lynx-dev

Re: lynx-dev FORCE_SSL_PROMPT:NO


From: Doug Kaufman
Subject: Re: lynx-dev FORCE_SSL_PROMPT:NO
Date: Fri, 25 Jul 2003 08:08:47 -0700 (PDT)

On Fri, 25 Jul 2003, Stef Caunter wrote:

> Added procedure to determine default ssl cert location
> (thanks to DK and HN)
> Neutralized path and system definition language (thanks to
> TG and HN)
> Re-presented environment variable definition as possible
> solution.
> File is getting big so attachment not duplicated in
> message body, please advise if I should do it the other way.

Looks good. Some suggestions follow:

> The default location for certs on your system may be different, or there
> may not be one. You will have to substitute that location for
> /usr/local/ssl/certs in the following instructions, and/or set environment
> variables.
>
> To determine the default location for certs on your system run the
> following command:
> 
> strings `find / -name libcrypto.a 2>/dev/null` | grep -in cert | less

Doing a find from root may take up excessive resources on some systems.
I would think that we should recommend that only if libcrypto is not
found in the usual library locations.
  
> ...
> It is a fairly trivial procedure to pull the bundle of trusted root certs
> out of a recent version of Internet Explorer. The procedure to convert and
> install them is detailed later in this document, and if you simply need to
> have commercially provided certificates trusted by lynx, you can skip down
> a few lines to the INSTALLING OR UPDATING THE CA BUNDLE section.

This might be a good place to mention that ca bundles are available in
various places, such as the modssl distribution, for those who want to
take that route.

> ... 
> Confirm that you have the script c_rehash (See PRELIMINARY PROCEDURES; if
> it is not found, a copy is usually located in the tools directory of the
> openssl source tree. If you use this copy, it needs the execute bit set or
> it will not run).
> 
> As root, run:
> 
> ./c_rehash

I don't think that we should necessarily advise running as root. This
README might be used by a user on a shared system setting up lynx in his
own directory. That is, after all, the main reason for the environment
variables. Whoever is root has already set the defaults that they want
for the system.

> ...
> SETTING AND EXPORTING ENVIRONMENT VARIABLES:
> 
> If lynx is still not recognizing certs, environment variables may need
> to be set; if so, they must be exported!

You might want to say instead "if on a sh type shell, the variables also
need to be exported".
  
> ...
> The environment variables SSL_CERT_DIR and SSL_CERT_FILE only need to be
> set if a non-default location is used for certificates, or if certs just
> can't be found by lynx. They may be set as follows in /etc/profile, or a
> shell initialization .profile or .*shrc, if we run a non csh type shell,
> according to the results of the search for the default location for certs
> procedure (See PRELIMINARY PROCEDURES):
> 
> SSL_CERT_DIR /usr/local/ssl/certs
> SSL_CERT_FILE /usr/local/ssl/cert.pem
> export SSL_CERT_DIR SSL_CERT_FILE

Shouldn't this be:
SSL_CERT_DIR="/usr/local/ssl/certs"
SSL_CERT_FILE="/usr/local/ssl/cert.pem"
export SSL_CERT_DIR SSL_CERT_FILE

On csh type shells, you can use:
setenv SSL_CERT_DIR "/usr/local/ssl/certs"
setenv SSL_CERT_FILE "/usr/local/ssl/cert.pem"

                       Doug



-- 
Doug Kaufman
Internet: address@hidden
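
The suggestion above to look in the usual library locations before resorting to a find from root, written out as an added example (not part of the original message or of the Lynx README). The directory list and the function names are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example: locate libcrypto without walking the whole filesystem,
# then list the certificate-related strings compiled into it.

# Assumed "usual" library directories; not taken from the thread.
LIB_DIRS="/usr/lib /usr/lib64 /lib /usr/local/lib /usr/local/ssl/lib /opt/ssl/lib"

# find_libcrypto [dir ...]
# Print the first libcrypto.a or libcrypto.so* found in the given
# directories (default: $LIB_DIRS). Returns 1 if none is found.
find_libcrypto() {
    [ $# -gt 0 ] || set -- $LIB_DIRS
    for d in "$@"; do
        for f in "$d"/libcrypto.a "$d"/libcrypto.so*; do
            # An unmatched glob stays literal and fails the -f test.
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    return 1
}

# cert_strings FILE
# Print the printable strings in FILE that mention "cert". Falls back to
# tr when strings(1) is not installed.
cert_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi | grep -i cert
}

# default_cert_locations [dir ...]
# Cheap search first; only suggest the expensive one if it fails.
default_cert_locations() {
    lib=$(find_libcrypto "$@") || {
        echo "libcrypto not found in the usual locations." >&2
        echo "Last resort: find / -name 'libcrypto.*' 2>/dev/null" >&2
        return 1
    }
    cert_strings "$lib"
}

# Usage: default_cert_locations            (searches $LIB_DIRS)
#        default_cert_locations "$HOME/lib" (searches a private install)
```

Nothing here needs root, so it also works for a user with a private OpenSSL build in their own directory.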

