From c8e3c3944b2a9418f1af2fc90451cb0fe5e15bd2 Mon Sep 17 00:00:00 2001
From: Dragan Dosen
Date: Thu, 15 Aug 2013 19:56:26 +0200
Subject: [PATCH] Povecana velicina generiranog kljuca na 2048 bit, manje izmjene.

---
 README.CARNet | 6 +++---
 carnet-generate-ssl | 53 +++++++++++++++++++++++++------------------------
 carnet.conf | 1 -
 debian/changelog | 2 ++
 debian/postinst | 2 +-
 templates/openssl.cnf | 16 ++++++----------
 6 files changed, 39 insertions(+), 41 deletions(-)

diff --git a/README.CARNet b/README.CARNet
index d38f06b..1ad99a8 100644
--- a/README.CARNet
+++ b/README.CARNet
@@ -4,14 +4,14 @@ apache2-cn
 Ovaj paket donosi CARNetovu dodatnu konfiguraciju za apache2 paket iz Debian wheezy distribucije.
-Paket dodaje VirtualHost zapise za slijedece webove:
+Paket dodaje VirtualHost zapise za sljedece webove:
 http://stroj.domena.hr/
 http://www.domena.hr/
 https://www.domena.hr/
-Zadnji web koristi certifikat potpisan sa lokalno generiranim CA
-parom kljuceva. Za sve navedene web stranice DocumentRoot je
+Zadnji web koristi SSL certifikat potpisan s lokalno generiranim
+CA parom kljuceva. Za sve navedene web stranice DocumentRoot je
 postavljen tako da se sadrzaj sprema i cita iz /var/www/www.domena.hr
diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 7f618ba..9a17f02 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -20,8 +20,9 @@ FQDN="$2"
 WEBMASTER="$3"
 DOMAIN="$4"
-sslcrt=/etc/ssl/certs
-sslkey=/etc/ssl/private
+SSLDIR=/etc/ssl
+SSLCRTDIR=${SSLDIR}/certs
+SSLKEYDIR=${SSLDIR}/private
 A2CNDIR=$(dirname $0)
 KEYS=
@@ -38,23 +39,23 @@ trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
 export RANDFILE=/dev/urandom
-cd /etc/ssl
+cd ${SSLDIR}
 # Generate CA
 #
-if [ ! -f ${sslkey}/apache2-ca.key ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then
- (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
+ (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
 KEYS="${KEYS}
- - ${sslkey}/apache2-ca.key"
+ - ${SSLKEYDIR}/apache2-ca.key"
 fi
-if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
 cat < $TMPFILE
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = apache2-ca.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
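Review bot: The 2048-bit size on the rewritten `openssl genrsa` line only takes effect when `${SSLKEYDIR}/apache2-ca.key` is absent, because the surrounding `[ ! -f ... ]` guard keeps any existing CA key; hosts that ran the previous version keep their 1024-bit CA key after the upgrade, and every server certificate this script signs (`-CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key` further down) still chains to it. If that is intended, say so at the guard, e.g. `# An existing CA key is never replaced; only a missing one is generated (2048 bit).`, otherwise the upgrade path needs a way to notice the small key and regenerate the CA material. The `default_bits = 2048` added to the CA request config appears to be inert, since the key comes from genrsa and the later `openssl req -new -key` reuses it rather than generating one. `cd ${SSLDIR}` is also unchecked; `cd "${SSLDIR}" || exit 1` stops the script instead of continuing in the wrong directory.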
@@ -70,10 +71,10 @@ emailAddress = $WEBMASTER
 EOF
- openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
+ openssl req -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr
 fi
-if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
 cat >$TMPFILE < "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
 openssl req -config "$TMPFILE" -new -nodes \
- -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
+ -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr
 openssl x509 -extfile "$TMPFILE" -days 3650 \
- -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
- -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
+ -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \
+ -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key`
+mod1=`openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2.pem`
+mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key`
 if [ "$mod1" != "$mod2" ]; then
 echo "Moduli for server keys don't match."
@@ -126,17 +127,17 @@ if [ "$mod1" != "$mod2" ]; then
 fi
 KEYS="${KEYS}
- - ${sslcrt}/apache2.pem"
+ - ${SSLCRTDIR}/apache2.pem"
 KEYS="${KEYS}
- - ${sslkey}/apache2.key"
+ - ${SSLKEYDIR}/apache2.key"
-cd ${sslcrt}
+cd ${SSLCRTDIR}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
 # Fix file access permissions.
 #
-chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key
+chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key
 # Cleanup
diff --git a/carnet.conf b/carnet.conf
index eab9aeb..fa3482f 100644
--- a/carnet.conf
+++ b/carnet.conf
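Review bot: The rewritten `openssl req -config $TMPFILE -new -key ... -out ...` line leaves `$TMPFILE` and both key paths unquoted, while the server-side call a few lines later quotes the same variable as `-config "$TMPFILE"`; writing it as `openssl req -config "$TMPFILE" -new -key "${SSLKEYDIR}/apache2-ca.key" -out "${SSLKEYDIR}/apache2-ca.csr"` keeps the two calls uniform. The here-document that follows `cat >$TMPFILE` at the end of this hunk is not legible in the visible text, so its contents and terminator could not be checked.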
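Review bot: The rewritten `mod1=` and `mod2=` lines keep backtick substitution; `mod1=$(openssl x509 -noout -modulus -in "${SSLCRTDIR}/apache2.pem")` and `mod2=$(openssl rsa -noout -modulus -in "${SSLKEYDIR}/apache2.key")` are the equivalent `$(...)` form the script already uses for `A2CNDIR`. This hunk's `@@` header is outside the readable text, so its start could not be reviewed. Separately, the `openssl x509 -extfile "$TMPFILE" ... -req` signing command passes no `-extensions v3_req`; as far as the visible template shows, the subjectAltName lives only in its `[ v3_req ]` section, and `x509 -req` does not carry extensions over from the CSR, so it is worth confirming that the issued certificate actually contains the SAN (e.g. `openssl x509 -noout -text -in apache2.pem`).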
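Review bot: `cd ${SSLCRTDIR}` is unchecked, and the `ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)` right after it also runs on when the hash command fails; the empty substitution then turns it into a one-operand `ln -sf apache2.pem`, which on GNU coreutils replaces the certificate in the current directory with a link to itself. Checking both steps avoids that: `cd "${SSLCRTDIR}" || exit 1`, `hash=$(openssl x509 -hash -noout -in apache2.pem) || exit 1`, `ln -sf apache2.pem "$hash"`. The `chmod 600` on the two private keys uses absolute paths and is unaffected by the directory change.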
@@ -17,4 +17,3 @@ DirectoryIndex index.php index.html index.htm index.cgi index.pl index.xhtml
-
diff --git a/debian/changelog b/debian/changelog
index e62a5ff..b6a42e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ apache2-cn (2.2.22+1) stable; urgency=low
 * Uklonjena datoteka debian/source.lintian-overrides.
 * debian/postrm - dodan debhelper token, dodatne izmjene.
 * Dodana datoteka debian/source/format.
+ * Datoteke carnet-generate-ssl, templates/openssl.cnf - povecana
+ velicina generiranog kljuca na 2048 bit, manje izmjene.
 -- Dragan Dosen Tue, 13 Aug 2013 10:30:49 +0200
diff --git a/debian/postinst b/debian/postinst
index 907be26..9832c94 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -27,7 +27,7 @@ esac
 . /usr/share/carnet-tools/functions.sh
 PKG="apache2-cn"
-VERSION="2.2+1"
+VERSION="2.2.22+1"
 CONFDIR="/etc/apache2"
 CONF="$CONFDIR/apache2.conf"
 A2MODEDIR="$CONFDIR/mods-enabled"
diff --git a/templates/openssl.cnf b/templates/openssl.cnf
index 1b49eb2..fe44656 100644
--- a/templates/openssl.cnf
+++ b/templates/openssl.cnf
@@ -1,10 +1,9 @@
 #
-# custom openssl configuration file
-# based on csr.sh from http://wiki.cacert.org/wiki/VhostTaskForce
+# apache2-cn openssl configuration file
 #
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = /var/lib/misc/HOST_privatekey.pem
 distinguished_name = req_distinguished_name
 prompt = no
@@ -13,13 +12,10 @@ string_mask = nombstr
 req_extensions = v3_req
 [ req_distinguished_name ]
-countryName = HR
-#stateOrProvinceName =
-#localityName =
-organizationName = DOMAIN
-#organizationalUnitName =
-commonName = HOST
-emailAddress = WEBMASTER
+countryName = HR
+organizationName = DOMAIN
+commonName = HOST
+emailAddress = WEBMASTER
 [ v3_req ]
 subjectAltName=DNS:HOST,DNS:www.DOMAIN,DNS:mail.DOMAIN,DNS:ldap.DOMAIN,DNS:webmail.DOMAIN
-- 
1.7.10.4
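Review bot: `default_bits = 2048` in this template only governs key generation when `openssl req` is run without `-key`; the only visible consumer, `openssl req -config "$TMPFILE" -new -nodes -key ${SSLKEYDIR}/apache2.key` in carnet-generate-ssl, passes an existing key, so the setting looks inert and the effective server key size is whatever step produces `apache2.key`, which is not visible in this diff. It is worth confirming that step was raised to 2048 as well, otherwise the changelog entry overstates the change. A short comment next to the setting, e.g. `# default_bits only applies when openssl req generates the key itself; carnet-generate-ssl creates the key beforehand`, would keep the next reader from relying on it, and the same caveat applies to the unchanged `default_keyfile = /var/lib/misc/HOST_privatekey.pem` line.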