Message ID | 20190108193332.24543-1-ummeegge@ipfire.org |
---|---|
State | Accepted |
Commit | a946892338329dbee0289132413d4849e3641f7e |
Headers | From: Erik Kapfer <ummeegge@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] del_rand: Deletion of RAND file in openssl config Date: Tue, 8 Jan 2019 20:33:32 +0100 |
Series | del_rand: Deletion of RAND file in openssl config |
Commit Message
ummeegge
Jan. 9, 2019, 6:33 a.m. UTC
Fixes #11943
Since the kernel RNG should do this, there is no need for this anymore.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
config/ovpn/openssl/ovpn.cnf | 2 --
config/ssl/openssl.cnf | 2 --
2 files changed, 4 deletions(-)
Comments
Just as a reminder, because I haven't found it in Git, this one might be important for the OpenSSL update and IPSec.

Best,

Erik

On Tuesday, 08.01.2019, at 20:33 +0100, Erik Kapfer wrote:
> Fixes #11943
>
> Since the kernel RNG should do this, there is no need for this
> anymore.
>
> Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> ---
> config/ovpn/openssl/ovpn.cnf | 2 --
> config/ssl/openssl.cnf | 2 --
> 2 files changed, 4 deletions(-)
What is the reason that openssl.cnf is excluded in the updater?

> On 29 Jan 2019, at 13:17, ummeegge <ummeegge@ipfire.org> wrote:
>
> Just as a reminder, because I haven't found it in Git, this one might be
> important for the OpenSSL update and IPSec.
>
> Best,
>
> Erik
I merged it.

For some reason I thought this was part of the OpenSSL patchset.

Best,
-Michael

> On 29 Jan 2019, at 13:51, Michael Tremer <michael.tremer@ipfire.org> wrote:
>
> What is the reason that openssl.cnf is excluded in the updater?
OK, thanks.
But good that you mentioned the updater, because we wanted to then also delete the .rnd files under /var/ipfire/ovpn/ca and under /var/tmp/.rnd, since both openssl configuration files did exclude them with this patch.

I would send a patch for this too, but I am currently travelling and will be back again next week.

The list of all available .rnd files is:
-rw------- 1 nobody nobody 1024 Sep 1 09:07 /home/nobody/.rnd
-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
-rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
-rw------- 1 root root 1024 Jun 25 12:59 /.rnd
-rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd

Should they be deleted too?

Best,

Erik

On Tuesday, 29.01.2019, at 13:52 +0000, Michael Tremer wrote:
> I merged it.
>
> For some reason I thought this was part of the OpenSSL patchset.
>
> Best,
> -Michael
Yes, I think we can delete them. They don’t serve any purpose.

> On 29 Jan 2019, at 15:11, ummeegge <ummeegge@ipfire.org> wrote:
>
> OK, thanks.
> But good that you mentioned the updater, because we wanted to then
> also delete the .rnd files under /var/ipfire/ovpn/ca and under /var/tmp/.rnd,
> since both openssl configuration files did exclude them with this
> patch.
>
> I would send a patch for this too, but I am currently travelling and will be
> back again next week.
>
> The list of all available .rnd files is:
> -rw------- 1 nobody nobody 1024 Sep 1 09:07 /home/nobody/.rnd
> -rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
> -rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
> -rw------- 1 root root 1024 Jun 25 12:59 /.rnd
> -rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd
>
> Should they be deleted too?
>
> Best,
>
> Erik
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index 40daf2a0a..96c3dcb09 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -1,5 +1,4 @@ HOME = . -RANDFILE = /var/ipfire/ovpn/ca/.rnd oid_section = new_oids [ new_oids ] @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem serial = $dir/certs/serial crl = $dir/crl.pem private_key = $dir/ca/cakey.pem -RANDFILE = $dir/ca/.rand x509_extensions = usr_cert default_days = 999999 default_crl_days = 30 diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 9d1e6e1ff..3b980fcd4 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -1,5 +1,4 @@ HOME = . -RANDFILE = /var/tmp/.rnd oid_section = new_oids [ new_oids ] @@ -17,7 +16,6 @@ certificate = $dir/ca/cacert.pem serial = $dir/certs/serial crl = $dir/crls/cacrl.pem private_key = $dir/private/cakey.pem -RANDFILE = $dir/tmp/.rand x509_extensions = usr_cert default_days = 999999 default_crl_days= 30
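Review bot: in the first config/ovpn/openssl/ovpn.cnf hunk (@@ -1,5 +1,4 @@), removing "RANDFILE = /var/ipfire/ovpn/ca/.rnd" only stops the path from being configured. The patch changes two config files and nothing else, so a seed file already written at that path stays in the CA directory on installed systems. Pair this with a removal step in the update path, or state in the commit message that the on-disk cleanup is deferred to a follow-up.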
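Review bot: in the second config/ovpn/openssl/ovpn.cnf hunk (@@ -17,7 +16,6 @@), the removed "RANDFILE = $dir/ca/.rand" names a different file from the global entry removed in the hunk before it (.rand here, .rnd there). The subject speaks of a single RAND file; the message should say that both the global and the CA-section settings are dropped, and any later cleanup has to cover both file names.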
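Review bot: in config/ssl/openssl.cnf, both removals ("RANDFILE = /var/tmp/.rnd" at @@ -1,5 +1,4 @@ and "RANDFILE = $dir/tmp/.rand" at @@ -17,7 +16,6 @@) are justified only by "the kernel RNG should do this" and a ticket number. The commit message should name the OpenSSL version or behaviour the change relies on and summarise what #11943 reported, so a reader of the log can confirm that nothing consuming this config still expects a seed file without having to open the tracker.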