A pile of SSL questions...

Posted 2005-10-22 16:23:39
IMAPS
How do I enable IMAPS?
/etc/dovecot.conf
protocols = imaps
imaps_listen = ?
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
Are these enough?? Is anything else needed??
And how are the key and the certificate generated??
Then there is https..
Use SSL to generate the certificate, key and so on, then put them under /etc/httpd/conf/
Edit httpd.conf
service httpd start
apachectl startssl
I don't know whether these steps are right.. but how exactly do I edit httpd.conf and generate the key and certificate with ssl??
Generating the key should be the same, right??
OP | Posted 2005-10-22 19:09:59
Generate the private key
openssl genrsa -des3 1024 > server.key
Generate the CSR
openssl req -new -key server.key > server.csr

Then the CSR needs to be sent to a CA for signing

Make the certificate yourself
openssl req -x509 -key server.key -in server.csr > server.crt

Then cp the .crt .key .csr into the corresponding /etc/httpd/conf/ssl.* directories

Certificate creation done
To start it: apachectl startssl
And then? =。=

Does anything need configuring in httpd.conf?? But I didn't find any SSL options in there

The same SSL is also used in dovecot: cp the certificate and the KEY respectively to
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
overwriting them, and then you have the KEY and the certificate
But how do I set the options in dovecot.conf so that dovecot starts the SSL mechanism, imaps and pop3s??

Posted 2005-10-22 22:08:41
Yeah, I also have a pile of SSL questions...

Let me see if I can answer some of your questions, but wait for yongjian for confirmation

1. IMAPS

These links explain it in great detail. Please take a look:
http://www.samba.hk/OpenWorkShop ... cotAndSSLConnection
http://opdebeeck.org/blog/doveco ... 0a72d09539066cca123

Basically, IMAPS is already configured in dovecot:
protocols = imaps
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem

Those two key and cert files are already generated during install.
If you want to generate self-signed key and cert files,
go to /usr/share/doc/dovecot.xx/ and run ./mkcert.sh

but you need to fix mkcert.sh before running the script; you should check whether:

SSLDIR=${SSLDIR-/etc/ssl}
CERTFILE=$SSLDIR/certs/imapd.pem
KEYFILE=$SSLDIR/private/imapd.pem

have been replaced by:

SSLDIR=${SSLDIR-/usr/share/ssl}
CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem

Also edit dovecot-openssl.cnf in the same doc dir and change it to your needs. Then run ./mkcert.sh

2. https

I am totally confused by you.
I remember there is a /etc/httpd/conf.d/ssl.conf which allows you to set up https. I tried it and it works fine.
Why don't you use this file? Instead you keep talking about /etc/httpd/conf/httpd.conf

OP | Posted 2005-10-22 22:37:58
Hmm.. there are a lot of options in ssl.conf...
But it looks like nothing needs changing.. because the default key file and cert file are both under ssl.* in /conf/
and the file names are both server.*
So I only need to make the CRT and KEY files and then move them under /conf/ssl.*, right??
Starting should just be apachectl startssl
But I just made a CRT file myself.. then typed https://192.168.0.1 (my servername) in the browser
and an SSL warning box popped up.. all 3 items say expired and untrusted =。= Is that a problem with the CA I made myself?? Or did something not succeed??

OP | Posted 2005-10-22 22:53:59
and for imaps
first set up a cert and a key, then edit dovecot.conf
for these four lines
protocols = imaps
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/xxx.pem
ssl_key_file = /usr/share/ssl/private/yyy.pem
and then
service dovecot reload
Like this??

Posted 2005-10-23 03:25:15
Hi cxfcxf, for imap, that's how you generate the cert file and start dovecot, but I have a question for you

Do we need to transfer the /usr/share/ssl/certs/dovecot.pem file to the client machine? If yes, where do we place this file (suppose the client machine is also Linux)? The same dir /usr/share/ssl/certs/? (Remember in ssh, we transfer the dsa_pub to the client machine as the ~/.ssh/authorized.keys file)

OP | Posted 2005-10-23 10:52:51
Both openssl and mkcert.sh can make the cert and key
ok, I set up Outlook and get the same as with https ~~
the cert and the key are reported as untrusted
I think there is some problem with it ~~
need a CA??

I think there is no need to transfer a key to the client side
I have tested it with Outlook ~

OP | Posted 2005-10-23 11:00:56
I have a new question....
about https
I copied ssl.crt and ssl.key to their DIR
and just started apache without the ssl section
service httpd start
I can also get in to https://192.168.0.1
so what's the meaning of "cmd=apachectl startssl"???

Posted 2005-10-23 12:34:49
I don't have the server with me, but I don't think you need to use apachectl startssl to start the SSL http server. I've never used it. When you start httpd, it will start the SSL portion of it too. I remember you can configure httpd to *NOT* include some conf files when starting up. Besides, you can use netstat to double check the status...

Posted 2005-10-23 20:49:01
First, about apachectl startssl, I did some tests and yongjian is correct: you don't need to use apachectl startssl to start the SSL http server. When you start httpd, it will start the SSL portion of it too.

However, I am still very confused with the key and cert files.

cxfcxf says, "i think it's not need to transfer a key to client site; i have tested it with outlook".

If you don't need to transfer a key or cert to the client site, how could the key and certificate be verified? When you connect from the client to the server? (maybe silly questions)

I tested both imaps and https from Windows clients.

An SSL warning box popped up.. 2 of the items say untrusted, except the date.

But after I viewed the certificate and installed it into the Windows store, I don't get the SSL warning box any more....

Yongjian, could you please explain the whole logic of ssl key and certificate files for imaps and https for us? I will check this posting anxiously....waiting for you.....
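An added example, not code from the thread, that reproduces the trust logic behind the warning boxes discussed above. It assumes the openssl CLI is installed and builds a self-signed key and certificate in a temporary directory (an unencrypted key via -nodes rather than the thread's -des3 one, so nothing prompts for a passphrase; the CN is a constructed placeholder), checks that the key belongs to the certificate, then shows the certificate failing verification against the default trust store and passing once it is itself supplied as the trust anchor, which is what importing it into the Windows store does.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
# Everything is written to a fresh temporary directory; nothing touches /etc.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/server.key"
CRT="$WORK/server.crt"

# Key and self-signed certificate in one non-interactive step (-nodes: key is
# not passphrase-protected, unlike the -des3 key in the thread). The subject
# CN is a constructed placeholder hostname.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=mail.example.test" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1

# Server-side sanity check: does the private key belong to this certificate?
# Compare the SHA-256 of the public key derived from each file.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ] && echo yes || echo no
}

# Client-side view 1: a browser or Outlook that has never seen this cert.
# No trust anchor signed it, so chain building fails ("self signed certificate").
verify_default_store() {
    openssl verify "$CRT" >/dev/null 2>&1 && echo trusted || echo untrusted
}

# Client-side view 2: the same cert after the user imported it as a trusted
# root (what installing it into the Windows store does). Now it verifies.
verify_with_cert_as_anchor() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1 && echo trusted || echo untrusted
}

# Validity window, the "expired" item in the warning box is checked against this.
cert_dates() {
    openssl x509 -in "$CRT" -noout -dates
}

main() {
    echo "key matches cert : $(key_matches_cert)"
    echo "default store    : $(verify_default_store)"
    echo "cert as anchor   : $(verify_with_cert_as_anchor)"
    cert_dates
}
main
```

A key generated with -des3 as in the thread is passphrase-protected, so httpd or dovecot will prompt for it at every start unless the passphrase is removed or configured.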
