Martin Bähr <[email protected]> writes:
> On Sat, Mar 14, 2009 at 07:15:50PM +0000, Andrew M. Bishop wrote:
>> > So, every time "the root CA certificate has expired; replacing it"
>> > wwwoffle causes a major outage not only for itself, but the whole
>> > system: one can only reboot.
>> Expiring security certificates is good practice and as I said in
>> yesterday's message GnuTLS originally had no option but to generate
>> certificates using high quality randomness.
>
> could the certificate be generated after wwwoffle is done starting up?
> it is quite annoying (and can cause trouble for uptime critical machines)
> if the whole bootup sequence is blocked because it has to wait for wwwoffle.
>
> i'd rather have only wwwoffle semi-functional instead of having the
> whole machine nonfunctional while the certificate is regenerated.
>
> on a server where wwwoffle runs without restart for months the
> regeneration of an expired certificate should not wait until restart
> either.
I have added two new features to WWWOFFLE based on the discussions on
the list in recent days. The first is to allow a weaker but quicker
random number source (but this will require a new-enough version of
the GnuTLS library) and the second is increased expiration dates on
the certificates.
quick-key-gen = yes | no
Normally generation of secret keys for the SSL/https functions uses the
default GnuTLS option for random number source. This can be slow on
some machines so this option selects a quicker but less secure random
number source (default = no).
expiration-time = (age)
The length of time after creation that each certificate will expire
(default = 1y).
The defaults will be the same as now (i.e. slow/secure and 1 year) but
they can be changed at will.
If anybody wants the patches for these I can post them here.
Otherwise the information was already included in earlier e-mails.
It should also be possible to make the WWWOFFLE daemon go into the
background earlier in the startup sequence before the certificates are
loaded (and created). This means that it won't stall the boot
sequence. I haven't examined this in detail, but there might be a
good reason why it is in the order that it is now.
--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [email protected]
http://www.gedanken.demon.co.uk/
WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
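A pre-emptive expiry check for the problem discussed above, added here as an example and not code from WWWOFFLE or from anyone in this thread. The certificate path is a placeholder and the 30-day default window is an assumption; run from cron or before a planned restart, it flags a certificate that is about to expire so it can be regenerated at a chosen time instead of during the next boot.

```shell
#!/bin/sh
# Example (not WWWOFFLE code): warn before a certificate expires, so that
# regeneration happens on a schedule rather than stalling the boot sequence.
# Requires the openssl command-line tool.

# Placeholder path: point this at the root CA or server certificate used
# by your WWWOFFLE installation.
DEFAULT_CERT="/path/to/wwwoffle/root-ca.pem"

# Print the notAfter date of a PEM certificate.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate expires within the next $2 seconds, 1 otherwise.
# openssl x509 -checkend exits 0 when the cert is still valid past the window,
# so the result is inverted here.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert FILE [DAYS]: 0 = fine, 1 = expiring within DAYS, 2 = unreadable.
check_cert() {
    cert="$1"
    days="${2:-30}"   # assumed default warning window
    if [ ! -r "$cert" ]; then
        echo "ERROR: certificate not readable: $cert" >&2
        return 2
    fi
    expiry=$(cert_not_after "$cert")
    if cert_expires_within "$cert" $((days * 86400)); then
        echo "WARNING: $cert expires within $days days (notAfter=$expiry); regenerate it now" >&2
        return 1
    fi
    echo "OK: $cert valid for more than $days days (notAfter=$expiry)"
    return 0
}

# Only run when invoked with arguments: check-cert.sh CERTFILE [DAYS]
if [ $# -gt 0 ]; then
    check_cert "${1:-$DEFAULT_CERT}" "${2:-30}"
fi
```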