Development October 2017

development@lists.ipfire.org

14 participants
88 discussions

[PATCH] generate ECDSA key on existing installations
by Peter Müller 11 Oct '17

11 Oct '17

This is required since Apache crashes if any of the key/certificate files does not exist. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/rootfiles/core/115/update.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index 4b30cd8b6..941f8df87 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -35,6 +35,7 @@ done openvpnctrl -k openvpnctrl -kn2n + # Extract files extract_files @@ -48,6 +49,9 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache +# generate ECDSA key on existing installations to prevent Apache from crashing +/usr/local/bin/httpscert + # Start services /etc/rc.d/init.d/apache2 restart openvpnctrl -s -- 2.13.6

1 0

[PATCH 3/3] generate ECDSA key on existing installations
by Peter Müller 11 Oct '17

11 Oct '17

Generate ECDSA key (and sign it) in case it does not exist. That way, httpscert can be ran on existing installations without breaking already generated (RSA) keys. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- src/scripts/httpscert | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..cae39fb74 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,17 +7,36 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt - ;; + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi + ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='` -- 2.13.6

1 0

[PATCH 2/3] enable dual-stack ECDSA and RSA certificates in Apache
by Peter Müller 11 Oct '17

11 Oct '17

Note: Apache crashes if any of these files does not exist. Thereof it is necessary to generate missing keys on existing installations. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 995c28e52..c9ccd5be5 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -13,6 +13,8 @@ SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertificateKeyFile /etc/httpd/server-ecdsa.key <Directory /srv/web/ipfire/html> Options ExecCGI -- 2.13.6

1 0

[PATCH] also force TLS when requiring user authentication in WebUI
by Peter Müller 11 Oct '17

11 Oct '17

Force TLS _and_ a valid login when accessing protected directories. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index e9ad26a96..816b9e637 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> @@ -74,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost> -- 2.13.6

1 0

[PATCH] unbound: Update to 1.6.7
by Matthias Fischer 11 Oct '17

11 Oct '17

For details see: http://www.unbound.net/download.html Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/unbound | 2 +- lfs/unbound | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 6d153f265..1c3994558 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.5 +usr/lib/libunbound.so.2.5.6 usr/sbin/unbound usr/sbin/unbound-anchor usr/sbin/unbound-checkconf diff --git a/lfs/unbound b/lfs/unbound index 39ad0def7..0648fb77e 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.6.6 +VER = 1.6.7 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f2cc56bd88c9634fe18334d2421205f1 +$(DL_FILE)_MD5 = 67ed382add11134d689f5e88f8efc43e install : $(TARGET) -- 2.14.2

1 0

[PATCH] redirect to TLS WebUI if authorisation required
by Peter Müller 11 Oct '17

11 Oct '17

Do not allow credentials being submitted in plaintext to Apache. Instead, redirect the user with a 301 to the TLS version of IPFire's web interface. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 27fd25a95..be15cd041 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,25 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache> -- 2.13.6

1 0

Broken patches
by Peter Müller 11 Oct '17

11 Oct '17

Hello Michael, thanks for notifying me about these broken patches. I have absolutely no idea why this is happening - git does not seem to like me. :-( Working on this... Best regards, Peter Müller

2 2

[PATCH v2] also force TLS when requiring user authentication in WebUI
by Peter Müller 11 Oct '17

11 Oct '17

Force TLS _and_ a valid login when accessing protected directories. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index e9ad26a96..816b9e637 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> @@ -74,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost>

1 0

[PATCH] python-pyblock: Drop package
by Stefan Schantl 11 Oct '17

11 Oct '17

This package is not used anymore and therefore can be dropped. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- python-pyblock/python-pyblock.nm | 51 ---------------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 python-pyblock/python-pyblock.nm diff --git a/python-pyblock/python-pyblock.nm b/python-pyblock/python-pyblock.nm deleted file mode 100644 index 7400453..0000000 --- a/python-pyblock/python-pyblock.nm +++ /dev/null @@ -1,51 +0,0 @@ -############################################################################### -# IPFire.org - An Open Source Firewall Solution # -# Copyright (C) - IPFire Development Team <info(a)ipfire.org> # -############################################################################### - -name = python-pyblock -version = 0.46 -release = 3 -thisapp = pyblock-%{version} - -groups = System/Libraries -url = http://git.fedorahosted.org/git/?p=pyblock.git;a=summary -license = GPLv2 or GPLv3 -summary = Python modules for dealing with block devices. - -description - The pyblock contains Python modules for dealing with block devices. -end - -source_dl = -sources = %{thisapp}.tar.bz2 - -build - requires - dmraid-devel >= 1.0.0.rc15-2 - libdevmapper-devel - libselinux-devel - python-devel - python-parted - end - - prepare_cmds - sed -e "s/-Werror//g" -i Makefile - end - - build - make USESELINUX=1 - end - - install - make install USESELINUX=0 DESTDIR=%{BUILDROOT} - end -end - -packages - package %{name} - - package %{name}-debuginfo - template DEBUGINFO - end -end -- 2.9.4

1 0

[PATCH] krb5: Fix dependencies of krb5-devel package
by Stefan Schantl 11 Oct '17

11 Oct '17

In commit 6ea98370152c0de4d0da35fe58708a3dba574895 the support for SElinux has been removed from krb5. Accidently selinux-devel has been keept as a dependency when installing the development package. This commit removes this kind of dependency. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- krb5/krb5.nm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/krb5/krb5.nm b/krb5/krb5.nm index 62065a9..6370a9c 100644 --- a/krb5/krb5.nm +++ b/krb5/krb5.nm @@ -8,7 +8,7 @@ name = krb5 version = %{version_maj} version_maj= 1.15 version_min= -release = 1 +release = 2 groups = System/Libraries url = http://web.mit.edu/kerberos/www/ @@ -179,7 +179,6 @@ packages requires libcom_err-devel - libselinux-devel end end -- 2.9.4

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development October 2017