Changeset f216c56

Timestamp:

10/24/2011 01:06:24 AM (13 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

778be14

Parents:

599fda8

Message:

Add routine to remove out of date CA certificates.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8915 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general/genlib/libxslt.xml (modified) (2 diffs)
• introduction/welcome/changelog.xml (modified) (1 diff)
• postlfs/security/cacerts.xml (modified) (5 diffs)

general/genlib/libxslt.xml

@@ -35 +35 @@
     XSLT files.</para>
 
-    &lfs65_checked;
-    <para>&lfssvn_checked;20101029&lfssvn_checked2;</para>
+    &lfs70_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
@@ -90 +89 @@
 
   </sect2>
-
-  <!-- <sect2 role="commands">
-    <title>Command Explanations</title>
-
-    <para><command>sed -i "s/\$(PYTHON_SITE_PACKAGES)/'&amp;'/"
-    configure</command>: The quotes around this variable were inadvertently
-    removed in this release. This command puts the quotes back in so that
-    the variable is not interpreted as a shell command.</para>
-
-  </sect2> -->
 
   <sect2 role="content">

introduction/welcome/changelog.xml

@@ -45 +45 @@
       <para>October 23rd, 2011</para>
       <itemizedlist>
+        <listitem>
+          <para>[bdubbs] - Add routine to remove out of date
+          CA certificates.</para>
+        </listitem>
         <listitem>
           <para>[bdubbs] - Update to libxml2-2.7.8.</para>

postlfs/security/cacerts.xml

@@ -130 +130 @@
    user:</para>
 
-  <screen><userinput>cat > /bin/make-ca.sh &lt;&lt; "EOF"
+   <screen><userinput>cat > /bin/make-ca.sh &lt;&lt; "EOF"
 #!/bin/bash
 # Begin make-ca.sh
@@ -228 +228 @@
 chmod +x /bin/make-ca.sh</userinput></screen>
 
+   <para>Add a short script to remove expired certifictes from a directory.
+   Again create this script as the <systemitem
+   class="username">root</systemitem> user:</para>
+
+  <screen><userinput>cat > /bin/remove-expired-certs.sh &lt;&lt; "EOF"
+#!/bin/bash
+# Begin /bin/remove-expired-certs.sh
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+  DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+  notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+  date=$( echo ${notafter} |  sed 's/^notAfter=//' )
+
+  if [ $( date -d "${date}" +%Y%m%d ) -lt ${today} ]; then
+     echo "${cert} is expired! Removing..."
+     rm -f "${cert}"
+  fi
+done
+EOF
+
+chmod +x /bin/remove-expired-certs.sh</userinput></screen>
+
    <para>The following commands will fetch the certificates and convert them to
    the correct format.  If desired, a web browser may be used instead of
@@ -240 +271 @@
 wget --output-document certdata.txt $url &amp;&amp;
 unset certhost certdir url               &amp;&amp;
-make-ca.sh</userinput></screen>
+make-ca.sh                               &amp;&amp;
+remove-expired-certs.sh certs</userinput></screen>
 
    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
 
-<screen><userinput>install -d ${SSLDIR}/certs        &amp;&amp;
-cp -v certs/*.pem ${SSLDIR}/certs &amp;&amp;
-c_rehash                          &amp;&amp;
-install ca-bundle.crt ${SSLDIR}</userinput></screen>
+<screen><userinput>SSLDIR=/etc/ssl                                     &amp;&amp;
+install -d ${SSLDIR}/certs                          &amp;&amp;
+cp -v certs/*.pem ${SSLDIR}/certs                   &amp;&amp;
+c_rehash                                            &amp;&amp;
+install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &amp;&amp;
+unset SSLDIR</userinput></screen>
 
    <para>Finally, clean up the current directory:</para>
@@ -264 +298 @@
 
       <seglistitem>
-        <seg>make-ca.sh and make-cert.pl</seg>
+        <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
         <seg>None</seg>
         <seg>/etc/ssl/certs</seg>
@@ -297 +331 @@
         </listitem>
       </varlistentry>
+
+      <varlistentry id="remove-expired-certs">
+        <term><command>remove-expired-certs.sh</command></term>
+        <listitem>
+          <para>is a utility <application>perl</application> script that 
+          removed expired certificates fom a directory.  The defaut
+          directory is <filename class='directory'>/etc/ssl/ceerts</filename>.</para>
+          <indexterm zone="cacerts remove-expired-certs">
+            <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
    </variablelist>