Revision: 7532
http://sourceforge.net/p/ipcop/svn/7532
Author: owes
Date: 2014-05-13 20:21:17 +0000 (Tue, 13 May 2014)
Log Message:
-----------
Change the default md algorithm and host cert keysize. Make md algo and
root/host keysizes configurable when creating CA.
Modified Paths:
--------------
ipcop/trunk/config/ssl/openssl.cnf
ipcop/trunk/html/cgi-bin/vpnca.cgi
ipcop/trunk/updates/2.1.6/ROOTFILES.i486-2.1.6
Modified: ipcop/trunk/config/ssl/openssl.cnf
===================================================================
--- ipcop/trunk/config/ssl/openssl.cnf 2014-05-11 17:10:18 UTC (rev 7531)
+++ ipcop/trunk/config/ssl/openssl.cnf 2014-05-13 20:21:17 UTC (rev 7532)
@@ -21,7 +21,7 @@
x509_extensions = usr_cert
default_days = 999999
default_crl_days= 30
-default_md = md5
+default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
@@ -35,7 +35,7 @@
emailAddress = optional
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
Modified: ipcop/trunk/html/cgi-bin/vpnca.cgi
===================================================================
--- ipcop/trunk/html/cgi-bin/vpnca.cgi 2014-05-11 17:10:18 UTC (rev 7531)
+++ ipcop/trunk/html/cgi-bin/vpnca.cgi 2014-05-13 20:21:17 UTC (rev 7532)
@@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with IPCop. If not, see <http://www.gnu.org/licenses/>.
#
-# (c) 2001-2011 The IPCop Team
+# (c) 2001-2014 The IPCop Team
#
# $Id$
#
@@ -63,6 +63,10 @@
$cgiparams{'ROOTCERT_COUNTRY'} = '';
$cgiparams{'SUBJECTALTNAME'} = '';
$cgiparams{'P12_PASS'} = '';
+$cgiparams{'ROOTCERT_DIGEST'} = '';
+$cgiparams{'ROOTCERT_ROOTBITS'} = '';
+$cgiparams{'ROOTCERT_HOSTBITS'} = '';
+
my @now = localtime();
$cgiparams{'DAY'} = $now[3];
$cgiparams{'MONTH'} = $now[4];
@@ -451,6 +455,13 @@
$cgiparams{'ROOTCERT_CITY'} = $rootcertsettings{'ROOTCERT_CITY'} if
(!$cgiparams{'ROOTCERT_CITY'});
$cgiparams{'ROOTCERT_STATE'} = $rootcertsettings{'ROOTCERT_STATE'} if
(!$cgiparams{'ROOTCERT_STATE'});
$cgiparams{'ROOTCERT_COUNTRY'} = $rootcertsettings{'ROOTCERT_COUNTRY'}
if (!$cgiparams{'ROOTCERT_COUNTRY'});
+ $cgiparams{'ROOTCERT_DIGEST'} = $rootcertsettings{'ROOTCERT_DIGEST'}
if (!$cgiparams{'ROOTCERT_DIGEST'});
+ $cgiparams{'ROOTCERT_ROOTBITS'} =
$rootcertsettings{'ROOTCERT_ROOTBITS'} if (!$cgiparams{'ROOTCERT_ROOTBITS'});
+ $cgiparams{'ROOTCERT_HOSTBITS'} =
$rootcertsettings{'ROOTCERT_HOSTBITS'} if (!$cgiparams{'ROOTCERT_HOSTBITS'});
+ # set proper defaults
+ $cgiparams{'ROOTCERT_DIGEST'} = 'sha256' if
(!$cgiparams{'ROOTCERT_DIGEST'});
+ $cgiparams{'ROOTCERT_ROOTBITS'} = '2048' if
(!$cgiparams{'ROOTCERT_ROOTBITS'});
+ $cgiparams{'ROOTCERT_HOSTBITS'} = '2048' if
(!$cgiparams{'ROOTCERT_HOSTBITS'});
}
elsif (($cgiparams{'GENERATE_ROOT'} eq 'second') && ($cgiparams{'ACTION'}
eq $Lang::tr{'generate root/host certificates'})) {
@@ -532,6 +543,9 @@
$rootcertsettings{'ROOTCERT_CITY'} =
$cgiparams{'ROOTCERT_CITY'};
$rootcertsettings{'ROOTCERT_STATE'} =
$cgiparams{'ROOTCERT_STATE'};
$rootcertsettings{'ROOTCERT_COUNTRY'} =
$cgiparams{'ROOTCERT_COUNTRY'};
+ $rootcertsettings{'ROOTCERT_DIGEST'} =
$cgiparams{'ROOTCERT_DIGEST'};
+ $rootcertsettings{'ROOTCERT_ROOTBITS'} =
$cgiparams{'ROOTCERT_ROOTBITS'};
+ $rootcertsettings{'ROOTCERT_HOSTBITS'} =
$cgiparams{'ROOTCERT_HOSTBITS'};
&General::writehash("/var/ipcop/vpn/rootcertsettings",
\%rootcertsettings);
# Replace empty strings with a .
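Review bot: The three new settings are persisted at `$rootcertsettings{'ROOTCERT_DIGEST'} = $cgiparams{'ROOTCERT_DIGEST'};` (and the two `*BITS` lines that follow) without any check that they are one of the values the form offers; the enclosing elsif branch starts before this hunk, so I cannot see whether they were validated earlier, but the `# set proper defaults` fallbacks in the prefill branch do not run on this path. These strings are later pasted into an openssl command line as `-newkey rsa:$bits -$digest` and `-md $digest`, so an empty or unexpected value reaches openssl as a missing key size or an arbitrary option name, and also ends up in /var/ipcop/vpn/rootcertsettings for every later run. A whitelist before the `writehash` call, using whatever error/goto pattern the rest of the branch uses, would close that off: `$errormessage = 'invalid message digest' unless $cgiparams{'ROOTCERT_DIGEST'} =~ /\A(?:md5|sha256|sha512)\z/;` and `$errormessage = 'invalid key size' unless $cgiparams{'ROOTCERT_ROOTBITS'} =~ /\A(?:1024|2048|4096)\z/ && $cgiparams{'ROOTCERT_HOSTBITS'} =~ /\A(?:1024|2048|4096)\z/;`. How `$opt` is finally executed (the child side of the `open(STDIN, "-|")` fork) is outside these hunks, so I cannot tell whether a shell is involved; the whitelist makes that question moot.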
@@ -545,7 +559,7 @@
if (open(STDIN, "-|")) {
my $opt = " req -x509 -nodes -rand
/proc/interrupts:/proc/net/rt_cache";
$opt .= " -days $certdays";
- $opt .= " -newkey rsa:2048";
+ $opt .= " -newkey rsa:$rootcertsettings{'ROOTCERT_ROOTBITS'}
-$rootcertsettings{'ROOTCERT_DIGEST'}";
$opt .= " -keyout /var/ipcop/private/cakey.pem";
$opt .= " -out /var/ipcop/ca/cacert.pem";
@@ -568,7 +582,7 @@
&General::log("vpn", "Creating host cert...");
if (open(STDIN, "-|")) {
my $opt = " req -nodes -rand
/proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:1024";
+ $opt .= " -newkey rsa:$rootcertsettings{'ROOTCERT_HOSTBITS'}
-$rootcertsettings{'ROOTCERT_DIGEST'}";
$opt .= " -keyout /var/ipcop/certs/hostkeytmp.pem";
$opt .= " -out /var/ipcop/certs/hostreq.pem";
$opt .= " -extensions server";
@@ -606,7 +620,7 @@
close ($fh);
my $opt = " ca -days $certdays";
- $opt .= " -batch -notext";
+ $opt .= " -md $rootcertsettings{'ROOTCERT_DIGEST'} -batch -notext";
$opt .= " -in /var/ipcop/certs/hostreq.pem";
$opt .= " -out /var/ipcop/certs/hostcert.pem";
$opt .= " -extfile $v3extname";
@@ -752,6 +766,20 @@
}
ROOTCERT_ERROR:
+ my %selected = ();
+ # List digest options using: openssl dgst --help. Documentation is likely
out of date.
+ $selected{'ROOTCERT_DIGEST'}{'md5'} = '';
+ $selected{'ROOTCERT_DIGEST'}{'sha256'} = '';
+ $selected{'ROOTCERT_DIGEST'}{'sha512'} = '';
+ $selected{'ROOTCERT_DIGEST'}{$cgiparams{'ROOTCERT_DIGEST'}} =
"selected='selected'";
+ $selected{'ROOTCERT_ROOTBITS'}{'1024'} = '';
+ $selected{'ROOTCERT_ROOTBITS'}{'2048'} = '';
+ $selected{'ROOTCERT_ROOTBITS'}{'4096'} = '';
+ $selected{'ROOTCERT_ROOTBITS'}{$cgiparams{'ROOTCERT_ROOTBITS'}} =
"selected='selected'";
+ $selected{'ROOTCERT_HOSTBITS'}{'1024'} = '';
+ $selected{'ROOTCERT_HOSTBITS'}{'2048'} = '';
+ $selected{'ROOTCERT_HOSTBITS'}{'4096'} = '';
+ $selected{'ROOTCERT_HOSTBITS'}{$cgiparams{'ROOTCERT_HOSTBITS'}} =
"selected='selected'";
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'certificate authorities'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
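Review bot: `md5` is still offered as a signing digest at `$selected{'ROOTCERT_DIGEST'}{'md5'} = '';` even though this commit moves the default to sha256; MD5 certificate signatures have been practically forgeable by chosen-prefix collision since 2008, and a CA certificate signed with it is exactly the case that attack targets. Unless a known peer cannot verify SHA-2 signatures, I would drop the md5 entry here (and the matching `<option>` in the form) rather than leave it one click away from a fresh CA. If it has to stay for compatibility, add a comment such as `# md5 kept only for legacy peers; collisions are practical, never use it for a new CA`. Note also that `$selected{'ROOTCERT_DIGEST'}{$cgiparams{'ROOTCERT_DIGEST'}} = "selected='selected'";` autovivifies an entry for whatever string was submitted, which is harmless for rendering but means an unlisted value silently renders with no option selected instead of being rejected.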
@@ -827,6 +855,33 @@
</select>
</td>
</tr><tr>
+ <td class='base'>Message digest algorithm:</td>
+ <td class='base' nowrap='nowrap'>
+ <select name='ROOTCERT_DIGEST'>
+ <option value='md5' $selected{'ROOTCERT_DIGEST'}{'md5'}>md5</option>
+ <option value='sha256'
$selected{'ROOTCERT_DIGEST'}{'sha256'}>sha256</option>
+ <option value='sha512'
$selected{'ROOTCERT_DIGEST'}{'sha512'}>sha512</option>
+ </select>
+ </td>
+</tr><tr>
+ <td class='base'>$Lang::tr{'root certificate'}:</td>
+ <td class='base' nowrap='nowrap'>
+ <select name='ROOTCERT_ROOTBITS'>
+ <option value='1024' $selected{'ROOTCERT_ROOTBITS'}{'1024'}>1024
bits</option>
+ <option value='2048' $selected{'ROOTCERT_ROOTBITS'}{'2048'}>2048
bits</option>
+ <option value='4096' $selected{'ROOTCERT_ROOTBITS'}{'4096'}>4096
bits</option>
+ </select>
+ </td>
+</tr><tr>
+ <td class='base'>$Lang::tr{'host certificate'}:</td>
+ <td class='base' nowrap='nowrap'>
+ <select name='ROOTCERT_HOSTBITS'>
+ <option value='1024' $selected{'ROOTCERT_HOSTBITS'}{'1024'}>1024
bits</option>
+ <option value='2048' $selected{'ROOTCERT_HOSTBITS'}{'2048'}>2048
bits</option>
+ <option value='4096' $selected{'ROOTCERT_HOSTBITS'}{'4096'}>4096
bits</option>
+ </select>
+ </td>
+</tr><tr>
<td> </td>
<td><br />
<input type='submit' name='ACTION' value='$Lang::tr{'generate
root/host certificates'}' />
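Review bot: The root-certificate select still lets the CA key be generated at 1024 bits (`<option value='1024' $selected{'ROOTCERT_ROOTBITS'}{'1024'}>1024 bits</option>`), while the same commit raises openssl.cnf's `default_bits` to 2048; NIST and the CA/Browser Forum deprecated 1024-bit RSA for signing at the end of 2013, and the root key is the one that is hardest to rotate later because every host and peer certificate chains to it. I would remove the 1024 entry from the `ROOTCERT_ROOTBITS` select (keeping it for the host certificate only if legacy VPN peers genuinely need it) or at least label it `1024 bits (legacy, not recommended)`. Separately, the labels `Message digest algorithm:` and `bits` are hard-coded English whereas the neighbouring rows use `$Lang::tr{...}`, so these rows will not be translated.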
Modified: ipcop/trunk/updates/2.1.6/ROOTFILES.i486-2.1.6
===================================================================
--- ipcop/trunk/updates/2.1.6/ROOTFILES.i486-2.1.6 2014-05-11 17:10:18 UTC
(rev 7531)
+++ ipcop/trunk/updates/2.1.6/ROOTFILES.i486-2.1.6 2014-05-13 20:21:17 UTC
(rev 7532)
@@ -2,8 +2,10 @@
/etc/logrotate.d/squid
/etc/logrotate.d/squidGuard
/etc/rc.d/rc.sysinit
+/etc/ssl/openssl.cnf
/home/httpd/cgi-bin/changepw.cgi
/home/httpd/cgi-bin/proxy.cgi
+/home/httpd/cgi-bin/vpnca.cgi
/usr/local/bin/restarthttpd
/usr/local/bin/setreservedports.pl
##