okabek@guitar.ocn.ne.jp

* SSL is supported through the OpenSSL library.
  Install it beforehand.

* If the OpenSSL library is installed, the configure script detects it
  automatically and SSL becomes available.
  If it does not work, check config.h. To use SSL, the USE_SSL macro must be
  defined in config.h.
  In addition, to use SSL verification support, also check the USE_SSL_VERIFY
  macro.
  If compilation fails with errors, check that the linker flags include
  `-lssl -lcrypto' and that the compiler flags include
  '-I(directory containing the SSLeay/OpenSSL headers)'.

  You can confirm whether SSL support is enabled by checking whether the
  Option Setting Panel contains "SSL Settings".

* The following SSL settings are available:

        List of SSL methods not to use (2: SSLv2, 3: SSLv3, t: TLSv1)

    ssl_verify_server ON/OFF
        Perform SSL server verification (default is OFF).
    ssl_cert_file filename
        PEM-format certificate file for the SSL client (default is <NULL>).
    ssl_key_file filename
        PEM-format private key file for the SSL client (default is <NULL>).
    ssl_ca_path directory
        Path to a directory containing the PEM-format certificates of SSL
        certificate authorities

    ssl_ca_file filename
        File containing the PEM-format certificates of SSL certificate
        authorities (default is <NULL>).
  However, in an environment that does not satisfy
  "SSLEAY_VERSION_NUMBER >= 0x0800" this only adds useless code, so it is
  better to disable it at configure time.

  Also, when verification is actually performed, server verification does not
  succeed unless the certificate of the certificate authority that signed the
  server's key is specified with ssl_ca_path or ssl_ca_file (regardless of
  whether ssl_verify_server is ON or OFF).

  Certificates of commonly used certificate authorities can be obtained from
  sources such as the following.

    * Certificates extracted as *.pem files, using the attached ruby script,
      from
        mozilla/security/nss/lib/ckfw/builtins/certdata.txt
      which is included in the mozilla source

        % ruby certdata2pem.rb < certdata.txt

      extracts the *.pem files into the current directory and creates the
      hash symlinks with the openssl c_rehash command.
      You can set this directory as ssl_ca_path.
      Alternatively, if you create a single file that combines the *.pem
      files, you can set that file as ssl_ca_file.

    * pkg.sslcfg/ca-bundle.crt, which is included in the mod_ssl source
      This file is PEM, so you can set its full path name as ssl_ca_file.

* OpenSSL library versions 0.9.5 and later require some seed to be set in
  order to initialize the random number generator.
  By default, /dev/urandom is used if it exists; otherwise the seed is
  generated inside w3m. If EGD (Entropy Gathering Daemon) or PRNGD (Pseudo
  Random Number Generator Daemon) is available in your environment and you
  want to use it, check the USE_EGD macro.

    OpenSSL - http://www.openssl.org/
    PRNGD   - http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

----------------------------------------------------------------
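# Copyright (c) 2001 Fumitoshi UKAI <ukai@debian.or.jp>
# All rights reserved.
# This is free software with ABSOLUTELY NO WARRANTY.
# You can redistribute it and/or modify it under the terms of

# Every certificate object in certdata.txt is written out as a *.pem file;
# the trust attributes in certdata.txt are not consulted.
fname = nil
while line = $stdin.gets
  next if line =~ /^#/
  next if line =~ /^\s*$/
  line.chomp!
  # CKA_LABEL carries the certificate name; derive the output file name from it.
  if line =~ /CKA_LABEL/
    label, type, val = line.split(' ', 3)
    val = val.sub(/^"/, "").sub(/"$/, "")
    fname = val.gsub(/\//, "_").gsub(/\s+/, "_").gsub(/[()]/, "=") + ".pem"
    next
  end
  # CKA_VALUE holds the DER certificate as octal escapes, terminated by END.
  if line =~ /CKA_VALUE MULTILINE_OCTAL/
    data = "".b
    while line = $stdin.gets
      break if line =~ /^END/
      line.scan(/\\([0-3][0-7][0-7])/) { |(oct)| data << oct.oct.chr }
    end
    File.open(fname, "w") do |fp|
      fp.puts "-----BEGIN CERTIFICATE-----"
      fp.puts [data].pack("m*")
      fp.puts "-----END CERTIFICATE-----"
    end
    puts "Created #{fname}"
  end
end
# Create the hash symlinks that ssl_ca_path lookups rely on.
system("c_rehash", ".")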