* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme

- handle dh params with template [SME: 12826] TODO timer and event - foolproofing dummy.module
2025-03-17 22:55:51 -04:00
parent ccd94a71e2
commit 8615e569eb
9 changed files with 149 additions and 10 deletions
--- a/root/usr/lib/systemd/system-preset/50-koozali.preset
+++ b/root/usr/lib/systemd/system-preset/50-koozali.preset
@@ -15,12 +15,6 @@ enable networking.service
 enable wan.service
 enable masq.service
 enable php-fpm.service
-enable php55-php-fpm.service
-enable php56-php-fpm.service
-enable php70-php-fpm.service
-enable php71-php-fpm.service
-enable php72-php-fpm.service
-enable php73-php-fpm.service
 enable php74-php-fpm.service
 enable php80-php-fpm.service
 enable httpd-e-smith.service
@@ -73,3 +67,4 @@ disable ntpdate.service
 disable ftp.service
 disable proftpd.service

+enable dhparam-generator.service
--- a/root/usr/lib/systemd/system/dhparam-generator.service
+++ b/root/usr/lib/systemd/system/dhparam-generator.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Diffie Hellman parameter generator
+#TODO: add Requires= or Wants= to those:
+Before=ftp.service
+Before=dovecot.service
+Before=qpsmtpd.service sqpsmtpd.service uqpsmtpd.service
+Before=radiusd.service
+
+[Service]
+Type=oneshot
+ExecStart=/etc/e-smith/events/actions/dhgenerator
+# sqpsmtpd and uqpsmtpd use a symlink to /var/service/qpsmtpd/ssl
+ExecStartPost=-/sbin/e-smith/expand-template /var/service/qpsmtpd/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/dovecot/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/raddb/certs/dh 
+
+PrivateTmp=true
+ProtectSystem=no
+ProtectHome=no
+PrivateDevices=false
+
+[Install]
+WantedBy=sme-server.target
+
--- a/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
@@ -6,7 +6,7 @@ use esmith::ConfigDB;


 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos dh_exists_good_size);

 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
@@ -162,6 +162,38 @@ sub related_key_cert {
    return 0;
 }

+=head2 dh_exists_good_size
+# check dh exist
+# check dh is indeed dh
+# check dh size 
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+=cut
+
+sub dh_exists_good_size {
+    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+    my %modSSL = $configdb->as_hash('modSSL');
+    my $KeySize = shift || $modSSL{DHSize} ||'4096';
+		my $dh = shift || "/home/e-smith/dh.pem/$KeySize.pem";
+    if ( -f $dh )
+    {
+  my $signatureKeySize = `openssl dhparam -text -noout -in $dh 2>/dev/null | grep "DH Parameters:" | head -1`;
+  chomp $signatureKeySize;
+  $signatureKeySize =~ s/^.*DH Parameters: \((.*) bit\)/$1/p;
+  if ( $signatureKeySize == $KeySize ) {
+    #print "$signatureKeySize\n";
+    # cert is  correct size and exists, we can proceed.
+    # next check key and cert are related
+    # next check cert is still valid
+    # next check alt name are still the same
+    return 1;
+  }
+    }
+    return 0;
+}
+
+
+
 ##TODO write sub and migrate those actions from template fragments
 # check cert is related to key
 # => /etc/e-smith/templates/home/e-smith/ssl.crt