From cbba337004004ec43fb5dcd372ce367b7aac493f Mon Sep 17 00:00:00 2001
From: reyk
Date: Mon, 4 Aug 2014 18:12:15 +0000
Subject: [PATCH] Temporarily move the default location of the SSL/TLS server key and certificate from /var/www/ to /var/www/conf/.

Don't get scared - this will be changed soon! They're currently located in the chroot directory but will be moved outside as soon as we adopted some of the key privsep from relayd in ressl/httpd.
---
 usr.sbin/httpd/httpd.8 | 6 +++++-
 usr.sbin/httpd/httpd.h | 4 +++-
 usr.sbin/httpd/server.c | 11 +++++++----
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/httpd/httpd.8 b/usr.sbin/httpd/httpd.8
index 66244af92e9..050bfcdeff2 100644
--- a/usr.sbin/httpd/httpd.8
+++ b/usr.sbin/httpd/httpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.8,v 1.40 2014/08/04 17:12:44 reyk Exp $
+.\" $OpenBSD: httpd.8,v 1.41 2014/08/04 18:12:15 reyk Exp $
 .\"
 .\" Copyright (c) 2014 Reyk Floeter
 .\"
@@ -36,6 +36,10 @@ Default configuration file.
 .Ux Ns -domain socket used for communication with
 .Nm .
+.It /var/www/conf/server.key
+Default SSL/TLS server key.
+.It /var/www/conf/server.crt
+Default SSL/TLS server certificate.
 .It /var/www/logs/access.log
 Default access log file.
 .It /var/www/logs/error.log
diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 9a7ef8b823f..b5cff077ce0 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.41 2014/08/04 17:38:12 reyk Exp $ */
+/* $OpenBSD: httpd.h,v 1.42 2014/08/04 18:12:15 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -37,6 +37,8 @@
 #define HTTPD_FCGI_SOCKET "/run/slowcgi.sock"
 #define HTTPD_ACCESS_LOG "/logs/access.log"
 #define HTTPD_ERROR_LOG "/logs/error.log"
+#define HTTPD_SSL_KEY "/conf/server.key"
+#define HTTPD_SSL_CERT "/conf/server.crt"
 #define FD_RESERVE 5
 #define SERVER_MAX_CLIENTS 1024
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 5748a85fefc..c8b134b878b 100644
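Review bot: `HTTPD_SSL_KEY` and `HTTPD_SSL_CERT` read as absolute paths, yet the commit message says the files live in the chroot directory and httpd.8 in the same commit documents them as `/var/www/conf/server.key` and `/var/www/conf/server.crt`, so the strings are evidently resolved relative to the chroot, in the same way `HTTPD_ACCESS_LOG` (`/logs/access.log`, documented as `/var/www/logs/access.log`) beside them appears to be. Nothing in the header records that convention, and the announced plan to move the key out of the chroot will change how exactly these two are interpreted, so the next editor has to rediscover it from server.c. A comment above the new pair, `/* chroot-relative; keep in sync with the FILES section of httpd.8 */`, would make the convention explicit where the values are defined.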
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.27 2014/08/04 17:38:12 reyk Exp $ */
+/* $OpenBSD: server.c,v 1.28 2014/08/04 18:12:15 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -135,9 +135,12 @@ server_ssl_init(struct server *srv)
 return (-1);
 }
- /* XXX - make these configurable. */
- ressl_config_set_cert_file(srv->srv_ressl_config, "/server.crt");
- ressl_config_set_key_file(srv->srv_ressl_config, "/server.key");
+ /*
+ * XXX Make these configurable and move keys out of the chroot.
+ * XXX The RSA privsep code in relayd should be adopted to ressl.
+ */
+ ressl_config_set_cert_file(srv->srv_ressl_config, HTTPD_SSL_CERT);
+ ressl_config_set_key_file(srv->srv_ressl_config, HTTPD_SSL_KEY);
 if (ressl_configure(srv->srv_ressl_ctx, srv->srv_ressl_config) != 0) {
 log_warn("%s: failed to configure SSL - %s", __func__,
--
2.20.1
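Review bot: The results of `ressl_config_set_cert_file()` and `ressl_config_set_key_file()` are still discarded on the two rewritten lines, so if either setter fails (for instance while storing its copy of the path, assuming the setters report failure with a non-zero return the way `ressl_configure()` does) the problem is at best caught indirectly by the `ressl_configure()` check below, under a message that names the wrong step. Checking the setters where they are called keeps the diagnostic precise and follows the pattern this function already uses for `ressl_configure()`. The proposed guard is below; `server_ssl_init()` starts and ends outside the hunk, so the failure path should use whatever cleanup the earlier `return (-1)` in this function relies on.
```c
	/* … unchanged: XXX comment about making the paths configurable … */
	if (ressl_config_set_cert_file(srv->srv_ressl_config, HTTPD_SSL_CERT) != 0 ||
	    ressl_config_set_key_file(srv->srv_ressl_config, HTTPD_SSL_KEY) != 0) {
		log_warn("%s: failed to set SSL certificate/key file", __func__);
		return (-1);
	}
	/* … unchanged: ressl_configure() check … */
```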