* [PATCH] del_rand: Deletion of RAND file in openssl config
@ 2019-01-08 19:33 Erik Kapfer
2019-01-29 13:17 ` ummeegge
0 siblings, 1 reply; 6+ messages in thread
From: Erik Kapfer @ 2019-01-08 19:33 UTC (permalink / raw)
To: development
Fixes #11943
Since the kernel RNG should do this, there is no need for this anymore.
Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
---
config/ovpn/openssl/ovpn.cnf | 2 --
config/ssl/openssl.cnf | 2 --
2 files changed, 4 deletions(-)
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf
index 40daf2a0a..96c3dcb09 100644
--- a/config/ovpn/openssl/ovpn.cnf
+++ b/config/ovpn/openssl/ovpn.cnf
@@ -1,5 +1,4 @@
HOME = .
-RANDFILE = /var/ipfire/ovpn/ca/.rnd
oid_section = new_oids
[ new_oids ]
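Review bot: the global `RANDFILE = /var/ipfire/ovpn/ca/.rnd` line removed at the top of ovpn.cnf only stops the file being referenced; a seed file already written at that path stays on disk and nothing in this patch removes it. Add the deletion to the update script, or say in the commit message that the cleanup follows separately.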
@@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
serial = $dir/certs/serial
crl = $dir/crl.pem
private_key = $dir/ca/cakey.pem
-RANDFILE = $dir/ca/.rand
x509_extensions = usr_cert
default_days = 999999
default_crl_days = 30
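Review bot: the section-level `RANDFILE = $dir/ca/.rand` removed here names a different file from the global `.rnd` dropped in the first hunk, and it points into the same `$dir/ca/` directory as `cakey.pem` in the context line above it. The commit message should say that two distinct settings are removed from this file, and any cleanup on upgrade should cover the `.rand` name as well as `.rnd`.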
diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 9d1e6e1ff..3b980fcd4 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -1,5 +1,4 @@
HOME = .
-RANDFILE = /var/tmp/.rnd
oid_section = new_oids
[ new_oids ]
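Review bot: it is not clear that the removal of `RANDFILE = /var/tmp/.rnd` at the top of config/ssl/openssl.cnf reaches systems that are already installed; the follow-up in this thread asks why openssl.cnf is excluded in the updater. If the file is not replaced on upgrade, existing installations keep the setting, so the update should either ship this file or strip the line in place.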
@@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
serial = $dir/certs/serial
crl = $dir/crls/cacrl.pem
private_key = $dir/private/cakey.pem
-RANDFILE = $dir/tmp/.rand
x509_extensions = usr_cert
default_days = 999999
default_crl_days= 30
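Review bot: the commit message justifies this removal of `RANDFILE = $dir/tmp/.rand`, in the section that also holds `private_key` and `default_days`, only with "the kernel RNG should do this", which is hedged and names no OpenSSL version. State which OpenSSL version the change was tested against and that the commands using this section still run without a RANDFILE setting, so the claim can be checked later.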
--
2.12.2
* Re: [PATCH] del_rand: Deletion of RAND file in openssl config
From: ummeegge @ 2019-01-29 13:17 UTC (permalink / raw)
To: development
Just as a reminder, because I haven't found it in Git, this one might be
important for the OpenSSL update and IPSec.
Best,
Erik
On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
> Fixes #11943
>
> Since the kernel RNG should do this, there is no need for this
> anymore.
>
> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
> ---
> config/ovpn/openssl/ovpn.cnf | 2 --
> config/ssl/openssl.cnf | 2 --
> 2 files changed, 4 deletions(-)
>
> diff --git a/config/ovpn/openssl/ovpn.cnf
> b/config/ovpn/openssl/ovpn.cnf
> index 40daf2a0a..96c3dcb09 100644
> --- a/config/ovpn/openssl/ovpn.cnf
> +++ b/config/ovpn/openssl/ovpn.cnf
> @@ -1,5 +1,4 @@
> HOME = .
> -RANDFILE = /var/ipfire/ovpn/ca/.rnd
> oid_section = new_oids
>
> [ new_oids ]
> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
> serial = $dir/certs/serial
> crl = $dir/crl.pem
> private_key = $dir/ca/cakey.pem
> -RANDFILE = $dir/ca/.rand
> x509_extensions = usr_cert
> default_days = 999999
> default_crl_days = 30
> diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
> index 9d1e6e1ff..3b980fcd4 100644
> --- a/config/ssl/openssl.cnf
> +++ b/config/ssl/openssl.cnf
> @@ -1,5 +1,4 @@
> HOME = .
> -RANDFILE = /var/tmp/.rnd
> oid_section = new_oids
>
> [ new_oids ]
> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
> serial = $dir/certs/serial
> crl = $dir/crls/cacrl.pem
> private_key = $dir/private/cakey.pem
> -RANDFILE = $dir/tmp/.rand
> x509_extensions = usr_cert
> default_days = 999999
> default_crl_days= 30
* Re: [PATCH] del_rand: Deletion of RAND file in openssl config
From: Michael Tremer @ 2019-01-29 13:51 UTC (permalink / raw)
To: development
What is the reason that openssl.cnf is excluded in the updater?
> On 29 Jan 2019, at 13:17, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> Just as a reminder, because I haven't found it in Git, this one might be
> important for the OpenSSL update and IPSec.
>
> Best,
>
> Erik
>
>
> On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
>> Fixes #11943
>>
>> Since the kernel RNG should do this, there is no need for this
>> anymore.
>>
>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>> ---
>> config/ovpn/openssl/ovpn.cnf | 2 --
>> config/ssl/openssl.cnf | 2 --
>> 2 files changed, 4 deletions(-)
>>
>> diff --git a/config/ovpn/openssl/ovpn.cnf
>> b/config/ovpn/openssl/ovpn.cnf
>> index 40daf2a0a..96c3dcb09 100644
>> --- a/config/ovpn/openssl/ovpn.cnf
>> +++ b/config/ovpn/openssl/ovpn.cnf
>> @@ -1,5 +1,4 @@
>> HOME = .
>> -RANDFILE = /var/ipfire/ovpn/ca/.rnd
>> oid_section = new_oids
>>
>> [ new_oids ]
>> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
>> serial = $dir/certs/serial
>> crl = $dir/crl.pem
>> private_key = $dir/ca/cakey.pem
>> -RANDFILE = $dir/ca/.rand
>> x509_extensions = usr_cert
>> default_days = 999999
>> default_crl_days = 30
>> diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
>> index 9d1e6e1ff..3b980fcd4 100644
>> --- a/config/ssl/openssl.cnf
>> +++ b/config/ssl/openssl.cnf
>> @@ -1,5 +1,4 @@
>> HOME = .
>> -RANDFILE = /var/tmp/.rnd
>> oid_section = new_oids
>>
>> [ new_oids ]
>> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
>> serial = $dir/certs/serial
>> crl = $dir/crls/cacrl.pem
>> private_key = $dir/private/cakey.pem
>> -RANDFILE = $dir/tmp/.rand
>> x509_extensions = usr_cert
>> default_days = 999999
>> default_crl_days= 30
>
* Re: [PATCH] del_rand: Deletion of RAND file in openssl config
From: Michael Tremer @ 2019-01-29 13:52 UTC (permalink / raw)
To: development
I merged it.
For some reason I thought this was part of the OpenSSL patchset.
Best,
-Michael
> On 29 Jan 2019, at 13:51, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>
> What is the reason that openssl.cnf is excluded in the updater?
>
>> On 29 Jan 2019, at 13:17, ummeegge <ummeegge(a)ipfire.org> wrote:
>>
>> Just as a reminder, because I haven't found it in Git, this one might be
>> important for the OpenSSL update and IPSec.
>>
>> Best,
>>
>> Erik
>>
>>
>> On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
>>> Fixes #11943
>>>
>>> Since the kernel RNG should do this, there is no need for this
>>> anymore.
>>>
>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>>> ---
>>> config/ovpn/openssl/ovpn.cnf | 2 --
>>> config/ssl/openssl.cnf | 2 --
>>> 2 files changed, 4 deletions(-)
>>>
>>> diff --git a/config/ovpn/openssl/ovpn.cnf
>>> b/config/ovpn/openssl/ovpn.cnf
>>> index 40daf2a0a..96c3dcb09 100644
>>> --- a/config/ovpn/openssl/ovpn.cnf
>>> +++ b/config/ovpn/openssl/ovpn.cnf
>>> @@ -1,5 +1,4 @@
>>> HOME = .
>>> -RANDFILE = /var/ipfire/ovpn/ca/.rnd
>>> oid_section = new_oids
>>>
>>> [ new_oids ]
>>> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
>>> serial = $dir/certs/serial
>>> crl = $dir/crl.pem
>>> private_key = $dir/ca/cakey.pem
>>> -RANDFILE = $dir/ca/.rand
>>> x509_extensions = usr_cert
>>> default_days = 999999
>>> default_crl_days = 30
>>> diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
>>> index 9d1e6e1ff..3b980fcd4 100644
>>> --- a/config/ssl/openssl.cnf
>>> +++ b/config/ssl/openssl.cnf
>>> @@ -1,5 +1,4 @@
>>> HOME = .
>>> -RANDFILE = /var/tmp/.rnd
>>> oid_section = new_oids
>>>
>>> [ new_oids ]
>>> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
>>> serial = $dir/certs/serial
>>> crl = $dir/crls/cacrl.pem
>>> private_key = $dir/private/cakey.pem
>>> -RANDFILE = $dir/tmp/.rand
>>> x509_extensions = usr_cert
>>> default_days = 999999
>>> default_crl_days= 30
>>
>
* Re: [PATCH] del_rand: Deletion of RAND file in openssl config
From: ummeegge @ 2019-01-29 15:11 UTC (permalink / raw)
To: development
OK, thanks.
But good that you mentioned the updater, because we then also wanted to delete
the .rnd files under /var/ipfire/ovpn/ca and under /var/tmp/.rnd
since both openssl configuration files did exclude them with this
patch.
Would send a patch for this too but I am currently travelling and back
again next week.
A list of all available .rnd files:
-rw------- 1 nobody nobody 1024 Sep 1 09:07 /home/nobody/.rnd
-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
-rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
-rw------- 1 root root 1024 Jun 25 12:59 /.rnd
-rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd
Should they be deleted too?
Best,
Erik
On Tuesday, 29.01.2019, at 13:52 +0000, Michael Tremer wrote:
> I merged it.
>
> For some reason I thought this was part of the OpenSSL patchset.
>
> Best,
> -Michael
>
> > On 29 Jan 2019, at 13:51, Michael Tremer <michael.tremer(a)ipfire.org
> > > wrote:
> >
> > What is the reason that openssl.cnf is excluded in the updater?
> >
> > > On 29 Jan 2019, at 13:17, ummeegge <ummeegge(a)ipfire.org> wrote:
> > >
> > > Just as a reminder, because I haven't found it in Git, this one
> > > might be
> > > important for the OpenSSL update and IPSec.
> > >
> > > Best,
> > >
> > > Erik
> > >
> > >
> > > On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
> > > > Fixes #11943
> > > >
> > > > Since the kernel RNG should do this, there is no need for this
> > > > anymore.
> > > >
> > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
> > > > ---
> > > > config/ovpn/openssl/ovpn.cnf | 2 --
> > > > config/ssl/openssl.cnf | 2 --
> > > > 2 files changed, 4 deletions(-)
> > > >
> > > > diff --git a/config/ovpn/openssl/ovpn.cnf
> > > > b/config/ovpn/openssl/ovpn.cnf
> > > > index 40daf2a0a..96c3dcb09 100644
> > > > --- a/config/ovpn/openssl/ovpn.cnf
> > > > +++ b/config/ovpn/openssl/ovpn.cnf
> > > > @@ -1,5 +1,4 @@
> > > > HOME = .
> > > > -RANDFILE = /var/ipfire/ovpn/ca/.rnd
> > > > oid_section = new_oids
> > > >
> > > > [ new_oids ]
> > > > @@ -17,7 +16,6 @@ certificate =
> > > > $dir/ca/cacert.pem
> > > > serial = $dir/certs/serial
> > > > crl = $dir/crl.pem
> > > > private_key = $dir/ca/cakey.pem
> > > > -RANDFILE = $dir/ca/.rand
> > > > x509_extensions = usr_cert
> > > > default_days = 999999
> > > > default_crl_days = 30
> > > > diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
> > > > index 9d1e6e1ff..3b980fcd4 100644
> > > > --- a/config/ssl/openssl.cnf
> > > > +++ b/config/ssl/openssl.cnf
> > > > @@ -1,5 +1,4 @@
> > > > HOME = .
> > > > -RANDFILE = /var/tmp/.rnd
> > > > oid_section = new_oids
> > > >
> > > > [ new_oids ]
> > > > @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
> > > > serial = $dir/certs/serial
> > > > crl = $dir/crls/cacrl.pem
> > > > private_key = $dir/private/cakey.pem
> > > > -RANDFILE = $dir/tmp/.rand
> > > > x509_extensions = usr_cert
> > > > default_days = 999999
> > > > default_crl_days= 30
>
>
* Re: [PATCH] del_rand: Deletion of RAND file in openssl config
From: Michael Tremer @ 2019-01-29 15:44 UTC (permalink / raw)
To: development
Yes, I think we can delete them. They don’t serve any purpose.
> On 29 Jan 2019, at 15:11, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> OK, thanks.
> But good that you mentioned the updater, because we then also wanted to delete
> the .rnd files under /var/ipfire/ovpn/ca and under /var/tmp/.rnd
> since both openssl configuration files did exclude them with this
> patch.
>
> Would send a patch for this too but I am currently travelling and back
> again next week.
>
> A list of all available .rnd files:
> -rw------- 1 nobody nobody 1024 Sep 1 09:07 /home/nobody/.rnd
> -rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
> -rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
> -rw------- 1 root root 1024 Jun 25 12:59 /.rnd
> -rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd
>
> Should they be deleted too?
>
> Best,
>
> Erik
>
> On Tuesday, 29.01.2019, at 13:52 +0000, Michael Tremer wrote:
>> I merged it.
>>
>> For some reason I thought this was part of the OpenSSL patchset.
>>
>> Best,
>> -Michael
>>
>>> On 29 Jan 2019, at 13:51, Michael Tremer <michael.tremer(a)ipfire.org
>>>> wrote:
>>>
>>> What is the reason that openssl.cnf is excluded in the updater?
>>>
>>>> On 29 Jan 2019, at 13:17, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>
>>>> Just as a reminder, because I haven't found it in Git, this one
>>>> might be
>>>> important for the OpenSSL update and IPSec.
>>>>
>>>> Best,
>>>>
>>>> Erik
>>>>
>>>>
>>>> On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
>>>>> Fixes #11943
>>>>>
>>>>> Since the kernel RNG should do this, there is no need for this
>>>>> anymore.
>>>>>
>>>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>>>>> ---
>>>>> config/ovpn/openssl/ovpn.cnf | 2 --
>>>>> config/ssl/openssl.cnf | 2 --
>>>>> 2 files changed, 4 deletions(-)
>>>>>
>>>>> diff --git a/config/ovpn/openssl/ovpn.cnf
>>>>> b/config/ovpn/openssl/ovpn.cnf
>>>>> index 40daf2a0a..96c3dcb09 100644
>>>>> --- a/config/ovpn/openssl/ovpn.cnf
>>>>> +++ b/config/ovpn/openssl/ovpn.cnf
>>>>> @@ -1,5 +1,4 @@
>>>>> HOME = .
>>>>> -RANDFILE = /var/ipfire/ovpn/ca/.rnd
>>>>> oid_section = new_oids
>>>>>
>>>>> [ new_oids ]
>>>>> @@ -17,7 +16,6 @@ certificate =
>>>>> $dir/ca/cacert.pem
>>>>> serial = $dir/certs/serial
>>>>> crl = $dir/crl.pem
>>>>> private_key = $dir/ca/cakey.pem
>>>>> -RANDFILE = $dir/ca/.rand
>>>>> x509_extensions = usr_cert
>>>>> default_days = 999999
>>>>> default_crl_days = 30
>>>>> diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
>>>>> index 9d1e6e1ff..3b980fcd4 100644
>>>>> --- a/config/ssl/openssl.cnf
>>>>> +++ b/config/ssl/openssl.cnf
>>>>> @@ -1,5 +1,4 @@
>>>>> HOME = .
>>>>> -RANDFILE = /var/tmp/.rnd
>>>>> oid_section = new_oids
>>>>>
>>>>> [ new_oids ]
>>>>> @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem
>>>>> serial = $dir/certs/serial
>>>>> crl = $dir/crls/cacrl.pem
>>>>> private_key = $dir/private/cakey.pem
>>>>> -RANDFILE = $dir/tmp/.rand
>>>>> x509_extensions = usr_cert
>>>>> default_days = 999999
>>>>> default_crl_days= 30
>>
>>
>