This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 36c16c71ed854b5bc43b79be926dd1d00f9091ff (commit) from bca096b453809236775b497e0a3e4c7cd5e5437e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 36c16c71ed854b5bc43b79be926dd1d00f9091ff Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Jan 18 18:02:10 2024 +0100
core183: replace https rsa key if it is too small
new openssl need at least 2048 bit rsa keys for apache. So if the existing is smaller a new 4096 bit key is generated.
fixes #13527
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/backup/backup.pl | 13 +++++++++++++ config/rootfiles/core/183/filelists/files | 1 + config/rootfiles/core/183/update.sh | 15 +++++++++++++++ 3 files changed, 29 insertions(+)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 75a0e4f60..7992f21c5 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -229,6 +229,19 @@ restore_backup() { # Set correct ownership chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
+ # Generate new HTTPS RSA key if the existing is too small + KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ ((.*)\ bit.*/\1/p') + if [ $KEYSIZE < 2048 ]; then + openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null + chmod 600 /etc/httpd/server.key + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server.key \ + -out /etc/httpd/server.csr &>/dev/null + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server.csr \ + -signkey /etc/httpd/server.key \ + -out /etc/httpd/server.crt &>/dev/null + fi return 0 }
diff --git a/config/rootfiles/core/183/filelists/files b/config/rootfiles/core/183/filelists/files index 8e58c6ec2..42ddf682e 100644 --- a/config/rootfiles/core/183/filelists/files +++ b/config/rootfiles/core/183/filelists/files @@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat usr/local/bin/backupiso +var/ipfire/backup/bin/backup.pl diff --git a/config/rootfiles/core/183/update.sh b/config/rootfiles/core/183/update.sh index 3312608bc..5930ad324 100644 --- a/config/rootfiles/core/183/update.sh +++ b/config/rootfiles/core/183/update.sh @@ -128,6 +128,21 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then /etc/rc.d/init.d/ipsec start fi
+# Check apache rsa key and replace if it is too small +KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ ((.*)\ bit.*/\1/p') +if [ $KEYSIZE < 2048 ]; then + echo "Generating new HTTPS RSA server key (this will take a moment)..." + openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null + chmod 600 /etc/httpd/server.key + sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ + openssl req -new -key /etc/httpd/server.key \ + -out /etc/httpd/server.csr &>/dev/null + openssl x509 -req -days 999999 -sha256 \ + -in /etc/httpd/server.csr \ + -signkey /etc/httpd/server.key \ + -out /etc/httpd/server.crt &>/dev/null +fi + # Rebuild initial ramdisks dracut --regenerate-all --force KVER="xxxKVERxxx"
hooks/post-receive -- IPFire 2.x development tree