Posted to cvs@httpd.apache.org by tr...@apache.org on 2014/10/10 02:17:33 UTC

svn commit: r1630625 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml

Author: trawick
Date: Fri Oct 10 00:17:33 2014
New Revision: 1630625

URL: http://svn.apache.org/r1630625
Log:
mod_ssl_ct: Update the doc for the recent sync with current OpenSSL 1.0.2
and Certificate Transparency tools, as well as a few other clarifications.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml?rev=1630625&r1=1630624&r2=1630625&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml Fri Oct 10 00:17:33 2014
@@ -80,8 +80,8 @@ information does not have to also restar
 <note>This module is experimental for the following reasons:
 <ul>
   <li>Insufficient test and review</li>
-  <li>Reliance on an unreleased version of OpenSSL (1.0.2) for basic
-  operation</li>
+  <li>Reliance on an unreleased version of OpenSSL (1.0.2, Beta 3 or later) for
+  basic operation</li>
   <li>Incomplete <a href="#audit">off-line audit capability</a></li>
 </ul>
 
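Review bot: the qualifier "(1.0.2, Beta 3 or later)" in the second list item still leaves the reader guessing what happens with an earlier 1.0.2 beta or with 1.0.1; a short sentence stating whether the module then fails to build or fails at runtime would make the requirement actionable rather than just a warning label.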
@@ -182,7 +182,10 @@ testing.</p>
 
     <dt>public key of the log</dt>
     <dd>A proxy must have the public key of the log in order to check the
-    signature in SCTs it receives which were obtained from the log.</dd>
+    signature in SCTs it receives which were obtained from the log.
+    <br />
+    A server must have the public key of the log in order to submit certificates
+    to it.</dd>
 
     <dt>general trust/distrust setting</dt>
     <dd>This is a mechanism to distrust or restore trust in a particular log,
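Review bot: the added sentence "A server must have the public key of the log in order to submit certificates to it" ties the key to submission, but a log accepts submissions without the submitter holding its key; the key is needed to verify the signature on the SCT the log returns (and to match the SCT's log ID, which is derived from that key). Suggest wording it in parallel with the proxy sentence just above it: "A server must have the public key of the log in order to verify the signature in SCTs it receives from the log after submitting certificates."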
@@ -229,20 +232,21 @@ testing.</p>
   <title>Off-line audit for proxy</title>
 
   <p>Experimental support for this is implemented in the <code>ctauditscts</code>
-  command (in the httpd source tree, not currently installed), which itself
-  relies on the <code>verify_single_proof.py</code> tool in the 
+  command, which itself relies on the <code>verify_single_proof.py</code> tool in the
   <em>certificate-transparency</em> open source project.  <code>ctauditscts</code>
   can parse data for off-line audit (enabled with the <directive module="mod_ssl_ct">
   CTAuditStorage</directive> directive) and invoke <code>verify_single_proof.py</code>.
-  However, <code>verify_single_proof.py</code> is not complete currently and does
-  not provide a way to identify audit failures.</p>
+  </p>
 
   <p>Here are rough notes for using <code>ctauditscts</code>:</p>
 
   <ul>
-    <li>Set <code>PYTHONPATH</code> to include the <code>src/python</code>
+    <li>Create a <em>virtualenv</em> using the <code>requirements.txt</code> file
+    from the <em>certificate-transparency</em> project and run the following steps
+    with that <em>virtualenv</em> activated.</li>
+    <li>Set <code>PYTHONPATH</code> to include the <code>python</code>
     directory within the <em>certificate-transparency</em> tools.</li>
-    <li>Set <code>PATH</code> to include the <code>src/python/ct/client/tools</code>
+    <li>Set <code>PATH</code> to include the <code>python/ct/client/tools</code>
     directory.</li>
     <li>Run <code>ctauditscts</code>, passing the value of the
     <directive>CTAuditStorage</directive> directive and, optionally, the path to
@@ -251,7 +255,7 @@ testing.</p>
   </ul>
 
   <p>The data saved for audit can also be used by other programs; refer to the
-  <code>ctauditscts</code> source code for details.</p>
+  <code>ctauditscts</code> source code for details on processing the data.</p>
 </section>
 
 <directivesynopsis>
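Review bot: deleting the sentence that verify_single_proof.py "does not provide a way to identify audit failures" without replacing it leaves the section saying nothing about how an audit failure is reported, while the experimental-reasons list in the first hunk still cites "Incomplete off-line audit capability" and the opening sentence here still says "Experimental support"; add one line stating what ctauditscts now does when a proof fails to verify so the two passages agree. Two smaller gaps in the same hunk: the new virtualenv step names requirements.txt without saying where it lives in the certificate-transparency tree, and removing "(in the httpd source tree, not currently installed)" drops the only statement of where ctauditscts is found, so say where it is installed now.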
@@ -289,7 +293,8 @@ testing.</p>
 
 <usage>
   <p><em>executable</em> is the full path to the log client tool, which is
-  normally file <code>src/client/ct</code> within the source tree of the 
+  normally file <code>cpp/client/ct</code> (or <code>ct.exe</code>) within the
+  source tree of the
   <a href="https://code.google.com/p/certificate-transparency/">
   certificate-transparency</a> open source project.</p>
 
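Review bot: the usage text for this directive names an executable that httpd will run, so it should carry a caveat that the path (and every directory above it) must be writable only by the administrator; anyone who can replace cpp/client/ct gets code execution in the server's context. Also, "within the source tree of the certificate-transparency open source project" describes a build product, so state that the tool must be compiled before the path exists.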
@@ -298,7 +303,7 @@ testing.</p>
 
   <p>If this directive is not configured, server certificates cannot be
   submitted to logs in order to obtain SCTs; thus, only admin-managed
-  SCTs will be provided to clients.</p>
+  SCTs or SCTs in certificate extensions will be provided to clients.</p>
 </usage>
 </directivesynopsis>
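Review bot: "SCTs in certificate extensions" is introduced in the last line without explanation; a clause noting that these are SCTs the CA embedded in the certificate at issuance, which the server can present without submitting anything to a log, would make clear why a server with no CTLogClient configured can still satisfy clients that require SCTs.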