From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 9bc17600521eabca8238fc9116d1fae47800a6af
Date: Sun, 17 Feb 2019 13:48:05 +0000
Message-ID: <20190217134806.3583584FDD4@people01.i.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 9bc17600521eabca8238fc9116d1fae47800a6af (commit)
from 256070e92fed192f80c0c4fcdbbf9102fdc8e6b4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9bc17600521eabca8238fc9116d1fae47800a6af
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sun Feb 17 13:46:51 2019 +0000
unbound: Drop certificates for local control connection
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound unusable.
There is no strong reason to use self-signed certificates for extra
security here.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/128/filelists/files | 2 ++
config/rootfiles/core/128/update.sh | 1 +
config/unbound/unbound.conf | 6 +-----
src/initscripts/system/unbound | 5 -----
4 files changed, 4 insertions(+), 10 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/128/filelists/files b/config/rootfiles/core/128/filelists/files
index 1998a08c0..9a34f756b 100644
--- a/config/rootfiles/core/128/filelists/files
+++ b/config/rootfiles/core/128/filelists/files
@@ -5,8 +5,10 @@ var/ipfire/langs
etc/rc.d/helper/aws-setup
etc/rc.d/init.d/aws
etc/rc.d/init.d/firewall
+etc/rc.d/init.d/unbound
etc/ssl/openssl.cnf
etc/sysctl.conf
+etc/unbound/unbound.conf
srv/web/ipfire/cgi-bin/proxy.cgi
usr/local/bin/xt_geoip_update
var/ipfire/ovpn/openssl/ovpn.cnf
diff --git a/config/rootfiles/core/128/update.sh b/config/rootfiles/core/128/update.sh
index dc185ed70..99c036d60 100644
--- a/config/rootfiles/core/128/update.sh
+++ b/config/rootfiles/core/128/update.sh
@@ -62,6 +62,7 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
fi
/etc/init.d/sshd restart
/etc/init.d/apache restart
+/etc/init.d/unbound restart
# This update needs a reboot...
touch /var/run/need_reboot
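Review bot: The added `/etc/init.d/unbound restart` line is not paired with any cleanup of the old key material. On systems upgraded from an earlier core update, the four files that this same commit stops referencing in unbound.conf (unbound_server.key, unbound_server.pem, unbound_control.key and unbound_control.pem under /etc/unbound) stay on disk unused. Consider removing them with an `rm -f` just before the restart, so that no orphaned private keys or badly dated certificates are left behind.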
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 2cc5bab8a..e20c3330d 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -83,12 +83,8 @@ server:
remote-control:
control-enable: yes
- control-use-cert: yes
+ control-use-cert: no
control-interface: 127.0.0.1
- server-key-file: "/etc/unbound/unbound_server.key"
- server-cert-file: "/etc/unbound/unbound_server.pem"
- control-key-file: "/etc/unbound/unbound_control.key"
- control-cert-file: "/etc/unbound/unbound_control.pem"
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
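Review bot: `control-use-cert: no` removes the only authentication on the control channel while `control-interface: 127.0.0.1` keeps that channel on a TCP socket, so every local process that can connect to loopback can now issue unbound-control commands, not just holders of the control key. Unbound also accepts an absolute path for `control-interface`, in which case it uses a local Unix socket and access is limited by the socket file's owner and group permissions. Switching to a socket path would avoid the certificate timestamp problem without leaving the control port unauthenticated. If the TCP listener has to stay, a comment in this block explaining why unauthenticated loopback access is acceptable on this system would help later readers.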
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 08007f50a..2ef994e96 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -507,11 +507,6 @@ case "$1" in
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- # Create control keys at first run
- if [ ! -r "/etc/unbound/unbound_control.key" ]; then
- unbound-control-setup -d /etc/unbound &>/dev/null
- fi
-
# Update configuration files
write_tuning_conf
write_forward_conf
hooks/post-receive
--
IPFire 2.x development tree