mod_gnutls's dhfile/rsafile generation

Adam Gołębiowski adamg at biomerieux.pl
Sun Sep 9 22:44:01 CEST 2007


On Sun, Sep 09, 2007 at 11:18:03AM +0300, Elan Ruusamäe wrote:
> On Sunday 09 September 2007 02:44, Adam Gołębiowski wrote:
> > Hi,
> >
> > I was thinking about apache mod_gnutls's dhfile/rsafile files being
> > generated in %post, which could be done by something similar to:
> >
> > --- cut ---
> > %post
> > # in %post, $1 is 1 on first install (0 is only passed to %preun/%postun)
> > if [ "$1" = "1" ]; then
> > 	d=/etc/httpd/tls
> > 	# create each file only if it does not exist yet
> > 	[ -f "$d/dhfile" ] || /usr/bin/certtool --generate-dh-params --bits 1024 --outfile "$d/dhfile"
> > 	[ -f "$d/rsafile" ] || /usr/bin/certtool --generate-privkey --bits 512 --outfile "$d/rsafile"
> > fi
> > --- cut ---
> >
> > but the process may take some time on slower machines, or those where
> > /dev/random tends to block while waiting for entropy pool.
> 
> other way is openssh way -- when service is started, but that's modifying 
> apache.spec 

Ah, didn't think of that.

This would mean keeping httpd down for some time (only once, but still),
and this could annoy some people. I think I'll go for the presented
option (%post).

-- 
 http://www.mysza.eu.org/ | Everybody needs someone sure, someone true,
   PLD Linux developer    | Everybody needs some solid rock, I know I do.
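
Added example, not part of the original message or of the PLD spec: one way to write the generation step so it can be called either from %post or from the init script's start action, as the thread discusses. The function names and the CERTTOOL/TLS_DIR variables are hypothetical; the certtool options and paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: generate mod_gnutls parameter files only when missing.
# CERTTOOL and TLS_DIR are assumptions made overridable for packaging/tests;
# their defaults are the paths quoted in the thread.
CERTTOOL=${CERTTOOL:-/usr/bin/certtool}
TLS_DIR=${TLS_DIR:-/etc/httpd/tls}

# ensure_param <outfile> <certtool args...>
# Returns 0 if the file already exists or was created, non-zero on failure.
ensure_param() {
    out=$1; shift
    [ -s "$out" ] && return 0      # present and non-empty: never regenerate
    (
        umask 077                   # key material must not be group/world readable
        tmp=$(mktemp "$out.XXXXXX") || exit 1
        # Generate into a temp file and rename, so httpd never reads a
        # half-written file if generation is slow or gets interrupted.
        if "$CERTTOOL" "$@" --outfile "$tmp" >/dev/null 2>&1 && [ -s "$tmp" ]; then
            mv -f "$tmp" "$out"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# Call from %post, or from the init script before starting httpd.
generate_gnutls_params() {
    ensure_param "$TLS_DIR/dhfile"  --generate-dh-params --bits 1024 || return 1
    ensure_param "$TLS_DIR/rsafile" --generate-privkey   --bits 512  || return 1
}
```

Because existing files are left alone, a scriptlet that fails or is interrupted can be re-run safely, and an administrator's own parameter files are not overwritten.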

