9front - general discussion about 9front
* /sys/lib/tls or /sys/lib/ssl
@ 2018-03-20  5:13 Dr.Kenji Okamoto
  2018-03-20 13:11 ` [9front] " Steve Simon
  0 siblings, 1 reply; 2+ messages in thread
From: Dr.Kenji Okamoto @ 2018-03-20  5:13 UTC (permalink / raw)
  To: 9front

I'm now trying to setup email to our smtps(port 465) server.

Now I have a question how to use /sys/lib/tls or /sys/lib/ssl.

What is difference between the two?


Kenji

====from my new OpenBSD 6.2 PC====





* Re: [9front] /sys/lib/tls or /sys/lib/ssl
  2018-03-20  5:13 /sys/lib/tls or /sys/lib/ssl Dr.Kenji Okamoto
@ 2018-03-20 13:11 ` Steve Simon
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Simon @ 2018-03-20 13:11 UTC (permalink / raw)
  To: 9front

Hi Kenji,

I believe /sys/lib/ssl is just historic, smtpd still uses it as the default
place to find TLS/SSL certificates but I override it on the command line on my server.

My /rc/bin/service/tcp465 contains

	exec /bin/tlssrv -c /sys/lib/tls/mail.pem -l ssmtpd -r `{cat $3/remote} /bin/upas/smtpd -a -g -n $3

I wrote some notes on how to generate a new certificate as my self-signed one expired a year or so ago.

--------------------------------------
make a safe (not backed up) place to work
	ramfs
	cd /tmp

generate a key pair

	auth/rsagen -b 2048 -t 'service=tls role=client owner=*' > key.rsa

generate a certificate 

	auth/rsa2x509 'C=GB CN=*.mydomain.dom' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem

you can check your certificate using the web interface:

	https://certlogik.com

Update your secstore - used for sending email

	auth/secstore -G factotum > factotum.old
	grep -v 'service=tls role=client owner=*' factotum.old > factotum
	cat key.rsa >> factotum
	diff factotum factotum.old
	auth/secstore -p factotum


Update bootes secstore - used by imap4d and pop3d

	auth/secstore -G factotum > factotum.old
	grep -v 'service=tls role=client owner=*' factotum.old > factotum
	cat key.rsa >> factotum
	diff factotum factotum.old
	auth/secstore -p factotum

install the certificate here to allow httpd to speak https

	cp key.pem /usr/web/sitename.pem
	chmod 644 /usr/web/sitename.pem

install the certificate here to allow smtpd to speak EHLO 

	cp key.pem /sys/lib/tls/mail
	chmod 644 /sys/lib/tls/mail

reboot server so it re-reads bootes factotum

you can check email is working using:

	https://www.checktls.com/perl/live/TestReceiver.pl


-Steve


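The recipe in Steve's notes (generate an RSA key pair, wrap it in a self-signed certificate, then watch it expire a year or so later) translated to OpenSSL on a Unix box, as an added example that is not part of the thread and not 9front's own tooling. It assumes openssl(1) 1.1.1 or newer is on PATH; the host name mail.example.org, the country code and the 825-day lifetime are placeholders, not values from the thread. Two things it adds that the notes do not: the host name goes into subjectAltName as well as CN (current clients ignore a bare CN, wildcard or not), and cert_ok_for_days is the expiry check you would run from cron so the certificate does not silently lapse.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenSSL rendition of the
# rsagen/rsa2x509 step above, plus an expiry check. Assumes openssl(1)
# 1.1.1 or newer; host name, country and lifetime are placeholders.

WORK=${WORK:-${TMPDIR:-/tmp}/tls-example.$$}
mkdir -p "$WORK"

# Make a 2048-bit RSA key and a self-signed certificate for $1, valid $2 days.
# A host or wildcard name in CN alone is not enough for current clients, so
# the same name is also placed in subjectAltName.
gen_selfsigned() {
    host=$1; days=${2:-825}
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days "$days" \
        -subj "/C=GB/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is still valid for at least $2 more days
# (default 30); non-zero if it expires sooner. Suitable for a cron job that
# warns before the certificate lapses the way the self-signed one did.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Print the CN of the certificate in $1 (RFC2253 form: CN=...,C=...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Human-readable summary: subject and expiry date.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Live check of an SMTPS listener such as the tcp465 service above.
# Needs network, so it is defined but not called here.
smtps_check() {
    openssl s_client -connect "$1:465" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

gen_selfsigned mail.example.org 825
cert_summary "$WORK/cert.pem"
cert_ok_for_days "$WORK/cert.pem" 30 && echo "certificate good for at least 30 days"
```

On the Plan 9 side the private key never leaves factotum (tlssrv -c takes only the certificate), which is why the notes load key.rsa into both secstores rather than copying it next to the PEM. Also note that the service file above hands tlssrv /sys/lib/tls/mail.pem while the notes copy the certificate to /sys/lib/tls/mail; whichever name you pick, make sure the -c argument and the installed file agree, or tlssrv will fail to start.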
