Re: lug-bg: STARTTLS question
- Subject: Re: lug-bg: STARTTLS question
- From: vlk@email.domain.hidden (Vesselin Kolev)
- Date: Wed, 2 Apr 2003 09:57:18 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I'm trying to get sendmail running with STARTTLS support. I compiled
> sendmail with:
>
> define(`confCACERT_PATH',`/usr/local/ssl/certs')dnl
> define(`confCACERT',`/usr/local/ssl/certs/ca-bundle.crt')dnl
> define(`confSERVER_CERT',`/usr/local/ssl/certs/host.cert')dnl
> define(`confSERVER_KEY',`/usr/local/ssl/certs/host.key')dnl
> define(`confCLIENT_CERT',`/usr/local/ssl/certs/host.cert')dnl
> define(`confCLIENT_KEY',`/usr/local/ssl/certs/host.key')dnl
> define(`confLOG_LEVEL', 14)dnl
>
>
To be more precise, judging by the above, you generated the sendmail.cf
file with these options from the sendmail.mc prototype.
Hmm :)) The options in the m4 prototype of sendmail.cf are correct.
I think I wrote in the guide what has to be done, but if you still
haven't understood, I'll try to repeat it in plain terms.

The file ca-bundle.crt contains the certificates of the CAs around the world,
or those you have added yourself. You do not pay for these certificates. The same
certificates can also be found in the browsers. If you want to have these
certificates so that sendmail starts with TLS support, I can send them to you,
but at your own responsibility. Because, as you realize, I could slip you
fake certificates. Your job would then be to check the fingerprints of the
CA certificates and see whether they are genuine. You would compare them with
the ones in the browsers.

Let's briefly clarify the role of the certificates in TLS:
When you try to connect to another MTA, you fetch that MTA's certificate
and verify it using the certificate of the CA that signed it. That CA
certificate has to be present in the file ca-bundle.crt. If it is not there,
there is no way to verify the certificate, and you are as good as a victim of
a "man-in-the-middle" (also known as a "proxy attack").

In my case these CA certificates come as part of RedHat and Mandrake,
but that is not mandatory in general. They may not come with the
distribution, and you may have to put them in place yourself.

Of course, one way out is to create an empty ca-bundle file with no
certificates in it. Then there will be no errors in syslog, but there will
be no TLS support either, because there will be no certificates to verify
against.
> and of course it gives me an error, because I haven't requested a cert:
>
> sendmail[398]: [ID 702911 mail.warning] STARTTLS=server: file
> /usr/local/ssl/certs/ca-bundle.crt unsafe: No such file or directory
>
> ca-bundle.crt should contain the info after I submit
> request.csr, according to http://www.lcpe.uni-sofia.bg/linuxdoc/sendmail/tls.html
>
> So my question is: can I run STARTTLS without having to pay
> for a cert? What happens if I remove ca-bundle.crt from sendmail.mc?
>
Yes, it is possible if you use self-signed certificates. But those are only
for test use.

Actually, read this so that it becomes clearer:
http://www.linuxjournal.com/article.php?sid=4823
and this:
http://www.lcpe.uni-sofia.bg/linuxdoc/CA

Regards,
Vesselin Kolev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+ionV+48lZPXaa+MRAuObAJsHjgwodSTZQqTtp5clYIoB+QIftACghh49
tOke+gpCbSx7SDjsL6Ctzk4=
=J3lB
-----END PGP SIGNATURE-----
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
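The fingerprint check that the reply asks for (comparing every CA certificate in a received ca-bundle.crt against a reference list of fingerprints copied from a trusted source such as the browser's CA store), as an added example that is not part of the original message or of sendmail. It assumes a PEM-format bundle; the certificate bodies embedded below are constructed placeholder blobs, not real CA certificates, so the script runs offline. A fingerprint is a hash over the raw DER bytes, so the same code works unchanged on a real bundle.

```python
import base64
import hashlib
import re

# Matches every PEM certificate block in a bundle; a plain
# `openssl x509 -fingerprint -in ca-bundle.crt` would only report the first one.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the same form
    that `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(pem_text: str, algo: str = "sha256") -> list:
    """Fingerprint of every certificate in the bundle, in file order."""
    ders = [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(pem_text)]
    return [fingerprint(d, algo) for d in ders]


def verify_bundle(pem_text: str, trusted: dict, algo: str = "sha256") -> dict:
    """Compare a received bundle against a reference {fingerprint: label}.

    'matched'  - labels of certificates whose fingerprint is in the reference
    'unknown'  - fingerprints in the bundle that the reference does not know
                 (a possibly planted CA: do not install)
    'missing'  - reference labels that the bundle does not contain
    The reference must use the same hash algorithm as `algo`."""
    found = bundle_fingerprints(pem_text, algo)
    return {
        "matched": [trusted[fp] for fp in found if fp in trusted],
        "unknown": [fp for fp in found if fp not in trusted],
        "missing": [label for fp, label in trusted.items() if fp not in found],
    }


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed placeholder blobs standing in for DER-encoded CA certificates.
# They are not valid X.509 (assumption for an offline demo); the check hashes
# raw bytes, so it behaves identically on real certificates.
GOOD_CA_DER = b"\x30\x82\x01\x00constructed-good-root-ca"
OTHER_CA_DER = b"\x30\x82\x01\x00constructed-second-root-ca"
FAKE_CA_DER = b"\x30\x82\x01\x00constructed-fake-root-ca"

# Reference fingerprints, as copied from a trusted CA store (constructed here).
TRUSTED = {
    fingerprint(GOOD_CA_DER): "Good Root CA",
    fingerprint(OTHER_CA_DER): "Second Root CA",
}

# A bundle received from a third party: one genuine CA, one that nobody
# vouches for, and one expected CA absent.
RECEIVED_BUNDLE = to_pem(GOOD_CA_DER) + to_pem(FAKE_CA_DER)

if __name__ == "__main__":
    result = verify_bundle(RECEIVED_BUNDLE, TRUSTED)
    for label in result["matched"]:
        print("OK      :", label)
    for fp in result["unknown"]:
        print("UNKNOWN : do not install", fp)
    for label in result["missing"]:
        print("MISSING :", label)
```

To build the reference list from a certificate you already trust, `openssl x509 -noout -fingerprint -sha256 -in cert.pem` prints the value in exactly the colon-separated form the script produces; paste it as a key of TRUSTED. Anything the script reports as UNKNOWN is a certificate you have no independent reason to trust, which is precisely the case the reply warns about.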