From patchwork Thu Oct 5 06:38:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1437 Return-Path: Received: from mail01.ipfire.org by mail01.ipfire.org (Dovecot) with LMTP id UQ7wH8o41VntSwAAmDronw ; Wed, 04 Oct 2017 21:38:50 +0200 Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id D323E2835; Wed, 4 Oct 2017 21:38:49 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [188.68.43.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 077812828 for ; Wed, 4 Oct 2017 21:38:44 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id DCE6B4153E for ; Wed, 4 Oct 2017 21:38:37 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 623DD9F6C5 for ; Wed, 4 Oct 2017 21:38:33 +0200 (CEST) Date: Wed, 4 Oct 2017 21:38:27 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH v2 1/3] add ECDSA key generation to httpscert Message-ID: <20171004213827.77e5b5b7.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" X-Evolution-Source: 1292431680.19116.5@rice-oxley.tremer.info Add ECDSA server certificate and key generation to httpscert. The key has a length of 384 bits, which equals > 4096 bits RSA and should be sufficient. Changed since v1: Do not regenerate or oversign existing keys or CSRs. This patch depends on: - v1 2/3 add ECDSA certificate and key files to Apache configuration - v2 3/3 generate ECDSA certificate and key on existing installations Signed-off-by: Peter Müller diff --git a/src/scripts/httpscert b/src/scripts/httpscert index e20f789ed..52932bc70 100644 --- a/src/scripts/httpscert +++ b/src/scripts/httpscert @@ -7,16 +7,35 @@ case "$1" in new) if [ ! -f /etc/httpd/server.key ]; then - echo "Generating https server key." + echo "Generating HTTPS RSA server key." /usr/bin/openssl genrsa -out /etc/httpd/server.key 4096 fi - echo "Generating CSR" - /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ - req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr - echo "Signing certificate" - /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ - /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ - /etc/httpd/server.crt + if [ ! -f /etc/httpd/server-ecdsa.key ]; then + echo "Generating HTTPS ECDSA server key." + /usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key + fi + + echo "Generating CSRs" + if [ ! -f /etc/httpd/server.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr + fi + if [ ! -f /etc/httpd/server-ecdsa.csr ]; then + /bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \ + req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr + fi + + echo "Signing certificates" + if [ ! -f /etc/httpd/server.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server.csr -signkey /etc/httpd/server.key -out \ + /etc/httpd/server.crt + fi + if [ ! -f /etc/httpd/server-ecdsa.crt ]; then + /usr/bin/openssl x509 -req -days 999999 -sha256 -in \ + /etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \ + /etc/httpd/server-ecdsa.crt + fi ;; read) if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then From patchwork Thu Oct 5 06:38:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1438 Return-Path: Received: from mail01.ipfire.org by mail01.ipfire.org (Dovecot) with LMTP id zX4IJMU41VntSwAAmDronw ; Wed, 04 Oct 2017 21:38:45 +0200 Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 95913282B; Wed, 4 Oct 2017 21:38:44 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [IPv6:2a03:4000:17:39a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 325872828 for ; Wed, 4 Oct 2017 21:38:40 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 7F0EE414DA for ; Wed, 4 Oct 2017 21:38:32 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id EA2169F24E for ; Wed, 4 Oct 2017 21:38:32 +0200 (CEST) Date: Wed, 4 Oct 2017 21:38:20 +0200 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH v2 3/3] generate ECDSA certificate and key on existing installations Message-ID: <20171004213820.125b7aae.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" X-Evolution-Source: 1292431680.19116.5@rice-oxley.tremer.info Generate ECDSA certificate and key file on existing installations via the update.sh script. This is required since Apache crashes if some Certificate(Key)File directives point to non-existing files: Restarting Apache daemon... Syntax error on line 17 of /etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf: SSLCertificateFile: file '/etc/httpd/server-ecdsa.crt' does not exist or is empty Key generation only takes a few seconds even on legacy systems. Also existing installations will then use ECDSA/RSA certificate dual-stack. Changes from v1: Use the httpscert script (never repeat yourself) and restart Apache afterwards to load the changes. Signed-off-by: Peter Müller diff --git a/config/rootfiles/core/115/update.sh b/config/rootfiles/core/115/update.sh index e0ee121ce..afeeca14a 100644 --- a/config/rootfiles/core/115/update.sh +++ b/config/rootfiles/core/115/update.sh @@ -35,6 +35,7 @@ done openvpnctrl -k openvpnctrl -kn2n + # Extract files extract_files @@ -44,10 +45,13 @@ ldconfig # Update Language cache #/usr/local/bin/update-lang-cache +# generate ECDSA certificate and key file to prevent Apache from crashing on existing installations +/usr/local/bin/httpscert + # Start services openvpnctrl -s openvpnctrl -sn2n - +/etc/init.d/apache restart # This update need a reboot... #touch /var/run/need_reboot