diff --git a/apache2.changes b/apache2.changes
index 926c891..60aab84 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Nov 27 13:38:25 UTC 2014 - pgajdos@suse.com
+
+- small improvement of ssl instructions [bnc#891813]
+
 -------------------------------------------------------------------
 Sun Nov 09 00:57:00 UTC 2014 - Led
diff --git a/gensslcert b/gensslcert
index 59506fd..9f8916d 100644
--- a/gensslcert
+++ b/gensslcert
@@ -182,14 +182,14 @@ modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e
 modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
 if [ ".$modcrt" != ".$modkey" ]; then
- error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
+ error "gensslcert:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
 myexit $LINENO $?
 fi
 echo;myecho Verify: matching certificate signature
 $openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
 if [ $? -ne 0 ]; then
- error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
+ error "gensslcert:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
 myexit $LINENO $?
 fi
diff --git a/sysconfig.apache2 b/sysconfig.apache2
index 33221f6..897b98c 100644
--- a/sysconfig.apache2
+++ b/sysconfig.apache2
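Review bot: In the gensslcert hunk, the `myexit $LINENO $?` after each reworded `error` call receives the status of `error`, not of the failed check, so a key/certificate modulus mismatch may end with exit status 0; a fixed failure code, `myexit $LINENO 1`, avoids that. The second block, `if [ $? -ne 0 ]`, looks unreachable as written, because the preceding `$openssl verify ... || myexit $LINENO $?` leaves `$?` at 0 whenever execution continues (assuming `myexit` exits). The modulus comparison also passes when both values are empty, since the `|| myexit` inside the backticks only sees the status of `sed` and runs in the substitution's subshell; a guard such as `[ -n "$modcrt" ] || myexit $LINENO 1` before the `if` would make an openssl failure fatal. `error` and `myexit` are defined outside the hunk, so their behaviour should be confirmed before changing this.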
@@ -51,16 +51,22 @@ APACHE_CONF_INCLUDE_DIRS=""
 # * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
 # You may also name an absolute path if you like.
 #
-# * NOTE ON SSL: before you can use mod_ssl, you need a server certificate.
-# A test certificate can be created by (as root):
-# cd /usr/share/doc/packages/apache2; /bin/sh ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ test
-# Please feel free to have a look at the mkcert.sh script to see how certificates can be created.
-# Also, you need to set the ServerName inside the
-# block to the fully qualified domain name (see /etc/HOSTNAME).
-# * if your server certificate is protected by a passphrase you should increase the
-# APACHE_START_TIMEOUT (see above)
-# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
-# below.
+# * NOTES ON SSL:
+# 1. Before you can use mod_ssl, you need a server certificate.
+# A test certificate can be created by entering e. g.
+#
+# $ gensslcert -n a.com -C a.com -e webmaster@a.com
+#
+# See gensslcert -h for or gensslcert script itself for details.
+# 2. Also, you need to set the ServerName inside the
+# block to the fully qualified domain name (see /etc/HOSTNAME).
+# 3. If your server certificate is protected by a passphrase you should increase the
+# APACHE_START_TIMEOUT (see above)
+# 4. Consider to load also socache_shmcb module, see
+# http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessioncache
+# for details.
+# 5. To finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
+# below.
 #
 # * modules listed here will be ignored if they are not installed
 #
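Review bot: Step 1 of the new SSL notes drops the old "(as root)" hint and shows a `$` prompt, which reads as an unprivileged shell; if gensslcert writes into the Apache key and certificate directories (its hunk uses `$sslkeydir` and `$sslcrtdir`), the line should keep the hint, e.g. `# A test certificate can be created by entering (as root) e. g.`. The sentence after the example has a wording slip ("for or"); `# See gensslcert -h or the gensslcert script itself for details.` reads correctly. The sample values use a.com, which is a registered domain; a reserved name such as `example.com` is safer in copy-paste instructions, ideally with a remark that the common name should be the server's own FQDN from step 2.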