
Bug#175849: Acknowledgement (apache-ssl: SSL_accept failed for IE on Mac)



hi

the program /usr/sbin/ssl-certificate is broken

it generates a certificate that is not accepted by Internet Explorer
on Macintoshes 

this is not a problem of openssl (as I thought at first)
but it is a problem of the config file
/usr/share/apache-ssl/ssleay.conf

I attach a version that will generate a certificate that
is accepted also by IE on Mac

my script also tries to put some reasonable defaults
(in particular, it offers the default for the hostname, that is
very important)

a.


-- 
Andrea Mennucc
 "E' un mondo difficile. Che vita intensa!" (Tonino Carotone)

#!/bin/sh

set -e

if [ "$1" != "--force" -a -f /etc/apache-ssl/apache.pem ]; then
  echo "/etc/apache-ssl/apache.pem exists!  Use \"$0 --force.\""
  exit 0
fi

if [ "$1" = "--force" ]; then
  shift
fi     

echo
echo creating self-signed certificate
echo "replace it with one signed by a certification authority (CA)"
echo
echo enter your ServerName at the Common Name prompt
echo
echo If you want your certificate to expire after x days call this program
echo with "-days x"


export RANDFILE=/dev/random

CERTDIR=/etc/apache-ssl
# certificate and private key are written to this one PEM file
CERTNAME=$CERTDIR/apache.pem

T=`tempfile`

#stolen from sslwrap
country="US"
state=""
locality=""
organization=""
unit=""
hostname=`hostname -f`
email="webmaster@"`hostname -f`
# "." instead of "source": the script runs under /bin/sh, which may not be bash
[ -r /etc/sslwrap/debian_config ] && . /etc/sslwrap/debian_config


awk '
/commonName.*=.*YOUR.*/\
{$0="commonName = server name (eg. ssl.domain.tld; required!!!)\ncommonName_default='"$hostname"'"}
/0.organizationName_default/\
{$0="0.organizationName_default	='"$organization"'"}
/countryName_default/\
{$0="countryName_default='"$country"'"}
/stateOrProvinceName_default/\
{$0="stateOrProvinceName_default='"$state"'"}
//{print}'  /usr/lib/ssl/openssl.cnf   > $T

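# create the file holding the private key with owner-only permissions from the start
umask 077

openssl req "$@" -config "$T" \
  -new -x509 -nodes -out "$CERTNAME~new" -keyout "$CERTNAME~new"

chmod 600 "$CERTNAME~new"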

openssl verify $CERTNAME~new

ln -sf $CERTNAME   $CERTDIR/`/usr/bin/openssl \
  x509 -noout -hash < $CERTNAME~new `.0

#move only if everything went OK
mv -b $CERTNAME~new $CERTNAME
rm $T
