This would become a security risk if anyone gained shell access
as any user, because they could then copy out the HTTPS keys.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
etc/system-release
etc/issue
etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
etc/ssl/certs/ca-bundle.crt
etc/ssl/certs/ca-bundle.trust.crt
opt/pakfire/lib/functions.pl
# update linker config
ldconfig
+# Make apache keys not readable for everyone
+chmod 600 \
+ /etc/httpd/server.key \
+ /etc/httpd/server-ecdsa.key
+
# Update Language cache
#/usr/local/bin/update-lang-cache
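Review bot: The added `chmod 600` names both key files unconditionally, so it fails with an error in the update output on any system where one of them does not exist yet; the initscript in this same commit generates `/etc/httpd/server-ecdsa.key` only when it is missing, which suggests that case is possible. Guarding each path keeps the update clean: `for key in /etc/httpd/server.key /etc/httpd/server-ecdsa.key; do [ -f "$key" ] && chmod 600 "$key"; done`. Tightening the mode also does nothing for a key that was readable by every local user before the update, so the commit message should say whether regenerating existing keys was considered.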
if [ ! -f "/etc/httpd/server.key" ]; then
boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+ chmod 600 /etc/httpd/server.key
evaluate_retval
fi
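Review bot: Putting `chmod 600` between `openssl genrsa` and `evaluate_retval` leaves the new key on disk with the default umask mode until chmod runs. If `evaluate_retval` reports the status of the preceding command, as is usual for LFS-style init functions (its definition is not visible here), the boot message now reflects chmod's result rather than the key generation's. Creating the file under a restrictive umask fixes both: `( umask 077; openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null )` followed directly by `evaluate_retval`. The same applies to the ECDSA block that follows (`openssl ecparam ... -out /etc/httpd/server-ecdsa.key`). The enclosing function starts and ends outside these hunks.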
boot_mesg "Generating HTTPS ECDSA server key..."
openssl ecparam -genkey -name secp384r1 -noout \
-out /etc/httpd/server-ecdsa.key &>/dev/null
+ chmod 600 /etc/httpd/server-ecdsa.key
evaluate_retval
fi