[Kimchi-devel] [PATCH] [Wok 1/2] Generate dhparams in post-install and development mode

Lucio Correia luciojhc at linux.vnet.ibm.com
Tue Jan 24 19:36:55 UTC 2017


The Diffie-Hellman parameters may be generated in post-install. To
make it faster, add a -dsaparam parameter to the command.
Also generate it on server initialization for development
mode.

Signed-off-by: Lucio Correia <luciojhc at linux.vnet.ibm.com>
---
 Makefile.am                |  2 --
 contrib/DEBIAN/control.in  |  1 -
 contrib/DEBIAN/postinst    |  3 +++
 contrib/wok.spec.fedora.in |  4 +++-
 contrib/wok.spec.suse.in   |  4 +++-
 src/Makefile.am            |  8 +-------
 src/wok/proxy.py           | 13 +++++++++----
 7 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
 	mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
 	touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
 	touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
-	mkdir -p $(DESTDIR)/etc/wok/
-	$(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
 	mkdir -p $(DESTDIR)/etc/logrotate.d/
 	$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
 	mkdir -p $(DESTDIR)/etc/nginx/conf.d
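Review bot: Dropping the `mkdir -p $(DESTDIR)/etc/wok/` line together with the dhparams install leaves the installed tree without /etc/wok unless another rule outside this hunk creates it, and the package post-install scripts in this same patch write /etc/wok/dhparams.pem, wok-key.pem and wok-cert.pem there with their errors discarded. If no other rule provides the directory, an install from a clean tree would end up with no key material and no diagnostic. Keeping `mkdir -p $(DESTDIR)/etc/wok/` in install-data-local avoids depending on the post-install scripts finding the directory. The install-data-local recipe continues outside the hunk.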
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
          texlive-fonts-extra
 Build-Depends: xsltproc,
                gettext,
-               openssl,
                python-lxml,
                pkg-config
 Maintainer: Aline Manera <alinefm at br.ibm.com>
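Review bot: Removing `openssl` from Build-Depends is consistent with no longer generating dhparams.pem at build time, but the new postinst in this patch now runs `openssl dhparam` and `openssl req` at install time, so openssl must be a runtime `Depends:` for the package. Only the tail of the Depends list is visible in this hunk; if `openssl` is not already listed there, add it, otherwise the postinst will fail silently because its exit status is discarded.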
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..73e6935 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -20,6 +20,9 @@
 
 systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
 if test $systemd_exists = "0"; then
+    if [ ! -e /etc/wok/dhparams.pem ]; then
+        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+    fi
     openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
     /bin/systemctl enable wokd > /dev/null 2>&1
     /bin/systemctl daemon-reload > /dev/null 2>&1
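Review bot: The new `openssl dhparam` line discards both output and exit status (`>/dev/null 2>&1 || :`), so if openssl is missing or /etc/wok does not exist, no dhparams.pem is created and nothing tells the admin; the failure would surface later, presumably when the proxy configuration that references the file is loaded. At minimum keep the status visible, e.g. `openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || echo "wok: could not generate /etc/wok/dhparams.pem" >&2`. The choice of `-dsaparam` deserves a comment above the line, since it trades the safe-prime group for speed: `# -dsaparam yields DSA-style (non-safe-prime) parameters; OpenSSL requires a fresh DH key per use with these, which TLS DHE provides — do not reuse this file for static DH`. Note also that the generation sits inside the `systemd_exists` branch, so non-systemd installs never get the file; that mirrors the existing cert generation but is worth confirming as intended. The same points apply to the identical blocks in contrib/wok.spec.fedora.in and contrib/wok.spec.suse.in.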
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..fa2cd67 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires:	logrotate
 Requires:	openssl
 BuildRequires:	gettext-devel
 BuildRequires:	libxslt
-BuildRequires:	openssl
 BuildRequires:	python-lxml
 
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
@@ -78,6 +77,9 @@ if [ $1 -eq 1 ] ; then
     # Initial installation
     /bin/systemctl enable wokd.service >/dev/null 2>&1 || :
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+    if [ ! -e /etc/wok/dhparams.pem ]; then
+        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+    fi
     openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
 fi
 
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index ea2e708..244d75f 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -24,7 +24,6 @@ Requires:	logrotate
 Requires:	openssl
 BuildRequires:	gettext-tools
 BuildRequires:	libxslt-tools
-BuildRequires:	openssl
 BuildRequires:	python-lxml
 
 %if 0%{?suse_version} == 1100
@@ -58,6 +57,9 @@ if [ $1 -eq 1 ] ; then
     %else
         chkconfig wokd on
     %endif
+    if [ ! -e /etc/wok/dhparams.pem ]; then
+        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+    fi
     openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
 fi
 exit 0
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..5d169e7 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
 wok.conf: wok.conf.in Makefile
 	$(do_substitution) < wok.conf.in > wok.conf
 
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
-	openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..7376f09 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -30,6 +30,9 @@ from wok import sslcert
 from wok.config import paths
 
 
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
 def check_proxy_config():
     # When running from a installed system, there is nothing to do
     if paths.installed:
@@ -48,16 +51,18 @@ def check_proxy_config():
     # Create a symbolic link in system's dir to prevent errors while
     # running from source code
     symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'),
-                 'link': os.path.join(paths.sys_nginx_conf_dir,
-                                      'wok.conf')},
-                {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
-                 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}]
+                 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}]
     for item in symlinks:
         link = item['link']
         if os.path.isfile(link) or os.path.islink(link):
             os.remove(link)
         os.symlink(item['target'], link)
 
+    # Generate unique Diffie-Hellman group with 2048-bit
+    dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+    if not os.path.exists(dh_file):
+        os.system(DH_COMMAND % dh_file)
+
     # Create cert files if they don't exist
     cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
     key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')
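Review bot: `os.system(DH_COMMAND % dh_file)` builds a shell command by interpolating a filesystem path and ignores the return code, so a path with spaces or shell metacharacters is mis-parsed and a failed openssl run (missing binary, unwritable conf dir) is silently skipped, whereas the Makefile rule this replaces failed the build on error. Passing an argument list avoids the shell and checking the status keeps the failure visible: turn the constant in the earlier hunk into `DH_COMMAND = ['openssl', 'dhparam', '-dsaparam', '-out']` and call `subprocess.check_call(DH_COMMAND + [dh_file, '2048'])` (importing subprocess if proxy.py does not already). The `-dsaparam` trade-off also belongs in the comment, e.g. `# -dsaparam is fast but yields non-safe-prime parameters; only safe with ephemeral (per-handshake) DH keys`. check_proxy_config begins before this hunk and continues after it.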
-- 
2.7.4


