]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
Applied patches for not using md5. Additionally, the root CA is now 4096 bits, host...
authorWolfgang Apolinarski <wolfgang.apolinarski@uni-due.de>
Sat, 14 Mar 2015 14:33:35 +0000 (15:33 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 17 Mar 2015 19:42:41 +0000 (20:42 +0100)
config/ssl/openssl.cnf
html/cgi-bin/vpnmain.cgi

index f0906e5470dadb88bf4acec9acc45c5d5183f2b6..9d1e6e1ff5e5510483af261cb00eced32bb5893a 100644 (file)
@@ -21,7 +21,7 @@ RANDFILE      = $dir/tmp/.rand
 x509_extensions        = usr_cert
 default_days   = 999999
 default_crl_days= 30
-default_md     = md5
+default_md     = sha256
 preserve       = no
 policy         = policy_match
 email_in_dn    = no
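Review bot: Certificates already signed under `default_md = md5` keep their MD5 signatures, and with `default_days = 999999` in this same hunk they effectively never expire, so the new setting only changes what is issued from now on. Nothing visible in the commit flags or re-issues the existing CA, host and client certificates. I would add a comment next to the setting, `# applies to newly signed certificates only; certificates issued before this change must be regenerated`, and mention the regeneration step wherever the upgrade is documented.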
@@ -35,7 +35,7 @@ commonName            = supplied
 emailAddress           = optional
 
 [ req ]
-default_bits           = 1024
+default_bits           = 2048
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
index 26f6f5311dbf96346f454e7f873c0c9e9cbc4d49..b0041ef42255eb90cd5e3cb005762067050b8790 100644 (file)
@@ -961,9 +961,9 @@ END
        if (!$errormessage) {
            &General::log("ipsec", "Creating cacert...");
            if (open(STDIN, "-|")) {
-               my $opt  = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+               my $opt  = " req -x509 -sha256 -nodes";
                   $opt .= " -days 999999";
-                  $opt .= " -newkey rsa:2048";
+                  $opt .= " -newkey rsa:4096";
                   $opt .= " -keyout ${General::swroot}/private/cakey.pem";
                   $opt .= " -out ${General::swroot}/ca/cacert.pem";
 
@@ -984,8 +984,8 @@ END
        if (!$errormessage) {
            &General::log("ipsec", "Creating host cert...");
            if (open(STDIN, "-|")) {
-               my $opt  = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-                  $opt .= " -newkey rsa:1024";
+               my $opt  = " req -sha256 -nodes";
+                  $opt .= " -newkey rsa:2048";
                   $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
                   $opt .= " -out ${General::swroot}/certs/hostreq.pem";
                $errormessage = &callssl ($opt);
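Review bot: The `req` call at @@ -1678 is left out of the conversion made here and in the CA request above: it still passes `-rand /proc/interrupts:/proc/net/rt_cache` and gets no `-sha256`. Its request digest therefore depends on whatever the req section of the configuration sets, which this page does not show. Changing that line to `my $opt  = " req -sha256 -nodes";` would bring the three requests into line. The enclosing block starts and ends outside this hunk.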
@@ -1020,7 +1020,7 @@ END
            print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
            close ($fh);
            
-           my  $opt  = " ca -days 999999";
+           my  $opt  = " ca -md sha256 -days 999999";
                $opt .= " -batch -notext";
                $opt .= " -in ${General::swroot}/certs/hostreq.pem";
                $opt .= " -out ${General::swroot}/certs/hostcert.pem";
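Review bot: `$cgiparams{'SUBJECTALTNAME'}` is written into the extension file on the first line of this hunk with no check visible here, and the certificate signed just below is presumably built from that file. If the value is not validated earlier in the handler, it should be rejected when it is not a single well-formed line, for example `$errormessage = $Lang::tr{'invalid input'} if $cgiparams{'SUBJECTALTNAME'} =~ /[\r\n]/;` before the file is opened. The same `print` appears at @@ -1715, where `-extfile $v3extname` is passed to the `ca` call. The surrounding block begins and ends outside the hunk.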
@@ -1443,7 +1443,7 @@ END
 
            # Sign the certificate request
            &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
-           my  $opt  = " ca -days 999999";
+           my  $opt  = " ca -md sha256 -days 999999";
                $opt .= " -batch -notext";
                $opt .= " -in $filename";
                $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
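Review bot: `$cgiparams{'NAME'}` is interpolated into the output path and into the option string for the `ca` call, and no validation of it is visible in this hunk. How the string is executed is not shown here (the host-cert hunk hands its `$opt` to `callssl`). Unless NAME is already constrained earlier in the handler, an anchored allowlist check such as `$cgiparams{'NAME'} =~ /\A[A-Za-z0-9]+\z/` belongs before `$opt` is built. The hunks at @@ -1678 and @@ -1715 build key, request and certificate paths from NAME in the same way.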
@@ -1678,7 +1678,7 @@ END
 
            if (open(STDIN, "-|")) {
                my $opt  = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-                  $opt .= " -newkey rsa:1024";
+                  $opt .= " -newkey rsa:2048";
                   $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
                   $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 
@@ -1715,7 +1715,7 @@ END
            print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
            close ($fh);
 
-           my $opt  = " ca -days 999999 -batch -notext";
+           my $opt  = " ca -md sha256 -days 999999 -batch -notext";
               $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
               $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
               $opt .= " -extfile $v3extname";
@@ -2148,7 +2148,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) {
+           if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }
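Review bot: The rewritten pattern still accepts `md5` (and `sha`) as a valid choice, although the commit's stated aim is to stop using MD5; if that is deliberate for legacy peers, a comment on the check should say so, e.g. `# md5 and sha1 remain selectable only for interoperability with legacy peers`. The check also ends in `$`, which matches before a trailing newline, and uses capturing groups it never reads; `/\A(?:sha2_(?:512|384|256)|sha|md5|aesxcbc)\z/` is the stricter form. The same applies to the second check at @@ -2189, which lists `sha1` where this one lists `sha`; whether that difference is intended cannot be told from the hunks.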
@@ -2189,7 +2189,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) {
+           if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }