View Single Post
  #4  
Old 16th November 2012, 18:09
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 386
Thanks: 28
Thanked 58 Times in 50 Posts
Default

Quote:
Originally Posted by till View Post
... But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.
Till, are you able to provide a specific bug-tracker ticket number for this effort?

I have long been leery of managing SSL certificates in ISPConfig for this very reason (no validation is performed to determine whether or not the key and certificate match).

If this has not been implemented already, it seems that this should be as simple as examining the hashes of each certificate component and ensuring that they all match.

On the command-line, this might look something like the following:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395aed008daf908ba3c447cec3a50db6
Of course, in ISPConfig's case, it may make more sense to pass the certificate strings as they exist in the database to the openssl executable.

If any hash mismatches are present in the output, ISPConfig refuses to save the certificate files to disk and throws an error with specific information as to where the mismatch occurred.

Something like this would be a major step forward for SSL handling in ISPConfig.
Reply With Quote