Temporarily move the default location of the SSL/TLS server key and

certificate from /var/www/ to /var/www/conf/.  Don't get scared - this
will be changed soon!  They're currently located in the chroot
directory but will be moved outside as soon as we adopted some of the
key privsep from relayd in ressl/httpd.

diff --git a/usr.sbin/httpd/httpd.8 b/usr.sbin/httpd/httpd.8
index 66244af..050bfcd 100644 (file)
--- a/usr.sbin/httpd/httpd.8
+++ b/usr.sbin/httpd/httpd.8
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: httpd.8,v 1.40 2014/08/04 17:12:44 reyk Exp $
+.\"    $OpenBSD: httpd.8,v 1.41 2014/08/04 18:12:15 reyk Exp $
 .\"
 .\" Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
 .\"
@@ -36,6 +36,10 @@ Default configuration file.
 .Ux Ns -domain
 socket used for communication with
 .Nm .
+.It /var/www/conf/server.key
+Default SSL/TLS server key.
+.It /var/www/conf/server.crt
+Default SSL/TLS server certificate.
 .It /var/www/logs/access.log
 Default access log file.
 .It /var/www/logs/error.log

diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 9a7ef8b..b5cff07 100644 (file)
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: httpd.h,v 1.41 2014/08/04 17:38:12 reyk Exp $ */
+/*     $OpenBSD: httpd.h,v 1.42 2014/08/04 18:12:15 reyk Exp $ */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -37,6 +37,8 @@
 #define HTTPD_FCGI_SOCKET      "/run/slowcgi.sock"
 #define HTTPD_ACCESS_LOG       "/logs/access.log"
 #define HTTPD_ERROR_LOG                "/logs/error.log"
+#define HTTPD_SSL_KEY          "/conf/server.key"
+#define HTTPD_SSL_CERT         "/conf/server.crt"
 #define FD_RESERVE             5
 
 #define SERVER_MAX_CLIENTS     1024

diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 5748a85..c8b134b 100644 (file)
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: server.c,v 1.27 2014/08/04 17:38:12 reyk Exp $        */
+/*     $OpenBSD: server.c,v 1.28 2014/08/04 18:12:15 reyk Exp $        */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -135,9 +135,12 @@ server_ssl_init(struct server *srv)
                return (-1);
        }
 
-       /* XXX - make these configurable. */
-       ressl_config_set_cert_file(srv->srv_ressl_config, "/server.crt");
-       ressl_config_set_key_file(srv->srv_ressl_config, "/server.key");
+       /*
+        * XXX Make these configurable and move keys out of the chroot.
+        * XXX The RSA privsep code in relayd should be adopted to ressl.
+        */
+       ressl_config_set_cert_file(srv->srv_ressl_config, HTTPD_SSL_CERT);
+       ressl_config_set_key_file(srv->srv_ressl_config, HTTPD_SSL_KEY);
 
        if (ressl_configure(srv->srv_ressl_ctx, srv->srv_ressl_config) != 0) {
                log_warn("%s: failed to configure SSL - %s", __func__,