INN commit: branches/2.5 (8 files)
INN Commit
rra at isc.org
Sat Jun 20 14:17:23 UTC 2009
Date: Saturday, June 20, 2009 @ 07:17:23
Author: iulius
Revision: 8525
* Change the default value for TLS certificates from <pathlib>
to <pathetc>.
* Add a default value to tlscapath because it is required by
nnrpd when TLS is used.
* Improve the TLS documentation.
Modified:
branches/2.5/Makefile
branches/2.5/doc/pod/inn.conf.pod
branches/2.5/doc/pod/news.pod
branches/2.5/doc/pod/nnrpd.pod
branches/2.5/lib/innconf.c
branches/2.5/samples/inn.conf.in
branches/2.5/tests/data/upgrade/inn.conf.ok
branches/2.5/tests/data/upgrade/sasl.conf
--------------------------------+
Makefile | 16 ++++++++--------
doc/pod/inn.conf.pod | 8 ++++----
doc/pod/news.pod | 8 ++++++++
doc/pod/nnrpd.pod | 21 +++++++++++++++------
lib/innconf.c | 8 +++++---
samples/inn.conf.in | 6 +++---
tests/data/upgrade/inn.conf.ok | 8 ++++----
tests/data/upgrade/sasl.conf | 8 ++++----
8 files changed, 51 insertions(+), 32 deletions(-)
Modified: Makefile
===================================================================
--- Makefile 2009-06-20 14:15:20 UTC (rev 8524)
+++ Makefile 2009-06-20 14:17:23 UTC (rev 8525)
@@ -130,14 +130,14 @@
## Install a certificate for TLS/SSL support.
cert:
$(SSLBIN) req -new -x509 -nodes \
- -out $(D)$(PATHLIB)/cert.pem -days 366 \
- -keyout $(D)$(PATHLIB)/key.pem
- chown $(RUNASUSER) $(D)$(PATHLIB)/cert.pem
- chgrp $(RUNASGROUP) $(D)$(PATHLIB)/cert.pem
- chmod 640 $(D)$(PATHLIB)/cert.pem
- chown $(RUNASUSER) $(D)$(PATHLIB)/key.pem
- chgrp $(RUNASGROUP) $(D)$(PATHLIB)/key.pem
- chmod 600 $(D)$(PATHLIB)/key.pem
+ -out $(D)$(PATHETC)/cert.pem -days 366 \
+ -keyout $(D)$(PATHETC)/key.pem
+ chown $(RUNASUSER) $(D)$(PATHETC)/cert.pem
+ chgrp $(RUNASGROUP) $(D)$(PATHETC)/cert.pem
+ chmod 640 $(D)$(PATHETC)/cert.pem
+ chown $(RUNASUSER) $(D)$(PATHETC)/key.pem
+ chgrp $(RUNASGROUP) $(D)$(PATHETC)/key.pem
+ chmod 600 $(D)$(PATHETC)/key.pem
## Cleanup targets. clean deletes all compilation results but leaves the
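Review bot: The private key written by the `-keyout` line is created with the caller's umask and only tightened by the separate `chmod 600` recipe line several steps later, so under a permissive umask the unencrypted key (`-nodes`) is briefly world-readable at `$(D)$(PATHETC)/key.pem`; the same window existed with the old `$(PATHLIB)` paths. Since each recipe line runs in its own shell, set the umask on the same line as the openssl call: `umask 077; $(SSLBIN) req -new -x509 -nodes \`. The later `chmod 640` still widens cert.pem as intended. Re-running `make cert` also silently replaces an existing key and certificate; a `test ! -e $(D)$(PATHETC)/key.pem` guard (or a comment stating that overwriting is intended) would make that explicit. Whether `cert` is declared `.PHONY` is outside the hunk.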
Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod 2009-06-20 14:15:20 UTC (rev 8524)
+++ doc/pod/inn.conf.pod 2009-06-20 14:17:23 UTC (rev 8525)
@@ -1002,14 +1002,14 @@
certificates. Each file in the directory should contain one CA
certificate, and the name of the file should be the CA subject name hash
value. See the OpenSSL documentation for more information. This
-parameter is only used if B<nnrpd> is built with TLS/SSL support. There
-is no default value.
+parameter is only used if B<nnrpd> is built with TLS/SSL support. The
+default value is I<pathetc>.
=item I<tlscertfile>
The path to a file containing the server certificate to present to
TLS clients. This parameter is only used if B<nnrpd> is built with TLS/SSL
-support. The default value is I<pathnews>/lib/cert.pem.
+support. The default value is I<pathetc>/cert.pem.
=item I<tlskeyfile>
@@ -1019,7 +1019,7 @@
the same file (if, for example, you gave the same file name to both the
B<-out> and B<-keyout> options to C<openssl req>). This parameter is only
used if B<nnrpd> is built with TLS/SSL support. The default value is
-I<pathnews>/lib/key.pem.
+I<pathetc>/key.pem.
This file must only be readable by the news user or B<nnrpd> will refuse to
use it.
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2009-06-20 14:15:20 UTC (rev 8524)
+++ doc/pod/news.pod 2009-06-20 14:17:23 UTC (rev 8525)
@@ -29,6 +29,14 @@
(especially a random portion of some other header). The desired header
name is now explicitly searched in the overview information.
+=item *
+
+The default path for TLS certificates has changed from I<pathlib> to
+I<pathetc>. It only affects new INN installations or generations of
+certificates with C<make cert>. Besides, a default value has been
+added to I<tlscapath> because it is required by B<nnrpd> when TLS
+is used.
+
=back
=head1 Upgrading from 2.4 to 2.5
Modified: doc/pod/nnrpd.pod
===================================================================
--- doc/pod/nnrpd.pod 2009-06-20 14:15:20 UTC (rev 8524)
+++ doc/pod/nnrpd.pod 2009-06-20 14:17:23 UTC (rev 8525)
@@ -180,12 +180,12 @@
the default path by running C<make cert> after C<make install> when
installing INN, or by running the following commands:
- openssl req -new -x509 -nodes -out <pathnews>/lib/cert.pem \
- -days 366 -keyout <pathnews>/lib/key.pem
- chown news:news <pathnews>/lib/cert.pem
- chmod 640 <pathnews>/lib/cert.pem
- chown news:news <pathnews>/lib/key.pem
- chmod 600 <pathnews>/lib/key.pem
+ openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
+ -days 366 -keyout <pathetc>/key.pem
+ chown news:news <pathetc>/cert.pem
+ chmod 640 <pathetc>/cert.pem
+ chown news:news <pathetc>/key.pem
+ chmod 600 <pathetc>/key.pem
Replace the paths with something appropriate to your INN installation.
This will create a self-signed certificate that will expire in a year.
@@ -193,6 +193,15 @@
organization. Enter the fully qualified domain name of the server as the
name the certificate is for.
+You then have to set these F<inn.conf> parameters with the right paths:
+
+ tlscapath: <pathetc>
+ tlscertfile: <pathetc>/cert.pem
+ tlskeyfile: <pathetc>/key.pem
+
+In case you have a certificate authority root certificate, you can also
+set I<tlscafile> to its path.
+
Most news clients currently do not use the STARTTLS command, however, and
instead expect to connect to a separate port (563) and start a TLS
negotiation immediately. B<innd> does not, however, know how to listen
Modified: lib/innconf.c
===================================================================
--- lib/innconf.c 2009-06-20 14:15:20 UTC (rev 8524)
+++ lib/innconf.c 2009-06-20 14:17:23 UTC (rev 8525)
@@ -222,7 +222,7 @@
{ K(strippostcc), BOOL (false) },
#ifdef HAVE_SSL
{ K(tlscafile), STRING ("") },
- { K(tlscapath), STRING ("") },
+ { K(tlscapath), STRING (NULL) },
{ K(tlscertfile), STRING (NULL) },
{ K(tlskeyfile), STRING (NULL) },
#endif /* HAVE_SSL */
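Review bot: The new `STRING (NULL)` for tlscapath sits next to `tlscafile`, which stays `STRING ("")`, and nothing in the table says why the two differ; a reader is likely to "fix" one to match the other. A short comment on the tlscapath entry would pin the intent, e.g. `/* NULL: filled in from pathetc by innconf_set_defaults(); tlscafile keeps "" because it has no default. */` (name of the defaults function hedged — it is the function patched in the second hunk of this file, whose header is outside the hunk).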
@@ -364,10 +364,12 @@
/* Defaults used only if TLS (SSL) is supported. */
#ifdef HAVE_SSL
+ if (innconf->tlscapath == NULL)
+ innconf->tlscapath = xstrdup(innconf->pathetc);
if (innconf->tlscertfile == NULL)
- innconf->tlscertfile = concatpath(innconf->pathnews, "lib/cert.pem");
+ innconf->tlscertfile = concatpath(innconf->pathetc, "cert.pem");
if (innconf->tlskeyfile == NULL)
- innconf->tlskeyfile = concatpath(innconf->pathnews, "lib/key.pem");
+ innconf->tlskeyfile = concatpath(innconf->pathetc, "key.pem");
#endif
}
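Review bot: Defaulting tlscapath to the whole configuration directory turns `pathetc` into a CA trust store, yet the added lines carry no comment saying so; per inn.conf.pod every file there named by a CA subject-name hash is loaded as a trust anchor, so anything dropped into the config directory under such a name is trusted without further configuration. Add a why-comment above the new assignment, e.g. `/* Default CA path is pathetc: any subject-hash-named CA certificate placed there becomes a trust anchor. */`. The `xstrdup(innconf->pathetc)` call presumably relies on pathetc having been defaulted earlier in this function (outside the hunk); if that is not guaranteed, a NULL pathetc would be dereferenced here. The enclosing function starts outside the hunk.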
Modified: samples/inn.conf.in
===================================================================
--- samples/inn.conf.in 2009-06-20 14:15:20 UTC (rev 8524)
+++ samples/inn.conf.in 2009-06-20 14:17:23 UTC (rev 8525)
@@ -131,9 +131,9 @@
# Reading and posting -- TLS/SSL support
#tlscafile:
-#tlscapath:
-#tlscertfile: @libdir@/cert.pem
-#tlskeyfile: @libdir@/key.pem
+#tlscapath: @sysconfdir@
+#tlscertfile: @sysconfdir@/cert.pem
+#tlskeyfile: @sysconfdir@/key.pem
# Monitoring
Modified: tests/data/upgrade/inn.conf.ok
===================================================================
--- tests/data/upgrade/inn.conf.ok 2009-06-20 14:15:20 UTC (rev 8524)
+++ tests/data/upgrade/inn.conf.ok 2009-06-20 14:17:23 UTC (rev 8525)
@@ -13,9 +13,9 @@
extraoverviewadvertised: [ Path Keywords Injection-Info ]
# Moved from sasl.conf by innupgrade.
-tlscafile: /usr/local/news/lib/ca.cert
-tlscapath: /usr/local/news/lib/cas
+tlscafile: /usr/local/news/etc/ca.cert
+tlscapath: /usr/local/news/etc/cas
# Our local certificate.
-tlscertfile: /usr/local/news/lib/our.cert
-tlskeyfile: /usr/local/news/lib/our.key
+tlscertfile: /usr/local/news/etc/our.cert
+tlskeyfile: /usr/local/news/etc/our.key
Modified: tests/data/upgrade/sasl.conf
===================================================================
--- tests/data/upgrade/sasl.conf 2009-06-20 14:15:20 UTC (rev 8524)
+++ tests/data/upgrade/sasl.conf 2009-06-20 14:17:23 UTC (rev 8525)
@@ -1,6 +1,6 @@
-tls_ca_file: /usr/local/news/lib/ca.cert
-tls_ca_path: /usr/local/news/lib/cas
+tls_ca_file: /usr/local/news/etc/ca.cert
+tls_ca_path: /usr/local/news/etc/cas
# Our local certificate.
-tls_cert_file: /usr/local/news/lib/our.cert
-tls_key_file: /usr/local/news/lib/our.key
+tls_cert_file: /usr/local/news/etc/our.cert
+tls_key_file: /usr/local/news/etc/our.key