Sophie

w3m-0.4.1-1mdk.ppc.rpm

About SSL support

                                                         (2000/11/07)  K. Okabe
                                                        okabek@guitar.ocn.ne.jp
                                                   (2001/12/27)  Fumitoshi UKAI
                                                              ukai@debian.or.jp

 * SSL is supported through the OpenSSL library.
    Install it beforehand.

 * SSL support becomes available when you choose "5 - Monster model" or
    "6 - Customize" while running the configure script.
    If it does not work, check config.h. To use SSL, the USE_SSL macro must be
    defined in config.h.
    To use SSL certificate verification as well, also check the
    USE_SSL_VERIFY macro.
    If compilation fails, make sure that the linker flags include
    `-lssl -lcrypto' and that the compiler flags include
    '-I(directory containing the SSLeay/OpenSSL headers)'.

    You can tell whether SSL support is enabled by checking whether the
    Option Setting Panel contains "SSL Settings".
   
 * The following SSL settings are available:

    ssl_forbid_method
        List of SSL methods not to use (2: SSLv2, 3: SSLv3, t: TLSv1)
        (default is <NULL>).
    ssl_verify_server ON/OFF
        Perform SSL server verification (default is OFF).
    ssl_cert_file filename
        PEM-format certificate file for the SSL client (default is <NULL>).
    ssl_key_file filename
        PEM-format private key file for the SSL client (default is <NULL>).
    ssl_ca_path directory
        Path to a directory containing the PEM-format certificates of SSL
        certificate authorities (default is <NULL>).
    ssl_ca_file filename
        File containing the PEM-format certificates of SSL certificate
        authorities (default is <NULL>).
    However, unless the environment has "SSLEAY_VERSION_NUMBER >= 0x0800",
    this only adds useless code, so it is better to disable it at configure
    time.

    Also, when verification is actually performed, server verification does
    not succeed unless the certificate of the certificate authority that
    signed the server's key is specified with ssl_ca_path or ssl_ca_file
    (regardless of whether ssl_verify_server is ON or OFF).

    Certificates of commonly used certificate authorities can be obtained
    from, for example, the following places.

    * The certificates extracted as *.pem files, with the attached ruby
      script, from
       mozilla/security/nss/lib/ckfw/builtins/certdata.txt
      which is included in the mozilla source

	% ruby certdata2pem.rb < certdata.txt

      extracts the *.pem files into the current directory and
      creates the hash symlinks with the openssl c_rehash command.
      You can set ssl_ca_path to this directory.
      Alternatively, if you create a single file that combines the *.pem
      files, you can set ssl_ca_file to that file.

    * pkg.sslcfg/ca-bundle.crt, which is included in the mod_ssl source
      This file is PEM, so you can set ssl_ca_file to the full path name
      of this file.

 * OpenSSL library version 0.9.5 and later needs some seed to be set in order
    to initialize its random number generator.
    By default /dev/urandom is used if it exists; if it does not, the seed is
    generated inside w3m. If EGD (Entropy Gathering Daemon) or PRNGD (Pseudo
    Random Number Generator Daemon) is available in your environment and you
    want to use it, check the USE_EGD macro.

 * URL

    OpenSSL - http://www.openssl.org/
    PRNGD - http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
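
The settings listed above interact: ssl_verify_server is OFF by default, and verification cannot succeed without ssl_ca_path or ssl_ca_file. The following Ruby check is an added example, not part of w3m or of the original README; it audits a config file for those options. The config syntax it parses, the sample configs, the placeholder bundle path and the choice to flag SSLv2 and SSLv3 when they are not forbidden are assumptions of this example.

```ruby
# Added example: audit the SSL options this README documents.
# Assumed config syntax (not stated in the README): one "name value" pair
# per line, "#" comment lines, and 1/on/yes/true all meaning ON.
W3M_SSL_KEYS = %w[ssl_forbid_method ssl_verify_server ssl_cert_file
                  ssl_key_file ssl_ca_path ssl_ca_file].freeze

SAMPLE_DEFAULT = <<~CFG    # constructed sample: everything left at its default
  ssl_verify_server 0
  ssl_forbid_method
CFG

SAMPLE_HARDENED = <<~CFG   # constructed sample; the bundle path is a placeholder
  ssl_verify_server 1
  ssl_forbid_method 2, 3
  ssl_ca_file /path/to/ca-bundle.crt
CFG

def parse_w3m_config(text)
  text.each_line.with_object({}) do |raw, opts|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    name, value = line.split(/\s+/, 2)
    opts[name] = value.to_s.strip if W3M_SSL_KEYS.include?(name)
  end
end

# Returns a list of findings; `exist` is injectable so the check runs offline.
def audit_w3m_ssl(text, exist: File.method(:exist?))
  opts = parse_w3m_config(text)
  findings = []
  unless opts["ssl_verify_server"].to_s.match?(/\A(1|on|yes|true)\z/i)
    findings << "ssl_verify_server is OFF: server certificates are not verified"
  end
  ca = opts.values_at("ssl_ca_path", "ssl_ca_file").compact.reject(&:empty?)
  if ca.empty?
    findings << "no ssl_ca_path/ssl_ca_file: server verification cannot succeed"
  else
    ca.each { |p| findings << "CA location missing: #{p}" unless exist.call(p) }
  end
  forbidden = opts["ssl_forbid_method"].to_s.downcase.scan(/[23t]/)
  %w[2 3].each { |m| findings << "SSLv#{m} is not in ssl_forbid_method" unless forbidden.include?(m) }
  findings
end

if __FILE__ == $0
  { "default" => SAMPLE_DEFAULT, "hardened" => SAMPLE_HARDENED }.each do |name, cfg|
    puts "#{name}: #{audit_w3m_ssl(cfg, exist: ->(_p) { true }).inspect}"
  end
end
```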

----------------------------------------------------------------
#!/usr/bin/ruby
# Copyright (c) 2001 Fumitoshi UKAI <ukai@debian.or.jp>
#     All rights reserved.
#     This is free software with ABSOLUTELY NO WARRANTY.
#
# You can redistribute it and/or modify it under the terms of 
# the Ruby's licence.
#
# certdata2pem.rb

while line = $stdin.gets
  next if line =~ /^#/
  next if line =~ /^\s*$/
  line.chomp!
  if line =~ /CKA_LABEL/
    label,type,val = line.split(' ',3)
    val.sub!(/^"/, "")
    val.sub!(/"$/, "")
    fname = val.gsub(/\//,"_").gsub(/\s+/, "_").gsub(/[()]/, "=") + ".pem"
    next
  end
  if line =~ /CKA_VALUE MULTILINE_OCTAL/
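    data = ''.b   # DER bytes are binary, not text
    while line = $stdin.gets
      break if line =~ /^END/
      line.chomp!
      # each \NNN octal escape is one byte of the certificate
      line.scan(/\\([0-3][0-7][0-7])/) { data << $1.oct.chr }
    end
    # File.open rather than Kernel#open: fname is derived from CKA_LABEL,
    # and Kernel#open treats a leading "|" as a command to run
    File.open(fname, "w") do |fp|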
      fp.puts "-----BEGIN CERTIFICATE-----"
      fp.puts [data].pack("m*")
      fp.puts "-----END CERTIFICATE-----"
    end
    puts "Created #{fname}"
  end
end
system("c_rehash", ".")