This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  e735d91f03adf2e0eed8780de52473fe40419bb3 (commit)
       via  50846453cb2dee4bd80220a01c714ea7add2e7a3 (commit)
       via  78fa47700d39c3f84a5c31e72140472564328aea (commit)
       via  fbc9cfd7697ad09d6022c2c858f0d942d35ee388 (commit)
       via  73ba2286201fbcf2bfb9786f29d2758e6aa380c6 (commit)
       via  5760f93a74dc8569f206b742b3aa3035d9d582fd (commit)
       via  f227ae4fd2336f86b2e0ada26144bca7190e0548 (commit)
       via  5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b (commit)
       via  0b289b3af01080c802a8559a1c86327b77b1f7b9 (commit)
      from  e2bd5a6eb9385b82970c0e0afff5825950772fe1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit e735d91f03adf2e0eed8780de52473fe40419bb3
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Wed Oct 11 17:37:23 2017 +0200
unbound: Update to 1.6.7
For details see: http://www.unbound.net/download.html
Best, Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 50846453cb2dee4bd80220a01c714ea7add2e7a3
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 18:30:50 2017 +0200
also force TLS when requiring user authentication in WebUI
Force TLS _and_ a valid login when accessing protected directories.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 78fa47700d39c3f84a5c31e72140472564328aea
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 19:46:35 2017 +0200
generate ECDSA key on existing installations
This is required since Apache crashes if any of the key/certificate files does not exist.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit fbc9cfd7697ad09d6022c2c858f0d942d35ee388
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 19:47:19 2017 +0200
ship changed files for Apache and ECDSA
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 73ba2286201fbcf2bfb9786f29d2758e6aa380c6
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 19:45:19 2017 +0200
enable dual-stack ECDSA and RSA certificates in Apache
Note: Apache crashes if any of these files does not exist. Therefore it is necessary to generate missing keys on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5760f93a74dc8569f206b742b3aa3035d9d582fd
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 19:45:33 2017 +0200
generate ECDSA key on existing installations
Generate ECDSA key (and sign it) in case it does not exist. That way, httpscert can be run on existing installations without breaking already generated (RSA) keys.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
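As an added illustration of the "generate only if missing" behaviour this commit message describes (this is not IPFire's httpscert script and is not part of the push; the output directory and hostname arguments, the 3650-day lifetime, the secp384r1 curve and the function names are my own choices): a POSIX sh version that creates the ECDSA key under a restrictive umask, stops at the first failing openssl call instead of continuing with half a key set, and exposes two checks a caller can use to confirm that the certificate is ECDSA and that a second run left the existing key untouched.

```shell
#!/bin/sh
# Added example, not IPFire's httpscert: idempotent generation of an ECDSA
# key, CSR and self-signed certificate that never overwrites existing files.
# Assumptions (mine, not the project's): output directory and hostname are
# passed in as arguments; curve secp384r1; certificate lifetime 3650 days.

gen_ecdsa_selfsigned() {
    dir="$1"
    host="$2"
    key="$dir/server-ecdsa.key"
    csr="$dir/server-ecdsa.csr"
    crt="$dir/server-ecdsa.crt"

    mkdir -p "$dir" || return 1

    # Private key: only generate when absent. The umask in the subshell makes
    # openssl create the file 0600, so the key is never world-readable, and
    # -noout keeps the EC parameter block out of the key file.
    if [ ! -f "$key" ]; then
        (umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$key") || return 1
    fi

    # CSR: only when missing; the subject is built from the argument rather
    # than by sed-substituting a template file.
    if [ ! -f "$csr" ]; then
        openssl req -new -key "$key" -subj "/CN=$host" -out "$csr" || return 1
    fi

    # Certificate: self-signed with the ECDSA key, SHA-256 signature.
    # Every step returns non-zero on failure so the caller can stop early
    # instead of leaving a partial set of files that "looks done" to -f tests.
    if [ ! -f "$crt" ]; then
        openssl x509 -req -days 3650 -sha256 -in "$csr" -signkey "$key" -out "$crt" || return 1
    fi
    return 0
}

# Name of the public-key algorithm in a certificate: "id-ecPublicKey" for
# ECDSA, "rsaEncryption" for RSA. Lets a caller verify which cert it got.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# SHA-256 over the DER public key of a private-key file; two runs of
# gen_ecdsa_selfsigned must yield the same value, proving the key was kept.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}
```

Usage on a firewall would be `gen_ecdsa_selfsigned /etc/httpd "$(hostname -f)"`; running it a second time is a no-op, which `key_fingerprint` before and after lets you confirm. The one deliberate difference from the script in the push is that failures propagate: the pipeline form `openssl ecparam -genkey | openssl ec -out` only reports the status of the last command, so the single-command `-noout -out` form is used instead.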
commit f227ae4fd2336f86b2e0ada26144bca7190e0548
Author: Peter Müller <peter.mueller@link38.eu>
Date:   Wed Oct 11 19:24:10 2017 +0200
prefer ECDSA over RSA and remove clutter
Prioritize ECDSA before RSA and remove unused cipher suites. Remove redundant OpenSSL directives to make SSL configuration more readable.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Wed Oct 11 18:08:30 2017 +0200
web-user-interface: Removed 'dial.cgi' from lfs-file
'dial.cgi' was removed in
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=dc6ed83537e1bcc1347ad16b...
Best, Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0b289b3af01080c802a8559a1c86327b77b1f7b9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Oct 11 19:59:48 2017 +0100
netboot: Update to 1.2
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 19 ++++++++++---
 config/rootfiles/common/unbound                 |  2 +-
 config/rootfiles/core/115/filelists/files       |  3 ++
 config/rootfiles/core/115/update.sh             |  4 +++
 lfs/ipfire-netboot                              |  8 +++---
 lfs/unbound                                     |  4 +--
 lfs/web-user-interface                          |  2 +-
 src/scripts/httpscert                           | 37 +++++++++++++++++++------
 8 files changed, 58 insertions(+), 21 deletions(-)
Difference in files: diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index e9ad26a..c9ccd5b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -9,10 +9,12 @@ TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
<Directory /srv/web/ipfire/html> Options ExecCGI @@ -23,7 +25,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,7 +37,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> @@ -74,6 +82,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost> diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 6d153f2..1c39945 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.5 +usr/lib/libunbound.so.2.5.6 usr/sbin/unbound usr/sbin/unbound-anchor usr/sbin/unbound-checkconf diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files index 7274d7e..4cf39b0 100644 --- a/config/rootfiles/core/115/filelists/files +++ b/config/rootfiles/core/115/filelists/files @@ -1,6 +1,8 @@ etc/system-release etc/issue etc/httpd/conf/vhosts.d/captive.conf +etc/httpd/conf/vhosts.d/ipfire-interface.conf +etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/captive/index.cgi srv/web/ipfire/cgi-bin/captive/logo.cgi @@ -13,6 +15,7 @@ srv/web/ipfire/html/captive usr/bin/captive-cleanup usr/local/bin/backupiso usr/local/bin/captivectrl +usr/local/bin/httpscert usr/local/bin/wirelessctrl var/ipfire/backup/include var/ipfire/captive 
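Review bot: the new SSLCipherSuite list in ipfire-interface-ssl.conf drops every DHE-* suite but keeps the static-RSA suites (AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, CAMELLIA128-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, CAMELLIA256-SHA) at the tail, so a client that offers no ECDHE suite still gets a session without forward secrecy; if that is a deliberate compatibility fallback, say so in the commit message, otherwise cut the list after the ECDHE-RSA block. The commit message also says "remove unused cipher suites", yet CAMELLIA128-SHA and CAMELLIA256-SHA are new in this list, not removals. The second SSLCertificateFile/SSLCertificateKeyFile pair (one per key type) depends on the installed httpd accepting more than one certificate per vhost; the version that requires is not stated anywhere in the push, so a one-line comment above the directives would help the next reader.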
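Review bot: `Require ssl` inside `<RequireAll>` is the right mod_ssl authz syntax, but all three occurrences are in ipfire-interface-ssl.conf, the SSL vhost, where every request is already TLS; the commit message says "force TLS when requiring user authentication", and nothing in this push touches the plain-HTTP vhost ipfire-interface.conf, so the directive only gains teeth if that file is covered elsewhere. Also, the `<Files chpasswd.cgi> Require all granted </Files>` block in the cgi-bin Directory is left as is, so chpasswd.cgi remains the one handler reachable without a login; presumably intended, but it is the single exception to the new RequireAll and deserves a comment.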
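Review bot: the core/115 filelist adds etc/httpd/conf/vhosts.d/ipfire-interface.conf, but no hunk in this push modifies that file (only ipfire-interface-ssl.conf changes); if it was changed by an earlier commit already on the branch, fine, otherwise the entry ships an unchanged file and should be dropped. The usr/local/bin/httpscert entry is needed, since update.sh calls it.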
diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index 4b30cd8..941f8df 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -35,6 +35,7 @@ done openvpnctrl -k openvpnctrl -kn2n
+ # Extract files extract_files
@@ -48,6 +49,9 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache
+# generate ECDSA key on existing installations to prevent Apache from crashing +/usr/local/bin/httpscert + # Start services /etc/rc.d/init.d/apache2 restart openvpnctrl -s diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index 984c044..6cfae8a 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot @@ -24,8 +24,8 @@
include Config
-VER = v1.1 -PXE_VER = 300a371 +VER = v1.2 +PXE_VER = 1b67a05
THISAPP = ipfire-netboot-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,8 +43,8 @@ objects = $(DL_FILE) ipxe-$(PXE_VER).tar.gz $(DL_FILE) = $(DL_FROM)/$(DL_FILE) ipxe-$(PXE_VER).tar.gz = $(URL_IPFIRE)/ipxe-$(PXE_VER).tar.gz
-$(DL_FILE)_MD5 = 0dccbcfbc1eafb9d510bd15935b87ef6 -ipxe-$(PXE_VER).tar.gz_MD5 = 8a17fb4d6866214feb28cca55630b85f +$(DL_FILE)_MD5 = 88350bd0e17052f213f41de6f4cb30a0 +ipxe-$(PXE_VER).tar.gz_MD5 = 300fe0e096e58bfb4318bc39b63f9a88
install : $(TARGET)
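Review bot: in the update.sh hunk above, `/usr/local/bin/httpscert` is invoked with no argument, but httpscert dispatches on `case "$1" in` and only generates keys in its `new)` branch (see the src/scripts/httpscert hunk further down), so on an existing installation this call will not create server-ecdsa.key and Apache will hit exactly the missing-file crash the comment says it prevents. It should read `/usr/local/bin/httpscert new`; since the `new)` branch now skips every file that already exists, `new` is safe to run during an upgrade.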
diff --git a/lfs/unbound b/lfs/unbound index 39ad0de..0648fb7 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@
include Config
-VER = 1.6.6 +VER = 1.6.7
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f2cc56bd88c9634fe18334d2421205f1 +$(DL_FILE)_MD5 = 67ed382add11134d689f5e88f8efc43e
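Review bot: the unbound tarball is still pinned only by `$(DL_FILE)_MD5`; MD5 is collision-broken, so this detects download corruption rather than a substituted archive. That is the existing lfs convention, not something this hunk introduces, but if the build framework can carry a SHA-256 alongside, a network-facing resolver is a sensible place to start.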
install : $(TARGET)
diff --git a/lfs/web-user-interface b/lfs/web-user-interface index 3e9eb9a..0c56882 100644 --- a/lfs/web-user-interface +++ b/lfs/web-user-interface @@ -64,7 +64,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R root:root /srv/web/ipfire chmod -R 755 /srv/web/ipfire/cgi-bin chmod -R 644 /srv/web/ipfire/html - chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi,dial.cgi,images,include,themes,themes/*,themes/*/*} + chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi,images,include,themes,themes/*,themes/*/*} ln -svf ipfire /srv/web/ipfire/html/themes/ipfire-rounded
# Reset permissions of redirect templates and theme directories diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789..cae39fb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert 
@@ -7,17 +7,36 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt - ;; + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi + ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
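Review bot: three points on the httpscert hunk. First, the ECDSA key line runs unqualified `openssl ec` while every other call in the script uses /usr/bin/openssl; pick one. Second, none of the openssl invocations are error-checked: if `openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key` fails, the script carries on to `req -new -key /etc/httpd/server-ecdsa.key`, prints errors, and may leave a partial set of files that the next run treats as complete, because only existence (`-f`) is tested, not validity; a `set -e` at the top (or `|| exit 1` per step) avoids that, and note the pipeline's status is that of `openssl ec`, so a `-genkey` failure is invisible even with set -e. Neither key path sets a restrictive umask or chmods the key afterwards, so whether server-ecdsa.key ends up 0600 depends on openssl's defaults and the caller's umask; an explicit `chmod 600` is cheap. Third, the `read)` branch still tests only server.key, server.crt and server.csr and reports the RSA certificate's issuer, so whatever consumes it will describe only half of what Apache now serves; it should cover the server-ecdsa.* files as well. The 999999-day lifetime is copied from the RSA path, which is consistent but worth a comment given how far in the future that notAfter lands.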
hooks/post-receive -- IPFire 2.x development tree