From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2 1/3] add ECDSA key generation to httpscert
Date: Wed, 11 Oct 2017 12:02:29 +0100
Message-ID: <1507719749.4045.69.camel@ipfire.org>
In-Reply-To: <20171004213827.77e5b5b7.peter.mueller@link38.eu>

Hi,

this patch doesn't apply because all tabs seem to have been converted to spaces.

Also, where is patch 2 of this patchset?

-Michael

On Wed, 2017-10-04 at 21:38 +0200, Peter Müller wrote:
> Add ECDSA server certificate and key generation to httpscert.
> The key has a length of 384 bits, which equals > 4096 bits RSA
> and should be sufficient.
>
> Changed since v1: Do not regenerate or oversign existing keys
> or CSRs.
>
> This patch depends on:
> - v1 2/3 add ECDSA certificate and key files to Apache configuration
> - v2 3/3 generate ECDSA certificate and key on existing installations
>
> Signed-off-by: Peter Müller
> ---
> diff --git a/src/scripts/httpscert b/src/scripts/httpscert
> index e20f789ed..52932bc70 100644
> --- a/src/scripts/httpscert
> +++ b/src/scripts/httpscert
> @@ -7,16 +7,35 @@ > case "$1" in > new) > if [ ! -f /etc/httpd/server.key ]; then > - echo "Generating https server key." > + echo "Generating HTTPS RSA server key." > /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 > fi > - echo "Generating CSR" > - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | > /usr/bin/openssl \ > - req -new -key /etc/httpd/server.key -out /etc/httpd/server.= csr > - echo "Signing certificate" > - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ > - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ > - /etc/httpd/server.crt > + if [ ! -f /etc/httpd/server-ecdsa.key ]; then > + echo "Generating HTTPS ECDSA server key." > + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl = ec > -out /etc/httpd/server-ecdsa.key > + fi > + > + echo "Generating CSRs" > + if [ ! -f /etc/httpd/server.csr ]; then > + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | > /usr/bin/openssl \ > + req -new -key /etc/httpd/server.key -out > /etc/httpd/server.csr > + fi > + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then > + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | > /usr/bin/openssl \ > + req -new -key /etc/httpd/server-ecdsa.key -out > /etc/httpd/server-ecdsa.csr > + fi > + > + echo "Signing certificates" > + if [ ! -f /etc/httpd/server.crt ]; then > + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ > + /etc/httpd/server.csr -signkey /etc/httpd/server.key > -out \ > + /etc/httpd/server.crt > + fi > + if [ ! 
-f /etc/httpd/server-ecdsa.crt ]; then > + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ > + /etc/httpd/server-ecdsa.csr -signkey > /etc/httpd/server-ecdsa.key -out \ > + /etc/httpd/server-ecdsa.crt > + fi > ;; > read) > if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f > /etc/httpd/server.csr ]; then
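Review bot: the `read)` branch in the trailing context of this hunk still tests only the RSA triple (`if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then`), so the server-ecdsa.key, .csr and .crt files that `new)` now creates are never checked or shown there; extend that condition, or add a parallel branch, to cover the ECDSA files. The `[ ! -f ... ]` guards added in `new)` test existence only, so if a run fails after an empty or truncated server-ecdsa.key or .csr has been written, every later invocation skips regeneration and the signing step keeps failing on the bad file; check the exit status of each `/usr/bin/openssl` step and remove the partial output on failure rather than relying on the file test. Style: the ECDSA key pipeline calls bare `openssl ec` while every other invocation in the script uses `/usr/bin/openssl`; use the absolute path consistently. Minor: `echo "Generating CSRs"` and `echo "Signing certificates"` are now printed even when all four guarded blocks are skipped.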