[Fusionforge-commits] r10220 - in branches/Branch_5_0/gforge: . etc etc/httpd.d

Thorsten Glaser mirabilos at libremir.placard.fr.eu.org
Fri Jul 9 14:49:53 CEST 2010


Author: mirabilos
Date: 2010-07-09 14:49:53 +0200 (Fri, 09 Jul 2010)
New Revision: 10220

Modified:
   branches/Branch_5_0/gforge/etc/gforge.conf.example
   branches/Branch_5_0/gforge/etc/httpd.conf.example
   branches/Branch_5_0/gforge/etc/httpd.d/07maindirhttp.vhost.ssl
   branches/Branch_5_0/gforge/etc/httpd.d/21list.vhost.ssl
   branches/Branch_5_0/gforge/setup
Log:
Add new gforge.conf directive sys_ssl_apache_extra_cmd.

Rationale: some X.509v3 SSL certificates are signed by one or more
intermediate CAs before the Root CA, thus forming a chain of
certification authorities. Since SSL clients usually only keep a store
of Root CAs, the intermediates must be delivered to them by the SSL
server (here, the Apache webserver). The new command defaults to
empty, but here’s a usage example:

sys_sslcrt=/etc/ssl/myforge.cer
sys_sslkey=/etc/ssl/private/myforge.key
sys_ssl_apache_extra_cmd=SSLCertificateChainFile /etc/ssl/class3.crt

In this example, myforge.key is the RSA secret key, myforge.cer the
public key signed by the CAcert.org Class 3 certificate, thus being
the SSL server certificate. The Class 3 certificate is signed by their
Class 1 certificate (Root CA Certificate), which is what we expect the
browser to carry (well, maybe not for CAcert.org but e.g. StartCom,
GoDaddy, Comodo, Verisign/Thawte, …). Thus, in order to validate the
myforge.cer the browser needs to first check if the signature of
class1.crt (which it has) on class3.crt (which we send out) is valid,
then whether the signature of class3.crt (which we send out, but has
been validated to trust earlier) on myforge.cer (which we send out and
use for communication) is valid.

People with self-signed certificates, CAcert.org Class 1 signed
certificates, and no SSL at all want to leave this empty, which is also
the default value. Agreed to put into 5.0 only by lolando@ (trunk
will have different SSL mechanisms) so fusionforge.org can have the
Gandi intermediate certificate in its chain.

The FusionForge project does not endorse a̲n̲y̲ certification authority.

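The chain validation the log describes, as an added shell example that is not part of this commit or of FusionForge: it builds a throwaway Root CA, an intermediate named class3.crt and a server certificate named myforge.cer with openssl (all subjects, file names and the temporary directory are constructed), then checks with `openssl verify` that a client holding only the root rejects myforge.cer on its own and accepts it once class3.crt is supplied alongside, which is what SSLCertificateChainFile makes Apache do.

```shell
#!/bin/sh
# Added example, not FusionForge code: reproduce the Root CA -> Class 3 ->
# myforge.cer chain from the commit log with openssl and show why the
# intermediate has to be sent by the server. Names and paths are constructed.

# Minimal openssl config so the example does not depend on the system
# openssl.cnf; $1 is the file to write, $2 the subject CN.
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# build_chain DIR: root.crt (self-signed, the part a browser carries),
# class3.crt (intermediate signed by root) and myforge.cer/myforge.key
# (server certificate signed by the intermediate).
build_chain() {
  d=$1
  mkdir -p "$d"
  write_cnf "$d/root.cnf" "Example Root CA"
  write_cnf "$d/int.cnf"  "Example Class 3 CA"
  write_cnf "$d/leaf.cnf" "myforge.example.org"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$d/root.cnf" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/int.cnf" -keyout "$d/class3.key" -out "$d/class3.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/class3.csr" \
    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/int.cnf" -extensions ca_ext -out "$d/class3.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/leaf.cnf" -keyout "$d/myforge.key" -out "$d/myforge.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/myforge.csr" \
    -CA "$d/class3.crt" -CAkey "$d/class3.key" -CAcreateserial \
    -extfile "$d/leaf.cnf" -extensions leaf_ext -out "$d/myforge.cer" 2>/dev/null
}

# Client trusts only root.crt; server sends just myforge.cer. Fails, because
# the signer (class3) is neither in the store nor in the handshake.
verify_without_chain() {
  openssl verify -CAfile "$1/root.crt" "$1/myforge.cer" >/dev/null 2>&1
}

# Same client, but class3.crt arrives alongside (what SSLCertificateChainFile
# sends); it is only an untrusted hint and must itself chain to root.crt.
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/class3.crt" \
    "$1/myforge.cer" >/dev/null 2>&1
}

# chain_needed DIR: succeeds when the intermediate is both required and
# sufficient, i.e. the situation the new gforge.conf directive is for.
chain_needed() {
  if verify_without_chain "$1"; then return 1; fi
  verify_with_chain "$1"
}

demo() {
  d=$(mktemp -d)
  build_chain "$d"
  if chain_needed "$d"; then
    echo "myforge.cer validates only with class3.crt sent alongside:"
    echo "  sys_ssl_apache_extra_cmd=SSLCertificateChainFile $d/class3.crt"
  else
    echo "unexpected result: check openssl availability and output"
  fi
  rm -rf "$d"
}
demo
```

The `-CAfile` argument plays the role of the browser's root store and `-untrusted` the role of the chain file; the chain file is never trusted by itself, which is why a self-signed or directly root-signed server certificate gains nothing from the directive and should leave it empty as the log says.
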
Modified: branches/Branch_5_0/gforge/etc/gforge.conf.example
===================================================================
--- branches/Branch_5_0/gforge/etc/gforge.conf.example	2010-07-09 12:48:31 UTC (rev 10219)
+++ branches/Branch_5_0/gforge/etc/gforge.conf.example	2010-07-09 12:49:53 UTC (rev 10220)
@@ -94,6 +94,7 @@
 sys_plugins_path=/usr/share/gforge/plugins/
 sys_sslcrt=/etc/apache2/ssl/apache.pem
 sys_sslkey=/etc/apache2/ssl/apache.pem
+sys_ssl_apache_extra_cmd=SSLCertificateChainFile /etc/ssl/chain.pem
 noreply_to_bitbucket=true
 sys_simple_dns=true
 sys_apache_user=www-gforge
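Review bot: the example value `sys_ssl_apache_extra_cmd=SSLCertificateChainFile /etc/ssl/chain.pem` contradicts the empty default this same patch puts into setup and the log's advice that self-signed, Class-1-only and non-SSL installs leave it empty; an admin who copies gforge.conf.example verbatim ends up with an Apache that refuses to start because /etc/ssl/chain.pem does not exist. Suggest shipping the line commented out, e.g. `#sys_ssl_apache_extra_cmd=SSLCertificateChainFile /etc/ssl/chain.pem`, with a one-line comment that the value is inserted verbatim as an Apache directive into both SSL vhosts.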

Modified: branches/Branch_5_0/gforge/etc/httpd.conf.example
===================================================================
--- branches/Branch_5_0/gforge/etc/httpd.conf.example	2010-07-09 12:48:31 UTC (rev 10219)
+++ branches/Branch_5_0/gforge/etc/httpd.conf.example	2010-07-09 12:49:53 UTC (rev 10220)
@@ -154,6 +154,7 @@
 		SSLEngine on
 		SSLCertificateFile /etc/apache2/ssl/apache.pem
 		SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
+		SSLCertificateChainFile /etc/apache2/ssl/chain.pem
 		<Files ~ "\.(cgi|shtml)$">
 			SSLOptions +StdEnvVars
 		</Files>
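Review bot: same concern for httpd.conf.example: `SSLCertificateChainFile /etc/apache2/ssl/chain.pem` is added unconditionally next to the apache.pem cert/key pair, so this example only works once that file exists. Either comment it out or add a comment that it is only needed when the server certificate is signed by an intermediate CA rather than directly by a root, and that chain.pem must contain only the intermediate certificate(s), ordered from the server certificate's issuer upwards, without the server certificate itself.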

Modified: branches/Branch_5_0/gforge/etc/httpd.d/07maindirhttp.vhost.ssl
===================================================================
--- branches/Branch_5_0/gforge/etc/httpd.d/07maindirhttp.vhost.ssl	2010-07-09 12:48:31 UTC (rev 10219)
+++ branches/Branch_5_0/gforge/etc/httpd.d/07maindirhttp.vhost.ssl	2010-07-09 12:49:53 UTC (rev 10220)
@@ -87,6 +87,7 @@
 		SSLEngine on
 		SSLCertificateFile {sys_sslcrt}
 		SSLCertificateKeyFile {sys_sslkey}
+		{sys_ssl_apache_extra_cmd}
 		<Files ~ "\.(cgi|shtml)$">
 			SSLOptions +StdEnvVars
 		</Files>
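Review bot: `{sys_ssl_apache_extra_cmd}` is substituted verbatim into the vhost, so the setting is effectively an arbitrary single-line Apache directive rather than a chain file path; that is acceptable because gforge.conf is written by the administrator, but the gforge.conf.example comment should say so and note that only one directive fits. Please also confirm the template generator tolerates the empty default from setup here: an indented blank line is harmless to Apache, but a generator that errors on or strips empty placeholders would break every non-chained install.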

Modified: branches/Branch_5_0/gforge/etc/httpd.d/21list.vhost.ssl
===================================================================
--- branches/Branch_5_0/gforge/etc/httpd.d/21list.vhost.ssl	2010-07-09 12:48:31 UTC (rev 10219)
+++ branches/Branch_5_0/gforge/etc/httpd.d/21list.vhost.ssl	2010-07-09 12:49:53 UTC (rev 10220)
@@ -6,6 +6,7 @@
 		SSLEngine on
 		SSLCertificateFile {sys_sslcrt}
 		SSLCertificateKeyFile {sys_sslkey}
+		{sys_ssl_apache_extra_cmd}
 		<Files ~ "\.(cgi|shtml)$">
 			SSLOptions +StdEnvVars
 		</Files>
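Review bot: 21list.vhost.ssl receives the identical insertion, so the two SSL vhosts stay in sync; before merging, a grep for `SSLCertificateKeyFile {sys_sslkey}` across etc/httpd.d would confirm no other SSL vhost template was missed, since a vhost without the placeholder would serve myforge.cer without its chain and fail validation in exactly the way the log describes.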

Modified: branches/Branch_5_0/gforge/setup
===================================================================
--- branches/Branch_5_0/gforge/setup	2010-07-09 12:48:31 UTC (rev 10219)
+++ branches/Branch_5_0/gforge/setup	2010-07-09 12:49:53 UTC (rev 10220)
@@ -125,6 +125,7 @@
 	DEFAULTsys_plugins_path=$SHAREDIR/plugins/
 	DEFAULTsys_sslcrt=$(findcrt)
 	DEFAULTsys_sslkey=$(findkey)
+	DEFAULTsys_ssl_apache_extra_cmd=
 	DEFAULTnoreply_to_bitbucket=true
 	DEFAULTsys_simple_dns=true
 	DEFAULTsys_apache_user=$(findapacheowner)
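Review bot: the empty default is right, but unlike the neighbouring DEFAULT* values this one is meant to hold a directive with embedded whitespace (`SSLCertificateChainFile /path`); please make sure the code that reads gforge.conf and substitutes into the vhost templates neither word-splits nor re-quotes the value, otherwise the directive reaches the vhost mangled. Setting the log's example value and diffing the generated vhost is a quick check.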
