From 703134b7c4aa5a070ef0bb779609dd91b8144772 Mon Sep 17 00:00:00 2001
From: Pavel Roskin
Date: Sun, 22 Jan 2017 22:05:34 -0800
Subject: [PATCH] Add expanded openssl.conf to sources, use no location in certificate

---
 openssl.conf | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 xrdp.spec | 4 ++--
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 openssl.conf

diff --git a/openssl.conf b/openssl.conf
new file mode 100644
index 0000000..faa269c
--- /dev/null
+++ b/openssl.conf
@@ -0,0 +1,46 @@
+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
diff --git a/xrdp.spec b/xrdp.spec
index 114b08e..48230f3 100644
--- a/xrdp.spec
+++ b/xrdp.spec
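Review bot: `basicConstraints = CA:true` in `[v3_ca]` of openssl.conf marks the certificate produced by the `openssl req -x509 -nodes ... -config` call in xrdp.spec as a certificate authority, although it appears to be used only as xrdp's own server certificate. If a client imports that certificate as trusted to silence the warning, whoever can read the unencrypted `key.pem` next to it can issue certificates for other names that the client will accept. For a self-signed server certificate I would use `basicConstraints = critical, CA:FALSE` together with `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth`. The fixed `commonName = XRDP` with no `subjectAltName` also gives every install the same subject, so clients cannot match the name to the host and have to compare fingerprints instead; a comment in `[req_distinguished_name]` saying so would help administrators.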
@@ -10,6 +10,7 @@ Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xr
 Source1: xrdp-sesman.pamd
 Source2: xrdp.sysconfig
 Source3: xrdp.logrotate
+Source4: openssl.conf
 Patch0: xrdp-0.9.1-sesman.patch
 Patch1: xrdp-0.9.1-xrdp-ini.patch
 Patch2: xrdp-0.9.1-service.patch
@@ -71,7 +72,7 @@ echo '#!/bin/bash -l
 %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp
 #install openssl.conf /etc/xrdp
-%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
+%{__install} -Dp -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
 #install log file /var/log/xrdp-sesman.log
 %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
@@ -97,7 +98,6 @@ if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
 openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
 -keyout %{_sysconfdir}/xrdp/key.pem \
 -out %{_sysconfdir}/xrdp/cert.pem \
- -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
 -config %{_sysconfdir}/xrdp/openssl.conf
 fi