From a61f46c23e7607c3fc1057eb68cc84d0f3232889 Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Wed, 27 Nov 2013 22:26:08 +0100 Subject: [PATCH] belongs in the repo --- apache/APACHE.notes | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apache/APACHE.notes diff --git a/apache/APACHE.notes b/apache/APACHE.notes new file mode 100644 index 00000000..7c77e4bd --- /dev/null +++ b/apache/APACHE.notes @@ -0,0 +1,29 @@ +The apache config as it ships in unfold.conf defines a port +(currently 443) where SSL client-auth is enforced + +The idea being to have the browser prompting our user for a +certificate - instead of leaving that optional, which we believe is +something nobody will ever use if it's optional. + +A few notes and caveats must be outlined though below; see also unfold-init-ssl.sh about that + +* as of this writing quite a lot of what is below would be taken care + of by the packaging stuff once/if it works; + the notes below are intended to help in this respect. + +* all the local material for this deployment gets into /etc/unfold/ + +* I could not find a way to have client-auth without server auth; + this is totally weird, and stupid, but just so + so there is a need to install a (probably self-signed) cert + and related key in +/etc/unfold/myslice.cert +/etc/unfold/myslice.key + see init-ssl.sh for how to create these + +* Now the trusted roots - that we do need in our case - are expected in +/etc/unfold/trusted_roots + this of course is a user choice, e.g.: +/etc/unfold/trusted_roots/plc.gid +/etc/unfold/trusted_roots/ple.gid + -- 2.43.0
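Review bot: the notes reference the helper script under two different names ("see also unfold-init-ssl.sh" near the top, "see init-ssl.sh for how to create these" in the myslice.cert/myslice.key bullet); pick the actual filename and use it in both places so a deployer can find it. The bullet calling the server certificate requirement "totally weird, and stupid" should instead state the real reason: TLS cannot request a client certificate without first authenticating the server, so the server key pair is mandatory and not a quirk of Apache; that wording will mislead whoever handles the packaging. Since the file documents where /etc/unfold/myslice.key lives, it should also say that this private key must be readable only by root (the Apache parent process reads it before dropping privileges), and that a self-signed myslice.cert will produce a browser warning on port 443 before the client-certificate prompt ever appears. For the trusted_roots bullet, note how Apache is pointed at that directory (a single bundle file versus a hashed directory) so that adding plc.gid or ple.gid actually takes effect after a reload.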