The Diffie-Hellman key may be generated in post-install. To
make it faster, add a -dsaparam parameter to the command.
Also generate it on server initialization for development
mode.
Signed-off-by: Lucio Correia <luciojhc(a)linux.vnet.ibm.com>
---
Makefile.am | 2 --
contrib/DEBIAN/control.in | 1 -
contrib/DEBIAN/postinst | 16 ++++++++++++++--
contrib/wok.spec.fedora.in | 8 ++++++--
contrib/wok.spec.suse.in | 8 ++++++--
src/Makefile.am | 10 ++--------
src/wok/proxy.py | 15 ++++++++++-----
7 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
- mkdir -p $(DESTDIR)/etc/wok/
- $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
mkdir -p $(DESTDIR)/etc/nginx/conf.d
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
texlive-fonts-extra
Build-Depends: xsltproc,
gettext,
- openssl,
python-lxml,
pkg-config
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..9bfed32 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -2,7 +2,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2013-2016
+# Copyright IBM Corp, 2013-2017
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -18,9 +18,21 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+DHPARAMS_PEM=/etc/wok/dhparams.pem
+WOKCERT_PEM=/etc/wok/wok-cert.pem
+WOKKEY_PEM=/etc/wok/wok-key.pem
+
+if [ ! -e "$DHPARAMS_PEM" ]; then
+ openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048 >/dev/null
2>&1 || :
+fi
+if [ ! -e "$WOKCERT_PEM" ] || [ ! -e "$WOKKEY_PEM" ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout "$WOKKEY_PEM" \
+ -out "$WOKCERT_PEM" -days 365 -nodes \
+ -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 ||
:
+fi
+
systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
if test $systemd_exists = "0"; then
- openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
/bin/systemctl enable wokd > /dev/null 2>&1
/bin/systemctl daemon-reload > /dev/null 2>&1
/bin/systemctl start wokd > /dev/null 2>&1
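Review bot: Both new generation steps send all output to /dev/null and end in `|| :`, so when `openssl dhparam` or `openssl req` fails the package still configures cleanly and nginx only fails later when it cannot open /etc/wok/dhparams.pem, with nothing in the install log to explain it. Two ways this can now fail come from this same patch: the `mkdir -p $(DESTDIR)/etc/wok/` line is dropped from Makefile.am, so unless another install rule still creates /etc/wok the `-out` path does not exist, and control.in only removes openssl from Build-Depends, so please confirm it is listed under Depends since postinst needs it at configure time (the Depends list is outside this hunk). At minimum let the error reach the log, e.g. `openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048 || echo "wok: DH parameter generation failed" >&2`. Because `-out` writes straight to the final path, an interrupted run leaves a partial file that the `! -e` test then treats as finished; writing to `"$DHPARAMS_PEM.tmp"` and `mv -f` on success avoids that. The `-dsaparam` choice deserves a comment here and in the matching code in wok.spec.fedora.in, wok.spec.suse.in and proxy.py: `# -dsaparam: fast to generate but the result is not a safe prime; acceptable only for ephemeral DH where a new key is generated per connection (see openssl-dhparam(1))`.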
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..6af8222 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-devel
BuildRequires: libxslt
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
@@ -75,10 +74,15 @@ install -Dm 0755 contrib/wokd.sysvinit %{buildroot}%{_initrddir}/wokd
%post
if [ $1 -eq 1 ] ; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null
2>&1 || :
+ fi
+ if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
+ fi
# Initial installation
/bin/systemctl enable wokd.service >/dev/null 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
- openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
fi
%preun
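Review bot: The new generation block is placed inside `if [ $1 -eq 1 ]`, so it runs only on first install; on an upgrade from a build that shipped /etc/wok/dhparams.pem as a packaged file, rpm removes that file when the old version is erased and nothing regenerates it, leaving nginx without the dhparam its config references. The `! -e` tests already make both blocks idempotent, so they can move above the `if [ $1 -eq 1 ] ; then` line and run on every %post; the same applies to the %post hunk in wok.spec.suse.in. As in the Debian postinst, the `>/dev/null 2>&1 || :` tail hides any openssl failure, which on rpm would at least show in the transaction output if the redirection were dropped.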
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index ea2e708..db31616 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -24,7 +24,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-tools
BuildRequires: libxslt-tools
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?suse_version} == 1100
@@ -52,13 +51,18 @@ make DESTDIR=%{buildroot} install
%post
if [ $1 -eq 1 ] ; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null
2>&1 || :
+ fi
+ if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then
+ openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
+ fi
%if 0%{?with_systemd}
/bin/systemctl enable wokd.service >/dev/null 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%else
chkconfig wokd on
%endif
- openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out
/etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org"
>/dev/null 2>&1 || :
fi
exit 0
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..531c20b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,7 +1,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2013-2016
+# Copyright IBM Corp, 2013-2017
#
# Code derived from Project Kimchi
#
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
wok.conf: wok.conf.in Makefile
$(do_substitution) < wok.conf.in > wok.conf
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
- openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..c26925d 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -2,7 +2,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2015-2016
+# Copyright IBM Corp, 2015-2017
#
# Code derived from Project Kimchi
#
@@ -30,6 +30,9 @@ from wok import sslcert
from wok.config import paths
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
def check_proxy_config():
# When running from a installed system, there is nothing to do
if paths.installed:
@@ -48,16 +51,18 @@ def check_proxy_config():
# Create a symbolic link in system's dir to prevent errors while
# running from source code
symlinks = [{'target': os.path.join(paths.nginx_conf_dir,
'wok.conf'),
- 'link': os.path.join(paths.sys_nginx_conf_dir,
- 'wok.conf')},
- {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
- 'link': os.path.join(paths.sys_conf_dir,
'dhparams.pem')}]
+ 'link': os.path.join(paths.sys_nginx_conf_dir,
'wok.conf')}]
for item in symlinks:
link = item['link']
if os.path.isfile(link) or os.path.islink(link):
os.remove(link)
os.symlink(item['target'], link)
+ # Generate unique Diffie-Hellman group with 2048-bit
+ dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+ if not os.path.exists(dh_file):
+ os.system(DH_COMMAND % dh_file)
+
# Create cert files if they don't exist
cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')
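Review bot: `os.system(DH_COMMAND % dh_file)` builds a shell command by string interpolation and discards the exit status, so a failure (openssl missing, unwritable directory) leaves dh_file absent and the nginx config that references it failing later with nothing logged. An argument list avoids the shell and surfaces the error, e.g. `subprocess.check_call(['openssl', 'dhparam', '-dsaparam', '-out', dh_file, '2048'])` (adding `import subprocess` if the module does not already have it), which also makes the module-level DH_COMMAND string unnecessary; if aborting startup is too strict, check the return value and log instead. The same partial-file caveat as in the packaging scripts applies: `-out` writes directly to dh_file, so an interrupted run leaves a truncated file that `os.path.exists` then accepts on the next start. check_proxy_config starts and ends outside this hunk.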
--
2.7.4