From: Arne Fitzenreiter
Date: Thu, 18 Jan 2024 17:02:10 +0000 (+0100)
Subject: core183: replace https rsa key if it is too small
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=36c16c71ed854b5bc43b79be926dd1d00f9091ff;p=people%2Fms%2Fipfire-2.x.git

core183: replace https rsa key if it is too small

new openssl need at least 2048 bit rsa keys for apache. So if the existing is smaller a new 4096 bit key is generated.

fixes #13527

Signed-off-by: Arne Fitzenreiter
---

diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 75a0e4f60c..7992f21c58 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -229,6 +229,19 @@ restore_backup() {
 # Set correct ownership
 chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
+ # Generate new HTTPS RSA key if the existing is too small
+ KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+ if [ $KEYSIZE \< 2048 ]; then
+ openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+ chmod 600 /etc/httpd/server.key
+ sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+ openssl req -new -key /etc/httpd/server.key \
+ -out /etc/httpd/server.csr &>/dev/null
+ openssl x509 -req -days 999999 -sha256 \
+ -in /etc/httpd/server.csr \
+ -signkey /etc/httpd/server.key \
+ -out /etc/httpd/server.crt &>/dev/null
+ fi
 return 0
 }
diff --git a/config/rootfiles/core/183/filelists/files b/config/rootfiles/core/183/filelists/files
index 8e58c6ec2a..42ddf682eb 100644
--- a/config/rootfiles/core/183/filelists/files
+++ b/config/rootfiles/core/183/filelists/files
@@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
 usr/local/bin/backupiso
+var/ipfire/backup/bin/backup.pl
diff --git a/config/rootfiles/core/183/update.sh b/config/rootfiles/core/183/update.sh
index 3312608bc2..5930ad3242 100644
--- a/config/rootfiles/core/183/update.sh
+++ b/config/rootfiles/core/183/update.sh
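Review bot: The added `if [ $KEYSIZE \< 2048 ]; then` in restore_backup is a lexicographic string comparison, not a numeric one, so a restored 512- or 768-bit key compares greater than "2048" ("5" > "2") and is kept, while only sizes beginning with 0 or 1 trigger regeneration; use `if [ -z "$KEYSIZE" ] || [ "$KEYSIZE" -lt 2048 ]; then`. The `-z` half also covers the case where `openssl rsa` cannot parse the restored server.key (missing, unreadable, or not an RSA key) and KEYSIZE is empty — today that leaves `[ \< 2048 ]`, which fails the test rather than regenerating, so an unusable key restored from a backup silently stays in place; whether an unparseable key should be regenerated or reported is a policy call to confirm. Note also that `openssl rsa` and all three generation steps send errors to /dev/null and no exit status is checked, so the caller only ever sees `return 0`. restore_backup begins outside the hunk.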
@@ -128,6 +128,21 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 /etc/rc.d/init.d/ipsec start
 fi
+# Check apache rsa key and replace if it is too small
+KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
+if [ $KEYSIZE \< 2048 ]; then
+ echo "Generating new HTTPS RSA server key (this will take a moment)..."
+ openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+ chmod 600 /etc/httpd/server.key
+ sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
+ openssl req -new -key /etc/httpd/server.key \
+ -out /etc/httpd/server.csr &>/dev/null
+ openssl x509 -req -days 999999 -sha256 \
+ -in /etc/httpd/server.csr \
+ -signkey /etc/httpd/server.key \
+ -out /etc/httpd/server.crt &>/dev/null
+fi
+
 # Rebuild initial ramdisks
 dracut --regenerate-all --force
 KVER="xxxKVERxxx"
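Review bot: The regeneration block overwrites /etc/httpd/server.key in place and then runs `openssl req` and `openssl x509` with every error discarded to /dev/null and no status checked, so if any step fails (for example `hostname -f` or /etc/certparams producing a request openssl rejects) the update leaves a fresh key beside a certificate still issued for the old one, and the web UI stops working with nothing in the output to say why. Generating into a mktemp file (created 0600, which also removes the window before the explicit `chmod 600`) and only moving key, CSR and certificate into place after all three commands succeeded keeps the previous pair usable on failure and lets the script report the problem. The same `\<` comparison as in backup.pl is a string comparison and should be `[ -z "${KEYSIZE}" ] || [ "${KEYSIZE}" -lt 2048 ]` — the `-z` case regenerates when `openssl rsa` cannot read the key at all, which is a reasonable default if server.key is always RSA on these systems but should be confirmed. Only the added lines are rewritten below; the surrounding update.sh steps are unchanged.
```shell
# Check apache rsa key and replace if it is too small (or unreadable)
KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout 2>/dev/null | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
if [ -z "${KEYSIZE}" ] || [ "${KEYSIZE}" -lt 2048 ]; then
	echo "Generating new HTTPS RSA server key (this will take a moment)..."
	# Build the new key/CSR/cert beside the live files so a failure leaves the current pair intact
	NEWKEY=$(mktemp /etc/httpd/server.key.XXXXXX)
	if [ -n "${NEWKEY}" ] && \
		openssl genrsa -out "${NEWKEY}" 4096 &>/dev/null && \
		sed "s/HOSTNAME/$(hostname -f)/" < /etc/certparams | \
			openssl req -new -key "${NEWKEY}" -out /etc/httpd/server.csr.new &>/dev/null && \
		openssl x509 -req -days 999999 -sha256 -in /etc/httpd/server.csr.new \
			-signkey "${NEWKEY}" -out /etc/httpd/server.crt.new &>/dev/null; then
		chmod 600 "${NEWKEY}"
		mv -f "${NEWKEY}" /etc/httpd/server.key
		mv -f /etc/httpd/server.csr.new /etc/httpd/server.csr
		mv -f /etc/httpd/server.crt.new /etc/httpd/server.crt
	else
		echo "ERROR: could not generate a new HTTPS key/certificate, keeping the existing one" >&2
		rm -f "${NEWKEY}" /etc/httpd/server.csr.new /etc/httpd/server.crt.new
	fi
fi
```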