* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
- handle dh params with template [SME: 12826] TODO timer and event - foolproofing dummy.module
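--- /dev/null
+++ b/root/etc/e-smith/events/actions/dhgenerator
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use esmith::ssl;
+
+my $event=shift||"program";
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 2048;
+# load config db
+
+mkdir($folder, 0700) unless(-d $folder );
+# if program (or during updates) we only generate the 2048 to start all programs after install without waiting too much
+if ( $event eq "program" || $event eq "temp" ) {
+my $exit_code=dh_exists_good_size($KeySize,"$folder/$KeySize.pem") || system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+exit 0;
+}
+# if called as event, we generate a 4096 if 2096 exist, and then expand templates for services in need of this
+# then the event will restart the service to use stronger dh.pem
+else {
+$KeySize = 4096 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+print "Key size is $KeySize\n";
+exit 0 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+# here we should test if uptime > 2 hours and return if not enough uptime
+system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+exit 0;
+}
+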
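Review bot: The status of the openssl call is never checked, neither on the `my $exit_code=...` line (where `$exit_code` is assigned and then ignored) nor on the `system(...)` line in the else branch, and both branches end in `exit 0`, so a failing or missing `/usr/bin/openssl` leaves no dh file while the action still reports success to the event. Checking the status makes the failure visible to the event log: `system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize) == 0 or die "dhparam $KeySize generation failed: $?";`. The `mkdir` line is likewise unchecked; `mkdir($folder, 0700) or die "mkdir $folder: $!" unless -d $folder;` would surface a permission problem before openssl tries to write into a missing directory. The `# load config db` comment has no code under it and should be completed or removed, and "2096" in the else-branch comment looks like a typo for 2048.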
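--- /dev/null
+++ b/root/etc/e-smith/templates/etc/crontab/dhgenerate
@@ -0,0 +1,8 @@
+{
+use esmith::ssl;
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 4096;
+$OUT = "#4096 dhparam exists";
+$OUT = '@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update'."\n" unless (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+}
+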
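Review bot: The fallback assignment `$OUT = "#4096 dhparam exists";` carries no trailing newline while the `@reboot` assignment appends `"\n"`; if this fragment is concatenated with other fragments of /etc/crontab (as template fragments presumably are), the first line of the following fragment would land on the same line as this comment and be silently commented out. Appending the newline keeps both outputs consistent: `$OUT = "#4096 dhparam exists\n";`. The `@reboot` job runs `sleep 2d` as root before signalling the event; that looks like a deliberate uptime delay, but it deserves a one-line comment next to the assignment, e.g. `# defer the 4096-bit generation until the host has two days of uptime, see actions/dhgenerator`.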
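--- /dev/null
+++ b/root/etc/e-smith/templates/home/e-smith/dh.pem
@@ -0,0 +1,35 @@
+{
+use esmith::ssl;
+# for the generation of originals in /home/e-smith/dh.pem/
+# we check that 4096 exist, if not we default to 2048. If not we generate it
+# for replication : we copy what we have
+
+my $DHSize = $modSSL{DHSize} ||'4096';
+my $key = "/home/e-smith/dh.pem";
+for my $DHSize (qw(4096 2048))
+{
+# if key exists and good size, we use it
+if ( dh_exists_good_size($DHSize,"$key/$DHSize.pem") )
+{
+# Old key file is still good. Read it out - processTemplate will work
+# out that it hasn't changed, and leave the old one in place
+open(K, "$key/$DHSize.pem") or die "Couldn't open key file: $!";
+my @key = <K>;
+chomp @key;
+$OUT = join "\n", @key;
+close(K);
+return;
+}
+}
+# if nothing have ever been generated we call the action script as program
+# it will generate a 2048, which 'should' be faster than 4096
+# later if uptime is sufficient 4096 will be generated.
+my $program = "/etc/e-smith/events/actions/dhgenerator";
+system($program);
+open(K, "$key/2048.pem") or die "Couldn't open dh file: $!";
+my @key = <K>;
+chomp @key;
+$OUT = join "\n", @key;
+close(K);
+return;
+}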
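Review bot: `my $DHSize = $modSSL{DHSize} ||'4096';` is shadowed by the loop variable on the `for my $DHSize (qw(4096 2048))` line, so a configured DHSize never influences which parameter file is served and the first declaration is dead code. If the setting is meant to be honoured, seed the candidate list with it under a distinct name, e.g. `my @sizes = ($DHSize, grep { $_ ne $DHSize } qw(4096 2048));` and `for my $size (@sizes)`, renaming the uses inside the loop body to `$size`; otherwise drop the unused line so readers do not expect the setting to work. Both `open(K, ...)` calls use a bareword global handle and two-argument open; the paths are built from fixed strings here, but `open(my $fh, '<', "$key/$DHSize.pem")` is the conventional form and avoids sharing `K` with anything else the template engine evaluates. The `system($program)` status is not checked, although the `open ... or die` that follows will at least fail loudly when no 2048.pem was produced.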