SSL cert/key location

Wed Dec 22 12:38:36 UTC 2004

Axel Thimm wrote:
> On Tue, Dec 21, 2004 at 09:28:28PM +0100, Enrico Scholz wrote:
> 
>>dwmw2 at infradead.org (David Woodhouse) writes:
>>
>>>>exim-4.43-3
>>>>* Thu Dec 16 2004 David Woodhouse <dwmw2 at redhat.com> 4.43-3
>>>>- Demonstrate SASL auth configuration in default config file
>>>>- Enable TLS and provide certificate if necessary
>>>>- Don't reject all GB2312 charset mail by default
>>>
>>>This enables TLS on incoming and outgoing mail by default -- some
>>>feedback from testing would be appreciated.
>>
>>To repeat my arguments from bugs #141479, #143392 and #143393:
>>
>>* the /usr filesystem (inclusive /usr/share/ssl) can be shared between
>>  several hosts; when there are multiple servers, every one would use
>>  the same certificate. This will not work because CN must match the DNS
>>  name
>>
>>* the sharing happens in >90% of all cases over an unencrypted
>>  network-filesystem (NFS). So, an attacker could easily get the
>>  SSL key.
>>
>>A better place for the certificates would be somewhere under /etc.
> 
> 
> Indeed, I always wondered why the certificates had been put under
> /usr/share/ssl and by whom. The FHS had been quite strict on this from
> the very beginning.
> 
> /etc seems a rather sane place. Perhaps /etc/ssl/?

agree!
the first think what i used to do is
mkdir /etc/ssl
mv /usr/share/ssl/* /etc/ssl/
rm -rf /usr/share/ssl
ln -s /etc/ssl /usr/share/
these are the only configuration files which are not under /etc. why???

-- 
   Levente                               "Si vis pacem para bellum!"