forked from rpms/openssl
Makefile.certificate should not set serial to 0 by default
This commit is contained in:
parent
4240ecaa1b
commit
6536aa4c73
@ -1,8 +1,11 @@
|
|||||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||||
SERIAL=0
|
|
||||||
DAYS=365
|
DAYS=365
|
||||||
KEYLEN=2048
|
KEYLEN=2048
|
||||||
TYPE=rsa:$(KEYLEN)
|
TYPE=rsa:$(KEYLEN)
|
||||||
|
EXTRA_FLAGS=
|
||||||
|
ifdef SERIAL
|
||||||
|
EXTRA_FLAGS+=-set_serial $(SERIAL)
|
||||||
|
endif
|
||||||
|
|
||||||
.PHONY: usage
|
.PHONY: usage
|
||||||
.SUFFIXES: .key .csr .crt .pem
|
.SUFFIXES: .key .csr .crt .pem
|
||||||
@ -23,8 +26,9 @@ usage:
|
|||||||
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
||||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||||
@echo
|
@echo
|
||||||
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
|
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
|
||||||
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||||
|
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
|
||||||
@echo
|
@echo
|
||||||
@echo Examples:
|
@echo Examples:
|
||||||
@echo " make server.key"
|
@echo " make server.key"
|
||||||
@ -35,14 +39,14 @@ usage:
|
|||||||
@echo " make certreq"
|
@echo " make certreq"
|
||||||
@echo " make testcert"
|
@echo " make testcert"
|
||||||
@echo " make server.crt SERIAL=1"
|
@echo " make server.crt SERIAL=1"
|
||||||
@echo " make stunnel.pem SERIAL=2"
|
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
|
||||||
@echo " make testcert SERIAL=3"
|
@echo " make testcert DAYS=600"
|
||||||
|
|
||||||
%.pem:
|
%.pem:
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
|
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
|
||||||
cat $$PEM1 > $@ ; \
|
cat $$PEM1 > $@ ; \
|
||||||
echo "" >> $@ ; \
|
echo "" >> $@ ; \
|
||||||
cat $$PEM2 >> $@ ; \
|
cat $$PEM2 >> $@ ; \
|
||||||
@ -58,7 +62,7 @@ usage:
|
|||||||
|
|
||||||
%.crt: %.key
|
%.crt: %.key
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
|
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
|
||||||
|
|
||||||
TLSROOT=/etc/pki/tls
|
TLSROOT=/etc/pki/tls
|
||||||
KEY=$(TLSROOT)/private/localhost.key
|
KEY=$(TLSROOT)/private/localhost.key
|
||||||
@ -75,4 +79,4 @@ $(CSR): $(KEY)
|
|||||||
|
|
||||||
$(CRT): $(KEY)
|
$(CRT): $(KEY)
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
|
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
||||||
|
10
openssl.spec
10
openssl.spec
@ -227,6 +227,9 @@ if ! echo %{_target} | grep -q i686 ; then
|
|||||||
sslflags="no-asm 386"
|
sslflags="no-asm 386"
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
%ifarch x86_64
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
|
%endif
|
||||||
%ifarch sparcv9
|
%ifarch sparcv9
|
||||||
sslarch=linux-sparcv9
|
sslarch=linux-sparcv9
|
||||||
sslflags=no-asm
|
sslflags=no-asm
|
||||||
@ -243,21 +246,25 @@ sslarch="linux-generic32 -DB_ENDIAN"
|
|||||||
%endif
|
%endif
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
sslarch="linux64-s390x"
|
sslarch="linux64-s390x"
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
%endif
|
%endif
|
||||||
%ifarch %{arm}
|
%ifarch %{arm}
|
||||||
sslarch=linux-armv4
|
sslarch=linux-armv4
|
||||||
%endif
|
%endif
|
||||||
%ifarch aarch64
|
%ifarch aarch64
|
||||||
sslarch=linux-aarch64
|
sslarch=linux-aarch64
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
%endif
|
%endif
|
||||||
%ifarch sh3 sh4
|
%ifarch sh3 sh4
|
||||||
sslarch=linux-generic32
|
sslarch=linux-generic32
|
||||||
%endif
|
%endif
|
||||||
%ifarch ppc64 ppc64p7
|
%ifarch ppc64 ppc64p7
|
||||||
sslarch=linux-ppc64
|
sslarch=linux-ppc64
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
%endif
|
%endif
|
||||||
%ifarch ppc64le
|
%ifarch ppc64le
|
||||||
sslarch="linux-ppc64le"
|
sslarch="linux-ppc64le"
|
||||||
|
sslflags=enable-ec_nistp_64_gcc_128
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# ia64, x86_64, ppc are OK by default
|
# ia64, x86_64, ppc are OK by default
|
||||||
@ -268,7 +275,7 @@ sslarch="linux-ppc64le"
|
|||||||
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||||
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
||||||
enable-cms enable-md2 enable-ec_nistp_64_gcc_128 \
|
enable-cms enable-md2 \
|
||||||
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
|
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
|
||||||
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
|
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
|
||||||
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
|
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
|
||||||
@ -488,6 +495,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
- enable fast assembler implementation for NIST P-256 and P-521
|
- enable fast assembler implementation for NIST P-256 and P-521
|
||||||
elliptic curves (#1164210)
|
elliptic curves (#1164210)
|
||||||
- filter out unwanted link options from the .pc files (#1257836)
|
- filter out unwanted link options from the .pc files (#1257836)
|
||||||
|
- do not set serial to 0 in Makefile.certificate (#1135719)
|
||||||
|
|
||||||
* Mon Nov 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-3
|
* Mon Nov 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-3
|
||||||
- fix sigill on some AMD CPUs (#1278194)
|
- fix sigill on some AMD CPUs (#1278194)
|
||||||
|
Loading…
Reference in New Issue
Block a user