Reduce the calculation time for dhparams
Otherwise it just takes too long on the beaglebone
parent
83d4d6a871
commit
caf1f53dd2
|
@ -1650,7 +1650,7 @@ openssl req \
|
||||||
-keyout /etc/ssl/private/$HOSTNAME.key \
|
-keyout /etc/ssl/private/$HOSTNAME.key \
|
||||||
-out /etc/ssl/certs/$HOSTNAME.crt
|
-out /etc/ssl/certs/$HOSTNAME.crt
|
||||||
|
|
||||||
openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
|
openssl dhparam -check -text -dsaparam 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
|
||||||
|
|
||||||
chmod 400 /etc/ssl/private/$HOSTNAME.key
|
chmod 400 /etc/ssl/private/$HOSTNAME.key
|
||||||
chmod 640 /etc/ssl/certs/$HOSTNAME.crt
|
chmod 640 /etc/ssl/certs/$HOSTNAME.crt
|
||||||
|
|
|
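Review bot: `-dsaparam` on the `openssl dhparam` line replaces safe-prime generation (`-5`) with DSA-style parameters, whose prime is not a safe prime and whose subgroup is far smaller than the modulus; that is why it is fast, and it is only sound when every TLS server loading the file draws a fresh DH private key per handshake. Nothing visible here shows the consuming services doing that, so it should be confirmed (OpenSSL's documentation pairs `-dsaparam` with `SSL_OP_SINGLE_DH_USE`), and a comment such as `# -dsaparam: fast, non-safe prime; every service using this file must generate per-handshake DH keys` would record the tradeoff. The same substitution appears in the hunks starting at line 218 and at line 371 (regenerate_dh_keys). If per-handshake keys cannot be guaranteed, a fixed standard group such as RFC 7919 ffdhe2048 removes the generation cost while keeping a safe prime.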
@ -218,7 +218,7 @@ fi
|
||||||
# generate DH params
|
# generate DH params
|
||||||
if [ ! $NODH ]; then
|
if [ ! $NODH ]; then
|
||||||
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
|
if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
|
||||||
openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
|
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
|
||||||
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
|
chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -763,11 +763,6 @@ function interactive_configuration {
|
||||||
esac
|
esac
|
||||||
if [[ $INSTALLING_ON_BBB == "yes" ]]; then
|
if [[ $INSTALLING_ON_BBB == "yes" ]]; then
|
||||||
USB_DRIVE=/dev/sda1
|
USB_DRIVE=/dev/sda1
|
||||||
# here a short diffie-hellman key length is used, because otherwise creation of keys
|
|
||||||
# becomes impractically long on the beaglebone. It is known (as of 2015) that
|
|
||||||
# 1024bit DH may be breakable, so this is really a tradeoff between security and the
|
|
||||||
# available hardware
|
|
||||||
DH_KEYLENGTH=1024
|
|
||||||
fi
|
fi
|
||||||
save_configuration_file
|
save_configuration_file
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -351,18 +351,18 @@ function regenerate_dh_keys {
|
||||||
dialog --backtitle "Freedombone Security Configuration" \
|
dialog --backtitle "Freedombone Security Configuration" \
|
||||||
--title "Diffie-Hellman key length" \
|
--title "Diffie-Hellman key length" \
|
||||||
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
|
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
|
||||||
1 "1024 bits (WARNING: this may be insecure)" off \
|
1 "2048 bits" off \
|
||||||
2 "2048 bits" on \
|
2 "3072 bits" on \
|
||||||
3 "3072 bits" off 2> $data
|
3 "4096 bits" off 2> $data
|
||||||
sel=$?
|
sel=$?
|
||||||
case $sel in
|
case $sel in
|
||||||
1) exit 1;;
|
1) exit 1;;
|
||||||
255) exit 1;;
|
255) exit 1;;
|
||||||
esac
|
esac
|
||||||
case $(cat $data) in
|
case $(cat $data) in
|
||||||
1) DH_KEYLENGTH=1024;;
|
1) DH_KEYLENGTH=2048;;
|
||||||
2) DH_KEYLENGTH=2048;;
|
2) DH_KEYLENGTH=3072;;
|
||||||
3) DH_KEYLENGTH=3072;;
|
3) DH_KEYLENGTH=4096;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
ctr=0
|
ctr=0
|
||||||
|
@ -371,7 +371,7 @@ function regenerate_dh_keys {
|
||||||
if [[ -f $file ]]; then
|
if [[ -f $file ]]; then
|
||||||
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
|
filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
|
||||||
if [ -f $filename ]; then
|
if [ -f $filename ]; then
|
||||||
openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
|
openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
|
||||||
ctr=$((ctr + 1))
|
ctr=$((ctr + 1))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
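Review bot: In the radiolist, entry 2 keeps the `on` flag while its label becomes 3072 bits, so the preselected length silently moves from 2048 to 3072; if that is intended, the prompt about low-power systems should state which entry is the default. The second `case $(cat $data) in` still has no fallback arm, so an empty or unexpected selection leaves `DH_KEYLENGTH` at its earlier value and regeneration proceeds; adding `*) exit 1;;` would stop there. regenerate_dh_keys begins and ends outside these hunks, so the loop consuming the value is only partly visible.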