Accepting request 263227 from home:pgajdos

- small improvement of ssl instructions [bnc#891813] OBS-URL: https://build.opensuse.org/request/show/263227 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=421
2014-11-27 13:45:11 +00:00 · 2014-11-27 13:45:11 +00:00 · f64d31d835
commit f64d31d835
parent bf5cc252d9
3 changed files with 23 additions and 12 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Nov 27 13:38:25 UTC 2014 - pgajdos@suse.com
+
+- small improvement of ssl instructions [bnc#891813]
+
 -------------------------------------------------------------------
 Sun Nov 09 00:57:00 UTC 2014 - Led <ledest@gmail.com>

--- a/4
+++ b/4
@ -182,14 +182,14 @@ modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e
 modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`

 if [ ".$modcrt" != ".$modkey" ]; then
-    error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
+    error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
 fi

 echo;myecho Verify: matching certificate signature
    $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
 if [ $? -ne 0 ]; then
-    error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
+    error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
 fi

--- a/sysconfig.apache2
+++ b/sysconfig.apache2
@ -51,16 +51,22 @@ APACHE_CONF_INCLUDE_DIRS=""
 # * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
 #   You may also name an absolute path if you like.
 #
-# * NOTE ON SSL: before you can use mod_ssl, you need a server certificate. 
-#   A test certificate can be created by (as root):
-#   cd /usr/share/doc/packages/apache2; /bin/sh ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ test
-#   Please feel free to have a look at the mkcert.sh script to see how certificates can be created.
-#   Also, you need to set the ServerName inside the <VirtualHost _default_:443> 
-#   block to the fully qualified domain name (see /etc/HOSTNAME).
-# * if your server certificate is protected by a passphrase you should increase the
-#   APACHE_START_TIMEOUT (see above)
-# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS 
-#   below.
+# * NOTES ON SSL: 
+#   1. Before you can use mod_ssl, you need a server certificate. 
+#      A test certificate can be created by entering e. g.
+#
+#      $ gensslcert -n a.com -C a.com -e webmaster@a.com
+#
+#      See gensslcert -h for or gensslcert script itself for details.
+#   2. Also, you need to set the ServerName inside the <VirtualHost _default_:443> 
+#      block to the fully qualified domain name (see /etc/HOSTNAME).
+#   3. If your server certificate is protected by a passphrase you should increase the
+#      APACHE_START_TIMEOUT (see above)
+#   4. Consider to load also socache_shmcb module, see
+#      http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessioncache
+#      for details.
+#   5. To finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS 
+#      below.
 #
 # * modules listed here will be ignored if they are not installed
 #