
Taroon-list Digest, Vol 15, Issue 6



Send Taroon-list mailing list submissions to
	taroon-list redhat com

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.redhat.com/mailman/listinfo/taroon-list
or, via email, send a message with subject or body 'help' to
	taroon-list-request redhat com

You can reach the person managing the list at
	taroon-list-owner redhat com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Taroon-list digest..."


Today's Topics:

   1. RE: How to properly install and configure mod_ssl on RHEL 4?
      (Mike Kercher)
   2. Re: How to properly install and configure mod_ssl on RHEL 4?
      (John Haxby)
   3. Re: How to properly install and configure mod_ssl on RHEL 4?
      (Olaf Greve)
   4. Re: How to properly install and configure mod_ssl on RHEL 4?
      (Doug Stewart)
   5. RE: How to properly install and configure mod_ssl on RHEL 4?
      (Mike Kercher)
   6. Re: Scripting help please (Ed Wilts)
   7. RE: Scripting help please (Collins, Kevin  [MindWorks])
   8. Re: Scripting help please (John Haxby)
   9. Re: How to properly install and configure mod_ssl on RHEL 4?
      (Ed Wilts)


----------------------------------------------------------------------

Message: 1
Date: Wed, 4 May 2005 09:24:09 -0500
From: "Mike Kercher" <mike CamaroSS net>
Subject: RE: How to properly install and configure mod_ssl on RHEL 4?
To: "'Discussion of Red Hat Enterprise Linux 3 \(Taroon\)'"
	<taroon-list redhat com>
Message-ID: <200505041424 j44EO9Hx027160 avwall2 bladeware com>
Content-Type: text/plain;	charset="iso-8859-1"

 

-----Original Message-----
From: taroon-list-bounces redhat com [mailto:taroon-list-bounces redhat com]
On Behalf Of John Haxby
Sent: Wednesday, May 04, 2005 9:14 AM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?

Olaf Greve wrote:

> ...indicated that something was amiss with the CA certificate.
>
> Yesterday evening it already dawned on me that I think it's necessary 
> to purchase a certificate (from companies such as Verisign). If so, 
> then I guess that's the missing link.

It's not necessary to buy a certificate (although it may be 
desirable).   In fact, it's not actually necessary to do anything at 
all.   If you've installed mod_ssl (and it installs by default anyway) 
then connecting to https://localhost with, say, firefox will work just fine.

Having said that you'll get dialog boxes popping up telling you that the
certificate isn't signed by a trusted authority and that it doesn't match 
the host you're connecting to.   That's because the certificate is 
self-signed and is for "localhost.localdomain".   A proper certificate 
comes from Verisign or similar and will cost you money -- the last one I 
bought was £50, but that was a few years ago.   For most purposes you 
can get by with a self-signed certificate.   As it happens, I've just 
had to do this for an FC3 machine, but RHEL4 is the same.

This is an out-of-the-box installation, I didn't have to edit any
configuration files.  I didn't explicitly select mod_ssl for installation
either.

With firefox, the first dialog box that pops up starts "Unable to verify 
the identity of localhost.localdomain as a trusted site."   It goes on 
to offer some reasonable causes and lets me accept the certificate 
temporarily.   Having done that I get another dialogue box saying that 
the machine I'm connecting to doesn't match the name on the certificate
(that is, localhost.localdomain) and lets me see the certificate and 
also lets me continue.   The certificate is the one that installs by 
default and it's issued to localhost.localdomain, in SomeOrganisation 
and signed by the issuer.   It was issued on 1-May-2005 which is when I 
installed the server.

To get the self-signed certificate:

    make -C/usr/share/ssl/certs testcert or
    make -C/etc/httpd/conf testcert

(The Makefile in /etc/httpd/conf is a symbolic link to the other one.)   
If you're not root you'll get an error, if you are it'll tell you 
there's nothing to do.   You need to remove the certificate, but not the 
key (if I'm not mistaken, the make rule for generating the key will want a
passphrase which will mean that you'll need to type the passphrase in every
time you restart apache).  So, delete /etc/httpd/conf/ssl.crt/server.crt (or
at least move out of the way) and re-run the make command and then restart
httpd.  If you reload the page in firefox now you'll only get the first
dialog box and you should accept the certificate permanently (having first
checked that it matches what you've just generated).  I don't need to tell
you that you should make sure that the hostname in the certificate matches
the hostname you connect to and that it should be the FQDN.

If, in a year's time, you need to renew the certificate you'll need to change
the serial number (unless you change some of the other details).  
You'll need to edit the Makefile to do this (or run the openssl req 
command directly) to add a "-set_serial 1" parameter.   You won't 
remember that, but you might remember to do a "man req" and look it up
yourself.

As another poster said, "make -C/etc/httpd/conf certreq" will generate the
certificate request you'll need for a real certificate.  When I went through
this with Verisign they were quite picky about what you actually put in the
certificate fields so you'll need to read their web site (or 
the web site of their local representative, in my case, it's BT).   And 
it takes a couple of weeks from start to finish, so a self-signed
certificate is a good thing to get you going anyway.

Most software can be persuaded to accept a self-signed certificate.  The
various browsers, including curl, can be so persuaded.  Java can as 
well.   It depends on how much you want to make life easy compared to 
how much you're prepared to spend money :-)  It would be nice to be able to
get cheap (or even free) certificates for home servers and the like.

jch

--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list

==================================================================================

An SSL cert from http://www.rapidssl.com/index_ssl.htm is much cheaper than
350

Mike
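John's steps put into a script, as an added example that is not part of any post in this digest: it keeps an existing key, writes a certificate for the FQDN with an explicit serial so that a renewal is simply a re-run with the next number, and prints the fingerprint you compare against the browser's dialog before accepting the certificate permanently. It calls the openssl CLI directly rather than the RHEL Makefile targets; the hostname www.example.com, the organisation name and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread): regenerate an httpd self-signed
# certificate by hand instead of via "make testcert", keeping the existing key,
# naming the server by its FQDN, and bumping the serial on renewal.
# Hostname, organisation and paths are constructed placeholders.
set -e

# gen_selfsigned FQDN DAYS SERIAL OUTDIR
#   Creates OUTDIR/server.key once (no passphrase, so httpd restarts unattended)
#   and (re)writes OUTDIR/server.crt. Re-running with a higher SERIAL renews the
#   certificate without touching the key. Prints the certificate path.
gen_selfsigned() {
    fqdn=$1; days=$2; serial=$3; outdir=$4
    mkdir -p "$outdir"
    key=$outdir/server.key
    crt=$outdir/server.crt
    cnf=$outdir/req.cnf

    # Generate the private key only if it does not exist yet; reuse otherwise.
    if [ ! -s "$key" ]; then
        openssl genrsa -out "$key" 2048 2>/dev/null
        chmod 600 "$key"
    fi

    # Request config: a non-interactive subject plus a subjectAltName, which
    # current browsers check instead of (not in addition to) the CN.
    cat >"$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $fqdn
O  = SomeOrganisation
[ext]
subjectAltName   = DNS:$fqdn
basicConstraints = CA:FALSE
EOF

    # Self-signed (-x509) certificate for the existing key with an explicit serial.
    openssl req -new -x509 -key "$key" -out "$crt" -days "$days" \
        -set_serial "$serial" -config "$cnf" 2>/dev/null
    rm -f "$cnf"
    echo "$crt"
}

# cert_fingerprint CRT : SHA-256 fingerprint, the value to compare with what
# the browser shows before accepting the certificate permanently.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_serial CRT : serial number as openssl prints it (hex, e.g. "01").
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_has_cn CRT FQDN : succeeds when the subject CN is exactly FQDN.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qE "CN=$2(,|\$)"
}

# Demo run: sh thisfile.sh --demo [outdir]
if [ "${1:-}" = "--demo" ]; then
    dir=${2:-./ssl-demo}
    gen_selfsigned www.example.com 365 1 "$dir"
    echo "serial:      $(cert_serial "$dir/server.crt")"
    echo "fingerprint: $(cert_fingerprint "$dir/server.crt")"
fi
```

After copying server.crt and server.key into /etc/httpd/conf/ssl.crt and ssl.key and restarting httpd, the fingerprint the browser shows must equal the one the script printed; anything else means you are not talking to the server you just configured.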




------------------------------

Message: 2
Date: Wed, 4 May 2005 15:40:15 +0100
From: John Haxby <jch scalix com>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>
Message-ID: <4278DECF 7080907 scalix com>
Content-Type: text/plain;	charset="ISO-8859-1";	format="flowed"

Mike Kercher wrote

>An SSL cert from http://www.rapidssl.com/index_ssl.htm is much cheaper than
>350
>  
>

I was hoping someone would come up with that sort of reply!

Of course, the more you pay for a certificate, the more users of the web 
site are likely to trust you.   I still think that a certificate should 
include the amount paid for it: someone prepared to pay, say, ?0,000 
for a certificate for a web site selling ink cartridges is much less 
likely to be behaving badly than someone doing the same with a $49 
certificate.  (Quite why Verisign certificates are $350 or £50 is a bit 
of a mystery, considering the exchange rate.)

Self-signed certificates are fine for non-public web sites though.

jch



------------------------------

Message: 3
Date: Wed, 04 May 2005 16:48:35 +0200
From: Olaf Greve <o greve axis nl>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>
Message-ID: <4278E0C3 4010200 axis nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all,

Tnx a lot!

Indeed simply pointing the browser to https://localhost already does the 
trick.

The client themselves will request a signed certificate, so that's up to 
them to do.

Thanks for your help!

Cheers,
Olafo



------------------------------

Message: 4
Date: Wed, 04 May 2005 10:52:58 -0400
From: Doug Stewart <dstewart atl lmco com>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>
Message-ID: <4278E1CA 1020609 atl lmco com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On a related-but-not-entirely-germane subject, anyone have any 
experience in https-protecting a single directory using Apache?  I would 
like to force all requests to a certain directory to use https and make 
the dir inaccessible via regular http.

Can it be done?


-- 
----------
Doug Stewart
Systems Administrator/Web Applications Developer
Lockheed Martin Advanced Technology Labs
dstewart atl lmco com



------------------------------

Message: 5
Date: Wed, 4 May 2005 09:53:25 -0500
From: "Mike Kercher" <mike CamaroSS net>
Subject: RE: How to properly install and configure mod_ssl on RHEL 4?
To: "'Discussion of Red Hat Enterprise Linux 3 \(Taroon\)'"
	<taroon-list redhat com>
Message-ID: <200505041453 j44ErP1L002358 avwall2 bladeware com>
Content-Type: text/plain;	charset="US-ASCII"

 

-----Original Message-----
From: taroon-list-bounces redhat com [mailto:taroon-list-bounces redhat com]
On Behalf Of Olaf Greve
Sent: Wednesday, May 04, 2005 9:49 AM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?

Hi all,

Tnx a lot!

Indeed simply pointing the browser to https://localhost already does the
trick.

The client themselves will request a signed certificate, so that's up to
them to do.

Thanks for your help!

Cheers,
Olafo

--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list

===========================================================

Chances are, you'll end up doing it for them since you will need to generate
the CSR for the certificate.

Mike



------------------------------

Message: 6
Date: Wed, 4 May 2005 09:59:08 -0500
From: Ed Wilts <ewilts ewilts org>
Subject: Re: Scripting help please
To: Truejack <truejack gmail com>,	"Discussion of Red Hat Enterprise
	Linux 3 (Taroon)"	<taroon-list redhat com>
Message-ID: <20050504145908 GA10798 www ewilts org>
Content-Type: text/plain; charset=us-ascii

On Wed, May 04, 2005 at 06:34:30PM +0530, Truejack wrote:
> I need some scripting help please.
> 
> I have a file which has the following output.
> I need to change all the commas after the $ to a * (or any other
> character other than a comma).
> Only the commas after the $ need to be changed.
> 
> 109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb

If you have the mysql package installed, you've got a fantastic tool
called replace.  In my opinion, this should be taken out of mysql and
bundled in a more common location like coreutils.  You don't need a
mysql server running - just the client package installed.

replace ', ' '* ' -- $filename

replace can process multiple files at once and does the changes in
place.

[ewilts corpftp2 ewilts]$ cat foo
109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb
[ewilts corpftp2 ewilts]$ replace ', ' '* ' -- foo
foo converted
[ewilts corpftp2 ewilts]$ cat foo
109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx* SUNWkvm* SUNWctu* SUNWmdb

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts ewilts org
Member #1, Red Hat Community Ambassador Program



------------------------------

Message: 7
Date: Wed, 4 May 2005 08:02:55 -0700
From: "Collins, Kevin  [MindWorks]" <KCollins chevrontexaco com>
Subject: RE: Scripting help please
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>, "Truejack" <truejack gmail com>
Message-ID:
	<9AEA87EE3180D0409F0377B843FD90236E1971 connte2k2 con chevrontexaco net>
	
Content-Type: text/plain; charset=us-ascii

Useless use of cat! Try:

 perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)' file

Kevin

-----Original Message-----
From: taroon-list-bounces redhat com
[mailto:taroon-list-bounces redhat com] On Behalf Of Josh Kelley
Sent: Wednesday, May 04, 2005 6:20 AM
To: Truejack; Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: Scripting help please


Truejack wrote:

>I have a file which has the following output.
>I need to change all the commas after the $ to a * (or any other
>character other than a comma).
>Only the commas after the $ need to be changed.
>
>109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx, SUNWkvm, SUNWctu,
SUNWmdb
>  
>
cat file | perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)'

Josh Kelley

--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list
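The same edit done with POSIX sed and awk, as an added example that is not from any of the posts, for a box that has neither the mysql replace tool Ed mentions nor perl. The sample line is the one Truejack posted; the extra inputs exercised in the comments are constructed to show what happens with no $ at all and with more than one $ (the perl one-liner only rewrites the text between the first and second $, and Ed's replace keys on the two-character string ", " wherever it occurs rather than on position).

```shell
#!/bin/sh
# Added example (not from the thread): rewrite every comma that follows the
# first "$" on a line to "*", leaving commas before the "$" untouched.

# star_after_dollar : filter stdin with sed.
# The s/// with a greedy ".*" replaces the LAST comma after the "$"; "ta"
# jumps back to label "a" whenever a substitution happened, so the loop runs
# until no comma is left after the "$". Lines without "$" pass through as-is.
star_after_dollar() {
    sed -e ':a' -e 's/\(\$.*\),/\1*/' -e 'ta'
}

# star_after_dollar_awk : same result with awk.
# Split on "$" (bracketed so no awk treats it as an end-of-line anchor),
# edit fields 2..NF, and let awk rejoin them with OFS="$".
star_after_dollar_awk() {
    awk -F'[$]' '{
        for (i = 2; i <= NF; i++) gsub(/,/, "*", $i)
        print
    }' OFS='$'
}

# Example (constructed input on stdin):
#   printf '%s\n' '109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb' | star_after_dollar
# gives
#   109889-01 : 109353-04,109353-04 :  :  $ SUNWkvmx* SUNWkvm* SUNWctu* SUNWmdb
```

Both filters read stdin and write stdout, so unlike replace they do not edit the file in place; use `star_after_dollar < file > file.new && mv file.new file` if that is what you want, which also leaves the original intact should the pattern turn out to be wrong.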





------------------------------

Message: 8
Date: Wed, 4 May 2005 16:28:48 +0100
From: John Haxby <jch scalix com>
Subject: Re: Scripting help please
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>
Message-ID: <4278EA30 9090506 scalix com>
Content-Type: text/plain;	charset="ISO-8859-1";	format="flowed"

Collins, Kevin [MindWorks] wrote:

>Useless use of cat! Try:
>
> perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)' file
>  
>

I know I'm name dropping, but Brian Kernighan said the same thing some 
time ago ('83, I think, but it was a while ago.).   He was commenting on 
"cat xxx | yyy" vs "yyy < xxx" (or even "<xxx yyy").

Having thought about it, his conclusion was that you shouldn't worry 
about it.   With something like the perl script, the performance 
advantage is minimal.   On the other hand, "cat file | awk 
'fifty-line-awk-script'" is more likely to be readable than "awk 
'fifty-line-awk-script' file".   My personal style depends on how I'm 
feeling: I might like the challenge of using just the shell or just sed, 
or I might want to try a different approach.   Or I might be writing 
something that has to be maintained -- in which case clarity and 
readability move way up the list.

jch



------------------------------

Message: 9
Date: Wed, 4 May 2005 10:29:18 -0500
From: Ed Wilts <ewilts ewilts org>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)"
	<taroon-list redhat com>
Message-ID: <20050504152918 GA11920 www ewilts org>
Content-Type: text/plain; charset=us-ascii

On Wed, May 04, 2005 at 10:52:58AM -0400, Doug Stewart wrote:
> On a related-but-not-entirely-germane subject, anyone have any 
> experience in https-protecting a single directory using Apache?  I would 
> like to force all requests to a certain directory to use https and make 
> the dir inaccessible via regular http.
> 
> Can it be done?

Sure - just put in a redirect.

I had something like this (which doesn't work anymore, so don't even
bother testing it!):

 Redirect /webmails https://webmail.ewilts.org/

I had then set up a virtual host for webmail.ewilts.org (the only
virtual host I had listening on port 443).

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts ewilts org
Member #1, Red Hat Community Ambassador Program
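Ed's redirect written out as the full pair of virtual hosts, as an added example that is not from the thread, together with a small check that fails when the directory is still reachable over plain http. Beyond the redirect, it puts SSLRequireSSL (a mod_ssl directive that refuses non-TLS requests) inside the directory, so the directory stays closed even if some other port-80 vhost ends up serving the same DocumentRoot. webmail.example.org, /webmails and /var/www/html are constructed placeholders; the certificate paths are the RHEL defaults mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): force one directory onto https and
# verify the config actually does so. Names and paths are placeholders.

# https_only_vhosts FQDN PATH DOCROOT : print an httpd config pair. The :80
# vhost only bounces PATH to https; the :443 vhost serves it, and
# SSLRequireSSL inside the <Directory> refuses any non-TLS request that might
# reach the same directory by another route.
https_only_vhosts() {
    fqdn=$1; path=$2; docroot=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $fqdn
    # Permanent redirect so clients and caches learn the https URL.
    Redirect permanent $path https://$fqdn$path
</VirtualHost>

<VirtualHost *:443>
    ServerName $fqdn
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    DocumentRoot $docroot
    <Directory "$docroot$path">
        # Refuse the directory unless the request itself came over TLS.
        SSLRequireSSL
    </Directory>
</VirtualHost>
EOF
}

# audit_https_only CONF PATH : exit 0 only when CONF has both a Redirect for
# PATH to an https URL inside a :80 vhost and SSLRequireSSL inside a
# <Directory> for PATH within a :443 vhost. A redirect alone still leaves the
# files readable over http if a second vhost shares the document root.
audit_https_only() {
    awk -v path="$2" '
        /<VirtualHost[^>]*:80>/  { vh = 80 }
        /<VirtualHost[^>]*:443>/ { vh = 443 }
        /<\/VirtualHost>/        { vh = 0 }
        vh == 80 && $1 == "Redirect" && ($2 == path || $3 == path) && $NF ~ /^https:/ { redir = 1 }
        vh == 443 && /<Directory/ && index($0, path) > 0 { indir = 1 }
        vh == 443 && /<\/Directory>/                     { indir = 0 }
        vh == 443 && indir && $1 == "SSLRequireSSL"       { req = 1 }
        END { exit !(redir && req) }
    ' "$1"
}

# Demo: sh thisfile.sh --demo writes the config and audits it.
if [ "${1:-}" = "--demo" ]; then
    https_only_vhosts webmail.example.org /webmails /var/www/html > https-only.conf
    audit_https_only https-only.conf /webmails && echo "ok: /webmails is https-only"
fi
```

The audit is deliberately strict: the weak variant with only the Redirect (what the thread describes) fails it, because a Redirect protects a URL prefix on one vhost, not the files on disk.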



------------------------------

--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list

End of Taroon-list Digest, Vol 15, Issue 6
******************************************



