From: Nathan Angelacos
Date: Thu, 19 Feb 2009 16:45:18 -0500
Message-ID: <499DD2EE.6090803@nothome.org>
To: Alpine Developers
Subject: [alpine-devel] Notes on fetch-crl apk

These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine

If you just want the "what needs to be fixed" bit, skip to the bottom.

The test system is using racoon with a cert bundle and a client cert (all in PEM format, all in /etc/racoon) - they should probably be somewhere else .. but whatever.

apk_add http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r0.apk

It needs the hashes of all the certs; here's a quick awk script to do it:

--- /dev/null Thu Feb 19 21:20:21 2009
+++ split.awk Thu Feb 19 20:27:33 2009
@@ -0,0 +1,17 @@ +# split a certificate bundle into individual certificates + +{ content = content $0 "\n" } + +/^subject=/ { + subject=$0 + sub("^.*CN=", "", subject) + } + +/^-----END/ { + x=subject ".pem" + print content > x + close(x) + system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null") + content = "" + } +

The client cert needs a hash as well:

ln -s mycert.pem `openssl x509 -in mycert.pem -noout -hash`.0

Create the fetch-crl .crl_url files. The files go where the certs are. To find the CRL location, you can try this:

for a in *.pem; do echo In $a:; openssl x509 -in $a -text -noout 2>/dev/null| grep crl ; done

The files can have any name, as long as they end in ".crl_url". So I chose mycert.crl_url, my_ca.crl_url, etc. But you could use the hash as well.

Edit /etc/conf.d/fetch-crl. The minimum is:

CRLDIR=/etc/racoon
QUIET=yes
CACHEDIR=/tmp

Fetch-crl *requires* real wget because of the -t -T -N options. (Replacing the wget binary with a shell script, "#!/bin/echo $0 $@", shows the following:)

/usr/bin/wget -t -T 10 -q -N 2 -P /tmp/3e25f602d2aedb251e08f79e3e1db34dc388927a

Setting the Timeout and Retry options in the fetch-crl config file does not seem to make things better.

Once all that is done, run fetch-crl, and it will retrieve the CRLs and put them in the same directory as the certs, with the same name as the hash, but a .r0 extension.

-----------------------
Things that need fixing
-----------------------

If we want to use busybox wget, either:
bb wget should support (or ignore) -t, -T and -N; or
fetch-crl should not use -N, -t, -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0).

The fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl.

Other than that, it works well!
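Review bot: the system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null") call in the /^-----END/ action throws away stderr, so when two CAs in the bundle have the same subject hash the second "ln -s <hash>.0" fails silently and that CA can never be found by hash lookup; drop the 2>/dev/null, or pick the first free suffix (.0, .1, ...) the way c_rehash does. The same action also uses everything after "CN=" as the file name without quoting it in the shell command, so a CN containing a space or a slash, or a subject with an RDN after the CN (for example /emailAddress=...), breaks both the "print content > x" target and the ln -s; two certificates with the same CN overwrite each other's .pem; and a "subject=" line is required before every certificate, because otherwise x is just ".pem". A one-line comment stating that the input must come from "openssl x509 -subject" or "openssl pkcs7 -print_certs" would make that last requirement explicit.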
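The procedure in the mail (split the bundle, create the hash links, write a .crl_url per cert) as one added example script. This is not code from the mail, from fetch-crl or from Alpine; it assumes the openssl CLI is installed and that the bundle is concatenated PEM, optionally with the "subject=" lines that "openssl x509 -subject" or "openssl pkcs7 -print_certs" emit before each certificate. It goes beyond the awk snippet above in the places where that snippet is fragile: certificates without a subject= line, duplicate or unsafe CNs, and two CAs colliding on the same subject hash (handled with .0/.1/... suffixes the way c_rehash does). The config file name and output directory are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the mail or from fetch-crl): prepare a racoon cert
# directory for fetch-crl. Assumes the openssl CLI is available and that the
# bundle is plain concatenated PEM, optionally with the "subject=" lines that
# "openssl x509 -subject" or "openssl pkcs7 -print_certs" put before each cert.

# split_bundle BUNDLE OUTDIR
# Writes one OUTDIR/<CN>.pem per certificate and prints each path written.
# Certificates without a preceding subject= line are named cert-<n>.pem;
# a duplicate CN gets a -<n> suffix instead of overwriting the first file.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /^subject=/ {
            s = $0
            sub("^.*CN *= *", "", s)          # keep what follows CN=
            sub("[/,].*$", "", s)              # drop any RDN after the CN
            gsub(/[^A-Za-z0-9._-]/, "_", s)    # safe file-name characters only
            cn = s
        }
        /^-----BEGIN CERTIFICATE-----/ { inpem = 1; content = "" }
        inpem { content = content $0 "\n" }
        /^-----END CERTIFICATE-----/ {
            inpem = 0
            n++
            name = (cn != "") ? cn : ("cert-" n)
            path = outdir "/" name ".pem"
            if (path in seen) path = outdir "/" name "-" n ".pem"
            seen[path] = 1
            printf "%s", content > path
            close(path)
            print path
            cn = ""
        }' "$bundle"
}

# hash_link CERT.pem
# Creates <subject-hash>.<n> -> CERT.pem in the cert's directory, using the
# first free n, so two CAs that collide on the hash both stay reachable
# (the awk snippet in the mail silently loses the second one). Prints the link.
hash_link() {
    cert=$1
    dir=$(dirname "$cert"); base=$(basename "$cert")
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # Already linked to this very file: nothing to do.
        if [ "$(readlink "$dir/$hash.$n")" = "$base" ]; then
            echo "$dir/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n" && echo "$dir/$hash.$n"
}

# crl_urls CERT.pem
# Prints the URIs from the certificate's CRL Distribution Points extension,
# one per line; that is what belongs in a fetch-crl .crl_url file.
crl_urls() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 CRL Distribution Points/,/^ *X509v3 [A-Z]/p' |
        sed -n 's/^ *URI://p'
}

# Usage: sh prep-certdir.sh bundle.pem /etc/racoon
if [ $# -eq 2 ]; then
    split_bundle "$1" "$2" | while IFS= read -r pem; do
        hash_link "$pem" >/dev/null
        urls=$(crl_urls "$pem")
        # Only certs that actually publish a CRL get a .crl_url file.
        [ -n "$urls" ] && printf '%s\n' "$urls" > "${pem%.pem}.crl_url"
    done
fi
```

The hash links must be produced by the same OpenSSL generation that racoon and fetch-crl link against: OpenSSL 1.0.0 changed the subject hash algorithm (the old value is available as -subject_hash_old), so links made on one box do not necessarily resolve on another.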