From f3cd02e668f94c294d685edb24a051e2451589f1 Mon Sep 17 00:00:00 2001 From: Tomas Jelinek Date: Fri, 23 Oct 2020 16:37:56 +0200 Subject: [PATCH 2/2] add support for loading a DH key from a file --- pcsd/pcsd.conf | 6 +++++- pcsd/rfc7919-ffdhe2048.pem | 8 ++++++++ pcsd/settings.rb | 1 + pcsd/ssl.rb | 20 ++++++++++++++++++-- 4 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 pcsd/rfc7919-ffdhe2048.pem diff --git a/pcsd/pcsd.conf b/pcsd/pcsd.conf index 73d8b0ce..9f522353 100644 --- a/pcsd/pcsd.conf +++ b/pcsd/pcsd.conf @@ -31,7 +31,11 @@ PCSD_SESSION_LIFETIME=3600 # set SSL ciphers #PCSD_SSL_CIPHERS='DEFAULT:!RC4:!3DES:@STRENGTH' -# set length (in bits) of DH key for key exchange +# set a DH key for key exchange, this overrides PCSD_SSL_DH_KEX_BITS +# set to an empty string to disable this option and generate a random DH key +#PCSD_SSL_DH_KEX_FILE=/usr/lib/pcsd/rfc7919-ffdhe2048.pem + +# set length (in bits) of a DH key for key exchange #PCSD_SSL_DH_KEX_BITS=1024 # Reject client initiated SSL/TLS renegotiation. Set this to true to make pcsd diff --git a/pcsd/rfc7919-ffdhe2048.pem b/pcsd/rfc7919-ffdhe2048.pem new file mode 100644 index 00000000..9b182b72 --- /dev/null +++ b/pcsd/rfc7919-ffdhe2048.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/pcsd/settings.rb b/pcsd/settings.rb index 3edc02b7..e7ff410d 100644 --- a/pcsd/settings.rb +++ b/pcsd/settings.rb @@ -6,6 +6,7 @@ PCSD_DEFAULT_PORT = 2224 CRT_FILE = PCSD_VAR_LOCATION + 'pcsd.crt' KEY_FILE = PCSD_VAR_LOCATION + 'pcsd.key' COOKIE_FILE = PCSD_VAR_LOCATION + 'pcsd.cookiesecret' +DH_KEY_FILE = PCSD_EXEC_LOCATION + 'rfc7919-ffdhe2048.pem' PENGINE = "/usr/libexec/pacemaker/pengine" CIB_BINARY = '/usr/libexec/pacemaker/cib' diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb index de356e46..5acbac37 100644 --- a/pcsd/ssl.rb +++ b/pcsd/ssl.rb @@ -157,7 +157,23 @@ dh_key_bits = 0 if ENV['PCSD_SSL_DH_KEX_BITS'] dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0 end -if dh_key_bits > 0 +dh_key_file = DH_KEY_FILE +if ENV['PCSD_SSL_DH_KEX_FILE'] + dh_key_file = ENV['PCSD_SSL_DH_KEX_FILE'] +end + +dh_key = nil +if not dh_key_file.empty?() + $logger.info "Using '#{dh_key_file}' as a DH key..." + begin + dh_key = OpenSSL::PKey::DH.new(File.read(dh_key_file)) + dh_key.generate_key! + $logger.info "DH key loaded" + rescue => e + $logger.error "Unable to read DH key file: #{e}" + exit 1 + end +elsif dh_key_bits > 0 $logger.info "Generating #{dh_key_bits}bits long DH key..." dh_key = OpenSSL::PKey::DH.generate(dh_key_bits) $logger.info "DH key created" @@ -187,7 +203,7 @@ webrick_options = { :SSLCertName => [[ "CN", server_name ]], :SSLOptions => get_ssl_options(), } -if dh_key_bits > 0 +if not dh_key.nil?() webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key } end -- 2.21.0