[APACHE]: Using several certificates on a single IP address with Apache virtual hosts
By neoclimb,
Wednesday 25 February 2009 at 07:50 ::Linux::
By default, the apache2 SSL service can use only one certificate. To work around this, we will compile the GnuTLS module and use it in place of SSL.
NOTE: Since Debian moved from ETCH to LENNY, the GnuTLS module for apache2 is available through the package manager:
apt-get install libapache2-mod-gnutls
Via the testing branch (careful: this moves you to the testing libc6):
#apt-get install libgnutls26
libc6-i686 2.7-16 [1265kB]
libapache2-mod-gnutls 0.5.1-1 [29,2kB]
tzdata 2008h-2 [742kB]
libc6 2.7-16 [4438kB]
libgcrypt11 1.4.1-1 [242kB]
locales 2.7-16 [4491kB]
libgnutls26 2.4.2-1 [456kB]
Fetching the GnuTLS module sources and installing the Apache development libraries
#wget http://www.outoforder.cc/downloads/mod_gnutls/mod_gnutls-0.5.3.tar.bz2
#bzip2 -d mod_gnutls-0.5.3.tar.bz2
#tar xvf mod_gnutls-0.5.3.tar
#cd mod_gnutls-0.5.3
#apt-get install apache2-prefork-dev libgnutls-dev
Compiling the GnuTLS module for Apache2
#./configure --with-apxs=/usr/bin/apxs2 --with-libgnutls=/usr
---
Configuration summary for mod_gnutls:
 * mod_gnutls version: 0.5.3
 * Apache Modules directory: /usr/lib/apache2/modules
 * GnuTLS Library version: 2.4.2
 * SRP Authentication: yes
---
#make
#make install
Enabling the GnuTLS module for Apache and configuring it:
#a2enmod gnutls
Add to your Apache configuration file:
GnuTLSEnable on
GnuTLSCertificateFile /etc/apache2/certificats/votre-certificat.crt
GnuTLSKeyFile /etc/apache2/certificats/votre-certificat.key
GnuTLSPriorities NORMAL:+COMP-DEFLATE
Test your configuration:
#apache2 -t
To uninstall the packages that were only needed for compilation:
#apt-get remove --purge apache2-prefork-dev comerr-dev libapr1-dev libaprutil1-dev libdb4.4-dev libexpat1-dev libkadm55 libkrb5-dev libldap2-dev libpcre3-dev libpcrecpp0 libpq-dev libsqlite3-dev libssl-dev uuid-dev zlib1g-dev
#apt-get remove --purge libgcrypt11-dev libgnutls-dev libgpg-error-dev liblzo-dev libopencdk8-dev libpopt-dev libtasn1-3-dev
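The directives shown in this post load a single certificate. As an added example (not part of the original post), this is how two name-based virtual hosts on the same IP address can each present their own certificate with mod_gnutls; the host names, document roots and certificate file names are placeholders. It sets GnuTLSPriorities to NORMAL without +COMP-DEFLATE, because TLS-level compression leaks information about secrets through record lengths (the CRIME class of attacks).

```apache
# Added example. Every host name, path and file name below is a placeholder.
# Apache 2.2 syntax, matching the Debian Lenny era of this post.
# On Debian, "Listen 443" normally lives in /etc/apache2/ports.conf.
Listen 443
NameVirtualHost *:443

# First virtual host. It is also the default: a client that sends no
# server name in its TLS hello is served this host and this certificate.
<VirtualHost *:443>
    ServerName site1.example.com
    DocumentRoot /var/www/site1

    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/certificats/site1.example.com.crt
    # Private keys should be readable by root only (chmod 600).
    GnuTLSKeyFile /etc/apache2/certificats/site1.example.com.key
    # NORMAL alone: no TLS compression is negotiated.
    GnuTLSPriorities NORMAL
</VirtualHost>

# Second virtual host on the same IP address and port, with its own
# certificate and key. It is selected from the server name the client
# sends during the TLS handshake.
<VirtualHost *:443>
    ServerName site2.example.com
    DocumentRoot /var/www/site2

    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/certificats/site2.example.com.crt
    GnuTLSKeyFile /etc/apache2/certificats/site2.example.com.key
    GnuTLSPriorities NORMAL
</VirtualHost>
```

After apache2 -t and a reload, openssl s_client -connect <ip>:443 -servername site2.example.com should return the site2 certificate, and the same command with site1.example.com the site1 certificate.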