[alpine-devel] Notes on fetch-crl apk

From: Nathan Angelacos <nangel_at_nothome.org>
Date: Thu, 19 Feb 2009 16:45:18 -0500

These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine


If you just want the "what needs to be fixed" bit, skip to the bottom.

The test system is using racoon with a cert bundle and a client cert
(all in pem format, all in /etc/racoon) - they should probably be
somewhere else .. but whatever.



apk_add http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r0.apk

It needs the hashes of all the certs; here's a quick awk script to do it:


--- /dev/null Thu Feb 19 21:20:21 2009
+++ split.awk Thu Feb 19 20:27:33 2009
_at_@ -0,0 +1,17 @@
+# split a certificate bundle into individual certificates
+
+{ content = content $0 "\n" }
+
+/^subject=/ {
+ subject=$0
+ sub("^.*CN=", "", subject)
+ }
+
+/^-----END/ {
+ x=subject ".pem"
+ print content > x
+ close(x)
+ system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null")
+ content = ""
+ }
+
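Review bot: the filename built in the `/^subject=/` rule keeps everything after the last `CN=`, so with OpenSSL's one-line subject format (`subject= /C=.../CN=Example CA/emailAddress=...`) `x` becomes `Example CA/emailAddress=....pem` and `print content > x` fails or lands in an unexpected place; strip from the next `/` as well (e.g. `sub("/.*$", "", subject)`) and quote `x` in the `system()` command so names with spaces survive the shell. Two smaller points: `subject` is never reset after a cert is written, so an entry without a `subject=` line silently overwrites the previous file, and the `2>/dev/null` hides an `openssl x509 -hash` failure that would otherwise show up as a dangling `.0` link.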


The client cert needs a hash as well:

ln -s mycert.pem `openssl x509 -in mycert.pem -noout -hash`.0


Create the fetch-crl.crl_url files. The files go where the certs are.
To find the crl location, you can try this:

for a in *.pem; do echo In $a:; openssl x509 -in $a -text -noout 2>/dev/null| grep crl ; done

The files can have any name, as long as they end in ".crl_url". So I chose mycert.crl_url, my_ca.crl_url, etc.
But you could use the hash as well.
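As an added example (not from this post or from the fetch-crl project), a small script that derives each cert's .crl_url file from the certificate's own CRL Distribution Point extension rather than reading it off the grep output by hand; it assumes openssl is installed and the directory holds PEM certs, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from this post or the fetch-crl project: build the
# <hash>.crl_url files from each certificate's own CRL Distribution Point
# extension instead of reading them off the grep output by hand.
# Assumes openssl(1) is installed and the directory holds PEM certs.
# Function names are mine.

# Read `openssl x509 -text -noout` output on stdin and print the first
# http(s) URI under "X509v3 CRL Distribution Points".
# Exit status 1 (and no output) when the cert carries no such extension.
crl_uri_from_text() {
    awk '
        /X509v3 CRL Distribution Points/ {
            match($0, /^ */); hdr = RLENGTH; in_dp = 1; next
        }
        in_dp {
            # a non-blank line indented no deeper than the header is the next extension
            match($0, /^ */)
            if ($0 ~ /[^ ]/ && RLENGTH <= hdr) { in_dp = 0 }
            else if (match($0, /URI:http[^ ,]*/)) {
                print substr($0, RSTART + 4, RLENGTH - 4); found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# For every *.pem in the given directory write <subject hash>.crl_url
# beside it (the same hash the .0 symlinks use), and report certs that
# have no CRL distribution point, since fetch-crl cannot check those.
write_crl_urls() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -hash 2>/dev/null) || continue
        if uri=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | crl_uri_from_text); then
            printf '%s\n' "$uri" > "$dir/$hash.crl_url"
            echo "$cert -> $hash.crl_url ($uri)"
        else
            echo "WARNING: $cert has no CRL distribution point, no crl_url written" >&2
        fi
    done
}

# usage: sh make_crl_urls.sh /etc/racoon
if [ -n "${1:-}" ]; then write_crl_urls "$1"; fi
```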


Edit /etc/conf.d/fetch-crl. The minimum is:

CRLDIR=/etc/racoon
QUIET=yes
CACHEDIR=/tmp


Fetch-crl *requires* real wget because of the -t -T -N options.

(replacing the wget binary with a shell script "#!/bin/echo $0 $@" shows the following)


/usr/bin/wget -t -T 10 -q -N 2 -P /tmp/3e25f602d2aedb251e08f79e3e1db34dc388927a <location of crl>


Setting the Timeout and Retry options in the fetch-crl config file does not seem to make things better.




Once all that is done, run fetch-crl, and it will retrieve the crls and put them in the same directory as the certs, with the same name as the hash, but a .r0 extension.



-----------------------
Things that need fixing
-----------------------


If we want to use busybox wget, either bb wget should support (or ignore) -t, -T and -N, or fetch-crl should not use -N, -t, -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0).


The fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl.


Other than that, it works well!



Received on Thu Feb 19 2009 - 16:45:18 UTC