WEBMASTER="$3"
DOMAIN="$4"
-sslcrt=/etc/ssl/certs
-sslkey=/etc/ssl/private
+SSLDIR=/etc/ssl
+SSLCRTDIR=${SSLDIR}/certs
+SSLKEYDIR=${SSLDIR}/private
A2CNDIR=$(dirname $0)
KEYS=
export RANDFILE=/dev/urandom
-cd /etc/ssl
+cd ${SSLDIR}
# Generate CA
#
-if [ ! -f ${sslkey}/apache2-ca.key ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then
- (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
+ (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
KEYS="${KEYS}
- - ${sslkey}/apache2-ca.key"
+ - ${SSLKEYDIR}/apache2-ca.key"
fi
-if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
cat <<EOF > $TMPFILE
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = apache2-ca.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
EOF
- openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
+ openssl req -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr
fi
-if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
cat >$TMPFILE <<EOT
extensions = x509v3
nsCertType = sslCA
EOT
- openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/apache2-ca.key \
- -in ${sslkey}/apache2-ca.csr -req -out ${sslcrt}/apache2-ca.pem
+ openssl x509 -extfile $TMPFILE -days 3651 -signkey ${SSLKEYDIR}/apache2-ca.key \
+ -in ${SSLKEYDIR}/apache2-ca.csr -req -out ${SSLCRTDIR}/apache2-ca.pem
KEYS="${KEYS}
- - ${sslcrt}/apache2-ca.pem"
+ - ${SSLCRTDIR}/apache2-ca.pem"
fi
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2-ca.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2-ca.key`
+mod1=`openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2-ca.pem`
+mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2-ca.key`
if [ "$mod1" != "$mod2" ]; then
echo "Moduli for CA keys don't match."
exit 1
fi
-cd ${sslcrt}
+cd ${SSLCRTDIR}
ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
# Generate server certificate
#
-(umask 077; openssl genrsa -out ${sslkey}/apache2.key 1024)
+(umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2.key 2048)
echo 01 > "$TMPFILE2"
sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
< $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
openssl req -config "$TMPFILE" -new -nodes \
- -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
+ -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr
openssl x509 -extfile "$TMPFILE" -days 3650 \
- -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
- -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
+ -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \
+ -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key`
+mod1=`openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2.pem`
+mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key`
if [ "$mod1" != "$mod2" ]; then
echo "Moduli for server keys don't match."
fi
KEYS="${KEYS}
- - ${sslcrt}/apache2.pem"
+ - ${SSLCRTDIR}/apache2.pem"
KEYS="${KEYS}
- - ${sslkey}/apache2.key"
+ - ${SSLKEYDIR}/apache2.key"
-cd ${sslcrt}
+cd ${SSLCRTDIR}
ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
# Fix file access permissions.
#
-chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key
+chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key
# Cleanup
#
-# custom openssl configuration file
-# based on csr.sh from http://wiki.cacert.org/wiki/VhostTaskForce
+# apache2-cn openssl configuration file
#
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = /var/lib/misc/HOST_privatekey.pem
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
-countryName = HR
-#stateOrProvinceName =
-#localityName =
-organizationName = DOMAIN
-#organizationalUnitName =
-commonName = HOST
-emailAddress = WEBMASTER
+countryName = HR
+organizationName = DOMAIN
+commonName = HOST
+emailAddress = WEBMASTER
[ v3_req ]
subjectAltName=DNS:HOST,DNS:www.DOMAIN,DNS:mail.DOMAIN,DNS:ldap.DOMAIN,DNS:webmail.DOMAIN
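Review bot: The kept `req_extensions = v3_req` a few lines above only takes effect when `openssl req` builds the CSR; the server certificate is issued in the script with `openssl x509 -req -extfile "$TMPFILE"`, which looks for an `extensions =` key in the default section and does not copy extensions out of the CSR, so the subjectAltName list on the last line of this template is presumably never placed in the issued certificate and clients matching the hostname against SAN would reject it. Adding `extensions = v3_req` next to `req_extensions = v3_req` makes both commands read the same block. The bump to `default_bits = 2048` is harmless but inert here, because the script passes an existing key via `-key` and generates it separately with `openssl genrsa ... 2048`; a comment such as `# default_bits is informational: the key is generated by apache2-cn with openssl genrsa` would keep the next reader from expecting this line to control key size. If the template continues past the subjectAltName line, the same point applies to any further extension sections there.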