From 2a87d8e1bae3dc8cc71187c424e01d963b91e21a Mon Sep 17 00:00:00 2001 From: Jean-Philippe Pialasse Date: Wed, 17 Apr 2024 16:42:12 -0400 Subject: [PATCH] * Wed Apr 17 2024 Jean-Philippe Pialasse 11.0.0-9.sme - fix self-signed cert renewd when not necessary [SME: 12606] --- .../e-smith/templates/home/e-smith/ssl.crt | 22 ++++++++++++------- smeserver-base.spec | 5 ++++- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/root/etc/e-smith/templates/home/e-smith/ssl.crt b/root/etc/e-smith/templates/home/e-smith/ssl.crt index ae02617..06aadb4 100644 --- a/root/etc/e-smith/templates/home/e-smith/ssl.crt +++ b/root/etc/e-smith/templates/home/e-smith/ssl.crt @@ -4,6 +4,8 @@ use Date::Parse; use Cwd; use Net::IP qw(ip_is_ipv4 ip_is_ipv6); + use esmith::Logger; + tie *FH, 'esmith::Logger'; my $here = getcwd; my $Country = $modSSL{Country} || "--"; 
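Review bot: The logger is tied to the bareword glob `FH`, a package-wide name that any other code evaluated in the same package can reopen, tie or close. A name specific to this fragment avoids the clash, for example `tie *SSLCRT_LOG, 'esmith::Logger';`, with the `print FH` and `close FH` lines in the later hunks renamed to match. The tie appears to run on every expansion, while the only `close FH` (last hunk of this file) sits after `close(SSL) or die ...`, so it is skipped whenever that die fires. A short comment such as `# log why the existing self-signed certificate is being replaced` above the tie would tell the next reader what the handle is for. The surrounding template block starts and ends outside the hunk.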
@@ -52,16 +54,16 @@ my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) { - my $expected_issuer = '/C='.$Country . - '/ST='.$State; - $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Default City'); - $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd'); - $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment; - $expected_issuer .= "/CN=$commonName" . - "/emailAddress=$email"; + my $expected_issuer = 'C = '.$Country . + ', ST = '.$State; + $expected_issuer .= ', L = ' . ($defaultCity ? $defaultCity : 'Default City'); + $expected_issuer .= ', O = ' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd'); + $expected_issuer .= ", OU = $defaultDepartment" if $defaultDepartment; + $expected_issuer .= ", CN = $commonName" . + ", emailAddress = $email"; my $issuer = `openssl x509 -issuer -noout -in $crt`; chomp $issuer; - $issuer =~ s/^issuer= //; + $issuer =~ s/^issuer=//; my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`; chomp $signatureAlg; $signatureAlg =~ s/^ *Signature Algorithm: //; @@ -70,6 +72,9 @@ # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }' $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`; chomp $expected_subjectAltName; + print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer); + print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption"); + print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName); if ( ($issuer eq $expected_issuer) && ($signatureAlg ne "sha1WithRSAEncryption") 
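Review bot: The rewritten `$expected_issuer` is compared byte-for-byte with whatever `openssl x509 -issuer` prints by default, and a change in that layout is what this hunk is catching up with (`/C=../ST=..` to `C = .., ST = ..`). The next layout change would make the comparison fail again, and judging by the commit subject that means another unnecessary renewal. Requesting the layout explicitly keeps both sides in step: add `-nameopt oneline` to the `openssl x509 -issuer -noout -in $crt` call, after confirming that the installed OpenSSL prints `C = .., ST = ..` for that option. Values containing characters OpenSSL escapes or quotes, such as a comma in the company name, would presumably still never match the hand-built string, so a comment stating that limitation next to `$expected_issuer` is worth adding. The enclosing `if` block continues outside the hunk.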
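Review bot: The middle log line is guarded by a double negative with no space after the closing quote, `"unless ($signatureAlg ne "sha1WithRSAEncryption")`. It reads more plainly as `print FH "Self-Signed Cert: signature algorithm $signatureAlg is no longer accepted" if ($signatureAlg eq "sha1WithRSAEncryption");`. The other two messages print bare values and disagree on what "expected" means: in the issuer line it is the string built from the configuration, while `$expected_subjectAltName` is read from the certificate a few lines above. Labelling each value, e.g. `issuer in certificate` and `issuer from configuration`, would make the log unambiguous. The embedded `\n` also puts certificate-derived text on a second line of the log entry, so keeping each message on one line is safer for anything that parses these logs. The `if` these lines precede continues outside the hunk.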
@@ -117,4 +122,5 @@ } close(SSL) or die "Closing openssl pipe reported: $!"; chdir $here; + close FH; } diff --git a/smeserver-base.spec b/smeserver-base.spec index 36132ef..d8b4bcd 100644 --- a/smeserver-base.spec +++ b/smeserver-base.spec @@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module %define name smeserver-base Name: %{name} %define version 11.0.0 -%define release 8 +%define release 9 Version: %{version} Release: %{release}%{?dist} License: GPL @@ -184,6 +184,9 @@ fi %changelog +* Wed Apr 17 2024 Jean-Philippe Pialasse 11.0.0-9.sme +- fix self-signed cert renewd when not necessary [SME: 12606] + * Tue Apr 16 2024 Jean-Philippe Pialasse 11.0.0-8.sme - add requirement for ppp [SME: 12622] - add requirement for rp-pppoe [SME: 12628]