r8915 - in trunk/BOOK: general/genlib introduction/welcome postlfs/security

bdubbs at linuxfromscratch.org bdubbs at linuxfromscratch.org
Sun Oct 23 18:06:28 PDT 2011


Author: bdubbs
Date: 2011-10-23 19:06:24 -0600 (Sun, 23 Oct 2011)
New Revision: 8915

Modified:
   trunk/BOOK/general/genlib/libxslt.xml
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/cacerts.xml
Log:
Add routine to remove out of date CA certificates.


Modified: trunk/BOOK/general/genlib/libxslt.xml
===================================================================
--- trunk/BOOK/general/genlib/libxslt.xml	2011-10-23 22:03:46 UTC (rev 8914)
+++ trunk/BOOK/general/genlib/libxslt.xml	2011-10-24 01:06:24 UTC (rev 8915)
@@ -34,8 +34,7 @@
     class="libraryfile">libxml2</filename> libraries to support
     XSLT files.</para>
 
-    &lfs65_checked;
-    <para>&lfssvn_checked;20101029&lfssvn_checked2;</para>
+    &lfs70_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
     <itemizedlist spacing="compact">
@@ -90,16 +89,6 @@
 
   </sect2>
 
-  <!-- <sect2 role="commands">
-    <title>Command Explanations</title>
-
-    <para><command>sed -i "s/\$(PYTHON_SITE_PACKAGES)/'&'/"
-    configure</command>: The quotes around this variable were inadvertently
-    removed in this release. This command puts the quotes back in so that
-    the variable is not interpreted as a shell command.</para>
-
-  </sect2> -->
-
   <sect2 role="content">
     <title>Contents</title>
 

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2011-10-23 22:03:46 UTC (rev 8914)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2011-10-24 01:06:24 UTC (rev 8915)
@@ -45,6 +45,10 @@
       <para>October 23rd, 2011</para>
       <itemizedlist>
         <listitem>
+          <para>[bdubbs] - Add routine to remove out of date
+          CA certificates.</para>
+        </listitem>
+        <listitem>
           <para>[bdubbs] - Update to libxml2-2.7.8.</para>
         </listitem>
         <listitem>

Modified: trunk/BOOK/postlfs/security/cacerts.xml
===================================================================
--- trunk/BOOK/postlfs/security/cacerts.xml	2011-10-23 22:03:46 UTC (rev 8914)
+++ trunk/BOOK/postlfs/security/cacerts.xml	2011-10-24 01:06:24 UTC (rev 8915)
@@ -129,7 +129,7 @@
    create this script as the <systemitem class="username">root</systemitem>
    user:</para>
 
-  <screen><userinput>cat > /bin/make-ca.sh << "EOF"
+   <screen><userinput>cat > /bin/make-ca.sh << "EOF"
 #!/bin/bash
 # Begin make-ca.sh
 # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
@@ -227,6 +227,37 @@
 
 chmod +x /bin/make-ca.sh</userinput></screen>
 
+   <para>Add a short script to remove expired certifictes from a directory.
+   Again create this script as the <systemitem
+   class="username">root</systemitem> user:</para>
+
+  <screen><userinput>cat > /bin/remove-expired-certs.sh << "EOF"
+#!/bin/bash
+# Begin /bin/remove-expired-certs.sh
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+  DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+  notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+  date=$( echo ${notafter} |  sed 's/^notAfter=//' )
+
+  if [ $( date -d "${date}" +%Y%m%d ) -lt ${today} ]; then
+     echo "${cert} is expired! Removing..."
+     rm -f "${cert}"
+  fi
+done
+EOF
+
+chmod +x /bin/remove-expired-certs.sh</userinput></screen>
+
    <para>The following commands will fetch the certificates and convert them to
    the correct format.  If desired, a web browser may be used instead of
    <application>wget</application> but the file will need to be saved with the
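Review bot: The `find` on the `certs=$( find ${DIR} ... )` line groups as `(-type f -name "*.pem") -o -name "*.crt"`, so `-type f` applies only to `.pem` entries and any directory or symlink named `*.crt` under `${DIR}` is handed to `openssl x509` and then `rm -f`; it needs explicit grouping, `certs=$( find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) )`. The unquoted `$certs` in the `for` loop additionally word-splits on whitespace, so a path containing a space is split into fragments that are tested and deleted piecewise; a `-print0` / `read -d ''` loop avoids both problems, as below. When `openssl x509` cannot parse a file, `notafter` is left empty and the empty `date -d ""` appears to resolve to the current day rather than fail, so a parse failure should skip the file instead of reaching the comparison. The paragraph introducing the script also misspells `certificates` as `certifictes`.
```shell
find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) -print0 |
while IFS= read -r -d '' cert; do
  notafter=$( "${OPENSSL}" x509 -enddate -in "${cert}" -noout ) || continue
  date=${notafter#notAfter=}

  if [ "$( date -d "${date}" +%Y%m%d )" -lt "${today}" ]; then
    # … unchanged: echo and rm -f "${cert}" …
  fi
done
```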
@@ -239,14 +270,17 @@
 
 wget --output-document certdata.txt $url &&
 unset certhost certdir url               &&
-make-ca.sh</userinput></screen>
+make-ca.sh                               &&
+remove-expired-certs.sh certs</userinput></screen>
 
    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
 
-<screen><userinput>install -d ${SSLDIR}/certs        &&
-cp -v certs/*.pem ${SSLDIR}/certs &&
-c_rehash                          &&
-install ca-bundle.crt ${SSLDIR}</userinput></screen>
+<screen><userinput>SSLDIR=/etc/ssl                                     &&
+install -d ${SSLDIR}/certs                          &&
+cp -v certs/*.pem ${SSLDIR}/certs                   &&
+c_rehash                                            &&
+install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
+unset SSLDIR</userinput></screen>
 
    <para>Finally, clean up the current directory:</para>
 
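Review bot: `remove-expired-certs.sh certs` prunes only the staging directory; nothing in the install step touches `${SSLDIR}/certs`, and `cp -v certs/*.pem ${SSLDIR}/certs` adds files without removing any, so a certificate installed by an earlier run of this procedure that has since expired stays in the trust directory with its `c_rehash` link intact. Unless that directory is cleared somewhere outside this hunk, adding `remove-expired-certs.sh ${SSLDIR}/certs &&` before the `c_rehash` line would prune it, and the following `c_rehash` then rebuilds the hash links so no dangling ones remain. The `install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt` line relies on the glob matching exactly one file; if more than one bundle is present, `install` gets several sources and a non-directory target and errors out, which is worth a sentence in the text or a fixed file name.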
@@ -263,7 +297,7 @@
       <segtitle>Installed Directories</segtitle>
 
       <seglistitem>
-        <seg>make-ca.sh and make-cert.pl</seg>
+        <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
         <seg>None</seg>
         <seg>/etc/ssl/certs</seg>
       </seglistitem>
@@ -296,6 +330,18 @@
           </indexterm>
         </listitem>
       </varlistentry>
+
+      <varlistentry id="remove-expired-certs">
+        <term><command>remove-expired-certs.sh</command></term>
+        <listitem>
+          <para>is a utility <application>perl</application> script that 
+          removed expired certificates fom a directory.  The defaut
+          directory is <filename class='directory'>/etc/ssl/ceerts</filename>.</para>
+          <indexterm zone="cacerts remove-expired-certs">
+            <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
    </variablelist>
 
   </sect2>
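Review bot: The new `remove-expired-certs` entry calls the tool a `perl` script, but the script this commit adds starts with `#!/bin/bash`; change `<application>perl</application>` to `<application>bash</application>`. The same paragraph carries four typos that readers will copy: `removed` should be `removes`, `fom` → `from`, `defaut` → `default`, and `/etc/ssl/ceerts` → `/etc/ssl/certs`, the last being the path the script's `DIR=` default actually uses. As a matter of style, `class='directory'` uses single quotes where the neighbouring markup uses double quotes.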



