On 01/24/2017 05:36 PM, Lucio Correia wrote:
The Diffie-Hellman key may be generated in post-install. To
make it faster, add a -dsaparam parameter to the command.
Also generate it on server initialization for development
mode.
Signed-off-by: Lucio Correia <luciojhc(a)linux.vnet.ibm.com>
---
Makefile.am | 2 --
contrib/DEBIAN/control.in | 1 -
contrib/DEBIAN/postinst | 3 +++
contrib/wok.spec.fedora.in | 4 +++-
contrib/wok.spec.suse.in | 4 +++-
src/Makefile.am | 8 +-------
src/wok/proxy.py | 13 +++++++++----
7 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
- mkdir -p $(DESTDIR)/etc/wok/
- $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
mkdir -p $(DESTDIR)/etc/nginx/conf.d
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
texlive-fonts-extra
Build-Depends: xsltproc,
gettext,
- openssl,
python-lxml,
pkg-config
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..73e6935 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -20,6 +20,9 @@
systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
if test $systemd_exists = "0"; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null
2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
I don't think the openssl command should depend on systemd existence.
We just need to make sure not to override the system config file. So
I'd suggest adding the same file existence check to the wok-{key/cert}.pem
files.
/bin/systemctl enable wokd > /dev/null 2>&1
/bin/systemctl daemon-reload > /dev/null 2>&1
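Review bot: The `-dsaparam` on the added `openssl dhparam` line (the same line is added in contrib/wok.spec.fedora.in, contrib/wok.spec.suse.in and as DH_COMMAND in src/wok/proxy.py) generates DSA-style parameters instead of a safe-prime group, and the openssl dhparam man page warns that such parameters must only be used with a fresh DH key per exchange to avoid small-subgroup attacks. That is acceptable only because the consumer, presumably nginx via its ssl_dhparam directive, uses single-use DH keys (I believe nginx sets SSL_OP_SINGLE_DH_USE and current OpenSSL forces it regardless), but that is a load-bearing assumption the commit should state, e.g. a comment above the command: `# -dsaparam: fast non-safe-prime group; safe only with single-use DH keys (SSL_OP_SINGLE_DH_USE)`. Separately, `>/dev/null 2>&1 || :` discards both the error output and the exit status, so a failed generation leaves /etc/wok/dhparams.pem absent and the problem only surfaces later when the TLS server loads the file; consider keeping stderr or emitting a warning when the file is still missing after the command. The enclosing `if test $systemd_exists` block closes outside the hunk.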
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..fa2cd67 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-devel
BuildRequires: libxslt
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
@@ -78,6 +77,9 @@ if [ $1 -eq 1 ] ; then
# Initial installation
/bin/systemctl enable wokd.service >/dev/null 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null
2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
Same as I commented above regarding the wok-{key/cert}.pem files (I don't
think it was already there, but as you are working in the same piece of
code, it would be great to have it fixed as well).
> fi
>
> diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
> index ea2e708..244d75f 100644
> --- a/contrib/wok.spec.suse.in
> +++ b/contrib/wok.spec.suse.in
> @@ -24,7 +24,6 @@ Requires: logrotate
> Requires: openssl
> BuildRequires: gettext-tools
> BuildRequires: libxslt-tools
> -BuildRequires: openssl
> BuildRequires: python-lxml
>
> %if 0%{?suse_version} == 1100
> @@ -58,6 +57,9 @@ if [ $1 -eq 1 ] ; then
> %else
> chkconfig wokd on
> %endif
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null
2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
Same here.
fi
exit 0
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..5d169e7 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
wok.conf: wok.conf.in Makefile
$(do_substitution) < wok.conf.in > wok.conf
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
- openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..7376f09 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -30,6 +30,9 @@ from wok import sslcert
from wok.config import paths
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
def check_proxy_config():
# When running from a installed system, there is nothing to do
if paths.installed:
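Review bot: DH_COMMAND is a shell command template that the following hunk expands with `%` and runs through os.system, so the output path goes through a shell unquoted and the command's exit status is never checked. paths.sys_conf_dir comes from wok's own configuration rather than from a request, so this is a robustness point more than an injection one, but an argument list avoids the shell entirely and makes a missing openssl binary or a failed generation visible instead of silently leaving dhparams.pem absent: `DH_COMMAND = ['openssl', 'dhparam', '-dsaparam', '-out']` here and `subprocess.check_call(DH_COMMAND + [dh_file, '2048'])` at the call site (subprocess needs importing if it is not already). A short comment above the constant saying that the caller appends the output path and the group size would make that contract obvious. check_proxy_config continues past the end of this hunk.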
@@ -48,16 +51,18 @@ def check_proxy_config():
# Create a symbolic link in system's dir to prevent errors while
# running from source code
symlinks = [{'target': os.path.join(paths.nginx_conf_dir,
'wok.conf'),
- 'link': os.path.join(paths.sys_nginx_conf_dir,
- 'wok.conf')},
- {'target': os.path.join(paths.conf_dir,
'dhparams.pem'),
- 'link': os.path.join(paths.sys_conf_dir,
'dhparams.pem')}]
+ 'link': os.path.join(paths.sys_nginx_conf_dir,
'wok.conf')}]
for item in symlinks:
link = item['link']
if os.path.isfile(link) or os.path.islink(link):
os.remove(link)
os.symlink(item['target'], link)
+ # Generate unique Diffie-Hellman group with 2048-bit
+ dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+ if not os.path.exists(dh_file):
+ os.system(DH_COMMAND % dh_file)
+
# Create cert files if they don't exist
cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')