r7816 - in trunk/BOOK: . introduction/welcome postlfs/security

dj at linuxfromscratch.org dj at linuxfromscratch.org
Wed Apr 8 23:01:57 PDT 2009


Author: dj
Date: 2009-04-09 00:01:57 -0600 (Thu, 09 Apr 2009)
New Revision: 7816

Removed:
   trunk/BOOK/postlfs/security/rootcerts.xml
Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/openssl.xml
   trunk/BOOK/postlfs/security/security.xml
Log:
Moved root certificates handling to OpenSSL page.

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/general.ent	2009-04-09 06:01:57 UTC (rev 7816)
@@ -3,13 +3,13 @@
 $Date$
 -->
 
-<!ENTITY day          "26">                   <!-- Always 2 digits -->
-<!ENTITY month        "03">                   <!-- Always 2 digits -->
+<!ENTITY day          "09">                   <!-- Always 2 digits -->
+<!ENTITY month        "04">                   <!-- Always 2 digits -->
 <!ENTITY year         "2009">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "svn-&year;&month;&day;">
-<!ENTITY releasedate  "March &day;th, &year;">
+<!ENTITY releasedate  "April &day;th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- version|testing|unstable|development] -->
@@ -60,6 +60,7 @@
 <!-- Chapter 4 -->
 
 <!ENTITY openssl-version              "0.9.8j">
+<!ENTITY ca-bundle-version            "20090409">
 <!ENTITY gnutls-version               "1.6.3">
 <!ENTITY cracklib-version             "2.8.13">
 <!ENTITY linux-pam-version            "1.0.3">

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2009-04-09 06:01:57 UTC (rev 7816)
@@ -41,6 +41,16 @@
 
 -->
     <listitem>
+      <para>April 9th, 2009</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Removed Root Certificates page and added ca-bundle
+          instructions to OpenSSL page.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>March 26th, 2009</para>
       <itemizedlist>
         <listitem>

Modified: trunk/BOOK/postlfs/security/openssl.xml
===================================================================
--- trunk/BOOK/postlfs/security/openssl.xml	2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/postlfs/security/openssl.xml	2009-04-09 06:01:57 UTC (rev 7816)
@@ -8,8 +8,11 @@
   <!ENTITY openssl-download-ftp  "ftp://ftp.openssl.org/source/openssl-&openssl-version;.tar.gz">
   <!ENTITY openssl-md5sum        "a5cb5f6c3d11affb387ecf7a997cac0c">
   <!ENTITY openssl-size          "3.7 MB">
-  <!ENTITY openssl-buildsize     "45 MB">
-  <!ENTITY openssl-time          "1.2 SBU (additional 0.3 SBU to run the test suite)">
+  <!ENTITY ca-bundle-download    "http://anduin.linuxfromscratch.org/files/BLFS/BLFS-ca-bundle-&ca-bundle-version;.tar.bz2">
+  <!ENTITY ca-bundle-size        "192 KB">
+  <!ENTITY ca-bundle-md5sum      "a5e85c3df9ef9a192eb5e5cdf94ebb72">
+  <!ENTITY openssl-buildsize     "47 MB">
+  <!ENTITY openssl-time          "1.3 SBU (additional 0.3 SBU to run the test suite)">
 ]>
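Review bot: The new `ca-bundle-download` entity is a plain `http://` URL and `ca-bundle-md5sum` is the only integrity check offered for an archive that becomes the system's root trust store, while the provenance text the deleted rootcerts.xml carried (Mozilla's certdata.txt converted to PEM with Red Hat's mkcabundle.pl) is not moved anywhere in this commit. An MD5 sum published in the same book only catches a corrupted or mismatched download; it does not tell the reader where the certificates came from or how to cross-check them against upstream. Presuming the tarball is still produced that way, record it beside the entity, e.g. `<!-- Mozilla certdata.txt converted to PEM (Red Hat mkcabundle.pl); regenerate when upstream changes -->`, and consider publishing a stronger digest alongside the MD5 so the contents can be compared with the upstream source.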
 
 <sect1 id="openssl" xreflabel="OpenSSL-&openssl-version;">
@@ -50,6 +53,15 @@
         <para>Download size: &openssl-size;</para>
       </listitem>
       <listitem>
+        <para>CA Bundle Download: <ulink url="&ca-bundle-download;"/></para>
+      </listitem>
+      <listitem>
+        <para>CA Bundle size: &ca-bundle-size;</para>
+      </listitem>
+      <listitem>
+        <para>CA Bundle MD5 sum: &ca-bundle-md5sum;</para>
+      </listitem>
+      <listitem>
         <para>Estimated disk space required: &openssl-buildsize;</para>
       </listitem>
       <listitem>
@@ -69,7 +81,7 @@
 
     <bridgehead renderas="sect4">Recommended</bridgehead>
     <para role="recommended"><xref linkend="bc"/>(if you run the test suite
-    during the build) and <xref linkend="rootcerts"/></para>
+    during the build)</para>
 
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para role="optional"><xref linkend="mitkrb"/> or
@@ -87,6 +99,7 @@
     the following commands:</para>
 
 <screen><userinput>patch -Np1 -i ../openssl-&openssl-version;-fix_manpages-1.patch &&
+tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &&
 ./config --prefix=/usr         \
          --openssldir=/etc/ssl \
          shared                \
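Review bot: The added `tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &&` unpacks the CA archive into the OpenSSL source tree with no verification step shown, and according to the Command Explanations added later in this commit its contents are then installed as trust anchors by `cp -v -r certs /etc/ssl`. A reader who skips the checksum step therefore trusts whatever the download produced. Either add a sentence before the command telling the reader to check the archive against `&ca-bundle-md5sum;` first, or put the check in the command list: `echo "&ca-bundle-md5sum;  ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2" | md5sum -c - &&`. The archive appears to extract into `certs/` inside the source tree; stating that explicitly would tell readers what the later `cp` picks up.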
@@ -114,11 +127,25 @@
 cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
     /usr/share/doc/openssl-&openssl-version;</userinput></screen>
 
+    <para>While still the <systemitem class="username">root</systemitem> user,
+    create a single file that contains all of the installed certificates:</para>
+
+<screen role="root"><userinput>for pem in /etc/ssl/certs/*.pem
+do
+   cat $pem
+   echo ""
+done > /etc/ssl/ca-bundle.crt</userinput></screen>
+
   </sect2>
 
   <sect2 role="commands">
     <title>Command Explanations</title>
 
+    <para>
+    <command>tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2</command>:
+    OpenSSL no longer includes any root certificates.  This package adds root
+    certificates as provided by mozilla.org.</para>
+
     <para><parameter>shared</parameter>: This parameter forces the creation of
     shared libraries along with the static libraries.</para>
 
@@ -147,11 +174,18 @@
     <command>./config</command> command, this switch will enable 
     use of <filename>libz.so</filename> for compression/decompression.</para> -->
 
-    <para><command>cp -v -r certs /etc/ssl</command>: This package no longer
-    ships CA certificates. This commands installs documentation and sample
-    certificates as examples should one want to create/install their own
-    certificates.</para>
+    <para><command>cp -v -r certs /etc/ssl</command>: This installs both the
+    sample certificates and documentation included with OpenSSL, and the
+    certificates that were extrated from the BLFS-ca-bundle-&ca-bundle-version;
+    package.</para>
 
+    <para><command>for pem in /etc/ssl/certs/*.pem...</command>: This group of
+    commands creates a single-file certificate bundle 
+    (<filename>/etc/ssl/ca-bundle.crt</filename>) that is usable by many
+    other software packages.  <filename>ca-bundle.crt</filename> should be
+    recreated anytime that a certificate is added to
+    <filename class="directory">/etc/ssl/certs</filename>.</para>
+
   </sect2>
 
   <sect2 role="configuration">
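Review bot: `extrated` on the `+    certificates that were extrated from the BLFS-ca-bundle-...` line should be `extracted`. More importantly, the new paragraph says `ca-bundle.crt` should be recreated "anytime that a certificate is added to /etc/ssl/certs"; removal is the case that matters for security, since a CA deleted from the directory stays trusted by every bundle-reading application until the file is rebuilt. Suggest `should be recreated whenever a certificate is added to or removed from <filename class="directory">/etc/ssl/certs</filename>; until then applications using the bundle keep trusting a withdrawn certificate`.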

Deleted: trunk/BOOK/postlfs/security/rootcerts.xml
===================================================================
--- trunk/BOOK/postlfs/security/rootcerts.xml	2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/postlfs/security/rootcerts.xml	2009-04-09 06:01:57 UTC (rev 7816)
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
-   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-  <!ENTITY % general-entities SYSTEM "../../general.ent">
-  %general-entities;
-]>
-
-<sect1 id="rootcerts"  xreflabel="Root Certificates">
-  <?dbhtml filename="rootcerts.html"?>
-
-  <sect1info>
-    <othername>$LastChangedBy$</othername>
-    <date>$Date$</date>
-  </sect1info>
-
-  <title>Root Certificates</title>
-
-  <indexterm zone="rootcerts">
-    <primary sortas="e-cabundle">ca-bundle.crt</primary>
-  </indexterm>
-
-  <para>The <filename>ca-bundle.crt</filename> file contains public
-  certificates from trusted root certificate authorities (CAs).  CAs guarantee
-  the authenticity of a host by issuing certificates that contain both the name
-  of the host and the owner's name, and are signed using the CA's private key.
-  In turn, a matching public key is provided by the CA that can be used to
-  verify the authenticity of any SSL certificate that is signed by that CA. The
-  list of CA certificates (with public keys) included in ca-bundle.crt
-  are provided by mozilla.org, and undergo an annual investigation and
-  auditing process, so that they can be trusted for general use.</para>
-
-  <para>The list of certificates is stored in PEM format, and is generated from
-  a DER formatted file, <filename>certdata.txt</filename>, that ships with
-  Mozilla products. A <ulink
-  url="http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl?view=co">
-  script</ulink> provided by RedHat converts the upstream
-  <filename>certdata.txt</filename> from DER to PEM format, so that it is
-  usable by applications that utilize SSL/TLS encryption.  Additional trusted
-  CAs can be added to the <filename>ca-bundle.crt</filename> by appending the
-  CA's public certificate (in PEM format) to the file.</para>
-
-  <para>Download a recent version of <ulink
-  url="&files-anduin;/ca-bundle.crt">ca-bundle.crt</ulink> and place it into
-  the <filename class="directory">/etc/ssl</filename> directory and make
-  the file world readable by issuing the following commands as the 
-  <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="root"><userinput>install -v -d /etc/ssl &&
-install -m644 ca-bundle.crt /etc/ssl</userinput></screen>
-
-</sect1>

Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml	2009-04-09 04:24:19 UTC (rev 7815)
+++ trunk/BOOK/postlfs/security/security.xml	2009-04-09 06:01:57 UTC (rev 7816)
@@ -39,7 +39,6 @@
   of critical files (defined by the administrator) and then regenerates those
   "signatures" and compares for files that have been changed.</para>
 
-  <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="rootcerts.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="openssl.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnutls.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>



