From a545dc6458c3d38599a1a8cde391de3bb0fecf0a Mon Sep 17 00:00:00 2001 From: Jean-Philippe Pialasse Date: Tue, 18 Mar 2025 00:39:18 -0400 Subject: [PATCH] * Tue Mar 18 2025 Jean-Philippe Pialasse 11.0.0-9.sme - handle dhparams [SME: 12963] --- createlinks | 8 ++++++++ .../e-smith/templates/etc/proftpd.conf/06ModTLS | 16 +++++++++++----- .../dhparam-generator.service.d/52proftpd.conf | 2 ++ smeserver-proftpd.spec | 5 ++++- 4 files changed, 25 insertions(+), 6 deletions(-) create mode 100644 root/usr/lib/systemd/system/dhparam-generator.service.d/52proftpd.conf diff --git a/createlinks b/createlinks index 3702944..703cb99 100755 --- a/createlinks +++ b/createlinks @@ -80,4 +80,12 @@ templates2events("/etc/systemd/system-preset/49-koozali.preset", $event); event_link("systemd-reload", $event, "89"); templates2events("/etc/rsyslog.conf", $event); +$event = "dhparam-update"; +templates2events("/etc/proftpd.conf", $event); +safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/proftpd"); + +$event = "smeserver-base-update"; +templates2events("/etc/proftpd.conf", $event); +safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/proftpd"); + exit 0; diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS index d6c56d9..fc003e7 100644 --- a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS +++ b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS 
@@ -18,29 +18,35 @@ my $chain_file = $modSSL{CertificateChainFile} || "# no chain cert"; - $chain_file = "# no chain cert" unless -e $chain_file; - + $chain_file = "# no chain cert" unless -e $chain_file; $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file : "TLSCertificateChainFile $chain_file"; + + #/home/e-smith/dh.pem/4096.pem + my $ftpdhparam = "#no dh param"; + $ftpdhparam = "SFTPDHParamFile /home/e-smith/dh.pem/2048.pem" if (dh_exists_good_size("2048","/home/e-smith/dh.pem/2048.pem")); + $ftpdhparam = "SFTPDHParamFile /home/e-smith/dh.pem/4096.pem" if (dh_exists_good_size("4096","/home/e-smith/dh.pem/4096.pem")); + my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers; #SME11 proftpd 1.3.6 branch does not support TLS v1.3 $smeSSLprotocol =~ s/TLSv1.3//; # NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder - $OUT .= < TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol $smeSSLprotocol -TLSCipherSuite $ciphers +TLSCipherSuite $ciphers TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired TLSRSACertificateFile $crt TLSRSACertificateKeyFile $key $chain_file +$ftpdhparam TLSVerifyClient $tlsclient TLSRequired $tlsrequired SSL_END - } + } } diff --git a/root/usr/lib/systemd/system/dhparam-generator.service.d/52proftpd.conf b/root/usr/lib/systemd/system/dhparam-generator.service.d/52proftpd.conf new file mode 100644 index 0000000..dc7bbda --- /dev/null +++ b/root/usr/lib/systemd/system/dhparam-generator.service.d/52proftpd.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=-/sbin/e-smith/expand-template /etc/proftpd.conf diff --git a/smeserver-proftpd.spec b/smeserver-proftpd.spec index 49cb10a..68194ed 100644 --- a/smeserver-proftpd.spec +++ b/smeserver-proftpd.spec 
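Review bot: `SFTPDHParamFile` is mod_sftp's directive, while every other line this template emits (`TLSEngine`, `TLSProtocol`, `TLSRSACertificateFile`, ...) belongs to mod_tls, whose DH-parameter directive is `TLSDHParamFile`. As written, the two `$ftpdhparam` assignments leave the FTPS handshake on proftpd's default DH parameters, and if mod_sftp is not loaded the unknown directive would presumably make proftpd reject the configuration at its next restart. I would change both to the mod_tls form, e.g. `$ftpdhparam = "TLSDHParamFile /home/e-smith/dh.pem/4096.pem" if (dh_exists_good_size("4096","/home/e-smith/dh.pem/4096.pem"));` and likewise for 2048. The leftover `#/home/e-smith/dh.pem/4096.pem` comment could become one saying that the largest validated file wins. `dh_exists_good_size` and the start of the template block are outside the hunk, so what the helper actually validates cannot be confirmed from here.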
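Review bot: The new drop-in `52proftpd.conf` only re-expands `/etc/proftpd.conf` after the generator runs; nothing in it restarts proftpd, and the leading `-` on `ExecStartPost` hides a failed expansion. Unless the dhparam-generator service itself signals the `dhparam-update` event (not visible in this patch), the running daemon keeps its old DH parameters until something else restarts it, and the file on disk no longer matches the running configuration. If the event is signalled elsewhere, a comment such as `# proftpd is restarted by the dhparam-update event; this only refreshes the config file` would make that explicit; otherwise a restart step is missing here.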
@@ -4,7 +4,7 @@ Summary: smeserver specific proftpd configuration files and templates %define name smeserver-proftpd Name: %{name} %define version 11.0.0 -%define release 8 +%define release 9 Version: %{version} Release: %{release}%{?dist} License: GPL @@ -26,6 +26,9 @@ Provides: e-smith-proftpd AutoReqProv: no %changelog +* Tue Mar 18 2025 Jean-Philippe Pialasse 11.0.0-9.sme +- handle dhparams [SME: 12963] + * Mon Feb 24 2025 Jean-Philippe Pialasse 11.0.0-8.sme - move peer template from /var/service/ftp to proftpd [SME: 12942]