From patchwork Fri Sep 20 14:20:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8136 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0k1dBbz3wxp for ; Fri, 20 Sep 2024 14:20:38 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0c6lSfz60t; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0c4Jvdz345d; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3QQvz33gx for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0W52ZDz2MC; Fri, 
20 Sep 2024 14:20:27 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0S74wtz2xg8; Fri, 20 Sep 2024 14:20:24 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 1/5] sshd: Do not generate new RSA host key on first boot Date: Fri, 20 Sep 2024 14:20:18 +0000 Message-Id: <20240920142022.589371-1-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 Message-ID-Hash: 7JAKTVKQ2WNP4BTRLF6EIZDUOGFK3WCU X-Message-ID-Hash: 7JAKTVKQ2WNP4BTRLF6EIZDUOGFK3WCU X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This patch will also ensure the maximum supported key length is used for ECDSA. Existing installations will remain unaffected. Note that the key size for ED25519 is fixed, and explicitly setting it to 521 bytes will not have any impact. Signed-off-by: Peter Müller --- src/initscripts/system/sshd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd index fa40bc11d..e5a9931af 100644 --- a/src/initscripts/system/sshd +++ b/src/initscripts/system/sshd @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -24,14 +24,14 @@ case "$1" in start) - for algo in rsa ecdsa ed25519; do + for algo in ecdsa ed25519; do keyfile="/etc/ssh/ssh_host_${algo}_key" # If the key already exists, there is nothing to do. [ -e "${keyfile}" ] && continue boot_mesg "Generating SSH key (${algo})..." - ssh-keygen -qf "${keyfile}" -N '' -t ${algo} + ssh-keygen -qf "${keyfile}" -N '' -b 521 -t ${algo} evaluate_retval done From patchwork Fri Sep 20 14:20:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8138 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0l3W13z3x1v for ; Fri, 20 Sep 2024 14:20:39 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0g0871z6CM; Fri, 20 Sep 2024 14:20:35 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0f6mVmz342Q; Fri, 20 Sep 2024 14:20:34 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3p3Yz3408 for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC) Received: 
from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0V4jTzz2DC; Fri, 20 Sep 2024 14:20:26 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0T08NKz2xjP; Fri, 20 Sep 2024 14:20:25 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 2/5] apache: Drop RSA key and certificate generation Date: Fri, 20 Sep 2024 14:20:19 +0000 Message-Id: <20240920142022.589371-2-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240920142022.589371-1-peter.mueller@ipfire.org> References: <20240920142022.589371-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: MNZE7NYROMGEX6TYZU6EIMW7EUFRW54G X-Message-ID-Hash: MNZE7NYROMGEX6TYZU6EIMW7EUFRW54G X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Peter Müller --- src/initscripts/system/apache | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache index e7a62097e..ba7ede670 100644 --- a/src/initscripts/system/apache +++ b/src/initscripts/system/apache 
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,13 +25,6 @@ PIDFILE="/var/run/httpd.pid" generate_certificates() { - if [ ! -f "/etc/httpd/server.key" ]; then - boot_mesg "Generating HTTPS RSA server key (this will take a moment)..." - openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null - chmod 600 /etc/httpd/server.key - evaluate_retval - fi - if [ ! -f "/etc/httpd/server-ecdsa.key" ]; then boot_mesg "Generating HTTPS ECDSA server key..." openssl ecparam -genkey -name secp384r1 -noout \ 
@@ -40,29 +33,12 @@ generate_certificates() { evaluate_retval fi - # Generate RSA CSR - if [ ! -f "/etc/httpd/server.csr" ]; then - sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ - openssl req -new -key /etc/httpd/server.key \ - -out /etc/httpd/server.csr &>/dev/null - fi - - # Generate ECDSA CSR if [ ! -f "/etc/httpd/server-ecdsa.csr" ]; then sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \ openssl req -new -key /etc/httpd/server-ecdsa.key \ -out /etc/httpd/server-ecdsa.csr &>/dev/null fi - if [ ! -f "/etc/httpd/server.crt" ]; then - boot_mesg "Signing RSA certificate..." - openssl x509 -req -days 999999 -sha256 \ - -in /etc/httpd/server.csr \ - -signkey /etc/httpd/server.key \ - -out /etc/httpd/server.crt &>/dev/null - evaluate_retval - fi - if [ ! -f "/etc/httpd/server-ecdsa.crt" ]; then boot_mesg "Signing ECDSA certificate..." openssl x509 -req -days 999999 -sha256 \ From patchwork Fri Sep 20 14:20:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8134 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0j15sBz3wxp for ; Fri, 20 Sep 2024 14:20:37 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0c3YQWz2DC; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) 
From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 3/5] sshd_config: Drop RSA key Date: Fri, 20 Sep 2024 14:20:20 +0000 Message-Id: <20240920142022.589371-3-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240920142022.589371-1-peter.mueller@ipfire.org> References: <20240920142022.589371-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: E3LR5AROCQE6OSCF2DGF6D3LSNNMFR3Z X-Message-ID-Hash: E3LR5AROCQE6OSCF2DGF6D3LSNNMFR3Z X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Peter Müller --- config/ssh/sshd_config | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 76c9b3eb1..630370411 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config 
@@ -24,10 +24,9 @@ KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sh Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -# Only allow cryptographically safe SSH host keys (adjust paths if needed) +# Only allow cryptographically safe SSH host keys HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_rsa_key # Only allow login via public key by default PubkeyAuthentication yes From patchwork Fri Sep 20 14:20:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8135 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0k02MCz3x1v for ; Fri, 20 Sep 2024 14:20:38 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0c6kfBz2kn; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0c3Ch8z344r; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 
X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3PZBz33Lq for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0X1rzzz2kn; Fri, 20 Sep 2024 14:20:28 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0T0V6Pz2yRW; Fri, 20 Sep 2024 14:20:25 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 4/5] Drop RSA key and certificate from HTTPS configuration Date: Fri, 20 Sep 2024 14:20:21 +0000 Message-Id: <20240920142022.589371-4-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240920142022.589371-1-peter.mueller@ipfire.org> References: <20240920142022.589371-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 2LCN2GVVG3ZT66Y3HKPKOWNR63GXJR4G X-Message-ID-Hash: 2LCN2GVVG3ZT66Y3HKPKOWNR63GXJR4G X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Peter Müller --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 639f1d479..278283d08 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf 
@@ -15,8 +15,6 @@ SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off - SSLCertificateFile /etc/httpd/server.crt - SSLCertificateKeyFile /etc/httpd/server.key SSLCertificateFile /etc/httpd/server-ecdsa.crt SSLCertificateKeyFile /etc/httpd/server-ecdsa.key From patchwork Fri Sep 20 14:20:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8137 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0k5wRHz3xDT for ; Fri, 20 Sep 2024 14:20:38 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0f63vmz6BN; Fri, 20 Sep 2024 14:20:34 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0f5YkWz33gx; Fri, 20 Sep 2024 14:20:34 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3qPTz33Lq for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 
bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0X3tC7z5t0; Fri, 20 Sep 2024 14:20:28 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0T0gdFz2yTS; Fri, 20 Sep 2024 14:20:25 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 5/5] backup: No longer save RSA keys Date: Fri, 20 Sep 2024 14:20:22 +0000 Message-Id: <20240920142022.589371-5-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240920142022.589371-1-peter.mueller@ipfire.org> References: <20240920142022.589371-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: OCYXCOHJGFPXU5ICFZUKSAXE6Y23ZQS2 X-Message-ID-Hash: OCYXCOHJGFPXU5ICFZUKSAXE6Y23ZQS2 X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Peter Müller --- config/backup/include | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/backup/include b/config/backup/include index aacfaf64a..f0708c87f 100644 --- a/config/backup/include +++ b/config/backup/include @@ -1,12 +1,9 @@ etc/conntrackd/conntrackd.conf etc/group etc/hosts* -etc/httpd/server.crt -etc/httpd/server.csr etc/httpd/server-ecdsa.crt etc/httpd/server-ecdsa.csr etc/httpd/server-ecdsa.key -etc/httpd/server.key etc/ipsec.user.* etc/ipsec.user-post.conf etc/logrotate.d
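Review bot: in [PATCH 1/5], src/initscripts/system/sshd, the new `ssh-keygen -qf "${keyfile}" -N '' -b 521 -t ${algo}` line passes `-b 521` on every iteration of the loop, so the ed25519 run gets it too, where the commit message itself says it has no effect. Set the size per algorithm instead (for example a `case "${algo}"` that adds `-b 521` only for ecdsa), or at least add a comment in the script saying the flag is ignored for ed25519, so the next reader does not take 521 for an Ed25519 parameter. Two smaller points: `-b` takes a size in bits while the commit message says "521 bytes", and `${algo}` could be quoted the same way `"${keyfile}"` is.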
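Review bot: in [PATCH 2/5], src/initscripts/system/apache, hunk `@@ -40,29 +33,12 @@` deletes the `# Generate ECDSA CSR` comment together with the RSA CSR block, so the remaining `server-ecdsa.csr` block loses its only description even though it is not part of the RSA removal. Keep that comment line unless dropping it is intended. The commit message also has no body; one sentence on why RSA generation is removed and what happens to systems that already have `/etc/httpd/server.key` would help.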
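Review bot: in [PATCH 3/5], config/ssh/sshd_config, removing `HostKey /etc/ssh/ssh_host_rsa_key` changes what the server offers on systems that already have an RSA host key, which does not match the statement in 1/5 that existing installations remain unaffected if this file is shipped to them in an update. A client whose known_hosts entry for the firewall holds only the RSA key would then be presented with an ECDSA or Ed25519 key it has not verified yet. The commit message has no body; it should say whether updated systems receive this file and what administrators should expect on the first login afterwards. The removal of "(adjust paths if needed)" from the comment is unrelated to RSA and deserves a mention as well.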
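Review bot: in [PATCH 4/5], config/httpd/vhosts.d/ipfire-interface-ssl.conf, the hunk leaves `server-ecdsa.crt` and `server-ecdsa.key` as the only certificate pair, so a client that cannot validate an ECDSA server certificate loses access to the web interface, and the commit message says nothing about it. Add a body that states this compatibility consequence. Because patch 2/5 stops generating the files this hunk stops referencing, it is also worth saying in the series that 2/5 and 4/5 have to be applied together, so that no intermediate state points Apache at files that are never created.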
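Review bot: in [PATCH 5/5], config/backup/include, the hunk stops backing up `etc/httpd/server.crt`, `etc/httpd/server.csr` and `etc/httpd/server.key`, but nothing in the five patches removes those files from systems that already have them, so an unused RSA private key stays on disk after the change. Either delete the three files in the update that ships this series, or state in the commit message that they are kept on purpose. Backups taken before this change still contain these paths, so the message should also say what is expected to happen when such a backup is restored.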