SSL cert/key location
Farkas Levente
lfarkas at bppiac.hu
Wed Dec 22 12:38:36 UTC 2004
Axel Thimm wrote:
> On Tue, Dec 21, 2004 at 09:28:28PM +0100, Enrico Scholz wrote:
>
>>dwmw2 at infradead.org (David Woodhouse) writes:
>>
>>>>exim-4.43-3
>>>>* Thu Dec 16 2004 David Woodhouse <dwmw2 at redhat.com> 4.43-3
>>>>- Demonstrate SASL auth configuration in default config file
>>>>- Enable TLS and provide certificate if necessary
>>>>- Don't reject all GB2312 charset mail by default
>>>
>>>This enables TLS on incoming and outgoing mail by default -- some
>>>feedback from testing would be appreciated.
>>
>>To repeat my arguments from bugs #141479, #143392 and #143393:
>>
>>* the /usr filesystem (inclusive /usr/share/ssl) can be shared between
>> several hosts; when there are multiple servers, every one would use
>> the same certificate. This will not work because CN must match the DNS
>> name
>>
>>* the sharing happens in >90% of all cases over an unencrypted
>> network-filesystem (NFS). So, an attacker could easily get the
>> SSL key.
>>
>>A better place for the certificates would be somewhere under /etc.
>
>
> Indeed, I always wondered why the certificates had been put under
> /usr/share/ssl and by whom. The FHS had been quite strict on this from
> the very beginning.
>
> /etc seems a rather sane place. Perhaps /etc/ssl/?
agree!
the first think what i used to do is
mkdir /etc/ssl
mv /usr/share/ssl/* /etc/ssl/
rm -rf /usr/share/ssl
ln -s /etc/ssl /usr/share/
these are the only configuration files which are not under /etc. why???
--
Levente "Si vis pacem para bellum!"
More information about the fedora-devel-list
mailing list