[Pkg-voip-commits] [resiprocate] 12/14: Update TLS notes in repro.README.Debian
Daniel Pocock
pocock at moszumanska.debian.org
Sun Jan 12 10:44:38 UTC 2014
This is an automated email from the git hooks/post-receive script.
pocock pushed a commit to branch master
in repository resiprocate.
commit 0519d84dc5753e428c0d38e8c8561f742f29e332
Author: Daniel Pocock <daniel at pocock.com.au>
Date: Sun Jan 12 09:38:36 2014 +0100
Update TLS notes in repro.README.Debian
---
debian/repro.README.Debian | 44 ++++++++++++--------------------------------
1 file changed, 12 insertions(+), 32 deletions(-)
diff --git a/debian/repro.README.Debian b/debian/repro.README.Debian
index 70be8a8..c94abc5 100644
--- a/debian/repro.README.Debian
+++ b/debian/repro.README.Debian
@@ -48,42 +48,22 @@ SSL/TLS on Debian
The normal place for certs on Debian is in /etc/ssl
-repro has particular expectations about certificate filenames
-and permissions.
+Before repro v1.9.0~beta9, repro had particular expectations about
+certificate filenames and permissions.
+In particular, they needed to have names matching a particular
+template.
- Stategy A:
- ----------
+Now, however, it is possible to specify any arbitrary certificate
+and key filenames on a per-transport basis, e.g.
- If the certs you need are shared, or if your local policy
- is to keep all certs and keys under /etc/ssl, then you need
- to do two things:
+Transport1TlsCertificate = /etc/ssl/ssl.crt/sip-server.example.org.crt
+Transport1TlsPrivateKey = /etc/ssl/ssl.key/sip-server.example.org.key
- - add the repro user to the group ssl-cert
-
- addgroup repro ssl-cert
-
- - create symlinks in /etc/repro/ssl pointing to the real
- certs and keys in /etc/ssl, e.g:
-
- ln -s /etc/ssl/ssl.crt/sip-server.example.org.crt \
- /etc/repro/ssl/domain_cert_sip-server.example.org.pem
-
- ln -s /etc/ssl/ssl.key/sip-server.example.org.key \
- /etc/repro/ssl/domain_key_sip-server.example.org.pem
-
- Note that filenames must be in that exact format, with
- the domain_ prefix and the .pem suffix
-
- Strategy B:
- -----------
-
- If the certs you need are ONLY for repro, then create
- the certs and keys in /etc/repro/ssl using the naming
- convention expected by repro (see examples above)
-
- They can be owned by root and readable for the `repro'
- user.
+The TlsCertificate file should also contain any intermediate certificates.
+The server certificate should be first and the intermiediate certificates
+should be listed in order, starting with the one that signed your
+certificate and finishing with the one below the root.
Intermediate certificates
-------------------------
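Review bot: the replacement text drops the `addgroup repro ssl-cert` step without saying how the repro user gets read access to the private key, yet the new example still points Transport1TlsPrivateKey at a key under /etc/ssl/ssl.key. The wording "Before repro v1.9.0~beta9, repro had particular expectations about certificate filenames and permissions" reads as if the permission requirement went away along with the naming template. The only change described is that filenames can now be set per transport. Suggest keeping one sentence stating that the key file must be readable by the repro user and how to arrange that for keys under /etc/ssl (the removed text used ssl-cert group membership), and that a key used only by repro can be owned by root and readable for the repro user, as the removed Strategy B said. Minor: "intermiediate" in the added paragraph should be "intermediate". Since the unchanged "Intermediate certificates" heading follows directly, also check that section does not now repeat or contradict the new ordering guidance.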
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/resiprocate.git