93 lines
3.5 KiB
Text
93 lines
3.5 KiB
Text
--- aox/servers.cpp.orig Mon Mar 10 14:44:59 2014
|
|
+++ aox/servers.cpp Thu May 1 10:57:40 2014
|
|
@@ -27,6 +27,7 @@
|
|
#include <pwd.h>
|
|
#include <grp.h>
|
|
|
|
+#include <err.h>
|
|
|
|
static const char * buildinfo[] = {
|
|
#include "buildinfo.inc"
|
|
@@ -316,8 +317,7 @@ static void checkFilePermissions()
|
|
if ( Configuration::toggle( Configuration::UseTls ) ) {
|
|
EString c = Configuration::text( Configuration::TlsCertFile );
|
|
if ( c.isEmpty() ) {
|
|
- c = Configuration::compiledIn( Configuration::LibDir );
|
|
- c.append( "/automatic-key.pem" );
|
|
+ c = "/etc/ssl/archiveopteryx.pem";
|
|
}
|
|
addPath( Path::ReadableFile, Configuration::TlsCertFile );
|
|
}
|
|
@@ -1072,65 +1072,19 @@ static void selfSignCertificate()
|
|
{
|
|
EString keyFile( Configuration::text( Configuration::TlsCertFile ) );
|
|
|
|
+ // no need to bother if use-tls is set to no
|
|
+ if ( !Configuration::toggle( Configuration::UseTls ) )
|
|
+ return;
|
|
+
|
|
if ( keyFile.isEmpty() ) {
|
|
- keyFile = Configuration::compiledIn( Configuration::LibDir );
|
|
- keyFile.append( "/automatic-key.pem" );
|
|
+ keyFile = "/etc/ssl/archiveopteryx.pem";
|
|
}
|
|
|
|
File key( keyFile );
|
|
if ( !key.contents().isEmpty() )
|
|
return; // could verify here, for the expiry date
|
|
-
|
|
- File osslcf( "/tmp/aox-ossl.conf", File::Write );
|
|
- osslcf.write( "[ req ]\n"
|
|
- " default_bits = 1024\n"
|
|
- " default_keyfile = privkey.pem\n"
|
|
- " distinguished_name = req_distinguished_name\n"
|
|
- " attributes = req_attributes\n"
|
|
- " x509_extensions = v3_ca\n"
|
|
- " prompt = no\n"
|
|
- "\n"
|
|
- " dirstring_type = nobmp\n"
|
|
- "\n"
|
|
- "[ req_distinguished_name ]\n"
|
|
- " CN=" + Configuration::hostname() + "\n"
|
|
- "\n"
|
|
- "[ req_attributes ]\n"
|
|
- " challengePassword = \"\"\n"
|
|
- "\n"
|
|
- " [ v3_ca ]\n"
|
|
- "\n"
|
|
- " nsCertType = server\n"
|
|
- " nsComment = \"Automatically generated self-signed certificate\"\n"
|
|
- " subjectKeyIdentifier=hash\n"
|
|
- " authorityKeyIdentifier=keyid:always,issuer:always\n"
|
|
- " basicConstraints = CA:true\n" );
|
|
-
|
|
-
|
|
-
|
|
- int r = system( "openssl req -config /tmp/aox-ossl.conf -x509 -days 1764 -newkey rsa:1024 -nodes -keyout /tmp/aox-ossl.pem -out /tmp/aox-ossl.pem" );
|
|
- if ( r == -1 )
|
|
- error( "Needed to execute openssl req, but failed" );
|
|
-
|
|
- // one one hand, File::write() does no checking. On the other,
|
|
- // this does at least not pass user-supplied data to the shell.
|
|
- File ossl( "/tmp/aox-ossl.pem" );
|
|
- File result( keyFile, File::Write );
|
|
- result.write( ossl.contents() );
|
|
- result.write( "\n"
|
|
- " This certificate was autogenerated by Archiveopteryx,\n"
|
|
- " since Archiveopteryx was configured to use TLS, but\n"
|
|
- " no certificate was specified. You may want to replace\n"
|
|
- " it with a CA-supplied certificate.\n"
|
|
- "\n" );
|
|
-
|
|
- File::unlink( "/tmp/aox-ossl.pem" );
|
|
-
|
|
- printf( "Created self-signed certificate for\n %s\n"
|
|
- "and stored it in\n %s\n"
|
|
- "Please verify that file's permissions.\n",
|
|
- Configuration::hostname().cstr(),
|
|
- keyFile.cstr() );
|
|
+ else
|
|
+ errx(1, "Didn't found certificate in %s, exiting\n", keyFile.cstr());
|
|
}
|
|
|
|
|