About SSL support

(2000/11/07) 岡部克也 (Katsuya Okabe) okabek@guitar.ocn.ne.jp
(2001/12/27) 鵜飼文敏 (Fumitoshi Ukai) ukai@debian.or.jp

- SSL is supported through the OpenSSL library. Install it beforehand.

- SSL support becomes available when you choose "5 - Monster model" or
  "6 - Customize" while running the configure script.
  If it does not work, check config.h. To use SSL, the USE_SSL macro must be
  defined in config.h. If you also want SSL certificate verification support,
  check the USE_SSL_VERIFY macro as well.
  If compilation fails, confirm that the linker flags contain
  `-lssl -lcrypto' and that the compiler flags contain
  '-I(directory containing the SSLeay/OpenSSL headers)'.
  You can tell whether SSL support is enabled by checking whether the
  Option Setting Panel contains an "SSL settings" section.

- The following SSL settings are available:

    ssl_forbid_method   list of SSL methods not to use
                        (2: SSLv2, 3: SSLv3, t: TLSv1) (default <NULL>).
    ssl_verify_server   ON/OFF  perform SSL server verification (default OFF).
    ssl_cert_file       file name  PEM-format client certificate file for SSL
                        (default <NULL>).
    ssl_key_file        file name  PEM-format client private key file for SSL
                        (default <NULL>).
    ssl_ca_path         directory name  path to a directory holding the
                        PEM-format certificates of the certificate
                        authorities (default <NULL>).
    ssl_ca_file         file name  file holding the PEM-format certificates
                        of the certificate authorities (default <NULL>).

  Note that unless the environment has "SSLEAY_VERSION_NUMBER >= 0x0800",
  this only adds useless code, so it is better to disable it at configure
  time.
  Also, when verification is actually performed, server verification will not
  succeed unless the certificate of the certificate authority that signed the
  server's key is specified via ssl_ca_path or ssl_ca_file (regardless of
  whether ssl_verify_server is ON or OFF).
  The commonly used certificate authority certificates can be obtained from
  places such as the following:
   * mozilla/security/nss/lib/ckfw/builtins/certdata.txt, included in the
     mozilla source, extracted into *.pem files with the attached ruby script:
       % ruby certdata2pem.rb < certdata.txt
     This extracts the *.pem files into the current directory and creates the
     hash symlinks with openssl's c_rehash command.
     This directory can be set as ssl_ca_path.
     Alternatively, if you create a single file that concatenates the *.pem
     files, that file can be set as ssl_ca_file.
   * pkg.sslcfg/ca-bundle.crt, included in the mod_ssl source.
     This is PEM, so the full path name of this file can be set as
     ssl_ca_file.

- OpenSSL library versions 0.9.5 and later require some seed to be set in
  order to initialize the random number generator.
  By default /dev/urandom is used if it exists; otherwise the seed is
  generated inside w3m.
  If EGD (Entropy Gathering Daemon) or PRNGD (Pseudo Random Number Generator
  Daemon) is available in your environment and you want to use it, check the
  USE_EGD macro.

- URL
  OpenSSL - http://www.openssl.org/
  PRNGD - http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

----------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) 2001 Fumitoshi UKAI <ukai@debian.or.jp>
# All rights reserved.
# This is free software with ABSOLUTELY NO WARRANTY.
#
# You can redistribute it and/or modify it under the terms of
# the Ruby's licence.
#
# certdata2pem.rb
#
# Reads Mozilla's certdata.txt on stdin, writes one PEM file per
# certificate into the current directory, then runs c_rehash there.

fname = nil
while line = $stdin.gets
  next if line =~ /^#/       # comment line
  next if line =~ /^\s*$/    # blank line
  line.chomp!
  if line =~ /CKA_LABEL/
    # e.g.  CKA_LABEL UTF8 "Some Root CA"  ->  Some_Root_CA.pem
    _label, _type, val = line.split(' ', 3)
    val.sub!(/^"/, "")
    val.sub!(/"$/, "")
    fname = val.gsub(/\//, "_").gsub(/\s+/, "_").gsub(/[()]/, "=") + ".pem"
    next
  end
  if line =~ /CKA_VALUE MULTILINE_OCTAL/
    # The DER bytes follow as octal escapes (\060\202...) up to a line "END".
    data = ''.b
    while line = $stdin.gets
      break if line =~ /^END/
      line.chomp!
      line.scan(/\\([0-3][0-7][0-7])/) { data << $1.oct.chr }
    end
    open(fname, "w") do |fp|
      fp.puts "-----BEGIN CERTIFICATE-----"
      fp.puts [data].pack("m*")   # base64, wrapped at 60 characters per line
      fp.puts "-----END CERTIFICATE-----"
    end
    puts "Created #{fname}"
  end
end
system("c_rehash", ".")
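The README's point that server verification only succeeds when the signing CA is reachable through ssl_ca_path or ssl_ca_file can be checked without any network access. The Ruby program below is an added example, not part of w3m or of the README and not the author's script: it builds a throwaway CA and a server certificate in memory, writes the CA certificate into a directory laid out the way c_rehash lays it out (a file named <subject-hash>.0, which is what an OpenSSL ssl_ca_path lookup opens), and then verifies the server certificate three ways: with no CA at all, through the hashed directory, and through a single bundle file. The helper names make_cert, write_hashed_ca_dir, verify_server_cert and demo are hypothetical; only Ruby's standard openssl library is used.

```ruby
#!/usr/bin/ruby
# Added example (not part of w3m): CA directory layout and verification.
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper: build an X.509 v3 certificate. With issuer_cert nil
# the certificate is self-signed (our throwaway CA).
def make_cert(subject, key, issuer_cert, issuer_key, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                           # X.509 v3, so extensions count
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:www.example.test', false))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical helper: what `c_rehash <dir>` does for one CA certificate.
# The by-directory lookup used for ssl_ca_path opens "<subject hash>.<n>",
# with the hash printed as eight lowercase hex digits.
def write_hashed_ca_dir(dir, ca_cert)
  FileUtils.mkdir_p(dir)
  path = File.join(dir, format('%08x.0', ca_cert.subject.hash))
  File.write(path, ca_cert.to_pem)
  path
end

# Hypothetical helper: verify a server certificate against a store fed the
# same way w3m's ssl_ca_path / ssl_ca_file settings feed OpenSSL.
# Returns [true, 'ok'] or [false, <OpenSSL error string>].
def verify_server_cert(server_cert, ca_path: nil, ca_file: nil)
  store = OpenSSL::X509::Store.new
  store.add_path(ca_path) if ca_path
  store.add_file(ca_file) if ca_file
  ok = store.verify(server_cert)
  [ok, ok ? 'ok' : store.error_string]
end

# Constructed scenario: one CA, one server certificate it signed.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Example Test CA', ca_key, nil, nil, serial: 1, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert('/CN=www.example.test', srv_key, ca_cert, ca_key,
                       serial: 2, ca: false)
  Dir.mktmpdir do |tmp|
    ca_dir = File.join(tmp, 'certs')            # candidate for ssl_ca_path
    write_hashed_ca_dir(ca_dir, ca_cert)
    bundle = File.join(tmp, 'ca-bundle.crt')    # candidate for ssl_ca_file
    File.write(bundle, ca_cert.to_pem)
    {
      none:    verify_server_cert(srv_cert),                   # no CA given
      ca_path: verify_server_cert(srv_cert, ca_path: ca_dir),  # hashed dir
      ca_file: verify_server_cert(srv_cert, ca_file: bundle),  # bundle file
    }
  end
end

if __FILE__ == $0
  demo.each { |name, (ok, msg)| puts "#{name}: #{ok} (#{msg})" }
end
```

Running the script prints one line per case: the first fails because the store has no issuer for the server certificate, the other two succeed. The directory variant writes a plain file rather than the symlink c_rehash creates; OpenSSL accepts either. The file name uses OpenSSL's current (SHA-1 based) subject-name hash, so it differs from the names a pre-1.0 c_rehash would have produced for the same certificate.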