Development September 2017

development@lists.ipfire.org

12 participants
43 discussions

[PATCH] WebUI: print more information on used nameservers
by Peter Müller 08 Sep '17

08 Sep '17

Show rDNS/PTR entry and country flag of the used nameservers on the nameserver status list at "netexternal.cgi". These information might be useful for debugging, or are just "nice to have" and do not harm anything. :-) Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi index 299612d4c..a091afdf7 100644 --- a/html/cgi-bin/netexternal.cgi +++ b/html/cgi-bin/netexternal.cgi @@ -25,9 +25,13 @@ use strict; #use warnings; #use CGI::Carp 'fatalsToBrowser'; +use IO::Socket; +use Geo::IP::PurePerl; + require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; +require "${General::swroot}/geoip-functions.pl"; require "${General::swroot}/graphs.pl"; my %color = (); @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){ $Lang::tr{'nameserver'} </th> <th align="center"> + $Lang::tr{'flag'} + </th> + <th align="center"> + $Lang::tr{'rdns'} + </th> + <th align="center"> $Lang::tr{'status'} </th> </tr> @@ -139,9 +149,22 @@ END my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'}; + # Get rDNS entry for nameserver (might be useful) + my $iaddr = inet_aton($nameserver); + my $rdns = gethostbyaddr($iaddr, AF_INET); + if (!$rdns) { $rdns = $Lang::tr{'lookup failed'}; } + + # Get country flag for the nameserver (might be useful) + my $gi = Geo::IP::PurePerl->new(); + my $ccode = $gi->country_code_by_name($nameserver); + my $fcode = lc($ccode); + my $flag_icon = &GeoIP::get_flag_icon($fcode); + print <<END; <tr bgcolor="$table_colour"> <td>$nameserver</td> + <td align="center"><a href="../country.cgi#$fcode"><img src="$flag_icon" border="0" align="absmiddle" alt="$ccode"></a></td> + <td>$rdns</td> <td bgcolor="$bgcolour" align="center"> $message </td> @@ -271,3 +294,4 @@ sub check_dnssec($$) { return $aware + $validating; } + diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0138cbc02..a63eb3160 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1902,6 +1902,7 @@ 'quick playlist' => 'Quick Playlist', 'ram' => 'RAM-Speicher', 'random number generator daemon' => 'Random Number Generator Daemon', +'rdns' => 'rDNS', 'read bytes' => 'Gelesene Bytes', 'read list' => 'Liste der Leseberechtigten', 'real address' => 'Reale Addresse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b3aee5a2b..13c18f4c8 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1936,6 +1936,7 @@ 'quick playlist' => 'Quick Playlist', 'ram' => 'RAM', 'random number generator daemon' => 'Random Number Generator Daemon', +'rdns' => 'rDNS', 'read bytes' => 'Read Bytes', 'read list' => 'list with readonly hosts', 'real address' => 'Real Address',

1 0

[PATCH 1/5] kernel: update to 4.12.8
by Arne Fitzenreiter 07 Sep '17

07 Sep '17

Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> --- kernel/kernel.nm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/kernel.nm b/kernel/kernel.nm index 8b1b67d..15e72c2 100644 --- a/kernel/kernel.nm +++ b/kernel/kernel.nm @@ -4,8 +4,8 @@ ############################################################################### name = kernel -version = 4.12.4 -release = 2 +version = 4.12.8 +release = 1 thisapp = linux-%{version} maintainer = Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> -- 2.6.3

1 4

Re: [PATCH 1/2] ipsec: only accept valid options for a connection type
by Jonatan Schlag 07 Sep '17

07 Sep '17

Hi, Am Do, 7. Sep, 2017 um 9:44 schrieb Michael Tremer <michael.tremer(a)ipfire.org>: > Hi, > > sorry for the very late review. See the comments below: > > On Mon, 2017-08-28 at 17:32 +0200, Jonatan Schlag wrote: >> The valid options for a host-to-net ipsec connection and a >> net-to-net >> are different so we nedd to check if we get a valid option for the >> connection >> type. >> >> Fixes: #11444 >> >> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org> >> --- >> src/functions/functions.ipsec | 129 >> ++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 129 insertions(+) >> >> diff --git a/src/functions/functions.ipsec >> b/src/functions/functions.ipsec >> index 6f14c8e..11a1d9a 100644 >> --- a/src/functions/functions.ipsec >> +++ b/src/functions/functions.ipsec >> @@ -54,6 +54,46 @@ IPSEC_DEFAULT_TYPE="net-to-net" >> IPSEC_VALID_MODES="gre-transport tunnel vti" >> IPSEC_VALID_AUTH_MODES="PSK" >> >> +# Valid options for all types of connetions >> +IPSEC_ALL_VALID_OPTIONS="\ >> + authentication \ >> + down \ >> + disable \ >> + dpd \ >> + enable \ >> + inactivity_timeout \ >> + local \ >> + mode \ >> + remote \ >> + security_policy \ >> + start_action \ >> + up \ >> + color \ >> + description \ >> + show" > > Could we order those alphabetically? > >> + >> +# Valid options for net-to-net >> +IPSEC_NET_TOT_NET_VALID_OPTIONS="${IPSEC_ALL_VALID_OPTIONS} \ >> + peer" > > I think it should be "TO" in the variable name. You could also use > "N2N" to make > it a little bit shorter maybe. > >> + >> +# Valid options for RW >> +IPSEC_RW_VALID_OPTIONS="${IPSEC_ALL_VALID_OPTIONS} \ >> + pool" >> + >> +# Valid dpd options for all types of connetions >> +IPSEC_DPD_ALL_VALID_OPTIONS="\ >> + delay \ >> + timeout" >> + >> +# Valid dpd options for net-to-net >> >> +IPSEC_DPD_NET_TOT_NET_VALID_OPTIONS="${IPSEC_DPD_ALL_VALID_OPTIONS} >> \ >> + action" > > Same as above. > >> + >> +# Valid dpd options for RW >> +IPSEC_DPD_RW_VALID_OPTIONS="${IPSEC_DPD_ALL_VALID_OPTIONS}" >> + >> + >> + > > Three lines of whitespace. One should do. > >> cli_ipsec() { >> local action=${1} >> shift 1 >> @@ -79,6 +119,10 @@ cli_ipsec_connection() { >> key=${key//-/_} >> shift 2 >> >> + if ! ipsec_connection_check_option "${connection}" "first" >> "${key}"; then >> + return ${EXITR_ERROR} >> + fi >> + > > Typo in the EXIT_ERROR variable. > >> case "${key}" in >> authentication|down|disable|dpd|enable|inactivity_tim >> eout|local|mode|peer|pool|remote|security_policy|start_action|up) >> ipsec_connection_${key} ${connection} "$@" >> @@ -148,6 +192,67 @@ ipsec_connection_get_description_title() { >> description_title_read $(description_format_filename "ipsec- >> connection" "${name}") >> } >> >> +# This functions returns all options which are valid for this type >> of >> connection >> +ipsec_get_valid_options() { >> + assert [ $# -eq 2 ] >> + >> + local connection="${1}" >> + local type="${2}" >> + >> + local con_type=$(ipsec_connection_get_type "${connection}") >> + assert isset con_type >> + >> + case ${con_type} in >> + host-to-net) >> + case ${type} in >> + first) >> + echo "${IPSEC_RW_VALID_OPTIONS}" >> + ;; >> + dpd) >> + echo "${IPSEC_DPD_RW_VALID_OPTIONS}" >> + ;; >> + esac >> + ;; >> + net-to-net) >> + case ${type} in >> + first) >> + echo >> "${IPSEC_NET_TOT_NET_VALID_OPTIONS}" >> + ;; >> + dpd) >> + echo >> "${IPSEC_DPD_NET_TOT_NET_VALID_OPTIONS}" >> + ;; >> + esac >> + ;; >> + esac >> +} >> + >> +# This Function checks if a option is valid for a given type >> +ipsec_connection_check_option() { >> + assert [ $# -eq 3 ] >> + >> + local connection="${1}" >> + local type="${2}" >> + local key="${3}" >> + >> + local con_type=$(ipsec_connection_get_type "${connection}") >> + assert isset con_type >> + >> + case ${con_type} in >> + host-to-net) >> + if ! isoneof key $(ipsec_get_valid_options >> "${connection}" "${type}"); then >> + log ERROR "Invalid Argument: ${key}" >> + return ${EXIT_ERROR} >> + fi >> + ;; >> + net-to-net) >> + if ! isoneof key $(ipsec_get_valid_options >> "${connection}" "${type}"); then >> + log ERROR "Invalid Argument: ${key}" >> + return ${EXIT_ERROR} >> + fi >> + ;; >> + esac >> +} >> + >> cli_ipsec_connection_show() { >> local connection="${1}" >> >> @@ -443,6 +548,26 @@ ipsec_reload() { >> ipsec_strongswan_load >> } >> >> +# Returns the type of a connection >> +ipsec_connection_get_type() { >> + assert [ $# -eq 1 ] >> + >> + local connection=${1} >> + >> + if ! ipsec_connection_exists "${connection}"; then >> + log ERROR "No such VPN ipsec connection: ${connection}" >> + return ${EXIT_ERROR} >> + fi > > It is called a "IPsec VPN connection". > > IPsec is spelled like this and the rest sounds like Yoda :) > >> + >> + local TYPE >> + >> + if ! ipsec_connection_read_config "${connection}" TYPE; then >> + return ${EXIT_ERROR} >> + fi >> + >> + echo ${TYPE} >> +} >> + >> # Handle the cli after authentification >> ipsec_connection_authentication() { >> if [ ! $# -gt 1 ]; then >> @@ -551,6 +676,10 @@ ipsec_connection_dpd() { >> local cmd=${2} >> shift 2 >> >> + if ! ipsec_connection_check_option "${connection}" "dpd" "${cmd}"; >> then >> + return ${EXITR_ERROR} >> + fi >> + > > Should the user not get a better message when DPD commands are not > available? I thought about it, there two ways to achieve that. One way would be to put the error messages here and remove the error message inside the function. Or we check what type we get a report a better error message back. But from my point of view "Invalid argument" should be ok here, because we always get here when the user has some typos or use wrong commands. So keeping the generic error message should be cleaner. > > >> case ${cmd} in >> action) >> ipsec_connection_dpd_action "${connection}" "$@" > > -Michael Hopefully, the WIFI in the ICE from Berlin to Munich is good (If there would be WIFI, it would be even better than my ride from Munich to Berlin without WIFI ) so I can correct this patch tomorrow afternoon. Jonatan

1 0

[PATCH] Fixup for apache and aprutil, do not include whole directory
by Wolfgang Apolinarski 07 Sep '17

07 Sep '17

--- config/rootfiles/common/apache2 | 2 +- config/rootfiles/common/aprutil | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 53b6ce9f0..233301a71 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1524,7 +1524,7 @@ usr/bin/htpasswd #usr/include/apache/util_time.h #usr/include/apache/util_varbuf.h #usr/include/apache/util_xml.h -usr/lib/apache +#usr/lib/apache #usr/lib/apache/build #usr/lib/apache/build/config.nice #usr/lib/apache/build/config_vars.mk diff --git a/config/rootfiles/common/aprutil b/config/rootfiles/common/aprutil index 9a56ad13b..e9cf3e0da 100644 --- a/config/rootfiles/common/aprutil +++ b/config/rootfiles/common/aprutil @@ -35,7 +35,7 @@ usr/bin/apu-1-config #usr/include/apr-1/apu_version.h #usr/include/apr-1/apu_want.h #usr/include/apr-1/expat.h -usr/lib/apr-util-1 +#usr/lib/apr-util-1 usr/lib/apr-util-1/apr_crypto_openssl-1.so #usr/lib/apr-util-1/apr_crypto_openssl.la usr/lib/apr-util-1/apr_crypto_openssl.so -- 2.13.0

2 1

Apache Updates
by Wolfgang Apolinarski 05 Sep '17

05 Sep '17

Hi everyone, after Matthias Fischer was able to test the patches, I update them here again, only two small changes. Apparently, the tar process packs the whole directory, when a directory is in the rootfile. This is why the /usr/lib/apache and the /usr/lib/apr-util-1 directory are now commented out. During an update, the following files should be deleted (thanks to Matthias for testing that): In /usr/lib/apache: mod_authn_default.so mod_authz_default.so mod_cern_meta.so mod_cgi.so mod_ident.so mod_imagemap.so In /usr/sbin: htpasswd The directory: /usr/lib/php/extensions/no-debug-non-zts-20090626/ In /usr/lib: libapr-1.so.0.5.1 libapr-1.so libaprutil-1.so.0.5.3 In /usr/lib/apr-util-1: apr_dbd_sqlite3-1.so apr_dbd_sqlite3.so Best regards, Wolfgang PS.: I support the latest discussions about updates for the configuration of apache, but it could make sense to first make the transition to Apache 2.4 and then apply them.

2 1

[PATCH 2/3] add ECDSA certificate and key files to Apache configuration
by Peter Müller 04 Sep '17

04 Sep '17

Make Apache use the ECDSA certificate and key, too. Depends on PATCH 1/3 and on PATCH 3/3 in case of existing installations. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..1af6b5ff1 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -9,10 +9,12 @@ TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertiticateKeyFile /etc/httpd/server-ecdsa.key <Directory /srv/web/ipfire/html> Options ExecCGI

1 0

[PATCH] disable obsolete and unused ciphers in Apache SSL configuration
by Peter Müller 04 Sep '17

04 Sep '17

Perform these modifications to the Apache SSL cipherlist: - disable unused suites (SRP, DSS, PSK) - disable DH, DHE and EDH suites (slow and rarely used, vulnerable to LOGJAM) - prefer ECDSA over RSA - prefer suites with PFS over those without - only allow listed cipher suites (makes the list a bit shorter) This fixes bug #10856. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..dce40b416 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -9,7 +9,7 @@ TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key

1 0

[PATCH 1/2] apr and aprutil: Added as requirement for apache 2.4
by Wolfgang Apolinarski 04 Sep '17

04 Sep '17

- APR 1.6.2 is a requirement for building apache httpd 2.4 - APR-Util 1.6.0 is a requirement for building apache httpd 2.4 --- config/rootfiles/common/apache2 | 8 ++-- config/rootfiles/common/apr | 57 ++++++++++++++++++++++++++++ config/rootfiles/common/aprutil | 52 +++++++++++++++++++++++++ lfs/apr | 84 +++++++++++++++++++++++++++++++++++++++++ lfs/aprutil | 84 +++++++++++++++++++++++++++++++++++++++++ make.sh | 2 + 6 files changed, 283 insertions(+), 4 deletions(-) create mode 100644 config/rootfiles/common/apr create mode 100644 config/rootfiles/common/aprutil create mode 100644 lfs/apr create mode 100644 lfs/aprutil diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index 7e33a155e..360f5ae61 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1342,22 +1342,22 @@ usr/lib/apache/mod_usertrack.so usr/lib/apache/mod_version.so usr/lib/apache/mod_vhost_alias.so #usr/lib/apr-util-1 -usr/lib/apr-util-1/apr_dbd_sqlite3-1.so +#usr/lib/apr-util-1/apr_dbd_sqlite3-1.so #usr/lib/apr-util-1/apr_dbd_sqlite3.a #usr/lib/apr-util-1/apr_dbd_sqlite3.la -usr/lib/apr-util-1/apr_dbd_sqlite3.so +#usr/lib/apr-util-1/apr_dbd_sqlite3.so #usr/lib/apr.exp #usr/lib/aprutil.exp #usr/lib/libapr-1.a #usr/lib/libapr-1.la usr/lib/libapr-1.so usr/lib/libapr-1.so.0 -usr/lib/libapr-1.so.0.5.1 +#usr/lib/libapr-1.so.0.5.1 #usr/lib/libaprutil-1.a #usr/lib/libaprutil-1.la usr/lib/libaprutil-1.so usr/lib/libaprutil-1.so.0 -usr/lib/libaprutil-1.so.0.5.3 +#usr/lib/libaprutil-1.so.0.5.3 #usr/lib/pkgconfig/apr-1.pc #usr/lib/pkgconfig/apr-util-1.pc #usr/sbin/ab diff --git a/config/rootfiles/common/apr b/config/rootfiles/common/apr new file mode 100644 index 000000000..abc825623 --- /dev/null +++ b/config/rootfiles/common/apr @@ -0,0 +1,57 @@ +usr/bin/apr-1-config +#usr/include/apr-1 +#usr/include/apr-1/apr.h +#usr/include/apr-1/apr_allocator.h +#usr/include/apr-1/apr_atomic.h +#usr/include/apr-1/apr_cstr.h +#usr/include/apr-1/apr_dso.h +#usr/include/apr-1/apr_env.h +#usr/include/apr-1/apr_errno.h +#usr/include/apr-1/apr_escape.h +#usr/include/apr-1/apr_file_info.h +#usr/include/apr-1/apr_file_io.h +#usr/include/apr-1/apr_fnmatch.h +#usr/include/apr-1/apr_general.h +#usr/include/apr-1/apr_getopt.h +#usr/include/apr-1/apr_global_mutex.h +#usr/include/apr-1/apr_hash.h +#usr/include/apr-1/apr_inherit.h +#usr/include/apr-1/apr_lib.h +#usr/include/apr-1/apr_mmap.h +#usr/include/apr-1/apr_network_io.h +#usr/include/apr-1/apr_perms_set.h +#usr/include/apr-1/apr_poll.h +#usr/include/apr-1/apr_pools.h +#usr/include/apr-1/apr_portable.h +#usr/include/apr-1/apr_proc_mutex.h +#usr/include/apr-1/apr_random.h +#usr/include/apr-1/apr_ring.h +#usr/include/apr-1/apr_shm.h +#usr/include/apr-1/apr_signal.h +#usr/include/apr-1/apr_skiplist.h +#usr/include/apr-1/apr_strings.h +#usr/include/apr-1/apr_support.h +#usr/include/apr-1/apr_tables.h +#usr/include/apr-1/apr_thread_cond.h +#usr/include/apr-1/apr_thread_mutex.h +#usr/include/apr-1/apr_thread_proc.h +#usr/include/apr-1/apr_thread_rwlock.h +#usr/include/apr-1/apr_time.h +#usr/include/apr-1/apr_user.h +#usr/include/apr-1/apr_version.h +#usr/include/apr-1/apr_want.h +usr/lib/libapr-1.so.0.6.2 +usr/lib/apr.exp +usr/lib/libapr-1.la +usr/lib/libapr-1.so +usr/lib/libapr-1.so.0 +#usr/lib/pkgconfig/apr-1.pc +#usr/share/apr-1 +#usr/share/apr-1/build +#usr/share/apr-1/build/apr_common.m4 +#usr/share/apr-1/build/apr_rules.mk +#usr/share/apr-1/build/find_apr.m4 +#usr/share/apr-1/build/libtool +#usr/share/apr-1/build/make_exports.awk +#usr/share/apr-1/build/make_var_export.awk +#usr/share/apr-1/build/mkdir.sh diff --git a/config/rootfiles/common/aprutil b/config/rootfiles/common/aprutil new file mode 100644 index 000000000..7b0bbb8d7 --- /dev/null +++ b/config/rootfiles/common/aprutil @@ -0,0 +1,52 @@ +usr/bin/apu-1-config +#usr/include/apr-1/apr_anylock.h +#usr/include/apr-1/apr_base64.h +#usr/include/apr-1/apr_buckets.h +#usr/include/apr-1/apr_crypto.h +#usr/include/apr-1/apr_date.h +#usr/include/apr-1/apr_dbd.h +#usr/include/apr-1/apr_dbm.h +#usr/include/apr-1/apr_hooks.h +#usr/include/apr-1/apr_ldap.h +#usr/include/apr-1/apr_ldap_init.h +#usr/include/apr-1/apr_ldap_option.h +#usr/include/apr-1/apr_ldap_rebind.h +#usr/include/apr-1/apr_ldap_url.h +#usr/include/apr-1/apr_md4.h +#usr/include/apr-1/apr_md5.h +#usr/include/apr-1/apr_memcache.h +#usr/include/apr-1/apr_optional.h +#usr/include/apr-1/apr_optional_hooks.h +#usr/include/apr-1/apr_queue.h +#usr/include/apr-1/apr_redis.h +#usr/include/apr-1/apr_reslist.h +#usr/include/apr-1/apr_rmm.h +#usr/include/apr-1/apr_sdbm.h +#usr/include/apr-1/apr_sha1.h +#usr/include/apr-1/apr_siphash.h +#usr/include/apr-1/apr_strmatch.h +#usr/include/apr-1/apr_thread_pool.h +#usr/include/apr-1/apr_uri.h +#usr/include/apr-1/apr_uuid.h +#usr/include/apr-1/apr_xlate.h +#usr/include/apr-1/apr_xml.h +#usr/include/apr-1/apu.h +#usr/include/apr-1/apu_errno.h +#usr/include/apr-1/apu_version.h +#usr/include/apr-1/apu_want.h +#usr/include/apr-1/expat.h +usr/lib/libaprutil-1.la +usr/lib/libaprutil-1.so +usr/lib/libaprutil-1.so.0 +usr/lib/libaprutil-1.so.0.6.0 +#usr/lib/libexpat.a +#usr/lib/libexpat.la +#usr/lib/libexpat.so +#usr/lib/libexpat.so.0 +#usr/lib/libexpat.so.0.5.0 +#usr/lib/pkgconfig/apr-util-1.pc +usr/lib/apr-util-1 +usr/lib/apr-util-1/apr_crypto_openssl-1.so +usr/lib/apr-util-1/apr_crypto_openssl.la +usr/lib/apr-util-1/apr_crypto_openssl.so +usr/lib/aprutil.exp diff --git a/lfs/apr b/lfs/apr new file mode 100644 index 000000000..24ab1d79e --- /dev/null +++ b/lfs/apr @@ -0,0 +1,84 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2014 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.6.2 + +THISAPP = apr-$(VER) +DL_FILE = $(THISAPP).tar.bz2 +DL_FROM = http://archive.apache.org/dist/apr +DIR_APP = $(DIR_SRC)/$(THISAPP) + +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = e81a851967c79b5ce9bfbc909e4bf735 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + + cd $(DIR_APP) && sed -i "/seems to be moved/s/^/#/" build/ltmain.sh + + cd $(DIR_APP) && ./configure --prefix=/usr \ + --disable-static --with-installbuilddir=/usr/share/apr-1/build + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/aprutil b/lfs/aprutil new file mode 100644 index 000000000..cf8f4a8a9 --- /dev/null +++ b/lfs/aprutil @@ -0,0 +1,84 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2014 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.6.0 + +THISAPP = apr-util-$(VER) +DL_FILE = $(THISAPP).tar.bz2 +DL_FROM = http://archive.apache.org/dist/apr +DIR_APP = $(DIR_SRC)/$(THISAPP) + +TARGET = $(DIR_INFO)/$(THISAPP) + +DEPS = "apr" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 069a9a980776acab05212c5f37ef8368 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + + cd $(DIR_APP) && ./configure --prefix=/usr \ + --with-apr=/usr --with-gdbm=/usr --with-openssl=/usr --with-crypto + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 663f23fbb..dd57c914e 100755 --- a/make.sh +++ b/make.sh @@ -358,6 +358,7 @@ buildbase() { lfsmake2 bzip2 lfsmake2 pcre lfsmake2 pcre-compat + lfsmake2 apr lfsmake2 bash lfsmake2 diffutils lfsmake2 e2fsprogs @@ -497,6 +498,7 @@ buildipfire() { lfsmake2 libevent2 lfsmake2 libevent2-compat lfsmake2 expat + lfsmake2 aprutil lfsmake2 unbound lfsmake2 gnutls lfsmake2 bind -- 2.13.0

2 7

Developer Telephone Conference Tonight
by Michael Tremer 04 Sep '17

04 Sep '17

Hello, just as a quick reminder: Tonight is our monthly telephone conference. http://wiki.ipfire.org/devel/telco/start Please don't forget! Best, -Michael

1 0

SSL/TLS changes in Apache
by Peter Müller 04 Sep '17

04 Sep '17

Hello development list, sorry for dropping in here. Because I am an absolute newbie, I guess it might be better to explain major changes before I submit them in a patch. The first section affected by this the SSL/TLS configuration used by Apache. As far as I am concerned, there are these issues at the moment: (a) DH cipher suites Because of several reasons, I would like to see them disabled. First, they are more or less obsolete since all modern User Agents (i.e. Web Browsers) does not support them, they mostly use ECDHE instead. (Note that this is valid for web sites only; other type of servers - especially mail servers - are often maintained very badly and therefore do not support anything better.) Second, DH is much slower and needs more CPU time on both server and client than ECDHE. While this not a problem on up-to-date hardware, it might be an issue for older systems. Third, DH is vulnerable to LOGJAM, which is the most important reason to disable it. Fixing LOGJAM is not that easy since it would require i) Apache 2.4.x, which seems to be in development since some patches appeared here the other day ii) an individually created DH prime file, which takes usually more than 20 minutes and requires a huge amount of CPU time. So, disabling the DH cipher suites would be a relatively simple workaround. (b) Cipher strength Currently, AES128 is preferred over AES265 nearly all the time. Since I do not see any reason for this, I would suggest to order them by strength. (c) Unused ciphers Further, there are many unused cipher suites listed (such as SRP, DSS and PSK) which are not supported by any modern browser - and probably never will. Thereof it might make sense to remove them, since they cause the cipherlist to be quite complex and hard to understand. (d) Certificate dual-stack At the first boot, IPFire generates an RSA host key for Apache with a size of 4096 bits. However, there is another key exchange algorithm, called ECDSA. It has several advantages over RSA: i) Compared by key size, it is more secure. An ECDSA key with 256 bits provides the same strength as a RSA key with 3072 bits. ii) Key generation is much faster (384 bits should be sufficient for most applications, it equals about 9216 bits RSA). Especially on slower hardware or systems without a HWRNG, this will accelerate the first boot. iii) It needs less CPU resources on both server and client than RSA. Again, this might be relevant for systems running on legacy hardware. Since ECDSA and RSA can be used parallel (clients that do not understand one key exchange algorithm use the other), I suggest to generate an ECDSA key, too. Most modern User Agents even prefer it over RSA. What do you think of those? (If I made a mistake somewhere - now or in the future -, I would be frightfully grateful for feedback. :-) ) Best regards, Peter Müller

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development September 2017