Posted to test-dev@httpd.apache.org by Aaron Bannert <aa...@ebuilt.com> on 2001/08/07 01:21:33 UTC

Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c

On Mon, Aug 06, 2001 at 11:16:43PM -0000, jerenkrantz@apache.org wrote:
> jerenkrantz    01/08/06 16:16:43
> 
>   Modified:    flood    config.h.in configure.in flood_net_ssl.c
>   Log:
>   Add OpenSSL locking routines (doesn't seem to be used, but they say you
>   should have it - okay...)
>   
>   Update configure to have randfile (/tmp/.rnd) and cafile (/tmp/certs.pem)
>   to pass to OpenSSL.  These files must exist (and be valid) or OpenSSL is
>   going to throw a hissy fit.  Also, use OpenSSL 0.9.6b by default.

On new flood installs, will these files have to be created? What are their
contents? If we're going to be this unportable, I'm going to start using
pthread_ calls ;)

-aaron


Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c

Posted by Aaron Bannert <aa...@ebuilt.com>.
> Go blame OpenSSL.  They require these two files.  
> 
> /tmp/.rnd must be ~1024 bits of random data (some platforms don't need
> it, but Solaris does).
> /tmp/certs.pem must be all valid CAs that you are willing to accept.
> 
> This is slightly better than having it rely on either:
> 1) Constants in the flood_net_ssl.c file (RANDFILE was before)
> 2) Constants in the OpenSSL code (CAFILE was before)
> 
> If you don't like the paths I specified, go change it at configure 
> time.  =-)  -- justin

That's fine, make sure to document this requirement somewhere, both
so new users know what to do and so that users of systems that don't
have /tmp know what's going on. Also, I should mention that it is probably
a bad thing in terms of security to be using /tmp for the location
of a random file. For now it's NBD, document it so we don't forget about it.

-aaron


Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c

Posted by Justin Erenkrantz <je...@ebuilt.com>.
On Mon, Aug 06, 2001 at 04:21:33PM -0700, Aaron Bannert wrote:
> On Mon, Aug 06, 2001 at 11:16:43PM -0000, jerenkrantz@apache.org wrote:
> > jerenkrantz    01/08/06 16:16:43
> > 
> >   Modified:    flood    config.h.in configure.in flood_net_ssl.c
> >   Log:
> >   Add OpenSSL locking routines (doesn't seem to be used, but they say you
> >   should have it - okay...)
> >   
> >   Update configure to have randfile (/tmp/.rnd) and cafile (/tmp/certs.pem)
> >   to pass to OpenSSL.  These files must exist (and be valid) or OpenSSL is
> >   going to throw a hissy fit.  Also, use OpenSSL 0.9.6b by default.
> 
> On new flood installs, will these files have to be created? What are their
> contents? If we're going to be this unportable, I'm going to start using
> pthread_ calls ;)

Go blame OpenSSL.  They require these two files.  

/tmp/.rnd must be ~1024 bits of random data (some platforms don't need
it, but Solaris does).
/tmp/certs.pem must be all valid CAs that you are willing to accept.

This is slightly better than having it rely on either:
1) Constants in the flood_net_ssl.c file (RANDFILE was before)
2) Constants in the OpenSSL code (CAFILE was before)

If you don't like the paths I specified, go change it at configure 
time.  =-)  -- justin
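Added example, not flood's own code and not from either poster: a plain POSIX C check that a RANDFILE seed is a private, regular file of at least the ~1024 bits mentioned above before its path is handed to OpenSSL, plus a creator that writes such a file with mode 0600 and refuses a pre-existing one. Function names, the TMPDIR fallback and the per-process scratch path are assumptions; it needs no OpenSSL headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#define SEED_MIN_BYTES 128            /* ~1024 bits, as stated in the thread */

/* Build a per-process scratch path (constructed for this example only). */
const char *seedfile_tmp_path(void)
{
    static char buf[256];
    const char *dir = getenv("TMPDIR");
    snprintf(buf, sizeof buf, "%s/flood_seed_%ld.rnd",
             dir ? dir : "/tmp", (long)getpid());
    return buf;
}

/* Returns 1 if 'path' is a private, usable seed file, else 0.
 * A shared, predictable path such as /tmp/.rnd tends to fail these checks:
 * another user may have pre-created it, and group/world bits leak the seed. */
int seedfile_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)             return 0; /* must exist ...          */
    if (!S_ISREG(st.st_mode))              return 0; /* ... as a regular file   */
    if (st.st_uid != getuid())             return 0; /* owned by the caller     */
    if (st.st_mode & (S_IRWXG | S_IRWXO))  return 0; /* no group/other access   */
    if (st.st_size < SEED_MIN_BYTES)       return 0; /* enough seed material    */
    return 1;
}

/* Write 'nbytes' of kernel randomness to 'path' with mode 0600.
 * O_EXCL means a file someone else planted there is refused, not reused.
 * Returns 0 on success, -1 on any failure. */
int seedfile_create(const char *path, size_t nbytes)
{
    unsigned char buf[512];
    int fd;
    ssize_t n;
    if (nbytes > sizeof buf) return -1;
    if ((fd = open("/dev/urandom", O_RDONLY)) < 0) return -1;
    n = read(fd, buf, nbytes);
    close(fd);
    if (n != (ssize_t)nbytes) return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    n = write(fd, buf, nbytes);
    close(fd);
    return n == (ssize_t)nbytes ? 0 : -1;
}
```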