <!-- Always 2 digits -->
+<!ENTITY month "04"> <!-- Always 2 digits -->
<!ENTITY year "2009">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "svn-&year;&month;&day;">
-<!ENTITY releasedate "March &day;th, &year;">
+<!ENTITY releasedate "April &day;th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!--
version|testing|unstable|development] -->
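Review bot: the releasedate entity now renders as "April 09th, 2009", because &day; is defined as always two digits and the "th" is appended literally; the March value "26" happened to hide this. Either write the ordinal date out in full here (`<!ENTITY releasedate "April 9th, &year;">`) or add a separate non-padded day entity for use in prose dates, keeping the padded one for &version; and &pubdate;.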
@@ -60,6 +60,7 @@
<!-- Chapter 4 -->
<!ENTITY openssl-version "0.9.8j">
+<!ENTITY ca-bundle-version "20090409">
<!ENTITY gnutls-version "1.6.3">
<!ENTITY cracklib-version "2.8.13">
<!ENTITY linux-pam-version "1.0.3">
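Review bot: ca-bundle-version is a bare date stamp ("20090409") with nothing recording which Mozilla certdata.txt revision the bundle was generated from, so the trust roots it installs cannot be reproduced or audited later. Add an XML comment next to the entity naming the upstream certdata.txt revision (and the conversion script used), as the old Root Certificates page did in prose.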
Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml 2009-04-09 04:24:19 UTC
(rev 7815)
+++ trunk/BOOK/introduction/welcome/changelog.xml 2009-04-09 06:01:57 UTC
(rev 7816)
@@ -41,6 +41,16 @@
-->
<listitem>
+ <para>April 9th, 2009</para>
+ <itemizedlist>
+ <listitem>
+ <para>[dj] - Removed Root Certificates page and added ca-bundle
+ instructions to OpenSSL page.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem>
<para>March 26th, 2009</para>
<itemizedlist>
<listitem>
Modified: trunk/BOOK/postlfs/security/openssl.xml
===================================================================
--- trunk/BOOK/postlfs/security/openssl.xml 2009-04-09 04:24:19 UTC (rev
7815)
+++ trunk/BOOK/postlfs/security/openssl.xml 2009-04-09 06:01:57 UTC (rev
7816)
@@ -8,8 +8,11 @@
<!ENTITY openssl-download-ftp
"ftp://ftp.openssl.org/source/openssl-&openssl-version;.tar.gz">
<!ENTITY openssl-md5sum "a5cb5f6c3d11affb387ecf7a997cac0c">
<!ENTITY openssl-size "3.7 MB">
- <!ENTITY openssl-buildsize "45 MB">
- <!ENTITY openssl-time "1.2 SBU (additional 0.3 SBU to run the test
suite)">
+ <!ENTITY ca-bundle-download
"http://anduin.linuxfromscratch.org/files/BLFS/BLFS-ca-bundle-&ca-bundle-version;.tar.bz2">
+ <!ENTITY ca-bundle-size "192 KB">
+ <!ENTITY ca-bundle-md5sum "a5e85c3df9ef9a192eb5e5cdf94ebb72">
+ <!ENTITY openssl-buildsize "47 MB">
+ <!ENTITY openssl-time "1.3 SBU (additional 0.3 SBU to run the test
suite)">
]>
<sect1 id="openssl" xreflabel="OpenSSL-&openssl-version;">
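Review bot: the CA bundle, which is the system's entire set of trust anchors, is fetched over plain http from anduin.linuxfromscratch.org and the only check offered is an MD5 sum published alongside it; that detects a truncated download but does not establish that the contents match what mozilla.org ships. Publish a SHA-256 sum or a detached signature for BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 in addition to the MD5, and state the certdata.txt revision it was built from, so a reader can verify the bundle against upstream rather than against the same mirror it came from. The openssl-buildsize and openssl-time bumps (45 to 47 MB, 1.2 to 1.3 SBU) are presumably the extracted bundle; fine, but worth a comment.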
@@ -50,6 +53,15 @@
<para>Download size: &openssl-size;</para>
</listitem>
<listitem>
+ <para>CA Bundle Download: <ulink url="&ca-bundle-download;"/></para>
+ </listitem>
+ <listitem>
+ <para>CA Bundle size: &ca-bundle-size;</para>
+ </listitem>
+ <listitem>
+ <para>CA Bundle MD5 sum: &ca-bundle-md5sum;</para>
+ </listitem>
+ <listitem>
<para>Estimated disk space required: &openssl-buildsize;</para>
</listitem>
<listitem>
@@ -69,7 +81,7 @@
<bridgehead renderas="sect4">Recommended</bridgehead>
<para role="recommended"><xref linkend="bc"/>(if you run the test suite
- during the build) and <xref linkend="rootcerts"/></para>
+ during the build)</para>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional"><xref linkend="mitkrb"/> or
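Review bot: dropping `<xref linkend="rootcerts"/>` here only fixes this page; any other page in the book that cross-references the now-deleted rootcerts.xml (packages that consume ca-bundle.crt, for example) will fail validation because the linkend no longer resolves. Grep the tree for `linkend="rootcerts"` before committing the removal. Making the bundle part of the mandatory build commands (the tar step before ./config) rather than a Recommended dependency is consistent, so removing the xref rather than relocating it is the right call.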
@@ -87,6 +99,7 @@
the following commands:</para>
<screen><userinput>patch -Np1 -i
../openssl-&openssl-version;-fix_manpages-1.patch &&
+tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &&
./config --prefix=/usr \
--openssldir=/etc/ssl \
shared \
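Review bot: the tar step extracts a downloaded archive into the OpenSSL source tree with no verification, even though an MD5 sum for it is listed in this same patch; the listed sum is never checked by the commands. Have the reader verify first (`md5sum BLFS-ca-bundle-&ca-bundle-version;.tar.bz2` compared against &ca-bundle-md5sum;, or `md5sum -c` against a sums file), and since the later `cp -v -r certs /etc/ssl` explanation assumes the archive unpacks under certs/, suggest `tar -tf` so the reader can confirm it writes nowhere else in the source tree before extracting with -x.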
@@ -114,11 +127,25 @@
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
/usr/share/doc/openssl-&openssl-version;</userinput></screen>
+ <para>While still the <systemitem class="username">root</systemitem> user,
+ create a single file that contains all of the installed
certificates:</para>
+
+<screen role="root"><userinput>for pem in /etc/ssl/certs/*.pem
+do
+ cat $pem
+ echo ""
+done > /etc/ssl/ca-bundle.crt</userinput></screen>
+
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
+ <para>
+ <command>tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2</command>:
+ OpenSSL no longer includes any root certificates. This package adds root
+ certificates as provided by mozilla.org.</para>
+
<para><parameter>shared</parameter>: This parameter forces the creation of
shared libraries along with the static libraries.</para>
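Review bot: the loop builds ca-bundle.crt from every *.pem under /etc/ssl/certs, but the cp explanation added further down in this same patch says that directory receives OpenSSL's sample certificates as well as the extracted BLFS bundle; any sample certificate that lands there as a .pem file becomes a trust anchor for every consumer of ca-bundle.crt. Either install the OpenSSL samples under /usr/share/doc/openssl-&openssl-version; and keep /etc/ssl/certs for real CAs only, or build the bundle from the files that came out of BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 rather than from a glob over the merged directory. Two smaller points on the loop: if the glob matches nothing it iterates once over the literal pattern and `cat` fails, so guard it (`[ -e "$pem" ] || continue`) and quote `"$pem"`; and the file is written with the current umask and no explicit mode, whereas the deleted page used `install -m644`, which should be kept so the bundle is reliably world-readable.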
@@ -147,11 +174,18 @@
<command>./config</command> command, this switch will enable
use of <filename>libz.so</filename> for compression/decompression.</para>
-->
- <para><command>cp -v -r certs /etc/ssl</command>: This package no longer
- ships CA certificates. This commands installs documentation and sample
- certificates as examples should one want to create/install their own
- certificates.</para>
+ <para><command>cp -v -r certs /etc/ssl</command>: This installs both the
+ sample certificates and documentation included with OpenSSL, and the
+ certificates that were extrated from the BLFS-ca-bundle-&ca-bundle-version;
+ package.</para>
+ <para><command>for pem in /etc/ssl/certs/*.pem...</command>: This group of
+ commands creates a single-file certificate bundle
+ (<filename>/etc/ssl/ca-bundle.crt</filename>) that is usable by many
+ other software packages. <filename>ca-bundle.crt</filename> should be
+ recreated anytime that a certificate is added to
+ <filename class="directory">/etc/ssl/certs</filename>.</para>
+
</sect2>
<sect2 role="configuration">
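Review bot: typo in the cp explanation: "extrated" should be "extracted". The paragraph on regenerating ca-bundle.crt covers consumers that read a single CAfile, but OpenSSL itself looks certificates up in /etc/ssl/certs by subject hash, and nothing in this patch runs `c_rehash /etc/ssl/certs` (shipped with OpenSSL) after the certificates are copied in, so the directory is not usable as a CApath by the openssl tool or by applications configured that way. Add the c_rehash step after `cp -v -r certs /etc/ssl` and mention both it and the bundle rebuild in this paragraph; a sentence on removing a CA one no longer trusts (delete the .pem, rehash, rebuild the bundle) would also close the gap left by the deleted page's note on appending additional CAs.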
Deleted: trunk/BOOK/postlfs/security/rootcerts.xml
===================================================================
--- trunk/BOOK/postlfs/security/rootcerts.xml 2009-04-09 04:24:19 UTC (rev
7815)
+++ trunk/BOOK/postlfs/security/rootcerts.xml 2009-04-09 06:01:57 UTC (rev
7816)
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
- <!ENTITY % general-entities SYSTEM "../../general.ent">
- %general-entities;
-]>
-
-<sect1 id="rootcerts" xreflabel="Root Certificates">
- <?dbhtml filename="rootcerts.html"?>
-
- <sect1info>
- <othername>$LastChangedBy$</othername>
- <date>$Date$</date>
- </sect1info>
-
- <title>Root Certificates</title>
-
- <indexterm zone="rootcerts">
- <primary sortas="e-cabundle">ca-bundle.crt</primary>
- </indexterm>
-
- <para>The <filename>ca-bundle.crt</filename> file contains public
- certificates from trusted root certificate authorities (CAs). CAs guarantee
- the authenticity of a host by issuing certificates that contain both the name
- of the host and the owner's name, and are signed using the CA's private key.
- In turn, a matching public key is provided by the CA that can be used to
- verify the authenticity of any SSL certificate that is signed by that CA. The
- list of CA certificates (with public keys) included in ca-bundle.crt
- are provided by mozilla.org, and undergo an annual investigation and
- auditing process, so that they can be trusted for general use.</para>
-
- <para>The list of certificates is stored in PEM format, and is generated from
- a DER formatted file, <filename>certdata.txt</filename>, that ships with
- Mozilla products. A <ulink
-
url="http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl?view=co">
- script</ulink> provided by RedHat converts the upstream
- <filename>certdata.txt</filename> from DER to PEM format, so that it is
- usable by applications that utilize SSL/TLS encryption. Additional trusted
- CAs can be added to the <filename>ca-bundle.crt</filename> by appending the
- CA's public certificate (in PEM format) to the file.</para>
-
- <para>Download a recent version of <ulink
- url="&files-anduin;/ca-bundle.crt">ca-bundle.crt</ulink> and place it into
- the <filename class="directory">/etc/ssl</filename> directory and make
- the file world readable by issuing the following commands as the
- <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="root"><userinput>install -v -d /etc/ssl &&
-install -m644 ca-bundle.crt /etc/ssl</userinput></screen>
-
-</sect1>
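Review bot: the deleted page carried content that the new OpenSSL section does not pick up: the provenance of the bundle (Mozilla's certdata.txt converted to PEM with the Red Hat mkcabundle.pl script), the instruction that additional trusted CAs are added by appending their PEM certificate, the `<indexterm>` for ca-bundle.crt (so the book index no longer lists it), and the `&files-anduin;` entity, which the new openssl.xml replaces with a hard-coded anduin.linuxfromscratch.org URL. Carry the indexterm and a short provenance paragraph over to openssl.xml, and express the ca-bundle-download entity in terms of &files-anduin; so the mirror location stays defined in one place.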
Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml 2009-04-09 04:24:19 UTC (rev
7815)
+++ trunk/BOOK/postlfs/security/security.xml 2009-04-09 06:01:57 UTC (rev
7816)
@@ -39,7 +39,6 @@
of critical files (defined by the administrator) and then regenerates those
"signatures" and compares for files that have been changed.</para>
- <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="rootcerts.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="openssl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnutls.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>
--
http://linuxfromscratch.org/mailman/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page