[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Sander, we're planning SSL on svn.collab.net soon...

From: Nuutti Kotivuori <naked_at_iki.fi>
Date: 2002-08-13 22:03:32 CEST

Karl Fogel wrote:
> Timothee Besset <ttimo@idsoftware.com> writes:
>> I suppose you will want to have the SSL certifcate signed by a
>> certificate authority and you don't want to sign it yourself?
> Actually, we're doing this more to help people get around
> uncooperative proxies than for real security.

I have a virtualhosting apache with the other virtualhost providing
non-SSL access to the repository and the other providing SSL access to
the repository.

It was all very trivial to achieve - and I never changed the
repository configurations any.

I'll can paste the instructions from Debian, written by someone:

| Welp, SSL now works. Whoohoo! Have another beer.
| Replace <SERVERNAME> in these examples with the fully-qualified
| domain name you gave to the virtual host you want this key to
| service.
| For example, if I wanted to do a cert for piro.kabuki.sfarc.net, I'd
| use -out /etc/apache2/sites/piro.kabuki.sfarc.net-server.key, etc.
| Now, you need to make several random, gzip'ed text files. I
| recommend autogen.
| $ for i in 1 2 3 4 5 6 7 8 9; do dd if=/dev/urandom count=2 bs=1k | od -a | sed -e 's/.......//' > rand$i; \
| gzip -1 rand$i; done
| # openssl genrsa -des3 -rand rand1.gz:rand2.gz:rand3.gz:rand4.gz:rand5.gz:rand6.gz:rand7.gz:rand8.gz:rand9.gz \
| -out /etc/apache2/sites/<SERVERNAME>-ssl.key 1024
| This will prompt you for a passphrase, which means that apache2 will
| also prompt you for said passphrase every time it starts. Which is
| probably a bad thing. To de-passphrase it:
| # openssl rsa -in /etc/apache2/sites/<SERVERNAME>-ssl.key -out /etc/apache2/sites/<SERVERNAME>-ssl.pem
| This will remove the 3DES, so be careful with server.pem. You'll
| also need to change the SSLCertificateKeyFile line in
| /etc/apache2/sites/<SERVERNAME> from server.key to server.pem.
| Next, generate a Certificate Signing Request (necessary even if self-signing):
| # openssl req -new -key /etc/apache2/sites/<SERVERNAME>-ssl.key -out /etc/apache2/sites/<SERVERNAME>-ssl.csr
| Note, if you've decrypted the key (as above), use:
| # openssl req -new -key /etc/apache2/sites/<SERVERNAME>-ssl.pem -out /etc/apache2/sites/<SERVERNAME>-ssl.csr
| Fill in all the information as requested.
| To self-sign your certificate:
| # openssl x509 -req -in /etc/apache2/sites/<SERVERNAME>-ssl.csr -signkey /etc/apache2/sites/<SERVERNAME>-ssl.key \
| -out /etc/apache2/sites/<SERVERNAME>-ssl.crt
| Again, if you've decrypted your key, just change server.key to server.pem.
| Now, clean up the temporary CSR and the random files:
| # rm -f /etc/apache2/sites/<SERVERNAME>-ssl.csr rand*.gz
| And, if you've decrypted your key:
| # rm -f /etc/apache2/sites/<SERVERNAME>-ssl.key
| You did enable the SSL module, didn't you? :)
| # /usr/sbin/a2enmod ssl
| :) d <daniel@sfarc.net>, 4:41pm, Sat 18th August
| (updated 7:17pm, Sat 3rd November for new virtual hosts config stuff)

You can find more solid information from the links about SSL on
apache's site ofcourse, but this gave me exactly what I needed.

And as a sidenote - no, I don't think any of this should get near
subversion INSTALL or other files. It's strictly an apache
configuration issue, and a hairy one at that - better to just refer to
an outside source.

-- Naked

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Aug 13 22:06:01 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.