From: Jeff Trawick Date: Fri, 10 Oct 2014 00:17:33 +0000 (+0000) Subject: mod_ssl_ct: Update the doc for the recent sync with current OpenSSL 1.0.2 X-Git-Tag: 2.5.0-alpha~3787 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c420809d92bfc7508bc29f34d31242825d5cc269;p=apache mod_ssl_ct: Update the doc for the recent sync with current OpenSSL 1.0.2 and Certificate Transparency tools, as well as a few other clarifications. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1630625 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl_ct.xml b/docs/manual/mod/mod_ssl_ct.xml index 029fdd0c7c..50794e3df8 100644 --- a/docs/manual/mod/mod_ssl_ct.xml +++ b/docs/manual/mod/mod_ssl_ct.xml @@ -80,8 +80,8 @@ information does not have to also restart httpd to make it take effect.

This module is experimental for the following reasons: @@ -182,7 +182,10 @@ testing.

public key of the log
A proxy must have the public key of the log in order to check the - signature in SCTs it receives which were obtained from the log.
+ signature in SCTs it receives which were obtained from the log. +
+ A server must have the public key of the log in order to submit certificates + to it.
general trust/distrust setting
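Review bot: the added sentence "A server must have the public key of the log in order to submit certificates to it." states a requirement without the rationale that the preceding proxy sentence gives ("in order to check the signature in SCTs it receives"), so a reader is left wondering why a submission needs the log's public key at all. Say what the server does with the key; if it is used to verify the SCT the log returns before that SCT is stored and served, write that, e.g. "A server must have the public key of the log so that it can verify the SCT returned when it submits a certificate."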
This is a mechanism to distrust or restore trust in a particular log, @@ -229,20 +232,21 @@ testing.

Off-line audit for proxy

Experimental support for this is implemented in the ctauditscts - command (in the httpd source tree, not currently installed), which itself - relies on the verify_single_proof.py tool in the + command, which itself relies on the verify_single_proof.py tool in the certificate-transparency open source project. ctauditscts can parse data for off-line audit (enabled with the CTAuditStorage directive) and invoke verify_single_proof.py. - However, verify_single_proof.py is not complete currently and does - not provide a way to identify audit failures.

+

Here are rough notes for using ctauditscts:

    -
  • Set PYTHONPATH to include the src/python +
  • Create a virtualenv using the requirements.txt file + from the certificate-transparency project and run the following steps + with that virtualenv activated.
  • +
  • Set PYTHONPATH to include the python directory within the certificate-transparency tools.
  • -
  • Set PATH to include the src/python/ct/client/tools +
  • Set PATH to include the python/ct/client/tools directory.
  • Run ctauditscts, passing the value of the CTAuditStorage directive and, optionally, the path to @@ -251,7 +255,7 @@ testing.

The data saved for audit can also be used by other programs; refer to the - ctauditscts source code for details.

+ ctauditscts source code for details on processing the data.

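Review bot: the hunk drops the caveat "verify_single_proof.py is not complete currently and does not provide a way to identify audit failures" without replacing it with how a failure is reported; since the off-line audit exists to detect a log that issued an SCT it cannot prove, the reader needs to know how ctauditscts signals an inconsistency (or that it still cannot). Either restore the caveat or add a sentence describing the failure output. Two smaller points in the same hunk: the parenthetical "(in the httpd source tree, not currently installed)" is removed without saying where ctauditscts now lives or how it is installed, and the new virtualenv bullet names requirements.txt without its location in the certificate-transparency tree, while the next two bullets do give paths ("python", "python/ct/client/tools"); give the path for requirements.txt too.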
@@ -289,7 +293,8 @@ testing.

executable is the full path to the log client tool, which is - normally file src/client/ct within the source tree of the + normally file cpp/client/ct (or ct.exe) within the + source tree of the certificate-transparency open source project.

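Review bot: "normally file cpp/client/ct (or ct.exe) within the source tree" reads as if the client is present after a checkout; since this is the built log client binary, say that the certificate-transparency project must be built first and that the directive expects the path of the resulting binary. "file" can also be dropped: "normally cpp/client/ct (or ct.exe on Windows) within the source tree".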
@@ -298,7 +303,7 @@ testing.

If this directive is not configured, server certificates cannot be submitted to logs in order to obtain SCTs; thus, only admin-managed - SCTs will be provided to clients.

+ SCTs or SCTs in certificate extensions will be provided to clients.
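Review bot: the new clause "or SCTs in certificate extensions" lists a source this module does not supply: an SCT embedded in the certificate reaches the client with the certificate itself whether or not the log client is configured, so "will be provided to clients" blurs the contrast the sentence is drawing. Reword to keep the point, e.g. "only admin-managed SCTs (plus any SCTs already embedded in the server certificate) will be sent to clients", and consider naming the directive that supplies admin-managed SCTs so the reader can find it.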