r8900 - in trunk/BOOK: . general/genutils introduction/welcome postlfs/security

bdubbs at linuxfromscratch.org bdubbs at linuxfromscratch.org
Wed Oct 19 13:18:45 PDT 2011


Author: bdubbs
Date: 2011-10-19 14:18:40 -0600 (Wed, 19 Oct 2011)
New Revision: 8900

Added:
   trunk/BOOK/postlfs/security/cacerts.xml
Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/general/genutils/bc.xml
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/openssl.xml
   trunk/BOOK/postlfs/security/security.xml
Log:
Add a separate page for CA certificates.
Update to openssl-1.0.0e.
Update to bc-1.06.95.


Modified: trunk/BOOK/general/genutils/bc.xml
===================================================================
--- trunk/BOOK/general/genutils/bc.xml	2011-09-06 07:07:12 UTC (rev 8899)
+++ trunk/BOOK/general/genutils/bc.xml	2011-10-19 20:18:40 UTC (rev 8900)
@@ -16,10 +16,10 @@
     <!-- <para>This package does not come with a test suite.</para> -->
     <!-- <para>To test the results, issue: <command>make check</command>.</para> -->
 
-  <!ENTITY bc-download-http "http://ftp.gnu.org/gnu/bc/bc-&bc-version;.tar.gz">
-  <!ENTITY bc-download-ftp "ftp://ftp.gnu.org/gnu/bc/bc-&bc-version;.tar.gz">
-  <!ENTITY bc-md5sum "d44b5dddebd8a7a7309aea6c36fda117">
-  <!ENTITY bc-size "273 KB">
+  <!ENTITY bc-download-http "&gnu-alpha-http;/bc/bc-&bc-version;.tar.bz2">
+  <!ENTITY bc-download-ftp "&gnu-alpha-ftp;/bc/bc-&bc-version;.tar.bz2">
+  <!ENTITY bc-md5sum "5126a721b73f97d715bb72c13c889035">
+  <!ENTITY bc-size "288 KB">
   <!ENTITY bc-buildsize "3 MB">
   <!ENTITY bc-time "less than 0.1 SBU (0.2 SBU if running the testsuite)">
 ]>
@@ -32,19 +32,19 @@
     <date>$Date$</date>
   </sect1info>
 
-  <title>Bc-&bc-version;</title>
+  <title>bc-&bc-version;</title>
 
   <indexterm zone="bc">
     <primary sortas="a-Bc">Bc</primary>
   </indexterm>
 
   <sect2 role="package">
-    <title>Introduction to Bc</title>
+    <title>Introduction to bc</title>
 
     <para>The <application>bc</application> package contains
     an arbitrary precision numeric processing language.</para>
 
-    &lfs67_checked;
+    &lfs70_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
     <itemizedlist spacing="compact">
@@ -78,11 +78,7 @@
 
     <para>Install <application>bc</application> by running the following commands:</para>
 
-<screen><userinput>sed -i '/PROTO.*readline/d' bc/scan.l &&
-sed -i '/flex -I8/s/8//' configure &&
-sed -i '/stdlib/a #include <string.h>' lib/number.c &&
-sed -i 's/program.*save/static &/' bc/load.c &&
-./configure --prefix=/usr --with-readline &&
+<screen><userinput>./configure --prefix=/usr --with-readline &&
 make</userinput></screen>
 
     <para>To test <application>bc</application>, run the commands below.
@@ -100,7 +96,7 @@
 
   <sect2 role="commands">
     <title>Command Explanations</title>
-
+<!--
     <para><command>sed -i '/PROTO.*readline/d' bc/scan.l</command>: This
     command fixes the <application>Readline</application> library call.</para>
 
@@ -113,7 +109,7 @@
     <para><command>sed -i 's/program.*save/static &/' bc/load.c</command>:
     This command fixes a segfault when running <application>bc</application>
     with <command>bc -l</command>.</para>
-
+-->
     <para><parameter>--with-readline</parameter>: This option enables
     <application>Readline</application> support in interactive mode.</para>
 

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2011-09-06 07:07:12 UTC (rev 8899)
+++ trunk/BOOK/general.ent	2011-10-19 20:18:40 UTC (rev 8900)
@@ -3,8 +3,8 @@
 $Date$
 -->
 
-<!ENTITY day          "06">                   <!-- Always 2 digits -->
-<!ENTITY month        "09">                   <!-- Always 2 digits -->
+<!ENTITY day          "19">                   <!-- Always 2 digits -->
+<!ENTITY month        "10">                   <!-- Always 2 digits -->
 <!ENTITY year         "2011">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
@@ -24,6 +24,7 @@
 <!ENTITY downloads-project    "http://downloads.&lfs-domainname;">
 <!ENTITY sources-anduin-http  "http://anduin.&lfs-domainname;/sources/BLFS/svn">
 <!ENTITY sources-anduin-ftp   "ftp://anduin.&lfs-domainname;/BLFS/svn">
+<!ENTITY sources-anduin-other "ftp://anduin.&lfs-domainname;/BLFS">
 <!ENTITY files-anduin         "http://anduin.&lfs-domainname;/files/BLFS/svn">
 <!ENTITY hints-root           "http://www.&lfs-domainname;/hints">
 <!ENTITY patch-root           "http://www.&lfs-domainname;/patches/blfs/svn">
@@ -32,6 +33,8 @@
 <!-- <!ENTITY lfs-root             "http://www.&lfs-domainname;/lfs/view/&lfs-version;"> -->
 <!ENTITY lfs-root             "../../../../lfs/view/&lfs-version;">
 <!ENTITY lfs-dev              "../../../../lfs/view/development">
+<!ENTITY gnu-alpha-ftp        "ftp://alpha.gnu.org/gnu/">
+<!ENTITY gnu-alpha-http       "http://alpha.gnu.org/gnu/">
 <!ENTITY sourceforge-repo     "http://downloads.sourceforge.net">
 <!ENTITY sourceforge-repo2    "http://sourceforge.net">
 <!ENTITY gentoo-ftp-repo      "ftp://mirror.ovh.net/gentoo-distfiles/distfiles">
@@ -76,6 +79,10 @@
                               properly using an LFS-6.7 platform.</para>">
 <!ENTITY lfs67_built          "<para>This package is known to build using an LFS
                               6.7 platform but has not been tested.</para>">
+<!ENTITY lfs70_checked        "<para>This package is known to build and work
+                              properly using an LFS-7.0 platform.</para>">
+<!ENTITY lfs70_built          "<para>This package is known to build using an LFS
+                              7.0 platform but has not been tested.</para>">
 
 <!-- usage: <para>&lfssvn_checked;ccyymmdd&lfssvn_checked2;</para> -->
 <!ENTITY lfssvn_checked       "This package is known to build and work properly
@@ -92,7 +99,7 @@
 
 <!-- Chapter 4 -->
 
-<!ENTITY openssl-version              "1.0.0d">
+<!ENTITY openssl-version              "1.0.0e">
 <!-- The ca-bundle-version should be updated to match nss version -->
 <!ENTITY ca-bundle-version            "3.12.11.0">
 <!ENTITY gnutls-version               "2.10.2">
@@ -242,7 +249,7 @@
 -->
 
 <!-- Chapter 10 -->
-<!ENTITY bc-version                   "1.06">
+<!ENTITY bc-version                   "1.06.95">
 <!ENTITY rep-gtk-version              "0.18">
 <!ENTITY compface-version             "1.5.2">
 <!ENTITY imagemagick-version          "6.3.5">

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2011-09-06 07:07:12 UTC (rev 8899)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2011-10-19 20:18:40 UTC (rev 8900)
@@ -40,7 +40,23 @@
     </listitem>
 
 -->
+
     <listitem>
+      <para>October 19th, 2011</para>
+      <itemizedlist>
+        <listitem>
+          <para>[bdubbs] - Added separate page to generate CA certificates.</para>
+        </listitem>
+        <listitem>
+          <para>[bdubbs] - Updated to openssl-1.0.0e.</para>
+        </listitem>
+        <listitem>
+          <para>[bdubbs] - Updated to bc-1.06.95.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>September 6th, 2011</para>
       <itemizedlist>
         <listitem>

Added: trunk/BOOK/postlfs/security/cacerts.xml
===================================================================
--- trunk/BOOK/postlfs/security/cacerts.xml	                        (rev 0)
+++ trunk/BOOK/postlfs/security/cacerts.xml	2011-10-19 20:18:40 UTC (rev 8900)
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+
+  <!ENTITY certhost              "http://mxr.mozilla.org">
+  <!ENTITY certdir               "/mozilla/source/security/nss/lib/ckfw/builtins">
+  <!ENTITY ca-bundle-download    "&certhost;&certdir;/certdata.txt?raw=1">
+  <!ENTITY ca-bundle-size        "1.2 MB">
+  <!ENTITY cacerts-buildsize     "1.2 MB">
+  <!ENTITY cacerts-time          "less than 0.1 SBU">
+]>
+
+<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
+  <?dbhtml filename="cacerts.html"?>
+
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
+
+  <title>Certificate Authority Certificates</title>
+
+  <para>The Public Key Inrastructure is used for many security issues in a
+  Linux system.  In order for a certificate to be trusted, it must be signed by
+  a trusted agent called a Certificate Authority (CA).  The certificates loaded
+  by this section are from the list on the Mozilla version control system and
+  formats it into a form used by <xref linkend='openssl'/>.  The certificates
+  can also be used by other applications either directly of indirectly through
+  <application>openssl</application>.</para>
+
+  &lfs70_checked;
+
+  <indexterm zone="cacerts">
+    <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
+  </indexterm>
+
+  <sect2 role="package">
+    <title>Introduction to Certificate Authorities</title>
+
+   <bridgehead renderas="sect3">Package Information</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
+      </listitem>
+      <listitem>
+        <para>CA Bundle size: &ca-bundle-size;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &cacerts-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &cacerts-time;</para>
+      </listitem>
+    </itemizedlist>
+
+    <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
+
+    <bridgehead renderas="sect4">Required</bridgehead>
+    <para role="required"><xref linkend="openssl"/></para>
+
+    <para condition="html" role="usernotes">User Notes:
+    <ulink url='&blfs-wiki;/cacerts'/></para>
+  </sect2>
+
+  <sect2 role="installation">
+    <title>Installation of Certificate Authority Certificates</title>
+
+    <para>First create a script to reformat a certificate into a
+    form needed by <application>openssl</application>.  As the <systemitem
+    class="username">root</systemitem> user:</para>
+
+  <screen><userinput>cat > /bin/make-cert.pl << "EOF"
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./mkcrt.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+    || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> ) 
+{
+    if ( /^CKA_VALUE MULTILINE_OCTAL/ ) 
+    {
+        $incert = 1;
+        open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+            || die "could not pipe to openssl x509";
+    } 
+    
+    elsif ( /^END/ && $incert ) 
+    {
+        close( OUT );
+        $incert = 0;
+        print "\n\n";
+    } 
+    
+    elsif ($incert) 
+    {
+        my @bs = split( /\\/ );
+        foreach my $b (@bs) 
+        {
+            chomp $b;
+            printf( OUT "%c", oct($b) ) unless $b eq '';
+        }
+    }
+}
+EOF
+
+chmod +x /bin/make-cert.pl</userinput></screen>
+
+   <para>The following script creates the certificates and a bundle of all the
+   certificates.  It creates a <filename class='directory'>./certs</filename>
+   directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>.  Again
+   create this script as the <systemitem class="username">root</systemitem>
+   user:</para>
+
+  <screen><userinput>cat > /bin/make-ca.sh << "EOF"
+#!/bin/bash
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+
+certdata="certdata.txt"
+
+if [ ! -r $certdata ]; then
+  echo "$certdata must be in the local directory"
+  exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+  echo "$certfile has no 'Revision' in CVS_ID"
+  exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
+CONVERTSCRIPT="make-cert.pl"
+SSLDIR="/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of staring lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+  for certend in ${CERTENDLIST}; do
+    if test "${certend}" -gt "${certbegin}"; then
+      break
+    fi
+  done
+
+  # Dump to a temp file with the name of the file as the beginning line number
+  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
+
+mkdir -p certs
+rm certs/*      # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+  # Make sure that the cert is trusted...
+  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+    grep "CKT_NETSCAPE_TRUST_UNKNOWN" > /dev/null
+
+  if test "${?}" = "0"; then
+    # Throw a meaningful error and remove the file
+    cp "${tempfile}" tempfile.cer
+    "${CONVERTSCRIPT}" > tempfile.crt
+    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+    echo "Certificate ${keyhash} is not trusted!  Removing..."
+    rm -f tempfile.cer tempfile.crt "${tempfile}"
+    continue
+  fi
+
+  # If execution made it to here in the loop, the temp cert is trusted
+  # Find the cert data and generate a cert file for it
+
+  cp "${tempfile}" tempfile.cer
+  "${CONVERTSCRIPT}" > tempfile.crt
+  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+  mv tempfile.crt "certs/${keyhash}.pem"
+  rm -f tempfile.cer "${tempfile}"
+  echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+  echo "Certificate 8f111d69 is not trusted!  Removing..."
+  rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem >  ${BUNDLE}
+rm -r "${TEMPDIR}"
+EOF
+
+chmod +x /bin/make-ca.sh</userinput></screen>
+
+   <para>The following commands will fetch the certificates and convert them to
+   the correct format.  If desired, a web browser may be used instead of
+   <application>wget</application> but the file will need to be saved with the
+   name <filename>certdata.txt</filename>.  These commands can be repeated as
+   necessary to update the CA Certificates.</para>
+
+   <screen><userinput>certhost='http://mxr.mozilla.org'                        &&
+certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
+url="$certhost$certdir/certdata.txt?raw=1"               &&
+
+wget --output-document certdata.txt $url &&
+unset certhost certdir url               &&
+make-ca.sh</userinput></screen>
+
+   <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+
+<screen><userinput>install -d ${SSLDIR}/certs        &&
+cp -v certs/*.pem ${SSLDIR}/certs &&
+c_rehash                          &&
+install ca-bundle.crt ${SSLDIR}</userinput></screen>
+
+   <para>Finally, clean up the current directory:</para>
+
+<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
+
+  </sect2>
+
+  <sect2 role="content">
+    <title>Contents</title>
+
+    <segmentedlist>
+      <segtitle>Installed Programs</segtitle>
+      <segtitle>Installed Libraries</segtitle>
+      <segtitle>Installed Directories</segtitle>
+
+      <seglistitem>
+        <seg>make-ca.sh and make-cert.pl</seg>
+        <seg>None</seg>
+        <seg>/etc/ssl/certs</seg>
+      </seglistitem>
+    </segmentedlist>
+
+   <variablelist>
+      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+      <?dbfo list-presentation="list"?>
+      <?dbhtml list-presentation="table"?>
+
+      <varlistentry id="make-ca">
+        <term><command>make-ca.sh</command></term>
+        <listitem>
+          <para>is a <application>bash</application> script that reformats
+          the <filename>certdata.txt</filename> file for use by
+          <application>openssl</application>.</para>
+          <indexterm zone="cacerts make-ca">
+            <primary sortas="b-make-ca">make-ca</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="make-cert">
+        <term><command>make-cert.pl</command></term>
+        <listitem>
+          <para>is a utility <application>perl</application> script that 
+          converts a single binary certificate (.der format) into .pem format.</para>
+          <indexterm zone="cacerts make-cert">
+            <primary sortas="b-make-cert">make-cert</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+   </variablelist>
+
+  </sect2>
+</sect1>
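Review bot: The trust anchors for the whole system are fetched over plain HTTP from mxr.mozilla.org (`wget --output-document certdata.txt $url`) with no integrity check whatsoever — the `ca-bundle-md5sum` entity the openssl page used to publish is dropped in this commit and nothing replaces it, so a tampered download becomes a trusted root under /etc/ssl. At minimum publish a known checksum (or the CVS revision string make-ca.sh already extracts) of the certdata.txt revision the page was verified against and tell the reader to compare it before running make-ca.sh. Separately, the root-user install step cannot work as written: `${SSLDIR}` is only assigned inside make-ca.sh and is empty in the reader's shell, and the script writes `BLFS-ca-bundle-${VERSION}.crt`, not `ca-bundle.crt`, so it should read `install -d /etc/ssl/certs && cp -v certs/*.pem /etc/ssl/certs && c_rehash && install BLFS-ca-bundle-*.crt /etc/ssl/ca-bundle.crt`. The filter in make-ca.sh only rejects entries whose CKA_TRUST_SERVER_AUTH is CKT_NETSCAPE_TRUST_UNKNOWN; if certdata.txt carries explicitly distrusted entries (CKT_NETSCAPE_UNTRUSTED), they appear to pass this check and get installed as trusted, so requiring CKT_NETSCAPE_TRUSTED_DELEGATOR positively would be safer (the unused `TRUSTATTRIBUTES` variable suggests that was the intent). Also `$certfile` in the CVS_ID error message is never defined and should be `$certdata`.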


Property changes on: trunk/BOOK/postlfs/security/cacerts.xml
___________________________________________________________________
Added: svn:keywords
   + LastChangedBy Date

Modified: trunk/BOOK/postlfs/security/openssl.xml
===================================================================
--- trunk/BOOK/postlfs/security/openssl.xml	2011-09-06 07:07:12 UTC (rev 8899)
+++ trunk/BOOK/postlfs/security/openssl.xml	2011-10-19 20:18:40 UTC (rev 8900)
@@ -38,7 +38,7 @@
     <application>OpenSSH</application>, email applications and web browsers
     (for accessing HTTPS sites).</para>
 
-    &lfs65_checked;
+    &lfs70_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
     <itemizedlist spacing="compact">
@@ -55,15 +55,6 @@
         <para>Download size: &openssl-size;</para>
       </listitem>
       <listitem>
-        <para>CA Bundle Download: <ulink url="&ca-bundle-download;"/></para>
-      </listitem>
-      <listitem>
-        <para>CA Bundle size: &ca-bundle-size;</para>
-      </listitem>
-      <listitem>
-        <para>CA Bundle MD5 sum: &ca-bundle-md5sum;</para>
-      </listitem>
-      <listitem>
         <para>Estimated disk space required: &openssl-buildsize;</para>
       </listitem>
       <listitem>
@@ -98,7 +89,6 @@
     the following commands:</para>
 
 <screen><userinput>patch -Np1 -i ../openssl-&openssl-version;-fix_manpages-1.patch &&
-tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &&
 
 ./config --prefix=/usr         \
          --openssldir=/etc/ssl \
@@ -108,42 +98,18 @@
 
     <para>To test the results, issue: <command>make test</command>.</para>
 
-    <!-- <para>To test the results, issue: <command>make test</command>.  Note that the
-    test results/output depend on the availability of /etc/ssl/openssl.cnf.  If
-    running the tests for the first time run the following as the
-    <systemitem class="username">root</systemitem> user before running the
-    tests:</para>
-
-<screen role="root"><userinput>install -v -m755 d /etc/ssl &&
-install -v ./apps/openssl.cnf /etc/ssl/</userinput></screen> -->
-
     <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
 
 <screen role="root"><userinput>make MANDIR=/usr/share/man install                &&
-cp -v -r certs /etc/ssl                           &&
 install -v -d -m755 /usr/share/doc/openssl-&openssl-version; &&
 cp      -v -r       doc/{HOWTO,README,*.{txt,html,gif}} \
                     /usr/share/doc/openssl-&openssl-version;</userinput></screen>
 
-    <para>While still the <systemitem class="username">root</systemitem> user,
-    create a single file that contains all of the installed certificates:</para>
-
-<screen role="root"><userinput>for pem in /etc/ssl/certs/*.pem
-do
-   cat $pem
-   echo ""
-done > /etc/ssl/ca-bundle.crt</userinput></screen>
-
   </sect2>
 
   <sect2 role="commands">
     <title>Command Explanations</title>
 
-    <para>
-    <command>tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2</command>:
-    <application>OpenSSL</application> no longer includes any root certificates.
-    This package adds root certificates as provided by mozilla.org.</para>
-
     <para><parameter>shared</parameter>: This parameter forces the creation of
     shared libraries along with the static libraries.</para>
 
@@ -168,22 +134,6 @@
     virtual hosts in Apache, while using only one IP address and one port for
     all virtual hosts.</para> -->
 
-    <!-- <para><option>zlib-dynamic</option>: When added to the
-    <command>./config</command> command, this switch will enable
-    use of <filename>libz.so</filename> for compression/decompression.</para> -->
-
-    <para><command>cp -v -r certs /etc/ssl</command>: This installs both the
-    sample certificates and documentation included with
-    <application>OpenSSL</application>, and the certificates that were extracted
-    from the BLFS-ca-bundle-&ca-bundle-version; package.</para>
-
-    <para><command>for pem in /etc/ssl/certs/*.pem...</command>: This group of
-    commands creates a single-file certificate bundle
-    (<filename>/etc/ssl/ca-bundle.crt</filename>) that is usable by many
-    other software packages.  <filename>ca-bundle.crt</filename> should be
-    recreated every time a new or updated certificate is added to
-    <filename class="directory">/etc/ssl/certs</filename>.</para>
-
   </sect2>
 
   <sect2 role="configuration">
@@ -203,14 +153,20 @@
     <sect3>
       <title>Configuration Information</title>
 
-      <para>Most people who just want to use <application>OpenSSL</application>
-      for providing functions to other programs such as
-      <application>OpenSSH</application> and web browsers won't need to worry
-      about configuring <application>OpenSSL</application>. Configuring
-      <application>OpenSSL</application> is an advanced topic and so those
-      who do would normally be expected to either know how to do it or to be
-      able to find out how to do it.</para>
+      <para>Most users will want to install Certificate Authority Certificates
+      for validataion of downloaded certificates.  For example, these
+      certificates are used by <xref linkend='firefox'/> or <xref
+      linkend='wget'/> when accessing secure (https protocol) sites.  To do this, 
+      follow the instructions from the <xref linkend='cacerts'/> page.</para> 
 
+      <para>Users who just want to use <application>OpenSSL</application> for
+      providing functions to other programs such as
+      <application>OpenSSH</application> and web browsers do not need to worry
+      about additional configuration. This is an advanced topic and so those
+      who do need it would normally be expected to either know how to properly
+      update <filename>/etc/ssl/openssl.cnf</filename> or be able to find out
+      how to do it.</para>
+
     </sect3>
 
   </sect2>
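Review bot: The new configuration paragraph cites Firefox as a consumer of the OpenSSL CA store, but Firefox is NSS-based and, as far as I know, keeps its own certificate database rather than reading /etc/ssl/certs, so that example is likely misleading — wget (and other OpenSSL-linked tools) is the accurate one; drop or hedge the Firefox reference. The same paragraph has a typo: `validataion` should be `validation`.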

Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml	2011-09-06 07:07:12 UTC (rev 8899)
+++ trunk/BOOK/postlfs/security/security.xml	2011-10-19 20:18:40 UTC (rev 8900)
@@ -40,6 +40,7 @@
   "signatures" and compares for files that have been changed.</para>
 
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cacerts.xml"/> 
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>



