Posted to test-dev@httpd.apache.org by Aaron Bannert <aa...@ebuilt.com> on 2001/08/07 01:21:33 UTC
Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c
On Mon, Aug 06, 2001 at 11:16:43PM -0000, jerenkrantz@apache.org wrote:
> jerenkrantz 01/08/06 16:16:43
>
> Modified: flood config.h.in configure.in flood_net_ssl.c
> Log:
> Add OpenSSL locking routines (doesn't seem to be used, but they say you
> should have it - okay...)
>
> Update configure to have randfile (/tmp/.rnd) and cafile (/tmp/certs.pem)
> to pass to OpenSSL. These files must exist (and be valid) or OpenSSL is
> going to throw a hissy fit. Also, use OpenSSL 0.9.6b by default.
On new flood installs, will these files have to be created? What are their
contents? If we're going to be this unportable, I'm going to start using
pthread_ calls ;)
-aaron
Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c
Posted by Aaron Bannert <aa...@ebuilt.com>.
> Go blame OpenSSL. They require these two files.
>
> /tmp/.rnd must be ~1024 bits of random data (some platforms don't need
> it, but Solaris does).
> /tmp/certs.pem must be all valid CAs that you are willing to accept.
>
> This is slightly better than having it rely on either:
> 1) Constants in the flood_net_ssl.c file (RANDFILE was before)
> 2) Constants in the OpenSSL code (CAFILE was before)
>
> If you don't like the paths I specified, go change it at configure
> time. =-) -- justin
That's fine, make sure to document this requirement somewhere, both
so new users know what to do and so that users of systems that don't
have /tmp know what's going on. Also, I should mention that it is probably
a bad thing in terms of security to be using /tmp for the location
of a random file. For now it's NBD, document it so we don't forget about it.
-aaron
Re: cvs commit: httpd-test/flood config.h.in configure.in flood_net_ssl.c
Posted by Justin Erenkrantz <je...@ebuilt.com>.
On Mon, Aug 06, 2001 at 04:21:33PM -0700, Aaron Bannert wrote:
> On Mon, Aug 06, 2001 at 11:16:43PM -0000, jerenkrantz@apache.org wrote:
> > jerenkrantz 01/08/06 16:16:43
> >
> > Modified: flood config.h.in configure.in flood_net_ssl.c
> > Log:
> > Add OpenSSL locking routines (doesn't seem to be used, but they say you
> > should have it - okay...)
> >
> > Update configure to have randfile (/tmp/.rnd) and cafile (/tmp/certs.pem)
> > to pass to OpenSSL. These files must exist (and be valid) or OpenSSL is
> > going to throw a hissy fit. Also, use OpenSSL 0.9.6b by default.
>
> On new flood installs, will these files have to be created? What are their
> contents? If we're going to be this unportable, I'm going to start using
> pthread_ calls ;)
Go blame OpenSSL. They require these two files.
/tmp/.rnd must be ~1024 bits of random data (some platforms don't need
it, but Solaris does).
/tmp/certs.pem must be all valid CAs that you are willing to accept.
This is slightly better than having it rely on either:
1) Constants in the flood_net_ssl.c file (RANDFILE was before)
2) Constants in the OpenSSL code (CAFILE was before)
If you don't like the paths I specified, go change it at configure
time. =-) -- justin
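The thread states OpenSSL needs a ~1024-bit seed file and Aaron objects to keeping it in /tmp. The following is an added example, not code from flood or from this thread: a POSIX shell function (assumed names `make_randfile` and `check_randfile`, assumed seed source `/dev/urandom`) that writes the seed file into a caller-owned private directory instead of the shared /tmp, refuses symlinked paths, and verifies size and mode before the file is trusted.

```shell
#!/bin/sh
# Added example (not from the flood commit or this thread): create the
# OpenSSL RAND seed file the thread calls /tmp/.rnd in a private,
# caller-owned directory rather than world-writable /tmp, then verify it.
# Assumptions: RANDSRC is a kernel RNG device (default /dev/urandom);
# make_randfile DIR writes DIR/.rnd and returns 0 only if every check passes.

RANDSRC="${RANDSRC:-/dev/urandom}"
RANDBYTES=128   # 128 bytes = 1024 bits of seed data, as the thread states

make_randfile() {
    dir="$1"
    f="$dir/.rnd"

    # Refuse a directory that is a symlink: someone else may have planted it.
    if [ -L "$dir" ]; then
        echo "refusing symlinked directory: $dir" >&2; return 1
    fi
    # chmod fails if the directory exists but belongs to another user.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1

    # A pre-existing symlink at the file path would redirect our write.
    if [ -L "$f" ]; then
        echo "refusing symlinked seed file: $f" >&2; return 1
    fi

    # Restrictive umask so the seed is never created readable by others.
    (umask 077 && dd if="$RANDSRC" of="$f" bs="$RANDBYTES" count=1 2>/dev/null) \
        || return 1
    check_randfile "$f"
}

check_randfile() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Exactly the expected amount of seed data.
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$RANDBYTES" ] || return 1
    # No group or other permission bits (columns 5-10 of ls -l output).
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    return 0
}
```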