svn commit: r44604 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at
Fri Apr 18 16:10:46 UTC 2014

Author: dru
Date: Fri Apr 18 16:10:46 2014
New Revision: 44604

  Finish editorial review of OpenSSL chapter.
  Update instructions and examples.
  Sponsored by:	iXsystems


Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Apr 18 14:47:22 2014	(r44603)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Apr 18 16:10:46 2014	(r44604)
@@ -1781,17 +1781,6 @@ kadmind5_server_enable="YES"</programlis
       and Transport Layer Security v1 (TLSv1) network security
       protocols and can be used as a general cryptographic
-This patent expired in 2012, is the note still needed?
-    <note>
-      <para>While <application>OpenSSL</application> supports the
-	<acronym>IDEA</acronym> algorithm, it is disabled by default
-	due to United States patents.  To use it, the license should
-	be reviewed and, if the restrictions are acceptable, the
-	<varname>MAKE_IDEA</varname> variable must be set in
-	<filename>/etc/make.conf</filename>.</para>
-    </note>
-    -->
     <para><application>OpenSSL</application> is often used to encrypt
       authentication of mail clients and to secure web based
@@ -1833,8 +1822,15 @@ This patent expired in 2012, is the note
 	<secondary>certificate generation</secondary>
-      <para>To generate a certificate, the following command is
-	available:</para>
+      <para>To generate a certificate that will be signed by an
+	external <acronym>CA</acronym>, issue the following command and
+	input the information requested at the prompts.  This input
+	information will be written to the certificate.  At the
+	<literal>Common Name</literal> prompt, input the fully
+	qualified name for the system that will use the certificate.
+	If this name does not match the server, the application verifying the
+	certificate will issue a warning to the user, rendering the
+	verification provided by the certificate as useless.</para>
       <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
 Generating a 1024 bit RSA private key
@@ -1861,100 +1857,120 @@ Please enter the following 'extra' attri
 to be sent with your certificate request
 A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
 An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
-      <para>Notice the response directly after the <quote>Common
-	  Name</quote> prompt shows a domain name.  This prompt
-	requires a server name to be entered for verification
-	purposes and placing anything but a domain name yields a
-	useless certificate.  Other options, such as the expire
-	time and alternate encryption algorithms, are available.  A
+      <para>Other options, such as the expire
+	time and alternate encryption algorithms, are available when
+	creating a certificate.  A
 	complete list of options is described in
-      <para>Two files should now exist in the directory in which this
-	command was issued.  The certificate request,
-	<filename>req.pem</filename>, may be sent to a
+      <para>This command will create two files in the current directory.
+	The certificate request,
+	<filename>req.pem</filename>, can be sent to a
 	<acronym>CA</acronym> who will validate the entered
 	credentials, sign the request, and return the signed
-	certificate.  The second file is named
-	<filename>cert.pem</filename> and is the private key for the
-	certificate and should be protected at all costs.  If this
-	falls in the hands of others it can be used to impersonate
+	certificate.  The second file,
+	<filename>cert.pem</filename>, is the private key for the
+	certificate and should be stored in a secure location.  If this
+	falls in the hands of others, it can be used to impersonate
 	the user or the server.</para>
-      <para>In cases where a signature from a <acronym>CA</acronym>
-	is not required, a self signed certificate can be created.
+      <para>Alternately, if a signature from a <acronym>CA</acronym>
+	is not required, a self-signed certificate can be created.
 	First, generate the <acronym>RSA</acronym> key:</para>
-      <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput></screen>
-      <para>Next, generate the <acronym>CA</acronym> key:</para>
-      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput></screen>
+      <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput>
+0 semi-random bytes loaded
+Generating DSA parameters, 1024 bit long prime
+This could take some time
+      <para>Next, generate the <acronym>CA</acronym> key.  When
+	prompted, enter a passphrase between 4 to 1023 characters.
+	Remember this passphrase as it is needed whenever the key is
+	used to sign a certificate.</para>
+      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput>
+Generating DSA key, 1024 bits
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:</screen>
+      <para>Use this key to create a self-signed certificate.  When
+	prompted, enter the passphrase.  Then follow the usual prompts
+	for creating a certificate:</para>
-      <para>Use this key to create the certificate:</para>
-      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput></screen>
+      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput>
+Enter pass phrase for myca.key:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
+State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
+Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
+Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
+Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable></replaceable></userinput>
+Email Address []:<userinput><replaceable>trhodes at</replaceable></userinput></screen>
-      <para>Two new files should appear in the directory: a
+      <para>This will create two new files in the current directory: a
 	certificate authority signature file,
-	<filename>myca.key</filename> and the certificate itself,
+	<filename>myca.key</filename>, and the certificate itself,
 	<filename>new.crt</filename>.  These should be placed in a
 	directory, preferably under <filename>/etc</filename>, which
 	is readable only by <systemitem
-	  class="username">root</systemitem>.  Permissions of 0700 are
-	appropriate and can be set using &man.chmod.1;.</para>
+	  class="username">root</systemitem>.  Permissions of <literal>0700</literal> are
+	appropriate for these files and can be set using <command>chmod</command>.</para>
       <title>Using Certificates</title>
       <para>One use for a certificate is to encrypt connections to the
-	<application>Sendmail</application> <acronym>MTA</acronym>.
-	This prevents the use of clear text authentication for users
-	who send mail via the local <acronym>MTA</acronym>.</para>
+	<application>Sendmail</application> mail server in order to
+	prevent the use of clear text authentication.</para>
-	<para>Some <acronym>MUA</acronym>s will display error if the
-	  user has not installed the certificate locally.  Refer to
+	<para>Some mail clients will display an error if the
+	  user has not installed a local copy of the certificate.  Refer to
 	  the documentation included with the software for more
 	  information on certificate installation.</para>
-      <para>To configure <application>Sendmail</application>, the
-	following lines should be placed in the local
-	<filename>.mc</filename> file:</para>
-      <programlisting>dnl SSL Options
-define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
-      <para>In this example,  <filename>/etc/certs/</filename>
-	stores the certificate and key files locally.  After saving
-	the edits, rebuild the local <filename>.cf</filename> file by
-	typing
-	<command>make install</command>
-	within <filename>/etc/mail</filename>.
-	Follow that up with <command>make
-	  restart</command> which should
-	start the <application>Sendmail</application> daemon.</para>
+      <para>To configure <application>Sendmail</application>, add the
+	following lines to
+	<filename>/etc/rc.conf</filename>:</para>
+      <programlisting>sendmail_enable="YES"
+      <para>This will automatically create a self-signed certificate,
+	<filename>/etc/mail/certs/host.cert</filename>, a signing key,
+	<filename>/etc/mail/certs/host.key</filename>, and a
+	<acronym>CA</acronym> certificate,
+	<filename>/etc/mail/certs/cacert.pem</filename>.  The
+	certificate will use the <literal>Common Name</literal>
+	specified in <option>sendmail_cert_cn</option>.
+	After saving
+	the edits, restart <application>Sendmail</application>:</para>
-      <para>If all went well, there will be no error messages in
-	<filename>/var/log/maillog</filename> and
-	<application>Sendmail</application> will show up in the
-	process list.</para>
+      <screen>&prompt.root; <userinput>service sendmail restart</userinput></screen>
-      <para>For a simple test, connect to the mail server using
-	&man.telnet.1;:</para>
+      <para>If all went well, there will be no error messages in
+	<filename>/var/log/maillog</filename>.  For a simple test,
+	connect to the mail server's listening port using
+	<command>telnet</command>:</para>
       <screen>&prompt.root; <userinput>telnet <replaceable></replaceable> 25</userinput>
-Connected to <systemitem class="fqdomainname"></systemitem>.
+Connected to
 Escape character is '^]'.
-220 <systemitem class="fqdomainname"></systemitem> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
+220 ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)
 <userinput>ehlo <replaceable></replaceable></userinput> Hello [], pleased to meet you
@@ -1968,10 +1984,10 @@ Escape character is '^]'.
 250 HELP
-221 2.0.0 <systemitem class="fqdomainname"></systemitem> closing connection
+221 2.0.0 closing connection
 Connection closed by foreign host.</screen>
-      <para>If the <quote>STARTTLS</quote> line appears in the
+      <para>If the <literal>STARTTLS</literal> line appears in the
 	output, everything is working correctly.</para>

More information about the svn-doc-all mailing list