
The Diffie-Helmann key may be generated in post-install. To make it faster, add a -dsaparam parameter to the command. Also generate it on server initialization for development mode.
Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com>
---
 Makefile.am | 2 --
 contrib/DEBIAN/control.in | 1 -
 contrib/DEBIAN/postinst | 16 ++++++++++++++--
 contrib/wok.spec.fedora.in | 8 ++++++--
 contrib/wok.spec.suse.in | 8 ++++++--
 src/Makefile.am | 10 ++--------
 src/wok/proxy.py | 15 ++++++++++-----
 7 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
 mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
 touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
 touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
- mkdir -p $(DESTDIR)/etc/wok/
- $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
 mkdir -p $(DESTDIR)/etc/logrotate.d/
 $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
 mkdir -p $(DESTDIR)/etc/nginx/conf.d
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
 texlive-fonts-extra
 Build-Depends: xsltproc,
 gettext,
- openssl,
 python-lxml,
 pkg-config
 Maintainer: Aline Manera <alinefm@br.ibm.com>
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..9bfed32 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -2,7 +2,7 @@
 #
 # Project Wok
 #
-# Copyright IBM Corp, 2013-2016
+# Copyright IBM Corp, 2013-2017
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -18,9 +18,21 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
+DHPARAMS_PEM=/etc/wok/dhparams.pem
+WOKCERT_PEM=/etc/wok/wok-cert.pem
+WOKKEY_PEM=/etc/wok/wok-key.pem
+
+if [ ! -e "$DHPARAMS_PEM" ]; then
+ openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048 >/dev/null 2>&1 || :
+fi
+if [ ! -e "$WOKCERT_PEM" ] || [ ! -e "$WOKKEY_PEM" ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout "$WOKKEY_PEM" \
+ -out "$WOKCERT_PEM" -days 365 -nodes \
+ -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
+fi
+
 systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
 if test $systemd_exists = "0"; then
-openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
 /bin/systemctl enable wokd > /dev/null 2>&1
 /bin/systemctl daemon-reload > /dev/null 2>&1
 /bin/systemctl start wokd > /dev/null 2>&1
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..6af8222 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires: logrotate
 Requires: openssl
 BuildRequires: gettext-devel
 BuildRequires: libxslt
-BuildRequires: openssl
 BuildRequires: python-lxml
 
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
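Review bot: The `-dsaparam` option in `openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048` produces DSA-style parameters instead of a safe prime, and OpenSSL's dhparam documentation states that such parameters are only safe against small-subgroup attacks when a fresh DH key is generated for every handshake; that holds if the TLS terminator loading dhparams.pem never reuses a DH key (nginx sets SSL_OP_SINGLE_DH_USE and OpenSSL 1.1.0 made it unconditional, but this should be confirmed for the supported distributions and recorded in a comment above the command, e.g. `# -dsaparam: non-safe-prime group; requires per-handshake DH keys in the TLS server`). The same command is added to the %post of contrib/wok.spec.fedora.in and contrib/wok.spec.suse.in and to src/wok/proxy.py, so this note covers those too. The key generation `openssl req ... -keyout "$WOKKEY_PEM" ... -nodes` writes an unencrypted private key whose file mode depends on the OpenSSL version and the current umask; adding `chmod 600 "$WOKKEY_PEM"` after the second `fi` (or `umask 077` before the block) keeps the key from being world-readable. Because both commands end in `>/dev/null 2>&1 || :`, a failed generation leaves no file and no diagnostic and the service fails later with an unrelated TLS error, so consider printing a warning to stderr when `$DHPARAMS_PEM` or `$WOKKEY_PEM` is still missing after the command.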
@@ -75,10 +74,15 @@ install -Dm 0755 contrib/wokd.sysvinit %{buildroot}%{_initrddir}/wokd
 
 %post
 if [ $1 -eq 1 ] ; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
+ if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
+ fi
 # Initial installation
 /bin/systemctl enable wokd.service >/dev/null 2>&1 || :
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
- openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
 fi
 
 %preun
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index ea2e708..db31616 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -24,7 +24,6 @@ Requires: logrotate
 Requires: openssl
 BuildRequires: gettext-tools
 BuildRequires: libxslt-tools
-BuildRequires: openssl
 BuildRequires: python-lxml
 
 %if 0%{?suse_version} == 1100
@@ -52,13 +51,18 @@ make DESTDIR=%{buildroot} install
 
 %post
 if [ $1 -eq 1 ] ; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
+ if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
+ fi
 %if 0%{?with_systemd}
 /bin/systemctl enable wokd.service >/dev/null 2>&1 || :
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %else
 chkconfig wokd on
 %endif
- openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
 fi
 
 exit 0
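Review bot: The new `if [ ! -e /etc/wok/dhparams.pem ]` block sits inside `if [ $1 -eq 1 ] ; then`, so it runs only on first installation and never on an upgrade; since the previous build delivered dhparams.pem through `make install` (the install rule is removed from Makefile.am in this patch), a system upgraded from an older package could be left without /etc/wok/dhparams.pem if that file is not preserved as %config, and nginx would then fail to load its `ssl_dhparam`. Moving both generation blocks out of the `$1 -eq 1` test is safe because the existence checks already make them idempotent, and it matches what the Debian postinst in this same patch does. The %post hunk of contrib/wok.spec.suse.in has the same structure and needs the same change.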
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..531c20b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,7 +1,7 @@
 #
 # Project Wok
 #
-# Copyright IBM Corp, 2013-2016
+# Copyright IBM Corp, 2013-2017
 #
 # Code derived from Project Kimchi
 #
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
 wok.conf: wok.conf.in Makefile
 $(do_substitution) < wok.conf.in > wok.conf
 
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
- openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..c26925d 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -2,7 +2,7 @@
 #
 # Project Wok
 #
-# Copyright IBM Corp, 2015-2016
+# Copyright IBM Corp, 2015-2017
 #
 # Code derived from Project Kimchi
 #
@@ -30,6 +30,9 @@ from wok import sslcert
 from wok.config import paths
 
 
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
 def check_proxy_config():
 # When running from a installed system, there is nothing to do
 if paths.installed:
@@ -48,16 +51,18 @@ def check_proxy_config():
 # Create a symbolic link in system's dir to prevent errors while
 # running from source code
 symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'),
- 'link': os.path.join(paths.sys_nginx_conf_dir,
- 'wok.conf')},
- {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
- 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}]
+ 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}]
 for item in symlinks:
 link = item['link']
 if os.path.isfile(link) or os.path.islink(link):
 os.remove(link)
 os.symlink(item['target'], link)
 
+ # Generate unique Diffie-Hellman group with 2048-bit
+ dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+ if not os.path.exists(dh_file):
+ os.system(DH_COMMAND % dh_file)
+
 # Create cert files if they don't exist
 cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
 key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')
-- 
2.7.4
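Review bot: `os.system(DH_COMMAND % dh_file)` interpolates a filesystem path into a shell command string and discards the exit status, so a `paths.sys_conf_dir` containing spaces or shell metacharacters is split or reinterpreted by the shell, and a missing openssl binary or a write failure leaves no dhparams.pem with nothing logged. Use an argument list and check the result, e.g. `if subprocess.call(['openssl', 'dhparam', '-dsaparam', '-out', dh_file, '2048']) != 0:` followed by a log message or a raise, which also makes the `DH_COMMAND` format string added in the @@ -30,6 +30,9 @@ hunk unnecessary; `subprocess` must be imported if proxy.py does not already do so (its imports are not visible in the hunk). The `-dsaparam` caveat raised on contrib/DEBIAN/postinst applies to this command as well. check_proxy_config continues past the end of the hunk.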