From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. e735d91f03adf2e0eed8780de52473fe40419bb3
Date: Wed, 11 Oct 2017 20:16:26 +0100
Message-ID: <20171011191627.22FDF1081BCF@git01.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  e735d91f03adf2e0eed8780de52473fe40419bb3 (commit)
       via  50846453cb2dee4bd80220a01c714ea7add2e7a3 (commit)
       via  78fa47700d39c3f84a5c31e72140472564328aea (commit)
       via  fbc9cfd7697ad09d6022c2c858f0d942d35ee388 (commit)
       via  73ba2286201fbcf2bfb9786f29d2758e6aa380c6 (commit)
       via  5760f93a74dc8569f206b742b3aa3035d9d582fd (commit)
       via  f227ae4fd2336f86b2e0ada26144bca7190e0548 (commit)
       via  5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b (commit)
       via  0b289b3af01080c802a8559a1c86327b77b1f7b9 (commit)
      from  e2bd5a6eb9385b82970c0e0afff5825950772fe1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e735d91f03adf2e0eed8780de52473fe40419bb3
Author: Matthias Fischer
Date:   Wed Oct 11 17:37:23 2017 +0200

    unbound: Update to 1.6.7

    For details see:
    http://www.unbound.net/download.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 50846453cb2dee4bd80220a01c714ea7add2e7a3
Author: Peter Müller
Date:   Wed Oct 11 18:30:50 2017 +0200

    also force TLS when requiring user authentication in WebUI

    Force TLS _and_ a valid login when accessing protected directories.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 78fa47700d39c3f84a5c31e72140472564328aea
Author: Peter Müller
Date:   Wed Oct 11 19:46:35 2017 +0200

    generate ECDSA key on existing installations

    This is required since Apache crashes if any of the key/certificate
    files does not exist.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit fbc9cfd7697ad09d6022c2c858f0d942d35ee388
Author: Peter Müller
Date:   Wed Oct 11 19:47:19 2017 +0200

    ship changed files for Apache and ECDSA

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 73ba2286201fbcf2bfb9786f29d2758e6aa380c6
Author: Peter Müller
Date:   Wed Oct 11 19:45:19 2017 +0200

    enable dual-stack ECDSA and RSA certificates in Apache

    Note: Apache crashes if any of these files does not exist. Therefore
    it is necessary to generate missing keys on existing installations.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 5760f93a74dc8569f206b742b3aa3035d9d582fd
Author: Peter Müller
Date:   Wed Oct 11 19:45:33 2017 +0200

    generate ECDSA key on existing installations

    Generate ECDSA key (and sign it) in case it does not exist. That way,
    httpscert can be run on existing installations without breaking
    already generated (RSA) keys.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit f227ae4fd2336f86b2e0ada26144bca7190e0548
Author: Peter Müller
Date:   Wed Oct 11 19:24:10 2017 +0200

    prefer ECDSA over RSA and remove clutter

    Prioritize ECDSA before RSA and remove unused cipher suites.
    Remove redundant OpenSSL directives to make SSL configuration more
    readable.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 5c6ae344fc30101566d82fa44dbb7d11a3b7ee9b
Author: Matthias Fischer
Date:   Wed Oct 11 18:08:30 2017 +0200

    web-user-interface: Removed 'dial.cgi' from lfs-file

    'dial.cgi' was removed in

    https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=dc6ed83537e1bcc1347ad16bee095ef4d641bc69

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 0b289b3af01080c802a8559a1c86327b77b1f7b9
Author: Michael Tremer
Date:   Wed Oct 11 19:59:48 2017 +0100

    netboot: Update to 1.2

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 19 ++++++++++---
 config/rootfiles/common/unbound                 |  2 +-
 config/rootfiles/core/115/filelists/files       |  3 ++
 config/rootfiles/core/115/update.sh             |  4 +++
 lfs/ipfire-netboot                              |  8 +++---
 lfs/unbound                                     |  4 +--
 lfs/web-user-interface                          |  2 +-
 src/scripts/httpscert                           | 37 +++++++++++++++++++------
 8 files changed, 58 insertions(+), 21 deletions(-)

Difference in files:
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index e9ad26a..c9ccd5b 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -9,10 +9,12 @@ TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256= :ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM= -SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-E= CDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES2= 56-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-S= HA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES= 256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM= -SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:E= CDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384= :ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:E= CDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE= -RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AE= S256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertificateKeyFile /etc/httpd/server-ecdsa.key =20 Options ExecCGI @@ -23,7 +25,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ @@ -32,7 +37,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + Require all granted @@ -74,6 +82,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + 
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 6d153f2..1c39945 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.5 +usr/lib/libunbound.so.2.5.6 usr/sbin/unbound usr/sbin/unbound-anchor usr/sbin/unbound-checkconf diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/cor= e/115/filelists/files index 7274d7e..4cf39b0 100644 --- a/config/rootfiles/core/115/filelists/files +++ b/config/rootfiles/core/115/filelists/files @@ -1,6 +1,8 @@ etc/system-release etc/issue etc/httpd/conf/vhosts.d/captive.conf +etc/httpd/conf/vhosts.d/ipfire-interface.conf +etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/captive/index.cgi srv/web/ipfire/cgi-bin/captive/logo.cgi @@ -13,6 +15,7 @@ srv/web/ipfire/html/captive usr/bin/captive-cleanup usr/local/bin/backupiso usr/local/bin/captivectrl +usr/local/bin/httpscert usr/local/bin/wirelessctrl var/ipfire/backup/include var/ipfire/captive diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/= update.sh index 4b30cd8..941f8df 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -35,6 +35,7 @@ done openvpnctrl -k openvpnctrl -kn2n =20 + # Extract files extract_files =20 @@ -48,6 +49,9 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache =20 +# generate ECDSA key on existing installations to prevent Apache from crashi= ng +/usr/local/bin/httpscert + # Start services /etc/rc.d/init.d/apache2 restart openvpnctrl -s diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index 984c044..6cfae8a 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot 
@@ -24,8 +24,8 @@ =20 include Config =20 -VER =3D v1.1 -PXE_VER =3D 300a371 +VER =3D v1.2 +PXE_VER =3D 1b67a05 =20 THISAPP =3D ipfire-netboot-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -43,8 +43,8 @@ objects =3D $(DL_FILE) ipxe-$(PXE_VER).tar.gz $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) ipxe-$(PXE_VER).tar.gz =3D $(URL_IPFIRE)/ipxe-$(PXE_VER).tar.gz =20 -$(DL_FILE)_MD5 =3D 0dccbcfbc1eafb9d510bd15935b87ef6 -ipxe-$(PXE_VER).tar.gz_MD5 =3D 8a17fb4d6866214feb28cca55630b85f +$(DL_FILE)_MD5 =3D 88350bd0e17052f213f41de6f4cb30a0 +ipxe-$(PXE_VER).tar.gz_MD5 =3D 300fe0e096e58bfb4318bc39b63f9a88 =20 install : $(TARGET) =20 diff --git a/lfs/unbound b/lfs/unbound index 39ad0de..0648fb7 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.6.6 +VER =3D 1.6.7 =20 THISAPP =3D unbound-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D f2cc56bd88c9634fe18334d2421205f1 +$(DL_FILE)_MD5 =3D 67ed382add11134d689f5e88f8efc43e =20 install : $(TARGET) =20 diff --git a/lfs/web-user-interface b/lfs/web-user-interface index 3e9eb9a..0c56882 100644 --- a/lfs/web-user-interface +++ b/lfs/web-user-interface @@ -64,7 +64,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R root:root /srv/web/ipfire chmod -R 755 /srv/web/ipfire/cgi-bin chmod -R 644 /srv/web/ipfire/html - chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi= ,dial.cgi,images,include,themes,themes/*,themes/*/*} + chmod 755 /srv/web/ipfire/html /srv/web/ipfire/html/{index.cgi,redirect.cgi= ,images,include,themes,themes/*,themes/*/*} ln -svf ipfire /srv/web/ipfire/html/themes/ipfire-rounded =20 # Reset permissions of redirect templates and theme directories diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789..cae39fb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert 
@@ -7,17 +7,36 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/opens= sl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt - ;; + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/ht= tpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/open= ssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/open= ssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi + ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/= server.csr ]; then ISSUER=3D`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issue= r | /usr/bin/cut -f2 -d '=3D'` hooks/post-receive -- IPFire 2.x development tree --===============6388747658136849636==--
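Review bot: the new SSLCipherSuite line in the first ipfire-interface-ssl.conf hunk still ends with static-RSA suites (AES128-GCM-SHA256, AES128-SHA, CAMELLIA128-SHA, AES256-SHA and their siblings) and keeps several SHA-1 CBC suites, which sits oddly with the "remove unused cipher suites" intent of f227ae4f and leaves non-forward-secret options negotiable for any client that asks for them; the two CAMELLIA suites are also new in this list and are not mentioned in the commit message. Consider trimming to the ECDHE-* suites, or say in the commit message which legacy client justifies keeping the rest. Dropping the trailing "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" negations is safe only because the list is now a pure allowlist without the old "HIGH" and "kEDH+AESGCM" groups; if a group is ever re-added those negations must come back with it. For the two added SSLCertificateFile/SSLCertificateKeyFile lines, the upgrade path has to guarantee that /etc/httpd/server-ecdsa.key and /etc/httpd/server-ecdsa.crt exist before apache2 is restarted, as the commit messages themselves warn.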
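Review bot: in the three "Require user admin" hunks of ipfire-interface-ssl.conf, the lines that enclose the new "Require user admin" / "Require ssl" pair come through empty in this rendering, so the container cannot be checked here; it needs to be a RequireAll block. Two bare Require directives inside one Directory or Location are treated as RequireAny by Apache 2.4, which would make a valid login alone sufficient and turn the "force TLS _and_ a valid login" intent of 50846453 into an either/or. Since this vhost already has "SSLEngine on", "Require ssl" is defence in depth rather than the primary control; a one-line comment above each block saying that both conditions are intended would save the next editor from collapsing them. The same change is pasted three times; if the three Directory blocks share everything else as well, an Include or a macro would keep them from drifting apart.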
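Review bot: config/rootfiles/core/115/filelists/files gains etc/httpd/conf/vhosts.d/ipfire-interface.conf, but no diff to that file appears anywhere in this series; if it is meant to be re-shipped unchanged that is harmless, otherwise the entry is stale and should be dropped or the missing change added. The other two additions (the SSL vhost and usr/local/bin/httpscert) match files that are actually modified here.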
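Review bot: the new call in config/rootfiles/core/115/update.sh, "/usr/local/bin/httpscert", passes no argument, but the script dispatches on "$1" and only the "new)" branch generates keys and certificates (the visible cases are "new)" and "read)"). As written, the ECDSA key is never created on upgrade and the "/etc/rc.d/init.d/apache2 restart" a few lines later will hit exactly the crash the comment says it prevents. It should read "/usr/local/bin/httpscert new", and checking its exit status before restarting apache2 would turn a silent failure into a visible one. The ordering is otherwise right: extract_files runs first, so the httpscert being executed is the updated one with the idempotent checks.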
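Review bot: the lfs/ipfire-netboot and lfs/unbound hunks refresh $(DL_FILE)_MD5 and ipxe-$(PXE_VER).tar.gz_MD5 alongside the version bumps; MD5 here is only a download-corruption check, not an integrity or authenticity check, since collisions are practical. The new digest values cannot be verified from the diff itself, so they should be compared against upstream before merge, and where upstream publishes a SHA-256 sum or a signature, recording that instead (or in addition) would strengthen the build's supply chain. The libunbound.so.2.5.5 to .2.5.6 change in config/rootfiles/common/unbound is consistent with the 1.6.6 to 1.6.7 bump.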
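Review bot: in the src/scripts/httpscert hunk, the "new)" branch now skips CSR and certificate generation whenever the files already exist, so "httpscert new" no longer re-signs an existing certificate. That is what 5760f93a intends, but it also means a changed "hostname -f" never reaches the certificate subject, and with "-days 999999" the certificate will not expire and force a regeneration either; a separate renew action, or a note that the files must be removed to regenerate, would make this explicit. The "read)" branch immediately below the hunk still tests only server.key, server.crt and server.csr, so the new ECDSA material is neither reported nor validated. Minor points: the ECDSA pipeline uses the bare "openssl ec" while every other invocation uses /usr/bin/openssl, and neither key path sets an explicit umask or chmod on the private key files, so their mode depends on whatever umask the caller (update.sh or an interactive shell) happens to have.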