From 7d05fa82ff12d352190051628dcac6f91a77ae14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Zl=C3=A1mal?=
Date: Wed, 10 Apr 2024 14:31:55 +0200
Subject: [PATCH] Enabled Certificate Revocation Lists checking

- CRLs were not checked so far, this change adds directives to check them.
- The service *fetch-crl-cron* must be installed and started for this to work.
---
 templates/sites-enabled/perun-api-cert.conf.j2 | 2 ++
 templates/sites-enabled/perun-cert.conf.j2 | 2 ++
 templates/sites-enabled/perun.conf.j2 | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/templates/sites-enabled/perun-api-cert.conf.j2 b/templates/sites-enabled/perun-api-cert.conf.j2
index 3ab6c0f..c2122a7 100644
--- a/templates/sites-enabled/perun-api-cert.conf.j2
+++ b/templates/sites-enabled/perun-api-cert.conf.j2
@@ -64,6 +64,8 @@ SSLVerifyDepth 5
 SSLVerifyClient optional
 SSLOptions +LegacyDNStringFormat
+ SSLCARevocationCheck chain
+ SSLCARevocationPath /etc/grid-security/certificates/
 LogLevel warn ssl:warn rewrite:warn
diff --git a/templates/sites-enabled/perun-cert.conf.j2 b/templates/sites-enabled/perun-cert.conf.j2
index 76a4941..2451c78 100644
--- a/templates/sites-enabled/perun-cert.conf.j2
+++ b/templates/sites-enabled/perun-cert.conf.j2
@@ -79,6 +79,8 @@ SSLVerifyDepth 5
 SSLVerifyClient optional
 SSLOptions +LegacyDNStringFormat
+ SSLCARevocationCheck chain
+ SSLCARevocationPath /etc/grid-security/certificates/
 LogLevel warn ssl:warn rewrite:warn
diff --git a/templates/sites-enabled/perun.conf.j2 b/templates/sites-enabled/perun.conf.j2
index 7a362ad..3ba374b 100644
--- a/templates/sites-enabled/perun.conf.j2
+++ b/templates/sites-enabled/perun.conf.j2
@@ -76,6 +76,8 @@ ShibCompatValidUser on
 SSLVerifyDepth 5
 SSLVerifyClient optional
 SSLOptions +LegacyDNStringFormat
+ SSLCARevocationCheck chain
+ SSLCARevocationPath /etc/grid-security/certificates/
 {% endif %}
 # Increasing limits on HTTP headers. Connector packetSize in Tomcat must be set to bigger value than ProxyIOBufferSize here.
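Review bot: The added `SSLCARevocationCheck chain` in perun-api-cert.conf.j2 (and identically in perun-cert.conf.j2 and perun.conf.j2) makes client-certificate validation fail closed: per the mod_ssl documentation a CRL must be available for every certificate in the chain, so a missing or expired CRL under `/etc/grid-security/certificates/` rejects otherwise valid client certificates. That is the safer default, but the dependency on fetch-crl is recorded only in the commit message; I would state it next to the directives, e.g. `# CRLs in this directory must be kept current by fetch-crl; a missing or expired CRL rejects the client certificate`. It is also worth confirming that the running httpd picks up refreshed CRLs without a reload, and monitoring the age of the CRL files, since nothing visible in these hunks covers either. The enclosing blocks (and, in perun.conf.j2, the condition that `{% endif %}` closes) lie outside the hunks, so whether the role installs and enables the fetch-crl service cannot be seen from here.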