Command for calculating DH params

Avoid duplication
Bob Mottram 2015-12-02 10:58:35 +00:00
parent 736ce5e2fb
commit 516519ba07
4 changed files with 178 additions and 79 deletions



@ -154,18 +154,18 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
cd $INSTALL_DIR cd $INSTALL_DIR
# obtain the repo # obtain the repo
if [ ! -d $INSTALL_DIR/letsencrypt ]; then if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
git clone https://github.com/letsencrypt/letsencrypt git clone https://github.com/letsencrypt/letsencrypt
if [ ! -d $INSTALL_DIR/letsencrypt ]; then if [ ! -d ${INSTALL_DIR}/letsencrypt ]; then
exit 76283 exit 76283
fi fi
else else
cd $INSTALL_DIR/letsencrypt cd ${INSTALL_DIR}/letsencrypt
git stash git stash
git pull git pull
fi fi
cd $INSTALL_DIR/letsencrypt cd ${INSTALL_DIR}/letsencrypt
# TODO this requires user interaction - is there a non-interactive mode? # TODO this requires user interaction - is there a non-interactive mode?
./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME ./letsencrypt-auto certonly --server $LETSENCRYPT_SERVER --standalone -d $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then if [ ! "$?" = "0" ]; then
@ -206,23 +206,19 @@ else
CERTFILE="ca-$HOSTNAME" CERTFILE="ca-$HOSTNAME"
fi fi
openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 \ openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \
-subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \
-newkey rsa:4096 -keyout /etc/ssl/private/$CERTFILE.key \ -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \
-out /etc/ssl/certs/$CERTFILE.crt -out /etc/ssl/certs/${CERTFILE}.crt
chmod 400 /etc/ssl/private/$CERTFILE.key chmod 400 /etc/ssl/private/${CERTFILE}.key
chmod 640 /etc/ssl/certs/$CERTFILE.crt chmod 640 /etc/ssl/certs/${CERTFILE}.crt
cp /etc/ssl/certs/$CERTFILE.crt /etc/ssl/mycerts cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
fi fi
# generate DH params # generate DH params
if [ ! $NODH ]; then if [ ! $NODH ]; then
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then if [ ! -f /etc/ssl/certs/${CERTFILE}.dhparam ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam ${PROJECT_NAME}-dhparam -h ${CERTFILE}
if [ ! "$?" = "0" ]; then
exit 72428
fi
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
fi fi
fi fi
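Review bot: The replacement line `${PROJECT_NAME}-dhparam -h ${CERTFILE}` drops the key length: the removed openssl call passed `$DH_KEYLENGTH`, but the helper is invoked without `-l`, so whatever this script had configured is silently replaced by the helper's own default. The removed block also exited with 72428 when generation failed, whereas the helper's exit status is now ignored and the script carries on as if the `.dhparam` file existed. I would write `${PROJECT_NAME}-dhparam -h ${CERTFILE} -l ${DH_KEYLENGTH}` followed by `if [ ! "$?" = "0" ]; then exit 72428; fi`, assuming DH_KEYLENGTH is still defined earlier in this file (not visible in the hunk). The enclosing if/else begins before this hunk.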

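--- a/src/freedombone-dhparam
+++ b/src/freedombone-dhparam
@@ -0,0 +1,117 @@
+#!/bin/bash
+#
+# .---. . .
+# | | |
+# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
+# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
+# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
+#
+# Freedom in the Cloud
+#
+# Creates or re-calculates Diffie-Hellman parameters
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+PROJECT_NAME='freedombone'
+export TEXTDOMAIN=${PROJECT_NAME}-dhparam
+export TEXTDOMAINDIR="/usr/share/locale"
+HOSTNAME=
+KEYLENGTH=2048
+RECALCULATE="no"
+function show_help {
+echo ''
+echo $"${PROJECT_NAME}-dhparam -h [hostname] -l [length in bits] --recalc [yes|no]"
+echo ''
+exit 0
+}
+function calc_dh {
+openssl dhparam -check -text -dsaparam $KEYLENGTH -out ${1}
+if [ ! "$?" = "0" ]; then
+exit 3674
+fi
+chmod 640 ${1}
+}
+function regenerate_dh_keys {
+for file in /etc/ssl/mycerts/*
+do
+if [[ -f $file ]]; then
+filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
+if [ -f $filename ]; then
+calc_dh $filename
+echo $"Recalculated DH params for $filename"
+fi
+fi
+done
+}
+while [[ $# > 1 ]]
+do
+key="$1"
+case $key in
+--help)
+show_help
+;;
+-h|--hostname)
+shift
+HOSTNAME="$1"
+;;
+-l|--dhkey)
+shift
+KEYLENGTH=${1}
+;;
+--recalc)
+shift
+RECALCULATE=${1}
+;;
+*)
+# unknown option
+;;
+esac
+shift
+done
+if [[ $RECALCULATE == "yes" || $RECALCULATE == "y" ]]; then
+regenerate_dh_keys
+exit 0
+fi
+if [ ! $HOSTNAME ]; then
+echo $'No hostname specified'
+exit 5728
+fi
+if ! which openssl > /dev/null ;then
+echo $"$0: openssl is not installed, exiting" 1>&2
+exit 5689
+fi
+if [ ! -d /etc/ssl/mycerts ]; then
+mkdir -p /etc/ssl/mycerts
+fi
+calc_dh /etc/ssl/certs/$HOSTNAME.dhparam
+systemctl reload nginx
+exit 0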
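Review bot: The option loop `while [[ $# > 1 ]]` never runs for a single argument, so `--help` on its own is ignored and the script falls through to the "No hostname specified" exit; the same applies to any trailing lone flag (`-h host --help`). Inside `[[ ]]` the `>` operator is also a string comparison, not numeric, so this should read `while [[ $# -gt 0 ]]`. The `-h` value is used unvalidated to build `/etc/ssl/certs/$HOSTNAME.dhparam` in a script that runs as root and chmods the result, so a value containing `/` or `..` would write outside /etc/ssl/certs; I would reject such input up front with `if [[ $HOSTNAME == */* || $HOSTNAME == *..* ]]; then echo $'Invalid hostname'; exit 5728; fi`, and quote `"$1"`, `"$filename"` and `"$HOSTNAME"` at the `openssl`, `chmod` and `-f` uses. The `-l` value is likewise passed to openssl unchecked, so a non-numeric value only surfaces as the opaque `exit 3674`.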


@ -225,10 +225,10 @@ function interactive_setup {
if [ $SSL_CIPHERS ]; then if [ $SSL_CIPHERS ]; then
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \ dialog --backtitle $"Freedombone Security Configuration" \
--form "\nWeb/IMAP Ciphers:" 10 95 2 \ --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \ $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \ $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
2> $data 2> $data
sel=$? sel=$?
case $sel in case $sel in
@ -242,12 +242,12 @@ function interactive_setup {
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
if [ $SSH_HOST_KEY_ALGORITHMS ]; then if [ $SSH_HOST_KEY_ALGORITHMS ]; then
dialog --backtitle "Freedombone Security Configuration" \ dialog --backtitle $"Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 13 95 4 \ --form $"\nSecure Shell Ciphers:" 13 95 4 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \ $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
2> $data 2> $data
sel=$? sel=$?
case $sel in case $sel in
@ -259,11 +259,11 @@ function interactive_setup {
255) exit 0;; 255) exit 0;;
esac esac
else else
dialog --backtitle "Freedombone Security Configuration" \ dialog --backtitle $"Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 11 95 3 \ --form $"\nSecure Shell Ciphers:" 11 95 3 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \ $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \ $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \ $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
2> $data 2> $data
sel=$? sel=$?
case $sel in case $sel in
@ -276,14 +276,14 @@ function interactive_setup {
fi fi
if [[ $SSH_PASSWORDS == "yes" ]]; then if [[ $SSH_PASSWORDS == "yes" ]]; then
dialog --title "SSH Passwords" \ dialog --title $"SSH Passwords" \
--backtitle "Freedombone Security Configuration" \ --backtitle $"Freedombone Security Configuration" \
--yesno "\nAllow SSH login using passwords?" 7 60 --yesno $"\nAllow SSH login using passwords?" 7 60
else else
dialog --title "SSH Passwords" \ dialog --title $"SSH Passwords" \
--backtitle "Freedombone Security Configuration" \ --backtitle $"Freedombone Security Configuration" \
--defaultno \ --defaultno \
--yesno "\nAllow SSH login using passwords?" 7 60 --yesno $"\nAllow SSH login using passwords?" 7 60
fi fi
sel=$? sel=$?
case $sel in case $sel in
@ -295,10 +295,10 @@ function interactive_setup {
if [ $XMPP_CIPHERS ]; then if [ $XMPP_CIPHERS ]; then
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \ dialog --backtitle $"Freedombone Security Configuration" \
--form "\nXMPP Ciphers:" 10 95 2 \ --form $"\nXMPP Ciphers:" 10 95 2 \
"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \ $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \ $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
2> $data 2> $data
sel=$? sel=$?
case $sel in case $sel in
@ -309,10 +309,10 @@ function interactive_setup {
esac esac
fi fi
dialog --title "Final Confirmation" \ dialog --title $"Final Confirmation" \
--backtitle "Freedombone Security Configuration" \ --backtitle $"Freedombone Security Configuration" \
--defaultno \ --defaultno \
--yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60 --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
sel=$? sel=$?
case $sel in case $sel in
1) clear 1) clear
@ -365,21 +365,7 @@ function regenerate_dh_keys {
3) DH_KEYLENGTH=4096;; 3) DH_KEYLENGTH=4096;;
esac esac
ctr=0 ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
for file in /etc/ssl/mycerts/*
do
if [[ -f $file ]]; then
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
if [ -f $filename ]; then
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
if [ ! "$?" = "0" ]; then
exit 3674
fi
ctr=$((ctr + 1))
fi
fi
done
echo $"$ctr dhparam certificates were regenerated"
fi fi
} }
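Review bot: The exit status of `${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}` is not checked, whereas the loop it replaces exited with 3674 when openssl failed; regenerate_dh_keys now returns to the menu as if every parameter set had been regenerated. I would follow the call with `if [ ! "$?" = "0" ]; then exit 3674; fi`, or at least report the failure to the user via dialog as the rest of this function does. The removed `$ctr dhparam certificates were regenerated` summary is also gone; the helper prints one line per file instead, which a reader of this function will not see from here. The start of regenerate_dh_keys lies outside the hunk.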
@ -387,9 +373,9 @@ function renew_startssl {
renew_domain= renew_domain=
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
dialog --title "Renew a StartSSL certificate" \ dialog --title $"Renew a StartSSL certificate" \
--backtitle "Freedombone Security Settings" \ --backtitle $"Freedombone Security Settings" \
--inputbox "Enter the domain name" 8 60 2>$data --inputbox $"Enter the domain name" 8 60 2>$data
sel=$? sel=$?
case $sel in case $sel in
0) 0)
@ -402,24 +388,24 @@ function renew_startssl {
fi fi
if [[ $renew_domain == "http"* ]]; then if [[ $renew_domain == "http"* ]]; then
dialog --title "Renew a StartSSL certificate" \ dialog --title $"Renew a StartSSL certificate" \
--msgbox "Don't include the https://" 6 40 --msgbox $"Don't include the https://" 6 40
return return
fi fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title "Renew a StartSSL certificate" \ dialog --title $"Renew a StartSSL certificate" \
--msgbox "An existing certificate for $renew_domain was not found" 6 40 --msgbox $"An existing certificate for $renew_domain was not found" 6 40
return return
fi fi
if [[ $renew_domain != *"."* ]]; then if [[ $renew_domain != *"."* ]]; then
dialog --title "Renew a StartSSL certificate" \ dialog --title $"Renew a StartSSL certificate" \
--msgbox "Invalid domain name: $renew_domain" 6 40 --msgbox $"Invalid domain name: $renew_domain" 6 40
return return
fi fi
freedombone-renew-cert -h $renew_domain -p startssl ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
exit 0 exit 0
} }
@ -428,9 +414,9 @@ function renew_letsencrypt {
renew_domain= renew_domain=
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15 trap "rm -f $data" 0 1 2 5 15
dialog --title "Renew a Let's Encrypt certificate" \ dialog --title $"Renew a Let's Encrypt certificate" \
--backtitle "Freedombone Security Settings" \ --backtitle $"Freedombone Security Settings" \
--inputbox "Enter the domain name" 8 60 2>$data --inputbox $"Enter the domain name" 8 60 2>$data
sel=$? sel=$?
case $sel in case $sel in
0) 0)
@ -443,24 +429,24 @@ function renew_letsencrypt {
fi fi
if [[ $renew_domain == "http"* ]]; then if [[ $renew_domain == "http"* ]]; then
dialog --title "Renew a Let's Encrypt certificate" \ dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox "Don't include the https://" 6 40 --msgbox $"Don't include the https://" 6 40
return return
fi fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title "Renew a Let's Encrypt certificate" \ dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox "An existing certificate for $renew_domain was not found" 6 40 --msgbox $"An existing certificate for $renew_domain was not found" 6 40
return return
fi fi
if [[ $renew_domain != *"."* ]]; then if [[ $renew_domain != *"."* ]]; then
dialog --title "Renew a Let's Encrypt certificate" \ dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox "Invalid domain name: $renew_domain" 6 40 --msgbox $"Invalid domain name: $renew_domain" 6 40
return return
fi fi
freedombone-renew-cert -h $renew_domain -p 'letsencrypt' ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
exit 0 exit 0
} }