From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. e735d91f03adf2e0eed8780de52473fe40419bb3
Date: Wed, 11 Oct 2017 20:16:26 +0100
Message-ID: <20171011191627.22FDF1081BCF@git01.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via e735d91f03adf2e0eed8780de52473fe40419bb3 (commit)
via 50846453cb2dee4bd80220a01c714ea7add2e7a3 (commit)
via 78fa47700d39c3f84a5c31e72140472564328aea (commit)
via fbc9cfd7697ad09d6022c2c858f0d942d35ee388 (commit)
via 73ba2286201fbcf2bfb9786f29d2758e6aa380c6 (commit)
via 5760f93a74dc8569f206b742b3aa3035d9d582fd (commit)
via f227ae4fd2336f86b2e0ada26144bca7190e0548 (commit)
via 5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b (commit)
via 0b289b3af01080c802a8559a1c86327b77b1f7b9 (commit)
from e2bd5a6eb9385b82970c0e0afff5825950772fe1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e735d91f03adf2e0eed8780de52473fe40419bb3
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Wed Oct 11 17:37:23 2017 +0200
unbound: Update to 1.6.7
For details see:
http://www.unbound.net/download.html
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 50846453cb2dee4bd80220a01c714ea7add2e7a3
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 18:30:50 2017 +0200
also force TLS when requiring user authentication in WebUI
Force TLS _and_ a valid login when accessing protected directories.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
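As an added example (not IPFire code, and not part of this patch series), the following Python lint pass reads an Apache 2.4 vhost fragment and catches the two ways the change above can go wrong: a Basic-auth section that carries no `Require ssl` at all, and `Require user admin` plus `Require ssl` written as plain siblings, which Apache 2.4 treats as an implicit `<RequireAny>` so that a TLS connection alone satisfies the section. The sample configuration, its paths and section arguments are constructed for the example; only the `<RequireAll>` form mirrors what the patch ships. Inheritance of AuthType into child sections is deliberately not modelled.

```python
"""Lint an Apache 2.4 vhost fragment: every Basic-auth section must carry
`Require ssl`, and sibling Require directives must sit inside <RequireAll>.
Added example, not IPFire code; the sample config below is constructed."""
import re
from dataclasses import dataclass, field

SECTION = r'VirtualHost|DirectoryMatch|Directory|LocationMatch|Location|FilesMatch|Files'
AUTHZ = r'RequireAll|RequireAny|RequireNone'
OPEN_RE = re.compile(rf'^<({SECTION}|{AUTHZ})\b\s*([^>]*)>$', re.I)
CLOSE_RE = re.compile(r'^</(\w+)>$', re.I)
DIRECTIVE_RE = re.compile(r'^(\w+)\s+(.*)$')


@dataclass
class Section:
    kind: str
    arg: str
    auth_basic: bool = False
    # (provider, arguments, inside <RequireAll>)
    requires: list = field(default_factory=list)


def parse(text):
    """Attribute AuthType/Require to the innermost enclosing section.
    Inheritance of AuthType into child sections is not modelled."""
    sections, stack, authz = [], [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if m := OPEN_RE.match(line):
            kind = m.group(1).lower()
            if kind in ('requireall', 'requireany', 'requirenone'):
                authz.append(kind)
            else:
                stack.append(Section(m.group(1), m.group(2).strip()))
                sections.append(stack[-1])
        elif m := CLOSE_RE.match(line):
            kind = m.group(1).lower()
            if authz and authz[-1] == kind:
                authz.pop()
            elif stack and stack[-1].kind.lower() == kind:
                stack.pop()
        elif (m := DIRECTIVE_RE.match(line)) and stack:
            name, args = m.group(1).lower(), m.group(2).strip()
            if name == 'authtype' and args.lower() == 'basic':
                stack[-1].auth_basic = True
            elif name == 'require':
                provider, _, rest = args.partition(' ')
                in_all = bool(authz) and authz[-1] == 'requireall'
                stack[-1].requires.append((provider.lower(), rest, in_all))
    return sections


def lint(text):
    """Return (section, finding) pairs for every Basic-auth section."""
    findings = []
    for s in parse(text):
        if not s.auth_basic:
            continue
        where = f'<{s.kind} {s.arg}>'
        if 'ssl' not in [p for p, _, _ in s.requires]:
            findings.append((where, 'no-require-ssl'))
        # Apache 2.4: bare sibling Require directives are implicitly wrapped
        # in <RequireAny>, so satisfying any ONE of them grants access.
        if sum(1 for r in s.requires if not r[2]) > 1:
            findings.append((where, 'implicit-requireany'))
    return findings


# Constructed sample: first section is the pre-patch form, second the
# tempting but wrong sibling form, third the form the patch uses.
SAMPLE_CONF = """
<VirtualHost _default_:444>
  SSLEngine on
  <Directory /srv/web/ipfire/html>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
  </Directory>
  <Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
  </Directory>
  <Directory /srv/web/ipfire/html/secure>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
      Require user admin
      Require ssl
    </RequireAll>
  </Directory>
</VirtualHost>
"""

if __name__ == '__main__':
    for where, finding in lint(SAMPLE_CONF):
        print(f'{finding}: {where}')
```

Run against the sample it reports `no-require-ssl` for the first section and `implicit-requireany` for the second; the third, which is the shape used in this commit, passes. The `implicit-requireany` check is the one worth keeping in a pre-commit hook: it is the only one of the three forms that looks hardened while actually weakening authentication.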
commit 78fa47700d39c3f84a5c31e72140472564328aea
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 19:46:35 2017 +0200
generate ECDSA key on existing installations
This is required since Apache crashes if any of the key/certificate files
does not exist.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit fbc9cfd7697ad09d6022c2c858f0d942d35ee388
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 19:47:19 2017 +0200
ship changed files for Apache and ECDSA
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 73ba2286201fbcf2bfb9786f29d2758e6aa380c6
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 19:45:19 2017 +0200
enable dual-stack ECDSA and RSA certificates in Apache
Note: Apache crashes if any of these files does not exist. Therefore it
is necessary to generate missing keys on existing installations.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5760f93a74dc8569f206b742b3aa3035d9d582fd
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 19:45:33 2017 +0200
generate ECDSA key on existing installations
Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be run on existing installations without breaking already
generated (RSA) keys.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f227ae4fd2336f86b2e0ada26144bca7190e0548
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Oct 11 19:24:10 2017 +0200
prefer ECDSA over RSA and remove clutter
Prioritize ECDSA before RSA and remove unused cipher suites.
Remove redundant OpenSSL directives to make SSL configuration more readable.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Wed Oct 11 18:08:30 2017 +0200
web-user-interface: Removed 'dial.cgi' from lfs-file
'dial.cgi' was removed in
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=dc6ed83537e1bcc1347ad16bee095ef4d641bc69
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0b289b3af01080c802a8559a1c86327b77b1f7b9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Oct 11 19:59:48 2017 +0100
netboot: Update to 1.2
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 19 ++++++++++---
config/rootfiles/common/unbound | 2 +-
config/rootfiles/core/115/filelists/files | 3 ++
config/rootfiles/core/115/update.sh | 4 +++
lfs/ipfire-netboot | 8 +++---
lfs/unbound | 4 +--
lfs/web-user-interface | 2 +-
src/scripts/httpscert | 37 +++++++++++++++++++------
8 files changed, 58 insertions(+), 21 deletions(-)
Difference in files:
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index e9ad26a..c9ccd5b 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,10 +9,12 @@
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
+ SSLCertificateFile /etc/httpd/server-ecdsa.crt
+ SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
<Directory /srv/web/ipfire/html>
Options ExecCGI
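Review bot: the tail of the new SSLCipherSuite list, from AES128-GCM-SHA256 through CAMELLIA256-SHA, is static-RSA key exchange with no forward secrecy, and now that the DHE-* entries are gone these are the only non-ECDHE suites left; with SSLHonorCipherOrder on they are reached only by clients that cannot do ECDHE, so either drop them or add a comment stating they are a deliberate fallback, otherwise the next reader will not know whether they were kept on purpose. The second SSLCertificateFile/SSLCertificateKeyFile pair is what makes the ECDSA-first ordering meaningful: Apache picks the RSA or ECDSA certificate per connection according to the negotiated suite, so server-ecdsa.crt is actually served to clients that offer ECDHE-ECDSA.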
@@ -23,7 +25,10 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</DirectoryMatch>
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
<Directory /srv/web/ipfire/cgi-bin>
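Review bot: the <RequireAll> wrapper around `Require user admin` and `Require ssl` is load-bearing, not cosmetic: in Apache 2.4 several bare Require directives in one section form an implicit <RequireAny>, so the two lines without the wrapper would admit any TLS client with no credentials at all. A one-line comment in the config saying so would stop a later cleanup from flattening it. Note also that this vhost already has `SSLEngine on` a few lines above, so `Require ssl` cannot fail here; it only adds protection if these sections are ever included from a plain-HTTP vhost.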
@@ -32,7 +37,10 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
<Files chpasswd.cgi>
Require all granted
</Files>
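Review bot: `<Files chpasswd.cgi> Require all granted </Files>` sits inside the directory that now carries the <RequireAll>, and with the default AuthMerging Off a child section's Require replaces the parent's rather than combining with it, so chpasswd.cgi stays reachable without a login and also without the new TLS check. If the intent is "no password, but TLS only", use `Require ssl` in that <Files> block instead of `Require all granted`.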
@@ -74,6 +82,9 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</Directory>
</VirtualHost>
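Review bot: this is the fourth identical three-line <RequireAll> block in one file (the first is in the DirectoryMatch above); the pre-patch `Require user admin` lines were likewise copied four times, which is how such sections drift apart. Consider a single Include'd fragment or, if mod_macro is loaded on the box, a <Macro>, so the next authorization change is made in one place.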
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 6d153f2..1c39945 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
#usr/lib/libunbound.la
#usr/lib/libunbound.so
usr/lib/libunbound.so.2
-usr/lib/libunbound.so.2.5.5
+usr/lib/libunbound.so.2.5.6
usr/sbin/unbound
usr/sbin/unbound-anchor
usr/sbin/unbound-checkconf
diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files
index 7274d7e..4cf39b0 100644
--- a/config/rootfiles/core/115/filelists/files
+++ b/config/rootfiles/core/115/filelists/files
@@ -1,6 +1,8 @@
etc/system-release
etc/issue
etc/httpd/conf/vhosts.d/captive.conf
+etc/httpd/conf/vhosts.d/ipfire-interface.conf
+etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
etc/rc.d/init.d/firewall
srv/web/ipfire/cgi-bin/captive/index.cgi
srv/web/ipfire/cgi-bin/captive/logo.cgi
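Review bot: etc/httpd/conf/vhosts.d/ipfire-interface.conf is added to the core 115 file list, but nothing in this series changes it; the summary of changes lists only ipfire-interface-ssl.conf. Shipping an unchanged file is harmless, but confirm it is intended and not a leftover from an earlier revision of the patch that also touched the plain-HTTP vhost.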
@@ -13,6 +15,7 @@ srv/web/ipfire/html/captive
usr/bin/captive-cleanup
usr/local/bin/backupiso
usr/local/bin/captivectrl
+usr/local/bin/httpscert
usr/local/bin/wirelessctrl
var/ipfire/backup/include
var/ipfire/captive
diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh
index 4b30cd8..941f8df 100644
--- a/config/rootfiles/core/115/update.sh
+++ b/config/rootfiles/core/115/update.sh
@@ -35,6 +35,7 @@ done
openvpnctrl -k
openvpnctrl -kn2n
+
# Extract files
extract_files
@@ -48,6 +49,9 @@ ldconfig
# Update Language cache
/usr/local/bin/update-lang-cache
+# generate ECDSA key on existing installations to prevent Apache from crashing
+/usr/local/bin/httpscert
+
# Start services
/etc/rc.d/init.d/apache2 restart
openvpnctrl -s
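Review bot: `/usr/local/bin/httpscert` is invoked with no argument, but in the version of the script shipped in this same series key and certificate generation lives under the `new)` branch of `case "$1"`, and no default branch is visible; unless one exists outside the hunk, this call generates nothing and `apache2 restart` two lines later runs with server-ecdsa.crt still missing, which is precisely the failure the comment says it prevents. Suggest `/usr/local/bin/httpscert new`, and a test of update.sh on an installation that has only the RSA files.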
diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot
index 984c044..6cfae8a 100644
--- a/lfs/ipfire-netboot
+++ b/lfs/ipfire-netboot
@@ -24,8 +24,8 @@
include Config
-VER = v1.1
-PXE_VER = 300a371
+VER = v1.2
+PXE_VER = 1b67a05
THISAPP = ipfire-netboot-$(VER)
DL_FILE = $(THISAPP).tar.gz
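Review bot: `PXE_VER = 1b67a05` is an abbreviated commit id, fine for naming the tarball but ambiguous as a long-term reference, and neither the commit message nor the file records which iPXE tag or full hash the snapshot was taken from. A comment with the full upstream commit hash (or the upstream tag) would allow the tarball to be regenerated and compared later.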
@@ -43,8 +43,8 @@ objects = $(DL_FILE) ipxe-$(PXE_VER).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
ipxe-$(PXE_VER).tar.gz = $(URL_IPFIRE)/ipxe-$(PXE_VER).tar.gz
-$(DL_FILE)_MD5 = 0dccbcfbc1eafb9d510bd15935b87ef6
-ipxe-$(PXE_VER).tar.gz_MD5 = 8a17fb4d6866214feb28cca55630b85f
+$(DL_FILE)_MD5 = 88350bd0e17052f213f41de6f4cb30a0
+ipxe-$(PXE_VER).tar.gz_MD5 = 300fe0e096e58bfb4318bc39b63f9a88
install : $(TARGET)
diff --git a/lfs/unbound b/lfs/unbound
index 39ad0de..0648fb7 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
include Config
-VER = 1.6.6
+VER = 1.6.7
THISAPP = unbound-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f2cc56bd88c9634fe18334d2421205f1
+$(DL_FILE)_MD5 = 67ed382add11134d689f5e88f8efc43e
install : $(TARGET)
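Review bot: the only integrity check on the downloaded unbound-1.6.7.tar.gz is the MD5 on the `+` line, which catches a truncated download but not a substituted one. Upstream publishes SHA-256 digests and PGP signatures for its releases; recording the SHA-256 alongside (or instead of) the MD5 when bumping the version costs one line and removes the weak link.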
diff --git a/lfs/web-user-interface b/lfs/web-user-interface
index 3e9eb9a..0c56882 100644
--- a/lfs/web-user-interface
+++ b/lfs/web-user-interface
@@ -64,7 +64,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
chown -R root:root /srv/web/ipfire
chmod -R 755 /srv/web/ipfire/cgi-bin
chmod -R 644 /srv/web/ipfire/html
- chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi,dial.cgi,images,include,themes,themes/*,themes/*/*}
+ chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi,images,include,themes,themes/*,themes/*/*}
ln -svf ipfire /srv/web/ipfire/html/themes/ipfire-rounded
# Reset permissions of redirect templates and theme directories
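Review bot: the removal is correct (dial.cgi went away in dc6ed835), but the hand-maintained brace list is the underlying problem: chmod fails on any path that no longer exists and the recipe aborts, so every CGI added or removed under html/ needs this line edited in step. A pattern-based form such as `find /srv/web/ipfire/html -type d -exec chmod 755 {} +` followed by `chmod 755 /srv/web/ipfire/html/*.cgi` would keep the same result without the list.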
diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789..cae39fb 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,17 +7,36 @@
case "$1" in
new)
if [ ! -f /etc/httpd/server.key ]; then
- echo "Generating https server key."
+ echo "Generating HTTPS RSA server key."
/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
fi
- echo "Generating CSR"
- /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
- req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
- echo "Signing certificate"
- /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
- /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
- /etc/httpd/server.crt
- ;;
+ if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+ echo "Generating HTTPS ECDSA server key."
+ /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+ fi
+
+ echo "Generating CSRs"
+ if [ ! -f /etc/httpd/server.csr ]; then
+ /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+ fi
+ if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+ /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+ req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+ fi
+
+ echo "Signing certificates"
+ if [ ! -f /etc/httpd/server.crt ]; then
+ /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+ /etc/httpd/server.crt
+ fi
+ if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+ /usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+ /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+ /etc/httpd/server-ecdsa.crt
+ fi
+ ;;
read)
if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`
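Review bot: the `read)` branch at the end of the hunk still tests only server.key, server.crt and server.csr, so the script can now create an ECDSA certificate it never reports; extend the check and the output to the server-ecdsa.* files. Two further points on the `new)` branch: the new `if [ ! -f ... ]` guards make it idempotent, which the update needs, but they also mean a later hostname change no longer reaches the CSR or certificate, whereas before this patch both were regenerated on every run, so document that `new` now means "create what is missing". And `openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key` writes the private key with whatever permissions the OpenSSL build and umask give it; a `chmod 600` after each key generation (or `umask 077` at the top of the script) removes the doubt for both the RSA and the ECDSA key. The `-days 999999` lifetime on both self-signed certificates predates this change, but since the signing lines are being rewritten anyway this is the moment to pick a bounded value.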
hooks/post-receive
--
IPFire 2.x development tree