Re: lynx-dev FORCE_SSL_PROMPT:NO

[Doug Kaufman]

On Wed, 23 Jul 2003, Stef Caunter wrote:

> Attached, and sent below, is README.sslcerts

A good discussion, but I believe that some of the statements are
incorrect. Comments below.

> Briefly, the procedure will involve confirming the default system location for
> certificates, setting and exporting the environment variable SSL_CERT_DIR,
> and hashing the certificates found in that directory using an openssl utility
> to enable recognition.

This should probably say "possibly putting a value for SSL_CERT_DIR in
the environment". Note that SSL_CERT_DIR only needs to be used if the
certs directory is different from the default compiled into the openssl
library. "Exporting" is specific to certain shells (e.g. bash, ksh, sh)
but doesn't apply to tcsh or csh.

> It is assumed that openssl has been installed correctly, that SSL_CERT_DIR is
> /usr/local/ssl/certs, and that lynx has been compiled --with-ssl. If the
> default location for certs on your system is different you will have to
> substitute that location for /usr/local/ssl/certs in the following 
> instructions.

Once again, SSL_CERT_DIR only needs to be set if a non-default location
is used.
  
> The source for openssl will be required in order to access the c_rehash 
> utility
> and the CA cert bundle.

You don't need the source. When OpenSSL is installed, c_rehash is
installed in a binary directory (default /usr/local/ssl/bin). There is
no CA cert bundle distributed with OpenSSL. The OpenSSL team
specifically decided NOT to do that. Getting a set of trusted
certificates is left up to the installer.
  
> So the next thing to do is to hash the cert using c_rehash in the default
> location for your system (SSL_CERT_DIR, the oft-referred to
> /usr/local/ssl/certs), and to set the environment variable so that openssl,
> and lynx, can find the certs.

Once again, SSL_CERT_DIR is for non-default installations. If you use
the default no environment variable needs to be set.

> INSTALLING OR UPDATING THE CA BUNDLE:
> 
> Now would be a good time to check to see if you have the bundle of CA certs
> in your /usr/local/ssl/certs, or to update them. Openssl and mod_ssl ship
> with them.  They are in the certs directory of the openssl source tree.

The certs in the OpenSSL certs directory are for testing purposes only
and are not suitable for use in accessing secure sites. The ca-bundle
from mod-ssl is somewhat old. It might be better to advise users to
extract from a current version of Netscape or Internet Explorer rather
than use this bundle. I believe that each extracts as a PKCS7 file and
needs to be converted with something like:
"openssl pkcs7 -inform DER -in site_name.crt -outform PEM -out site_name.pem 
-print_certs -text"

> Copy them to /usr/local/ssl/certs.

The bundle should be copied to the default directory for bundles
(usually /usr/local/ssl) and renamed to "cert.pem". The certs directory
is for individual certificates.

> We now have all of the certs we wish to trust in our certs directory.
> Run the perl script c_rehash, which ships with the openssl source, and is
> located in the tools directory of the openssl source tree.
> 
> As root, run:
> 
> ./c_rehash
> 
> This is a perl script that runs openssl commands which creates the files
> named after the hash values of the certs in the default directory for certs.
> The output looks like this:
> 
> Doing /usr/local/ssl/certs
> vsignss.pem => f73e89fd.0
> vsign3.pem => 7651b327.0
> ...more output
> <snip>
> 
> All pem encoded certs in /usr/local/ssl/certs will now be recognized as long
> as we perform the last step.

This is only necessary if adding individual certificates. The
alternative is to concatenate them to the bundle in /usr/local/ssl.
  
> SETTING AND EXPORTING THE ENVIRONMENT VARIABLE SSL_CERT_DIR:
> 
> Almost done! The last thing we _have_ to do is set the environment variable
> SSL_CERT_DIR in our shell initialization .profile or .*shrc, or /etc/profile,
> like so:
> 
> SSL_CERT_DIR=/usr/local/ssl/certs
> export SSL_CERT_DIR
> 
> This environment variable _must_ be set, and it must be exported!

This is necessary only if using a non-default location. "Exporting" is
dependent on the shell being used.

I would also add that the environment variable "SSL_CERT_FILE" applies
to the cert-bundle if used outside of the default location compiled into
OpenSSL. I am not sure that there is an easy way to determine the
default locations if you didn't compile OpenSSL yourself. I have used
"strings libcrypto.a", then searched for SSL_CERT_FILE. The default
locations are usually located near that string. On the linux machine on
my ISP, these are /usr/share/ssl and /usr/share/ssl/certs.

Overall, I think this is a clear summary. I would recommend fixing the
problems I mentioned before putting this in the lynx distribution.
                            Doug

  

-- 
Doug Kaufman
Internet: address@hidden


; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden