|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
From f3cd02e668f94c294d685edb24a051e2451589f1 Mon Sep 17 00:00:00 2001
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
From: Tomas Jelinek <tojeline@redhat.com>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
Date: Fri, 23 Oct 2020 16:37:56 +0200
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
Subject: [PATCH 2/2] add support for loading a DH key from a file
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
---
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
pcsd/pcsd.conf | 6 +++++-
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
pcsd/rfc7919-ffdhe2048.pem | 8 ++++++++
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
pcsd/settings.rb | 1 +
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
pcsd/ssl.rb | 20 ++++++++++++++++++--
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
4 files changed, 32 insertions(+), 3 deletions(-)
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
create mode 100644 pcsd/rfc7919-ffdhe2048.pem
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
diff --git a/pcsd/pcsd.conf b/pcsd/pcsd.conf
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
index 73d8b0ce..9f522353 100644
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
--- a/pcsd/pcsd.conf
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+++ b/pcsd/pcsd.conf
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
@@ -31,7 +31,11 @@ PCSD_SESSION_LIFETIME=3600
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
# set SSL ciphers
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
#PCSD_SSL_CIPHERS='DEFAULT:!RC4:!3DES:@STRENGTH'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
-# set length (in bits) of DH key for key exchange
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+# set a DH key for key exchange, this overrides PCSD_SSL_DH_KEX_BITS
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+# set to an empty string to disable this option and generate a random DH key
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+#PCSD_SSL_DH_KEX_FILE=/usr/lib/pcsd/rfc7919-ffdhe2048.pem
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+# set length (in bits) of a DH key for key exchange
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
#PCSD_SSL_DH_KEX_BITS=1024
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
# Reject client initiated SSL/TLS renegotiation. Set this to true to make pcsd
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
diff --git a/pcsd/rfc7919-ffdhe2048.pem b/pcsd/rfc7919-ffdhe2048.pem
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
new file mode 100644
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
index 00000000..9b182b72
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
--- /dev/null
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+++ b/pcsd/rfc7919-ffdhe2048.pem
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
@@ -0,0 +1,8 @@
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+-----BEGIN DH PARAMETERS-----
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+-----END DH PARAMETERS-----
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
diff --git a/pcsd/settings.rb b/pcsd/settings.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
index 3edc02b7..e7ff410d 100644
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
--- a/pcsd/settings.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+++ b/pcsd/settings.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
@@ -6,6 +6,7 @@ PCSD_DEFAULT_PORT = 2224
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
CRT_FILE = PCSD_VAR_LOCATION + 'pcsd.crt'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
KEY_FILE = PCSD_VAR_LOCATION + 'pcsd.key'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
COOKIE_FILE = PCSD_VAR_LOCATION + 'pcsd.cookiesecret'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+DH_KEY_FILE = PCSD_EXEC_LOCATION + 'rfc7919-ffdhe2048.pem'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
PENGINE = "/usr/libexec/pacemaker/pengine"
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
CIB_BINARY = '/usr/libexec/pacemaker/cib'
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
index de356e46..5acbac37 100644
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
--- a/pcsd/ssl.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+++ b/pcsd/ssl.rb
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
@@ -157,7 +157,23 @@ dh_key_bits = 0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
if ENV['PCSD_SSL_DH_KEX_BITS']
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
end
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
-if dh_key_bits > 0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+dh_key_file = DH_KEY_FILE
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+if ENV['PCSD_SSL_DH_KEX_FILE']
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ dh_key_file = ENV['PCSD_SSL_DH_KEX_FILE']
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+end
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+dh_key = nil
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+if not dh_key_file.empty?()
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ $logger.info "Using '#{dh_key_file}' as a DH key..."
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ begin
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ dh_key = OpenSSL::PKey::DH.new(File.read(dh_key_file))
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ dh_key.generate_key!
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ $logger.info "DH key loaded"
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ rescue => e
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ $logger.error "Unable to read DH key file: #{e}"
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ exit 1
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+ end
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+elsif dh_key_bits > 0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
$logger.info "Generating #{dh_key_bits}bits long DH key..."
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
$logger.info "DH key created"
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
@@ -187,7 +203,7 @@ webrick_options = {
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
:SSLCertName => [[ "CN", server_name ]],
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
:SSLOptions => get_ssl_options(),
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
}
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
-if dh_key_bits > 0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
+if not dh_key.nil?()
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key }
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
end
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
--
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
2.21.0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
1c01d3 |
|