From: wienne (小荔)
Compiled by: blainelinar (2001-07-19 20:53:45), on-site mail
gcc
ftp://ftp.sunfreeware.com/pub/freeware/sparc/7/gcc-2.95.2-sol7-sparc-local.gz
gzip
ftp://ftp.sunfreeware.com/pub/freeware/sparc/7/gzip-1.3-sol7-sparc-local
make
ftp://ftp.sunfreeware.com/pub/freeware/sparc/7/make-3.78.1-sol7-sparc-local.gz
perl
ftp://ftp.sunfreeware.com/pub/freeware/sparc/7/perl-5.005_03-sol7-sparc-local.gz
openssl-0.9.6
ftp://ftp.happysize.co.jp/mirror/openssl/source/openssl-0.9.6.tar.gz
mod_ssl-2.8.0-1.3.17
http://www.modssl.org/source/mod_ssl-2.8.0-1.3.17.tar.gz
apache_1.3.17
http://www.apache.org/dist/apache_1.3.17.tar.gz
php-4.0.4pl1
gtar-solaris-4.1.4-sparc.gz can be downloaded from www.mysql.com
gtar zvxf filename
Use this to unpack tar.gz files.
MySQL is the easiest to install. A precompiled SPARC build can be downloaded from its website; it has to be
unpacked with gtar, otherwise you get errors, because the Solaris tar has a bug.
After unpacking, for example into /temp/, cd /temp and run
pkgadd -d ./mysql-3.23.32-sun-solaris2.7. The system installs MySQL into
/usr/local/mysql-3.23.32-sun-solaris2.7-sparc
cd /usr/local/mysql-3.23.32-sun-solaris2.7-sparc/bin
Run the mysql command and you are in mysql. The installer already started mysql automatically.
To start it by hand, run mysqld.
-----------------------------------------------------------------------
Installation steps
gtar zxf mod_ssl-2.8.0-1.3.17.tar.gz
gtar zxf openssl-0.9.6.tar.gz
gtar zxf apache_1.3.17.tar.gz
gtar zxf php-4.0.4pl1.tar.gz
cd /temp/mod_ssl-2.8.0-1.3.17
./configure --with-apache=/temp/apache_1.3.17
cd /temp/apache_1.3.17
SSL_BASE=/temp/openssl-0.9.6 ./configure --enable-module=ssl --enable-module=so
make
make install
----------------------------------------
/usr/local/apache/bin/apachectl start
starts httpd on port 80
/usr/local/apache/bin/apachectl startssl
starts httpd on port 443
----------------------------------------
cd /temp/php-4.0.4pl1
./configure --enable-track-vars --with-apxs=/usr/local/apache/bin/apxs
make
make install
cd /usr/local/apache/conf
Edit httpd.conf
Change ServerName to your machine's hostname
At this point your machine can run Apache, but not with SSL, because Apache's
configuration file httpd.conf contains two lines
SSLCertificateFile /usr/local/apache/ca/server.crt
SSLCertificateKeyFile /usr/local/apache/ca/server.key
and the files they point to must exist and be valid.
With this installation method, for some reason openssl reports a rand error when creating the digital signature.
On www.modssl.org there is a precompiled
Apache_1.3.14-mod_ssl_2.7.2-openssl_0.9.6-WIN32.zip
that you can install under Win2k; openssl works normally there.
If anyone wants those two files, email me. The key passphrase is QuakeIII.
When you start Apache with /usr/local/apache/bin/apachectl startssl
it will prompt you for it.
When you view the site in a browser, you get warnings saying there is some problem with the 'security certificate'.
That is because the client-side certificate is not installed. Under win32, create it with the following commands,
quoted from the original:
\\\\\\\\\\\\\\\\\\
Create an RSA private key for your CA (Triple-DES encrypted and PEM formatted):
openssl genrsa -des3 -out ca.key 1024
Use the CA's RSA key to create a self-signed CA certificate (X509 structure) (the output will be in PEM format):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Install ca.crt.
Running openssl under win32 complains that it cannot find the openssl.cnf file.
Here is an example openssl.cnf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# RANDFILE = $ENV::HOME/.rnd
# oid_file = $ENV::HOME/.oid
# oid_section = new_oids
pfad = /usr/local/openssl
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1 = 1.2.3.4
# Or use config file substitution like this:
# testoid2 = ${testoid1}.5.6
####################################################################
[ ca ]
default_ca = Server_CA # The default ca section
####################################################################
[ Root_CA ] # Section for a Root CA
dir = $pfad/PCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/PCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/PCAkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = PCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL
default_days = 730 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
[ Server_CA ] # Section for a Server CA
dir = $pfad/SCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/SCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/SCAkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = SCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ User_CA ] # Section for a User CA
dir = $pfad/UCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/UCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/UCAkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = UCA_ext # The extensions to add to the cert
#crl_extensions = crl_ext # Extensions to add to CRL
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
# For the CA policy
# Here too:
# ... you must list all acceptable 'object' types.
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Schleswig-Holstein
localityName = Locality Name (eg, city)
#localityName_default = Kiel
0.organizationName = Organization Name (eg, company)
#0.organizationName_default = Universitaet Kiel
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Studis
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 60
# SET-ex3 = SET extension number 3
[ req_attributes ]
# The challenge password is used to identify yourself to the issuing CA for a
# certificate revocation if the private key is lost.
# It is asked for when the certificate request is created.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ PCA_ext ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = critical, CA:TRUE
# Possible: digitalSignature, nonRepudiation, keyEncipherment,
# dataEncipherment, keyAgreement, keyCertSign,
# cRLSign, encipherOnly, decipherOnly
keyUsage = cRLSign, keyCertSign
# PKIX recommendations
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Import the email address.
subjectAltName = email:copy
# Copy subject details
issuerAltName = issuer:copy
# Possible: client, server, email, objsign, reserved, sslCA, emailCA, objCA
nsCertType = sslCA, emailCA, objCA
# The URL prefix shared by the following URLs can be given here.
nsBaseUrl = https://192.168.0.79:443/
# The page with the CA policy
nsCaPolicyUrl = http://192.168.0.79/
nsComment = 证书由wienne授权
# An online certificate check can take place here, by accessing the
# URL in the form ../foo.cgi?aaaa. "aaaa" is the ASCII-encoded serial
# number of the certificate. The certificate can then be checked
# with OpenSSL.
# A decimal 0 or 1 is returned
nsRevocationUrl =
# Only valid in CA certificates. Meaning not entirely clear.
# nsCaRevocationUrl =
# Used to make it easier for a user to renew their certificate. Usually
# there is a CGI script behind it, accessed via HTTP GET in the form
# ../foo.cgi?aaaa. "aaaa" is again the serial number. A request form for
# renewing the certificate can be returned.
# nsRenewalUrl =
[ SCA_ext ]
# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
nsCertType = server
nsBaseUrl = https://192.168.0.79:443/
nsCaPolicyUrl = http://192.168.0.79/
nsComment = This certificate was issued by a Server CA
nsRevocationUrl =
# nsCaRevocationUrl =
# nsRenewalUrl =
[ UCA_ext ]
# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
nsCertType = client, email
nsBaseUrl = https://192.168.0.79:443/
nsCaPolicyUrl = http://192.168.0.79
nsComment = This certificate was issued by a User CA
nsRevocationUrl =
# nsCaRevocationUrl =
# nsRenewalUrl =
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
subjectAltName = email:copy
issuerAltName = issuer:copy
nsBaseUrl = https://192.168.0.79:443/
nsCaPolicyUrl = http://
nsComment = 证书由wienne授权
nsRevocationUrl =
# nsCaRevocationUrl =
# nsRenewalUrl =
# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5 = RAW:02:03
# You can even override a supported extension:
# basicConstraints = critical, RAW:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK
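The policy sections in the configuration above decide which request DNs the CA named in default_ca will sign, and the $pfad / $dir references are resolved by OpenSSL's config substitution. As an added example (not part of the original post and not OpenSSL code), here is a small Python parser for this config format plus a check that applies a policy section to a request DN; the config excerpt and the DNs are constructed for the example.

```python
import re

# Constructed excerpt in the openssl.cnf format listed above (not the full file).
SAMPLE_CNF = """\
pfad = /usr/local/openssl
[ ca ]
default_ca = Server_CA # The default ca section
[ Server_CA ]
dir = $pfad/SCA
certs = $dir/certs
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
commonName = supplied
emailAddress = optional
"""

_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # matches $name or ${name}

def parse_cnf(text):
    """Parse '[ section ]' headers, 'key = value' lines and '#' comments; $var is
    looked up in the current section first, then in the default section."""
    conf = {"default": {}}
    section = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        hdr = re.match(r"\[\s*(\S+)\s*\]", line)
        if hdr:
            section = hdr.group(1)
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        def expand(m):
            name = m.group(1) or m.group(2)
            return conf[section].get(name, conf["default"].get(name, ""))
        conf[section][key.strip()] = _VAR.sub(expand, value.strip())
    return conf

def dn_accepted(conf, ca_dn, req_dn):
    """Check a request DN against the default CA's policy section the way 'openssl ca'
    does: 'match' must equal the CA's value, 'supplied' must be present, 'optional' may be absent."""
    ca_section = conf[conf["ca"]["default_ca"]]
    for attr, rule in conf[ca_section["policy"]].items():
        if rule == "match" and req_dn.get(attr) != ca_dn.get(attr):
            return False
        if rule == "supplied" and not req_dn.get(attr):
            return False
    return True
```

Note that in policy_match only countryName is forced to equal the CA's own value; organizationName is merely "supplied", so a request naming a different organization is still signed by this CA.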
Compilation hit a great many problems, mainly because the user's environment variables were incomplete.
For example, the build cannot find some command; once you have located it, add its path to PATH and
run again. Sometimes you have to delete the unpacked build tree entirely, unpack the source again, and build again.
PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/ccs/bin;export PATH
PHP here has not been built with the GD library. It can be done, I just haven't managed it yet.
GD fails to compile and I can't solve it.
If you have any questions, contact me and I'll see whether I can help.
It is really annoying when you can't get it working,
and really satisfying once it runs normally!
Jump up and stamp the ground three times.
I still hope some expert can help solve the problems I raised above:
GD fails to compile
openssl under Solaris reports a rand error
Email:[email protected]
小荔
Articles referenced during installation
Generate a server.key:
openssl genrsa -des3 -out server.key 1024
Place this file in /etc/ssl
Generate a CSR (Certificate Signing Request):
openssl req -new -key server.key -out server.csr
Place this file in /etc/ssl
Generate an RSA key for your CA (Certificate Authority):
openssl genrsa -des3 -out ca.key 1024
Place this file in /etc/ssl
Generate an x.509 certificate for your CA:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Place this file in /etc/ssl
Sign your CSR:
./sign.sh server.crt
sign.sh comes packaged with the OpenSSL source distribution.
========================================================================
Create an RSA private key for your Apache server (Triple-DES encrypted and PEM formatted):
openssl genrsa -des3 -out server.key 1024
Generate a Certificate Signing Request (CSR) from the server's RSA private key (the output will be in PEM format):
When OpenSSL prompts you for the "CommonName", make sure you enter the server's FQDN ("Fully Qualified Domain Name"), i.e., when
you generate a CSR for a site that will later be accessed as https://www.foo.dom/, enter "www.foo.dom" here.
openssl req -new -key server.key -out server.csr
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create an RSA private key for your CA (Triple-DES encrypted and PEM formatted):
openssl genrsa -des3 -out ca.key 1024
Use the CA's RSA key to create a self-signed CA certificate (X509 structure) (the output will be in PEM format):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
=======================================================================
Edit /var/www/httpd.conf:
In the main section:
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
A <VirtualHost> tag for your domain:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot /home/www/vhost/www.mydomain.net/htdocs
ServerName www.mydomain.net
ServerAdmin [email protected]
ErrorLog logs/error_log
TransferLog logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
</VirtualHost>
Installing Apache, SSL, MySQL and PHP smoothly and seamlessly
Original author: Israel Denis Jr. Translated by: 晏子
--------------------------------------------------------------------------------
Purpose
Our goal is to install a web server that lets us host multiple websites, some of which are secure solutions for
e-commerce, while most are driven by scripts that connect to a database server and pull data from it.
The tools needed for this task are:
Apache - a web server
Mod_SSL - a Secure Sockets Layer (SSL) module
OpenSSL - an open source toolkit (required by mod_ssl)
RSARef - for US users only
MySQL - a database server
PHP - a scripting language
"All roads lead to Rome"... so this is just one of many configurations that meet our requirements. I chose this
configuration because it is the simplest and fastest. I chose Mod_SSL/OpenSSL because I have prior experience with it,
and it is the fastest to configure and easiest to install. For easy integration with Apache and with each other, I chose
PHP and MySQL. Remember, Perl can do any job you want to do; PHP, however, is simple and easy for any programmer who
wants to learn it.
Hopefully, by the end of this simple guide, you will have achieved the following goals:
Install and configure the MySQL database server
o Know how to check the status of the MySQL server
o Know how to access the MySQL server with the command-line client
o Know how to access your DB server from the web
Install and configure the Apache web server with SSL
o Configure a simple virtual host
o Know how to stop and start the server
o Know how to do some basic hosting configuration
Install and configure the PHP 4.0 hypertext preprocessor for server-side scripting
o Know how to write simple PHP code
o Know how to connect to a DB with PHP
o Create a simple PHP-enabled website that talks to a database
Create some sample certificates for Apache SSL
o Know how to generate a CSR file
o Know how to encrypt a key
o Know how to sign your own certificate
This article covers a lot of information. It is meant as an introductory guide that takes you into the world of
e-commerce, web scripting and the Secure Sockets Layer (SSL), with the aim of helping you build secure websites driven
by dynamic information stored in a database.
This article is by no means a detailed, comprehensive document, and it will certainly contain some errors (hopefully
minor); please keep that in mind as you read it. It should, however, get you excited and get the products mentioned
above up and running, and hopefully give you a better understanding of how these things work. No prior programming
knowledge is required, but some computer background is assumed. My goal is to write this document so that any newcomer
can understand what I am talking about. If I have achieved that, I have done a good job. If you build an e-commerce
site with ease and do better than I did :-), send me some explanations.
Assumptions
This article assumes you already have the following software installed on your system:
Perl (preferably version 5+)
gzip or gunzip
gcc and GNU make
If you don't have these installed, you will need to take the necessary steps to install them before following any of
the procedures in this article.
You also need a basic understanding of UNIX commands, HTML and SQL. You should have a basic understanding of how to
administer your Linux machine. You also need a fully working Linux machine on which you will install the software. Of
course you will need the required packages listed above in order to compile the source code, and finally, make sure
you do not already have MySQL, Apache or PHP preinstalled on the Linux machine.
How it works
It helps to understand what happens behind the scenes. Here is an oversimplified account of how it works; the diagram
below and the explanation that follows are not entirely accurate, only an outline of the essentials:
The scenario: we have a web page that fetches some data from a database. John Doe requests the page from his browser;
the request is sent to the web server, which then invokes a PHP script. The PHP script is interpreted by the PHP
preprocessor and fetches data from the database; the result is then processed by the rest of the PHP script and turned
into HTML, and the final HTML is sent back to the user's browser.
---- /************************
Share source code
Taken from others
Given back to others
************************/