Commit b1f888f0 authored by telyn's avatar telyn

Store dhparams mainly in /etc/ssl/private, except for services that have...

Store dhparams mainly in /etc/ssl/private, except for services that have hardcoded paths to dhparams.
parent 42723225
symbiosis-common (2017:0328) stable; urgency=medium
* Add symbiosis-generate-dhparams, which is used by other packages.
-- Telyn Roat <telyn@bytemark.co.uk> Tue, 28 Mar 2017 13:25:34 +0100
symbiosis-common (2015:1220) stable; urgency=medium
* Allow underscores in hostnames.
......
......@@ -9,37 +9,52 @@ do_cleanup() {
trap - EXIT
if [ -n "$tmpfile" -a -f "$tmpfile" ] ; then
rm $tmpfile
rm "$tmpfile"
fi
}
trap do_cleanup EXIT
if [ -z "$1" ]; then
echo "usage: symbiosis-generate-dhparams <path to config dir> [user]"
if [ $# -eq 0 ]; then
echo "usage: symbiosis-generate-dhparams [-v] <path to config dir> [user]"
exit 127
fi
verbose=""
while getopts ":v" opt; do
case $opt in
v)
verbose="yes"
;;
esac
done
# shift away the option if it was there
shift $((OPTIND-1))
#
# This script regenerates Diffie-Helman parameters and chowns to the specified
# This script regenerates Diffie-Helman parameters and chowns to the specified user
#
dir=$1
fileName="$1"
dir=$(dirname "$fileName")
mkdir -m 750 -p $dir
[ ! -z "$2" ] && chown $2.$2 $dir
mkdir -m 750 -p "$dir"
[ $# -ge 2 ] && chown $2.$2 "$dir"
length=2048
tmpfile=$(tempfile -m 0600 -d $dir -p .dh)
tmpfile=$(tempfile -m 0600 -d "$dir" -p .dh)
if [ ! -f "$tmpfile" ] ; then
exit 1
fi
[ -n "$verbose" ] && echo "Generating $fileName..."
if [ "$*" != "--verbose" ] && [ "$*" != "-v" ]; then
openssl dhparam -out $tmpfile 2048 > /dev/null 2>&1
if [ -z "$verbose" ] ; then
openssl dhparam -out "$tmpfile" 2048 > /dev/null 2>&1
else
openssl dhparam -out $tmpfile 2048
openssl dhparam -out "$tmpfile" 2048
fi
mv $tmpfile $dir/dhparams
mv "$tmpfile" "$fileName"
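Review bot: The exit status of the two `openssl dhparam` calls is never checked before `mv "$tmpfile" "$fileName"` replaces the existing parameters, and the non-verbose branch discards stderr as well, so a failed or interrupted generation can silently install an empty or truncated file over a good one; whether `set -e` applies depends on a shebang outside this hunk. Guarding the move, e.g. `openssl dhparam -out "$tmpfile" 2048 >/dev/null 2>&1 || exit 1` (and the same in the verbose branch), keeps the previous file in place and lets cron report the failure. The optional user is applied only to the directory (`chown $2.$2 "$dir"`), while the moved file keeps the root ownership and 0600 mode that tempfile gave it, so a service that reads it unprivileged — the xmpp cron in this commit passes `prosody` — would presumably need the file chowned too; worth confirming on a host. `length=2048` is assigned but both openssl calls still hardcode 2048, so either pass `"$length"` or drop the variable. `$2` is unquoted in the chown and uses the deprecated `user.group` form; `chown "$2:$2" "$dir"` is the portable spelling.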
......@@ -10,7 +10,7 @@ XS-Ruby-Versions: all
Package: symbiosis-email
Architecture: all
Pre-Depends: dpkg (>= 1.15.7.2)
Depends: symbiosis-common (>= 2015:1209), exim4-daemon-heavy (>= 4.84), dovecot-core (>= 1:2.2.0), dovecot-sieve, dovecot-managesieved, dovecot-imapd, dovecot-pop3d, adduser, make, clamav-daemon, clamav-freshclam, spamassassin, ruby, ruby-eventmachine (>= 1.0), ruby-cracklib, gnutls-bin, ssl-cert, ${misc:Depends}
Depends: symbiosis-common (>= 2017:0328), exim4-daemon-heavy (>= 4.84), dovecot-core (>= 1:2.2.0), dovecot-sieve, dovecot-managesieved, dovecot-imapd, dovecot-pop3d, adduser, make, clamav-daemon, clamav-freshclam, spamassassin, ruby, ruby-eventmachine (>= 1.0), ruby-cracklib, gnutls-bin, ssl-cert, ${misc:Depends}
Recommends: symbiosis-webmail, symbiosis-email-activesync
Replaces: bytemark-vhost-email, symbiosis-monit (<< 2011:1206), symbiosis-test
Breaks: symbiosis-monit (<< 2011:1206)
......
......@@ -14,6 +14,14 @@ if [ "$1" != "configure" ]; then
exit 0
fi
if [ ! -f /etc/ssl/private/dovecot-dhparams.pem ] ; then
#
# generate dhparams if they don't exist already
#
/etc/cron.weekly/symbiosis-email --verbose
fi
#
# Configure supplementary groups for clamav and freshclam
#
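Review bot: The guard `[ ! -f /etc/ssl/private/dovecot-dhparams.pem ]` only tests existence, so an empty or truncated file left behind by an interrupted earlier run is accepted and dovecot (and exim, which receives a copy of it from the cron script) would run without usable parameters until the next weekly run; `if [ ! -s /etc/ssl/private/dovecot-dhparams.pem ] ; then` is a cheap stronger check. The same `-f` guard is added in the ftpd and httpd postinst hunks of this commit. If the cron script fails here the postinst presumably fails with it (depends on a `set -e` outside this hunk), which seems intended but deserves a comment such as `# a failed generation aborts configure rather than leaving dovecot without DH parameters`.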
......
#!/bin/bash -eu
symbiosis-generate-dhparams /var/spool/exim4
verbose=""
if [ "$*" = "--verbose" ] || [ "$*" = "-v" ]; then
verbose="-v "
fi
symbiosis-generate-dhparams $verbose/etc/ssl/private/dovecot-dhparams.pem
for i in /var/spool/exim4/gnutls-params-[0-9]* ; do
rm -f "$i"
done
mv /var/spool/exim4/dhparams /var/spool/exim4/gnutls-params-2048
cp /etc/ssl/private/dovecot-dhparams.pem /var/spool/exim4/gnutls-params-2048 Debian-exim
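Review bot: As rendered, `cp /etc/ssl/private/dovecot-dhparams.pem /var/spool/exim4/gnutls-params-2048 Debian-exim` passes three operands, which makes cp treat `Debian-exim` as a destination directory and fail under `-eu`; if `Debian-exim` belongs to a following line the page has merged (a chown, say), ignore this, otherwise the trailing operand should go. The `verbose="-v "` / `$verbose/etc/...` construction relies on unquoted word splitting and a trailing space carried inside the value, which ShellCheck will flag; `${verbose:+-v}` or an array (`args=(-v)` then `"${args[@]}"`) expresses the same thing without depending on IFS. The same idiom is used in the ftpd, httpd and xmpp cron.weekly scripts in this commit. The `"$*" = "--verbose"` test only recognises the flag when it is the sole argument, which matches the postinst callers but is worth a one-line comment saying so.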
......@@ -3,4 +3,4 @@
# root.
ssl_cert =< /etc/ssl/ssl.combined
ssl_key =< /etc/ssl/ssl.combined
ssl_dh =< /etc/ssl/private/dovecot-dhparams.pem
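Review bot: `ssl_dh =< /etc/ssl/private/dovecot-dhparams.pem` is, as far as I recall, a Dovecot 2.3 setting (it replaced `ssl_dh_parameters_length`, which the other hunk removes), while the email control file in this commit still allows `dovecot-core (>= 1:2.2.0)`; on a 2.2.x install an unrecognised setting is a configuration error that keeps dovecot from starting, so the dependency floor and the target release should be confirmed before this ships. If the file is absent or empty when dovecot starts, TLS will be unavailable, so the postinst's existence check and the cron job are the only things standing between an upgrade and a mail service without DH parameters; a comment here naming the generating script (`# generated weekly by /etc/cron.weekly/symbiosis-email`) would help the next person debugging that.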
......@@ -12,8 +12,3 @@ ssl_protocols = !SSLv3
# Prefer our ciphers
#
ssl_prefer_server_ciphers = yes
#
# Regenerates every week
#
ssl_dh_parameters_length = 2048
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: symbiosis-ftpd
Architecture: all
Depends: pure-ftpd, ${misc:Depends}, symbiosis-common (>= 2015:1103), procps, ruby, symbiosis-common
Depends: pure-ftpd, ${misc:Depends}, symbiosis-common (>= 2017:0328), procps, ruby, symbiosis-common
Replaces: bytemark-vhost-ftpd, symbiosis-monit (<< 2011:1206), symbiosis-test
Breaks: symbiosis-monit (<< 2011:1206)
Conflicts: bytemark-vhost-ftpd, symbiosis-test
......
......@@ -10,6 +10,13 @@ if [ "$1" != "configure" ]; then
exit 0
fi
if [ ! -f /etc/ssl/private/pure-ftpd-dhparams.pem ] ; then
#
# generate dhparams if they don't exist already
#
/etc/cron.weekly/symbiosis-ftpd --verbose
fi
#
# Remove existing PAMAuthentication setup,
#
......@@ -67,7 +74,6 @@ if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
fi
fi
symbiosis-generate-dhparams /var/lib/symbiosis/ftpd
#DEBHELPER#
......
#!/bin/bash
#!/bin/bash -eu
symbiosis-generate-dhparams /var/lib/symbiosis/ftpd
verbose=""
if [ "$*" = "--verbose" ] || [ "$*" = "-v" ]; then
verbose="-v "
fi
symbiosis-generate-dhparams $verbose/etc/ssl/private/pure-ftpd-dhparams.pem
......@@ -14,7 +14,7 @@ TraceEnable Off
#
# Use our dhparams
#
SSLOpenSSLConfCmd DHParameters /var/lib/symbiosis/httpd/dhparams.pem
SSLOpenSSLConfCmd DHParameters /etc/ssl/private/apache2-dhparams.pem
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: symbiosis-httpd
Architecture: all
Depends: apache2, libapache2-mod-php7.0, webalizer, libapache2-mod-vhost-bytemark (>= 2015:0101), ${misc:Depends}, symbiosis-common (>= 2015:0101), ruby | ruby-interpreter, ruby-eventmachine
Depends: apache2, libapache2-mod-php7.0, webalizer, libapache2-mod-vhost-bytemark (>= 2015:0101), ${misc:Depends}, symbiosis-common (>= 2017:0328), ruby | ruby-interpreter, ruby-eventmachine
Recommends: php7.0-mysql | php7.0-mysqli | php7.0-mysqlnd, php7.0-curl, php7.0-imagick, php7.0-mcrypt, php7.0-mhash, php7.0-xmlrpc, php7.0-gd, geoip-database
Description: Tools to manage Apache virtual hosting in Symbiosis
This package contains tools to manage the virtual hosting of websites
......
#!/bin/bash
#!/bin/bash -eu
# regenerate dhparams for httpd
symbiosis-generate-dhparams /var/lib/symbiosis/httpd
verbose=""
if [ "$*" = "--verbose" ] || [ "$*" = "-v" ]; then
verbose="-v "
fi
symbiosis-generate-dhparams $verbose/etc/ssl/private/apache2-dhparams.pem
......@@ -17,6 +17,12 @@ if [ "$1" != "configure" ]; then
exit 0
fi
if [ ! -f /etc/ssl/private/apache2-dhparams.pem ] ; then
#
# generate dhparams if they don't exist already
#
/etc/cron.weekly/symbiosis-httpd --verbose
fi
#
# OK icky bit for wheezy->jessie upgrade
#
......@@ -61,7 +67,6 @@ if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then
done
fi
symbiosis-generate-dhparams /var/lib/symbiosis/httpd
#
# Reconfigure apache.
......
......@@ -9,7 +9,7 @@ XS-Ruby-Versions: all
Package: symbiosis-xmpp
Architecture: all
Depends: symbiosis-common (>= 2014:0113), symbiosis-email, prosody, prosody-mod-auth-dovecot, lua-sec, ruby | ruby-interpreter, ${misc:Depends}
Depends: symbiosis-common (>= 2017:0328), symbiosis-email, prosody, prosody-mod-auth-dovecot, lua-sec, ruby | ruby-interpreter, ${misc:Depends}
Recommends: symbiosis-monit
Description: Add XMPP (Jabber) support to Symbiosis
This package installs prosody and configures users based on existing
......
#!/bin/bash -eu
symbiosis-generate-dhparams /var/spool/prosody prosody
verbose=""
if [ "$*" = "--verbose" ] || [ "$*" = "-v" ]; then
verbose="-v "
fi
symbiosis-generate-dhparams $verbose/var/spool/prosody/dhparams prosody