Linux-Bulgaria.ORG

Re: lug-bg: STARTTLS vupros


  • Subject: Re: lug-bg: STARTTLS vupros
  • From: vlk@email.domain.hidden (Vesselin Kolev)
  • Date: Wed, 2 Apr 2003 09:57:18 +0300


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm trying to get sendmail running with STARTTLS support. I compiled
> sendmail with:
>
> define(`confCACERT_PATH',`/usr/local/ssl/certs')dnl
> define(`confCACERT',`/usr/local/ssl/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT',`/usr/local/ssl/certs/host.cert')dnl
> define(`confSERVER_KEY',`/usr/local/ssl/certs/host.key')dnl
> define(`confCLIENT_CERT',`/usr/local/ssl/certs/host.cert')dnl
> define(`confCLIENT_KEY',`/usr/local/ssl/certs/host.key')dnl
> define(`confLOG_LEVEL', 14)dnl
>
>

More precisely, judging from the above, you compiled the file sendmail.cf
with these options from the sendmail.mc prototype.

Hmm :)) The options in the m4 prototype of sendmail.cf are correct.

I think I wrote in the guide what needs to be done, but if you still
haven't understood, I'll try to repeat it in plain language.

   The file ca-bundle.crt contains the certificates of the CAs around the
world, or ones that you have added yourself. You don't pay for these
certificates. The same certificates are also found in the browsers. If you
want to have these certificates so that sendmail starts with TLS support,
I can send them to you, but at your own risk. Because, as you realise, I
could slip you fake certificates. Your task will be to check the
fingerprints of the CA certificates and see whether they are right. You'll
compare them with the ones in the browsers.

Let's briefly clarify what the role of certificates in TLS is:
when you try to connect to another MTA, you fetch that MTA's
certificate and verify it using the certificate of the CA that signed it.
That CA certificate must be located in the file ca-bundle.crt. If it is
not there, there is no way to verify the certificate, and you are as good
as a victim of a "man-in-the-middle" (also known as a "proxy attack").

As a rule, with me these CA certificates come as part of RedHat and Mandrake,
but in general that is not mandatory. They may not come, and you put them
in yourself.

Of course, one way out is to create an empty ca-bundle file with no
certificates in it. Then there will be no errors in syslog, but there will
be no TLS support either, because there will be no certificates to verify
against.

> and of course it'll give me an error, because I haven't requested a cert:
>
> sendmail[398]: [ID 702911 mail.warning] STARTTLS=server: file
> /usr/local/ssl/certs/ca-bundle.crt unsafe: No such file or directory
>
> ca-bundle.crt should contain the info after I submit
> request.csr, according to http://www.lcpe.uni-sofia.bg/linuxdoc/sendmail/tls.html
>
> So my question is: can I run STARTTLS without having to pay
> for a cert? What happens if I remove ca-bundle.crt from sendmail.mc?
<em class="quotelev1">>

Yes, it's possible if you use self-signed certificates. But they are only
for test use.

Actually, read this so that it becomes clearer to you:

http://www.linuxjournal.com/article.php?sid=4823

and this:

http://www.lcpe.uni-sofia.bg/linuxdoc/CA

  Regards
     Vesselin Kolev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ionV+48lZPXaa+MRAuObAJsHjgwodSTZQqTtp5clYIoB+QIftACghh49
tOke+gpCbSx7SDjsL6Ctzk4=
=J3lB
-----END PGP SIGNATURE-----

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
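The reply above makes two points that are easy to see for yourself on the shell: a peer certificate only verifies when the CA that signed it is in the bundle handed to the TLS client, and a bundle someone sends you should be trusted only after its CA fingerprints have been checked. The script below is an added example, not part of the original post; it assumes only that the openssl command-line tool is installed. Every file it touches lives in a temporary directory: a throwaway CA standing in for one entry of ca-bundle.crt, a host key and CSR signed by that CA (the request.csr flow the question refers to), an empty bundle of the kind the reply mentions, and a second, unrelated CA that issues a certificate for the same host name, which is exactly what an untrusted issuer looks like to the verifier. The CA names and the host name mail.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA: $1 = output prefix, $2 = CA name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a host certificate via a CSR: $1 = CA prefix, $2 = output prefix, $3 = host name.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.cert" 2>/dev/null
}

# The check a TLS client performs on the peer certificate: does it chain to a
# CA in the bundle? Returns 0 only when openssl reports the chain as OK.
verify_peer() {
    # $1 = CA bundle, $2 = peer certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# SHA-1 fingerprint of a CA certificate: the value to compare by hand with the
# copy in the browser's store before trusting a bundle someone sent you.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

make_ca "$WORK/good-ca" "Trusted Test CA"      # constructed CA name
make_ca "$WORK/rogue-ca" "Some Other CA"       # constructed, not in any bundle
issue_cert "$WORK/good-ca" "$WORK/host" "mail.example.test"
issue_cert "$WORK/rogue-ca" "$WORK/impostor" "mail.example.test"

# Two bundles: one carrying the trusted CA, one empty as the reply describes.
cat "$WORK/good-ca.crt" > "$WORK/ca-bundle.crt"
: > "$WORK/empty-bundle.crt"

# Keep the server key readable by its owner only (sendmail also flags
# permission problems on these files as "unsafe").
chmod 600 "$WORK/host.key"

echo "trusted CA fingerprint: $(ca_fingerprint "$WORK/good-ca.crt")"
for bundle in ca-bundle.crt empty-bundle.crt; do
    for peer in host.cert impostor.cert; do
        if verify_peer "$WORK/$bundle" "$WORK/$peer"; then
            echo "$bundle: $peer verifies"
        else
            echo "$bundle: $peer rejected (issuer not in bundle)"
        fi
    done
done
```

Only the combination of the real bundle and the certificate issued by the CA it contains verifies; the impostor certificate fails against the bundle because its issuer is unknown, and nothing verifies against the empty bundle, which is the situation the reply warns about: no errors about a missing file, but no way to tell a legitimate peer from a man-in-the-middle. The fingerprint printed at the top is what you would compare against an independent copy of the CA certificate before adding it to ca-bundle.crt.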

Mailing list messages are © Copyright their authors.