Development October 2017

development@lists.ipfire.org

14 participants
88 discussions

[PATCH v2 1/3] add ECDSA key generation to httpscert
by Peter Müller 11 Oct '17

11 Oct '17

Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient. Changed since v1: Do not regenerate or oversign existing keys or CSRs. This patch depends on: - v1 2/3 add ECDSA certificate and key files to Apache configuration - v2 3/3 generate ECDSA certificate and key on existing installations Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..52932bc70 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,35 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then

2 1

[PATCH] remove unused dial.cgi directives from Apache vhosts config
by Peter Müller 11 Oct '17

11 Oct '17

Remove configuration lines in Apache vhosts files which are not used anymore (old dial.cgi stuff). Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..e9ad26a96 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -39,17 +39,6 @@ <Files webaccess.cgi> Require all granted </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..27fd25a95 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -31,17 +31,6 @@ <Files webaccess.cgi> Require all granted </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>

2 1

[PATCH] also force TLS when requiring user authentication in WebUI
by Peter Müller 11 Oct '17

11 Oct '17

Force TLS _and_ a valid login when accessing protected directories. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..50e257f16 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,24 +35,16 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> + <RequireAll> + Require user admin + Require ssl + </RequireAll> + <Files chpasswd.cgi> Require all granted </Files> <Files webaccess.cgi> Require all granted </Files> </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars @@ -85,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost>

2 1

[PATCH] redirect to TLS WebUI if authorisation required
by Peter Müller 11 Oct '17

11 Oct '17

Do not allow credentials being submitted in plaintext to Apache. Instead, redirect the user with a 301 to the TLS version of IPFire's web interface. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - </Directory> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>

2 1

[MERGE REQUEST] vim: Update to 8.0
by Stefan Schantl 11 Oct '17

11 Oct '17

Dear Mailinglist, this is a request for merging the update to vim 8.0. Sadly the commit is to big for sending it as a patch. The commit can be found on my personal ipfire-3.x git repository in the branch named "vim-8.0". The commit directly can be accessed by the following link: https://cgit.ipfire.org/people/stevee/ipfire-3.x.git/commit/?h=vim-8.0& id=4f2ca13dfb3b95aafe8c5323acd6b6df3d303d08 Thanks in advance, -Stefan

2 1

[PATCH] dracut: Update to 046.
by Stefan Schantl 11 Oct '17

11 Oct '17

* Drop runtime dependency to libselinux. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- dracut/dracut.nm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dracut/dracut.nm b/dracut/dracut.nm index 449e261..b7e72c2 100644 --- a/dracut/dracut.nm +++ b/dracut/dracut.nm @@ -4,7 +4,7 @@ ############################################################################### name = dracut -version = 045 +version = 046 release = 1 groups = System/Boot @@ -82,7 +82,6 @@ packages kbd kpartx less - libselinux lvm2 mdadm sysvinit -- 2.9.4

1 0

[PATCH] cairo: Update to 1.14.10
by Stefan Schantl 11 Oct '17

11 Oct '17

This is a minor update to the latest available version of the cairo 1.14 series. * Drop backend support for X11 and Xext. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- cairo/cairo.nm | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/cairo/cairo.nm b/cairo/cairo.nm index ee3c1c3..4fdd382 100644 --- a/cairo/cairo.nm +++ b/cairo/cairo.nm @@ -4,7 +4,7 @@ ############################################################################### name = cairo -version = 1.14.6 +version = 1.14.10 release = 1 groups = System/Graphics @@ -27,8 +27,6 @@ build freetype-devel glib2-devel >= 2.14 gobject-introspection-devel - libX11-devel - libXext-devel>=1.3.1 libxml2-devel libpng-devel pixman-devel >= 0.30.0 @@ -37,7 +35,6 @@ build end configure_options += \ - --enable-xlib \ --enable-xml \ --enable-gobject \ --disable-gtk-doc \ -- 2.9.4

1 0

[PATCH] python3: Update to 3.6.3
by Stefan Schantl 11 Oct '17

11 Oct '17

This is a minor update to the latest stable version of the python 3.6 series. * Drop support for X11 and GL (mesa) Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- python3/python3.nm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/python3/python3.nm b/python3/python3.nm index cc26941..ce14fdd 100644 --- a/python3/python3.nm +++ b/python3/python3.nm @@ -5,7 +5,7 @@ name = python3 major_ver = 3.6 -version = %{major_ver}.0 +version = %{major_ver}.3 release = 1 thisapp = Python-%{version} @@ -42,8 +42,6 @@ build gmp-devel libdb-devel libffi-devel - libGL-devel - libX11-devel ncurses-devel openssl-devel pkg-config -- 2.9.4

1 0

[PATCH] remove unused directories in Apache vhosts and force TLS for logins
by Peter Müller 10 Oct '17

10 Oct '17

- remove unused dial.cgi stuff - redirect to TLS version for directories requiring an authentication - force TLS for directories requiring an authentication Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..433103fdc 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,24 +35,16 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> <Files webaccess.cgi> Require all granted </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars @@ -85,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>

2 2

[PATCH] remove unused directories from Apache vhost configs
by Peter Müller 10 Oct '17

10 Oct '17

Remove unused vhost configuration directives. They are related to "dial.cgi" and /cgi-bin/dial/, which both do not exist in IPFire. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index bec0d580b..eef2d45e2 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -45,29 +45,12 @@ <Files webaccess.cgi> Require all granted </Files> - <Files dial.cgi> - <RequireAll> - Require user admin - Require ssl - </RequireAll> - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - <RequireAll> - Require user admin dial - Require ssl - </RequireAll> </Directory> <Files ~ "\.(cgi|shtml?)$"> - SSLOptions +StdEnvVars + SSLOptions +StdEnvVars </Files> <Directory /srv/web/ipfire/cgi-bin> - SSLOptions +StdEnvVars + SSLOptions +StdEnvVars </Directory> SetEnv HOME /home/nobody SetEnvIf User-Agent ".*MSIE.*" \ diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index a0537b392..57cf8ba17 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -25,13 +25,6 @@ RewriteCond %{HTTPS} off RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options SymLinksIfOwnerMatch - RewriteEngine on - RewriteCond %{HTTPS} off - RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] - </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache> Options ExecCGI

2 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development October 2017