Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

..
Failed to load latest commit information.
README

README

It is probably best to generate/move certificates in
   /etc/ssl/local
to share them easily among daemons and to put symlinks to it as
   /etc/nginx/certs
   /etc/dovecot/certs
   /etc/exim4/exim.crt
   /etc/exim4/exim.key
   ...

The makecert.sh script from /etc/ssl/local should generate decent enough
self-signed certificate:
     .crt + .key
     .pem as symlink to .crt
     .der as der encoded version (sometimes necessary)

Some daemon (exim4) need read access to the certs. In this case, it's possible to use the special group ssl-cert
     adduser Debian-exim ssl-cert
     chgrp ssl-cert /etc/ssl/local/domain...
     chmod g+r /etc/ssl/local/domain...

Daemons compiled with GNU TLS (exim once again) may have troubles to deal
with SHA2-512 sigs along with TLS 1.2. The temporary workaround is to disable
TLS 1.2 see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740160

     tls_require_ciphers = NORMAL:-VERS-SSL3.0:-VERS-TLS1.2


For the record, at the moment (2014 April) it's recommended to rely only on
TLS and deactivate SSLv3, SSL2, etc.
See https://yeupou.wordpress.com/2015/02/05/improving-qualys-ssl-server-test-results-regarding-poodle-attack-and-sha1/

Something went wrong with that request. Please try again.