Verified Commit 48244977 authored by Karel Koci's avatar Karel Koci 🤘

Merge branch 'hotfix/turris-cagen-dhparam' into develop

parents 7222ed26 e8836234
......@@ -3,17 +3,11 @@ set -e
dhparam="/etc/ssl/ca/openvpn/dhparam.pem"
if [ -f "$dhparam" ] && ! uci get openvpn.server_turris >/dev/null 2>&1; then
if [ -f "$dhparam" ] || ! uci get openvpn.server_turris >/dev/null 2>&1; then
exit 0
fi
old="/etc/dhparam/dh-default.pem"
if [ -f "$old" ]; then
# Just to make it faster we copy original file if it is still present.
cp "$old" "$dhparam"
else
turris-cagen switch openvpn gen_dh
fi
turris-cagen switch openvpn link_dh
uci set openvpn.server_turris.dh="$dhparam"
uci commit openvpn.server_turris.dh
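Review bot: The early-exit test `[ -f "$dhparam" ]` accepts any existing file, so an empty or truncated `dhparam.pem` makes the script exit 0 and the `link_dh` step never runs. Such a file could be left by an interrupted earlier generation, if that step does not write atomically. Using `[ -s "$dhparam" ]` would at least reject a zero-length file. Routers that already have a file at that path also keep it, including one apparently copied from `/etc/dhparam/dh-default.pem` by the previous version of this script. If those parameters are meant to be replaced by the packaged ones, this condition will not do it.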
......@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=turris-cagen
PKG_VERSION:=5
PKG_VERSION:=6
PKG_RELEASE:=1
PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz>
......@@ -36,6 +36,9 @@ define Package/turris-cagen/install
$(INSTALL_DIR) $(1)/usr/bin/
$(INSTALL_BIN) files/cagen.sh $(1)/usr/bin/turris-cagen
$(INSTALL_BIN) files/cagen-status.sh $(1)/usr/bin/turris-cagen-status
$(INSTALL_DIR) $(1)/usr/share/turris-cagen/
$(INSTALL_DATA) files/dhparam.pem $(1)/usr/share/turris-cagen/dhparam.pem
endef
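Review bot: The added install lines ship `files/dhparam.pem` to every device, but nothing in this section records the size or origin of those parameters. Because all installations then share one DH group, an auditor needs to be able to confirm that it is large enough and how it was produced. I would add a comment above `define Package/turris-cagen/install`, such as `# files/dhparam.pem: shared DH parameters for all installs; <bit length>, generated with <command or source>`, with the real values filled in. The `define` block starts outside the hunk.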
......
#!/bin/ash
#!/bin/sh
#Copyright 2018 CZ.NIC z.s.p.o. (http://www.nic.cz/)
#Copyright 2018-2021 CZ.NIC z.s.p.o. (http://www.nic.cz/)
#
#This file as originaly part of NUCI configuration server.
#
......@@ -21,6 +21,7 @@ set -e
SCRIPT="$0"
OPENSSL_CONF=/etc/cagen/openssl.cnf
PREGENERATED_DHPARAM=/usr/share/turris-cagen/dhparam.pem
CA_DIR=${CA_DIR:-/etc/ssl/ca/}
LOCKFILE=
......@@ -125,6 +126,11 @@ do_gen_ca() {
msg gen_ca "finished ($CA)"
}
do_link_dh() {
test_active_ca link_dh
ln -sf "$PREGENERATED_DHPARAM" dhparam.pem
}
do_gen_dh() {
msg gen_dh "started"
test_active_ca gen_dh
......@@ -220,6 +226,9 @@ while [ "$1" ] ; do
gen_ca)
do_gen_ca
;;
link_dh)
do_link_dh
;;
gen_dh)
do_gen_dh
;;
......@@ -259,6 +268,7 @@ Commands:
background Terminate now and run the rest of the commands in background
new_ca <name> Create a new CA (without any keys or certificates) and switch to it
gen_ca Generate the certificates for the CA itself (invalidates all current certificates)
link_dh Link pregenerated DH parameters
gen_dh Generate new DH parameters
gen_server <name> Generate a server-side certificate
gen_client <name> Generate a client-side certificate
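Review bot: In `do_link_dh`, `ln -sf` silently replaces whatever `dhparam.pem` the active CA already has, so running `link_dh` on a CA with locally generated parameters swaps them for the shared packaged ones without any trace. The function also never checks that `$PREGENERATED_DHPARAM` exists, and `ln -s` will create a dangling link without complaint. A guard before the `ln`, such as `[ -r "$PREGENERATED_DHPARAM" ] || { echo "link_dh: $PREGENERATED_DHPARAM missing" >&2; exit 1; }`, would catch the missing file. Adding `msg link_dh` calls like those in `do_gen_ca` and `do_gen_dh` would record the replacement. The link is created relative to the current directory, which is presumably set by `switch` or `test_active_ca`; that is not visible in these hunks.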
......
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----