
Re: lynx-dev FORCE_SSL_PROMPT:NO


From: Stef Caunter
Subject: Re: lynx-dev FORCE_SSL_PROMPT:NO
Date: Fri, 25 Jul 2003 12:56:50 -0400 (EDT)

Thanks. Fixed. I'll be offline for a day and a half.

On Fri, 25 Jul 2003, Doug Kaufman wrote:

> On Fri, 25 Jul 2003, Stef Caunter wrote:
>
> > Added procedure to determine default ssl cert location
> > (thanks to DK and HN)
> > Neutralized path and system definition language (thanks to
> > TG and HN)
> > Re-presented environment variable definition as possible
> > solution.
> > File is getting big so attachment not duplicated in
> > message body, please advise if I should do it the other way.
>
> Looks good. Some suggestions follow:
>
> > The default location for certs on your system may be different, or there
> > may not be one. You will have to substitute that location for
> > /usr/local/ssl/certs in the following instructions, and/or set environment
> > variables.
> >
> > To determine the default location for certs on your system run the following
> > command:
> >
> > strings `find / -name libcrypto.a 2>/dev/null` | grep -in cert | less
>
> Doing a find from root may take up excessive resources on some systems.
> I would think that we should recommend that only if libcrypto is not
> found in the usual library locations.
>
> > ...
> > It is a fairly trivial procedure to pull the bundle of trusted root certs
> > out of a recent version of Internet Explorer. The procedure to convert and
> > install them is detailed later in this document, and if you simply need to
> > have commercially provided certificates trusted by lynx, you can skip down
> > a few lines to the INSTALLING OR UPDATING THE CA BUNDLE section.
>
> This might be a good place to mention that ca bundles are available in
> various places, such as the modssl distribution, for those who want to
> take that route.
>
> > ...
> > Confirm that you have the script c_rehash (See PRELIMINARY PROCEDURES; if
> > it is not found, a copy is usually located in the tools directory of the
> > openssl source tree. If you use this copy, it needs the execute bit set or
> > it will not run).
> >
> > As root, run:
> >
> > ./c_rehash
>
> I don't think that we should necessarily advise running as root. This
> README might be used by a user on a shared system setting up lynx in his
> own directory. That is, after all, the main reason for the environment
> variables. Whoever is root has already set the defaults that they want
> for the system.
>
> > ...
> > SETTING AND EXPORTING ENVIRONMENT VARIABLES:
> >
> > If lynx is still not recognizing certs, environment variables may need
> > to be set; if so, they must be exported!
>
> You might want to say instead "if on a sh type shell, the variables also
> need to be exported".
>
> > ...
> > The environment variables SSL_CERT_DIR and SSL_CERT_FILE only need to be set
> > if a non-default location is used for certificates, or if certs just can't
> > be found by lynx. They may be set as follows in /etc/profile, or a shell
> > initialization .profile or .*shrc, if we run a non csh type shell, according
> > to the results of the search for the default location for certs procedure
> > (See PRELIMINARY PROCEDURES):
> >
> > SSL_CERT_DIR /usr/local/ssl/certs
> > SSL_CERT_FILE /usr/local/ssl/cert.pem
> > export SSL_CERT_DIR SSL_CERT_FILE
>
> Shouldn't this be:
> SSL_CERT_DIR="/usr/local/ssl/certs"
> SSL_CERT_FILE="/usr/local/ssl/cert.pem"
> export SSL_CERT_DIR SSL_CERT_FILE
>
> On csh type shells, you can use:
> setenv SSL_CERT_DIR "/usr/local/ssl/certs"
> setenv SSL_CERT_FILE "/usr/local/ssl/cert.pem"
>
>                        Doug
>
>
>
> --
> Doug Kaufman
> Internet: address@hidden
>
>
>

Attachment: README.sslcerts
Description: jul25fixes ssl/certs
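
An added example, not part of the original messages or of README.sslcerts: a POSIX sh script for two of the suggestions in the thread, looking for libcrypto in the usual library locations before resorting to a find from root, and emitting the variable settings in sh or csh syntax. The directory list and the function names find_libcrypto and cert_env_lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example; LIB_DIRS and both function names are assumptions.

# Usual library locations to try before any filesystem-wide find.
LIB_DIRS="/usr/lib /usr/lib64 /usr/local/lib /usr/local/ssl/lib /lib /lib64"

# Print the first libcrypto.a or libcrypto.so* found in the given directories.
# Returns 1 when none is found, so the caller can decide whether a full
# "find /" is worth its cost.
find_libcrypto() {
    for dir in "$@"; do
        for lib in "$dir"/libcrypto.a "$dir"/libcrypto.so*; do
            if [ -f "$lib" ]; then
                printf '%s\n' "$lib"
                return 0
            fi
        done
    done
    return 1
}

# Print the lines that set SSL_CERT_DIR and SSL_CERT_FILE.
# $1 = shell family ("sh" or "csh"), $2 = cert directory, $3 = bundle file.
cert_env_lines() {
    case "$1" in
        csh)
            printf 'setenv SSL_CERT_DIR "%s"\n' "$2"
            printf 'setenv SSL_CERT_FILE "%s"\n' "$3" ;;
        sh)
            printf 'SSL_CERT_DIR="%s"\n' "$2"
            printf 'SSL_CERT_FILE="%s"\n' "$3"
            printf 'export SSL_CERT_DIR SSL_CERT_FILE\n' ;;
        *)
            printf 'unknown shell family: %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Demo: same strings/grep pipeline as the README, limited to one library.
if lib=$(find_libcrypto $LIB_DIRS); then
    echo "libcrypto: $lib"
    strings "$lib" 2>/dev/null | grep -i cert | head -n 20 || true
else
    echo "libcrypto not in the usual locations; a full find may be needed" >&2
fi
cert_env_lines sh /usr/local/ssl/certs /usr/local/ssl/cert.pem
```

The sh output can be pasted into .profile and the csh output into .cshrc, in a user's own home directory as well as system-wide.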

