Archive for the ‘Linux and Open Source’ Category

Wine 1.0 almost here!

Thursday, June 12th, 2008

No less than 15 years in the making, the final release candidate for Wine 1.0 (RC5) is scheduled to be released this Friday, with Wine 1.0 to follow in a few days. What an amazing accomplishment! Congrats to the WineHQ developers.

Update June 17, 2008: Wine 1.0 has been released. Read the article over at WineHQ.

Via not so Open Source after all

Thursday, June 12th, 2008

A while back Phoronix reported that Via would jump on the Open Source bandwagon. Well, think again. Xavier Bachelot posted today that “via can probably be considered dead” and that “they are still ‘collecting the idea inside the VIA Linux group’ and they still don’t know what they ‘can do for the first step’”. Way to go Via…

Red Hat’s patent settlement a victory for the Open Source Community

Thursday, June 12th, 2008

In case you missed it, go read Pamela Jones’ great analysis of Red Hat’s settlement. Kudos to Red Hat & Mark Webbink for making this happen. For a good laugh, read Greg DeKoenigsberg’s screenplay of the whole affair.

Asterisk 1.2 and Xs4all VoIP configuration

Friday, August 31st, 2007

A while back the excellent Dutch ISP Xs4all introduced a VoIP service for its subscribers. Here is the configuration to make Asterisk 1.2 work with Xs4all. But before we go into the config, one remark: there is a problem between Asterisk and the way the Cirpack switch that Xs4all uses sends DTMF tones. You have to patch the file rtp.c of the Asterisk source and rebuild Asterisk. If you use Fedora, RHEL or CentOS, you can use these (S)RPMs that already have this problem solved.

Search in rtp.c for the following lines:

[34] = {1, AST_FORMAT_H263},
[103] = {1, AST_FORMAT_H263_PLUS},
[97] = {1, AST_FORMAT_ILBC},
[101] = {0, AST_RTP_DTMF},
[110] = {1, AST_FORMAT_SPEEX},

and add this line:
[96] = {0, AST_RTP_DTMF},

Now let’s get on with the configuration.

In sip.conf add the following lines. Obviously you need to replace 08787xxxxx with your number and replace ******** with your password.

register => 08787xxxxx:********@sip.xs4all.nl/08787xxxxx

[xs4all-in]
type=friend
username=08787xxxxx
fromuser=08787xxxxx
fromdomain=sip.xs4all.nl
secret=********
host=sip.xs4all.nl
insecure=invite
context=from-xs4all
canreinvite=no
dtmfmode=inband
disallow=all
allow=alaw

In extensions.conf add something like the following (adjust to your needs):

[from-xs4all]
exten => 08787xxxxx,1,Dial(SIP/100,30,t)
exten => 08787xxxxx,n,Hangup()

I did not need to use “nat=yes” although my Asterisk box is behind NAT. It may depend on the modem. This setup works with a Thomson SpeedTouch 716.

SVN and WebSVN over SSL with self-signed certificates

Tuesday, August 28th, 2007

The quest for today’s holy grail is to set up a subversion repository that can be accessed through Apache with DAV and SSL, and to set up WebSVN, both using self-signed certificates. These steps apply to Fedora 7 (F7) and should probably also work for CentOS and RHEL.

Assumptions:
a) public svn repos are available through https://FQDN/svn
Don’t use anything other than the Fully Qualified Domain Name (FQDN) or this setup will not work.
b) The source for the public svn repos can basically be anything. I took /var/www/svnrepos. Make sure the directory you choose exists.

$ sudo mkdir -p /var/www/svnrepos

1) Install prerequisite packages
If you want to be able to use Apache with SVN then you need to install mod_dav_svn:

$ sudo yum install mod_dav_svn

2) Create the self-signed SSL certificates
Generate your own Certificate Authority (CA).

$ cd
$ openssl genrsa -des3 -out ca.key 1024

Here is what the output should look like:

[patrick@test ~]$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
………………………………….++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

With this next command when asked for the “Common Name” (CN) use something like “FQDN CA”. Whatever you put here, do *not* use this same CN with the server certificate that you are going to create below.

$ openssl req -new -x509 -days 365 -key ca.key \
-out ca.crt

Here is what the output should look like:

[patrick@test ~]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme CA
Organizational Unit Name (eg, section) []:Acme CA Security
Common Name (eg, your name or your server's hostname) []:Acme CA
Email Address []:root@example.org

Generate a server key and request for signing (csr). This step creates an unsigned server key, and a request that you want it signed (the .csr file) by the CA that you just created.

Create the unsigned server key:
$ openssl genrsa -des3 -out server.key 4096

Here is what the output should look like:

[patrick@test ~]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
……………………………………………………………………………………………………..++
……………………………………………………………………………++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Next create the Certificate Signing Request. For the CN, do not use the same value you used for the CA. Instead use, for example, the FQDN of your webserver. Leave the challenge password and optional company name empty (just press enter).
$ openssl req -new -key server.key -out server.csr

Here is what the output should look like:

[patrick@test ~]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme Server Corp.
Organizational Unit Name (eg, section) []:Acme Server Certificates
Common Name (eg, your name or your server's hostname) []:www.example.org
Email Address []:root@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier.

$ openssl x509 -req -days 365 -in server.csr \
-CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Here is what the output should look like:

[patrick@test ~]$ openssl x509 -req -days 365 -in server.csr \
> -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=NL/L=The Hague/O=Acme Server Corp./OU=Acme Server Certificates/CN=www.example.org/emailAddress=root@example.org
Getting CA Private Key
Enter pass phrase for ca.key:

Make a server.key which doesn’t cause Apache to prompt for a password. Guard its permissions VERY carefully!

$ openssl rsa -in server.key -out server.key.insecure
$ mv server.key server.key.secure
$ mv server.key.insecure server.key

If you want to have a look at what’s in all the resulting files, use these commands:

$ openssl rsa -noout -text -in server.key
$ openssl req -noout -text -in server.csr
$ openssl rsa -noout -text -in ca.key
$ openssl x509 -noout -text -in ca.crt
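
A pre-flight check for the files created in step 2, added here as an example (not part of the original post): it confirms that server.crt verifies against ca.crt, that the passphrase-free server.key belongs to server.crt, that the subject and issuer names differ, and that the CN equals the FQDN. The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# 0 if the certificate verifies against the CA certificate.
cert_chains_to_ca() {           # usage: cert_chains_to_ca ca.crt server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the (passphrase-free) private key and the certificate hold the same public key.
key_matches_cert() {            # usage: key_matches_cert server.key server.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if subject and issuer names differ, i.e. the server name was not reused from the CA.
subject_differs_from_issuer() { # usage: subject_differs_from_issuer server.crt
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$s" != "$i" ]
}

# Print the subject Common Name of a certificate.
cert_cn() {                     # usage: cert_cn server.crt
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Run all checks; print the first failure and return 1, or print OK and return 0.
check_server_cert() {           # usage: check_server_cert FQDN ca.crt server.crt server.key
    cert_chains_to_ca "$2" "$3" || { echo "FAIL: $3 does not verify against $2"; return 1; }
    key_matches_cert "$4" "$3" || { echo "FAIL: $4 is not the key for $3"; return 1; }
    subject_differs_from_issuer "$3" || { echo "FAIL: $3 has the same name as its issuer"; return 1; }
    [ "$(cert_cn "$3")" = "$1" ] || { echo "FAIL: CN '$(cert_cn "$3")' is not $1"; return 1; }
    echo "OK: $3 is usable for https://$1/"
}

# Example call with the files from this walkthrough (www.example.org stands in for FQDN):
# check_server_cert www.example.org ca.crt server.crt server.key
```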

3) Copy the certificates where Apache can find them

$ sudo mkdir /etc/httpd/ssl
$ sudo cp server.key /etc/httpd/ssl/
$ sudo cp server.crt /etc/httpd/ssl/
$ sudo cp ca.crt /etc/httpd/ssl/
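
The copied server.key has no passphrase, so file permissions are its only protection; Apache reads it as root at startup, so owner-only access is enough. The audit below is an added example (not from the original post) with hypothetical function names; it assumes GNU stat and defaults the expected owner to root.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Uses GNU stat (Fedora, RHEL, CentOS).

# List problems with a private key file; return 0 only when none are found.
key_perm_problems() {   # usage: key_perm_problems KEYFILE [EXPECTED_OWNER]
    key=$1; want=${2:-root}; n=0
    [ -f "$key" ] || { echo "$key: not a regular file"; return 1; }
    dir=$(dirname "$key")
    mode=$(stat -c '%a' "$key"); owner=$(stat -c '%U' "$key")
    dmode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want" ]; then
        echo "$key: owned by $owner, expected $want"; n=$((n + 1))
    fi
    # Any group/other bit on the key exposes it to local users.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$key: mode $mode grants group/other access"; n=$((n + 1))
    fi
    # A group/other-writable directory lets someone swap the key file.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "$dir: mode $dmode is group/other writable"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Restrict the key to its owner and stop others writing to its directory.
harden_key() {          # usage (as root): harden_key /etc/httpd/ssl/server.key
    chmod 600 "$1" && chmod go-w "$(dirname "$1")"
}

# Example with the path from step 3:
# sudo sh -c '. ./keyperms.sh; harden_key /etc/httpd/ssl/server.key'
# key_perm_problems /etc/httpd/ssl/server.key
```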

4) Change the default certificates in ssl.conf
Change the SSLCertificateFile, SSLCertificateKeyFile and the SSLCACertificateFile as follows:

SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

5) Create and edit /etc/subversion/servers
Add the following lines to /etc/subversion/servers:

[globals]
ssl-trust-default-ca = true

[groups]
some_name = FQDN

[some_name]
ssl-authority-files = /etc/httpd/ssl/ca.crt

6) Add the CA certificate to the ca-bundle.crt file

$ cd
$ echo '' > ca.tmp
$ openssl x509 -noout -text -in ca.crt >> ca.tmp
$ cat ca.crt >> ca.tmp
$ echo '' >> ca.tmp
$ sudo cp /etc/pki/tls/certs/ca-bundle.crt \
/etc/pki/tls/certs/ca-bundle.crt.org
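# The append has to run as root, so write through sudo tee instead of a shell redirect
$ cat ca.tmp | sudo tee -a /etc/pki/tls/certs/ca-bundle.crt > /dev/null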

7) Edit /etc/httpd/httpd.conf
Here I use a NameVirtualHost setup. If you need a different setup, please check the Apache documentation. Put the following lines in /etc/httpd/httpd.conf. Make sure that the FQDN you use for ServerName is the same one you used when you created the self-signed SSL certificates!

Replace FQDN with the name of your webserver
Replace 10.1.2.3 with the IP address of your webserver

ServerName FQDN
NameVirtualHost 10.1.2.3:80
NameVirtualHost 10.1.2.3:443

<VirtualHost 10.1.2.3:80>
ServerAdmin you@FQDN
DocumentRoot /var/www/html
DirectoryIndex index.php index.html index.htm index.shtml
ServerName FQDN
ErrorLog logs/error_log
CustomLog logs/access_log combined
ServerSignature email
LogLevel warn
HostNameLookups off
</VirtualHost>

<VirtualHost 10.1.2.3:443>
ServerAdmin you@FQDN
ServerName FQDN
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLOptions
</VirtualHost>

SVNAutoVersioning On

<Location /svn>
DAV svn
SVNPath /var/www/svnrepos
SVNListParentPath on
SSLRequireSSL
# allow read access to the repos but authenticate a user
# if they want to write etc.
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /var/www/svnrepos/svnuserpass
# For other operations require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>

If you want to force a redirect to https when the websvn page is browsed through http, then also add the following lines:

<Location /websvn>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</Location>

8) Create the password file for users that need write access to the repos

$ sudo htpasswd -c /var/www/svnrepos/svnuserpass \
some_user

9) Restart Apache

$ sudo /sbin/service httpd restart

Check /var/log/httpd/error_log for any errors!

10) Create the svn repo structure

$ sudo svnadmin create /var/www/svnrepos/

11) Create svnusers group and add user apache to it
In order to give the apache user access to the svn repo we need to create the svnusers group (or whatever you want to call it) and add the apache user to this group.

$ sudo groupadd svnusers
$ sudo usermod -G svnusers -a apache

12) Change the group of the svn repo

$ sudo chgrp -R svnusers /var/www/svnrepos/

13) Give write access to the svnusers group

$ sudo chmod -R g+w /var/www/svnrepos/

14) Prepare to import some data into the svn repo
I will be using my setup with Asterisk, so I set up my svn repo with:

$ mkdir ~/svn_temp
$ cd ~/svn_temp
$ mkdir -p Asterisk12/zaptel/{trunk,branches,tags}
$ mkdir -p Asterisk14/zaptel/{trunk,branches,tags}

Import the data into the svn repo:

$ svn import ~/svn_temp/Asterisk12 \
https://FQDN/svn/Asterisk/Asterisk12 -m "Initial import"
$ svn import ~/svn_temp/Asterisk14 \
https://FQDN/svn/Asterisk/Asterisk14 -m "Initial import"

When you are done, you can remove the ~/svn_temp directory:

$ rm -rf ~/svn_temp

15) Get and install the latest WebSVN
Download the latest WebSVN
Install it for example in /var/www/html/websvn and create the config file

$ sudo tar -xvzf websvn-2.0.tar.gz -C /var/www/html/
$ sudo mv /var/www/html/websvn-2.0 /var/www/html/websvn

Edit /var/www/html/websvn/include/config.php:

$config->addRepository('Asterisk', 'https://FQDN/svn/Asterisk', NULL, '', '');
$config->allowDownload();
$config->setMinDownloadLevel(2);
$config->setMinDownloadLevel(3, 'Asterisk');
$config->useEnscript();

16) Test

$ svn list https://FQDN/svn/Asterisk

Point Firefox at https://FQDN/websvn or https://FQDN/svn