From patchwork Tue Sep 5 04:21:39 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1403 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 03C2661AB5 for ; Mon, 4 Sep 2017 20:21:54 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 29E6D2845; Mon, 4 Sep 2017 20:21:52 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 7B1E22845 for ; Mon, 4 Sep 2017 20:21:50 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 3B2AB410BC for ; Mon, 4 Sep 2017 20:21:40 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id F2E0F9F315 for ; Mon, 4 Sep 2017 20:21:39 +0200 (CEST) Date: Mon, 4 Sep 2017 20:21:39 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH 1/3] add ECDSA key generation to httpscert Message-ID: <20170904202139.4255a2fe.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient. Signed-off-by: Peter Müller diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..b38db9fbb 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,23 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating https RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 + echo "Generating https ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key fi - echo "Generating CSR" + echo "Generating CSRs" /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + echo "Signing certificates" /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ /etc/httpd/server.crt + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then From patchwork Tue Sep 5 04:22:48 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1404 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 8DBD561AB5 for ; Mon, 4 Sep 2017 20:23:04 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 15F962852; Mon, 4 Sep 2017 20:23:04 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 1AFBB284B for ; Mon, 4 Sep 2017 20:23:00 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 96FF9410BC for ; Mon, 4 Sep 2017 20:22:49 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 714859F315 for ; Mon, 4 Sep 2017 20:22:49 +0200 (CEST) Date: Mon, 4 Sep 2017 20:22:48 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH 2/3] add ECDSA certificate and key files to Apache configuration Message-ID: <20170904202248.6b2b914f.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Make Apache use the ECDSA certificate and key, too. Depends on PATCH 1/3 and on PATCH 3/3 in case of existing installations. Signed-off-by: Peter Müller diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..1af6b5ff1 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -9,10 +9,12 @@ TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA SSLHonorCipherOrder on SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertiticateKeyFile /etc/httpd/server-ecdsa.key Options ExecCGI From patchwork Tue Sep 5 04:23:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1405 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 95CD761AB5 for ; Mon, 4 Sep 2017 20:23:20 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 2B03F2858; Mon, 4 Sep 2017 20:23:20 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id EBBF3284F for ; Mon, 4 Sep 2017 20:23:17 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id B8145410BF for ; Mon, 4 Sep 2017 20:23:06 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 0C1DE9F451 for ; Mon, 4 Sep 2017 20:23:06 +0200 (CEST) Date: Mon, 4 Sep 2017 20:23:05 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH 3/3] generate ECDSA certificate and key on existing installations Message-ID: <20170904202305.28c45ae6.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Generate ECDSA certificate and key file on existing installations via the update.sh script. This is required since Apache crashes if some Certificate(Key)File directives point to non-existing files: Restarting Apache daemon... Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf: SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty Key generation only takes a few seconds even on legacy systems. Also existing installations will then use ECDSA/RSA certificate dual-stack. Signed-off-by: Peter Müller diff --git a/config/rootfiles/core/114/update.sh b/config/rootfiles/core/114/update.sh index 6d7a10b5e..c5d945b21 100644 --- a/config/rootfiles/core/114/update.sh +++ b/config/rootfiles/core/114/update.sh @@ -60,6 +60,14 @@ rm -f /usr/sbin/htpasswd # Update Language cache /usr/local/bin/update-lang-cache +# Generate ECDSA certificate and key file to prevent Apache from crashing on existing installations +/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key +/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr +/usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + # Start services /etc/init.d/unbound start /etc/init.d/apache start