Merge branch 'openssl-11' into next

Michael Tremer
2018-02-21 12:21:10 +00:00
32 changed files with 9613 additions and 472 deletions


@@ -0,0 +1,90 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater #
# #
# Description: This script checks the "Next Update:" field of the CRL #
# and renews it if needed, which prevents the expiration of OpenVPNs CRL. #
# With OpenVPN 2.4.x the CRL handling has been refactored, #
# whereby the verification logic has been removed #
# from ssl_verify_<backend>.c . #
# #
# Run Information: If OpenVPNs CRL is present, #
# this script provides a cronjob which checks daily if an update #
# of the CRL is needed. If the expiring date reaches the value #
# (defined in the 'UPDATE' variable in days) before the CRL expiration, #
# an openssl command will be executed to renew the CRL. #
# Script execution will be logged into /var/log/messages. #
# #
###############################################################################
## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
if [ ! -e "${CAKEY}" ]; then
exit 0;
fi
## Values
# Actual time in epoch format
NOW="$(date +%s)"
# Investigate CRLs 'Next Update' date
EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
# Convert 'Next Update:' date from epoch to seconds
EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
# Seconds left until CRL expires
EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
# Day in seconds to calculate
DAYINSEC="86400"
# Convert seconds to days
NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
# Update of the CRL in days before CRL expiring date
UPDATE="14"
## Mainpart
# Check if OpenVPNs CRL needs to be renewed
if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
logger -t openvpn "CRL has been updated"
else
logger -t openvpn "error: Could not update CRL"
fi
fi
exit 0
# EOF
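Review bot: A failed renewal is reported no differently from a successful run: the `else` branch only calls `logger -t openvpn "error: Could not update CRL"` at the default priority, and the script then falls through to the unconditional `exit 0`, so fcron and anything watching the job's exit status never see the failure. Since the header says this job exists to keep the OpenVPN CRL from expiring, a silent failure here probably ends with client connections being rejected once the CRL lapses. I would log at an error priority and return non-zero from that branch, e.g. `logger -t openvpn -p daemon.err "error: Could not update CRL"` followed by `exit 1`. Separately, the comment above the first `if` says it checks whether the CRL is present, but the test is on `${CAKEY}`; either test `${CRL}` as well or reword the comment to match.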


@@ -1,3 +1,4 @@
etc/rc.d/init.d/cyrus-sasl
#usr/include/sasl
#usr/include/sasl/hmac-md5.h
#usr/include/sasl/md5.h
@@ -24,10 +25,6 @@ usr/lib/sasl2/libcrammd5.so.3.0.0
usr/lib/sasl2/libdigestmd5.so
usr/lib/sasl2/libdigestmd5.so.3
usr/lib/sasl2/libdigestmd5.so.3.0.0
#usr/lib/sasl2/libotp.la
usr/lib/sasl2/libotp.so
usr/lib/sasl2/libotp.so.3
usr/lib/sasl2/libotp.so.3.0.0
#usr/lib/sasl2/libplain.la
usr/lib/sasl2/libplain.so
usr/lib/sasl2/libplain.so.3
@@ -94,4 +91,3 @@ usr/sbin/testsaslauthd
#usr/share/man/man8/sasldblistusers2.8
#usr/share/man/man8/saslpasswd2.8
var/lib/sasl
etc/rc.d/init.d/cyrus-sasl


@@ -1 +1 @@
usr/lib/sse2/libcrypto.so.10
usr/lib/sse2/libcrypto.so.1.1

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,2 @@
usr/lib/libcrypto.so.10
usr/lib/libssl.so.10


@@ -1,3 +1,5 @@
etc/fcron.daily/openvpn-crl-updater
#usr/include/openvpn-msg.h
#usr/include/openvpn-plugin.h
#usr/lib/openvpn
#usr/lib/openvpn/plugins
@@ -10,11 +12,12 @@ usr/sbin/openvpn
#usr/share/doc/openvpn
#usr/share/doc/openvpn/COPYING
#usr/share/doc/openvpn/COPYRIGHT.GPL
#usr/share/doc/openvpn/Changes.rst
#usr/share/doc/openvpn/README
#usr/share/doc/openvpn/README.IPv6
#usr/share/doc/openvpn/README.auth-pam
#usr/share/doc/openvpn/README.down-root
#usr/share/doc/openvpn/README.polarssl
#usr/share/doc/openvpn/README.mbedtls
#usr/share/doc/openvpn/management-notes.txt
#usr/share/man/man8/openvpn.8
var/ipfire/ovpn/ca


@@ -0,0 +1,3 @@
#usr/lib/python2.7/site-packages/typing-3.6.1-py2.7.egg-info
#usr/lib/python2.7/site-packages/typing.py
#usr/lib/python2.7/site-packages/typing.pyc


@@ -82,12 +82,12 @@ usr/lib/libk5crypto.so.3
usr/lib/libk5crypto.so.3.1
#usr/lib/libkadm5clnt.so
#usr/lib/libkadm5clnt_mit.so
usr/lib/libkadm5clnt_mit.so.10
usr/lib/libkadm5clnt_mit.so.10.0
usr/lib/libkadm5clnt_mit.so.11
usr/lib/libkadm5clnt_mit.so.11.0
#usr/lib/libkadm5srv.so
#usr/lib/libkadm5srv_mit.so
usr/lib/libkadm5srv_mit.so.10
usr/lib/libkadm5srv_mit.so.10.0
usr/lib/libkadm5srv_mit.so.11
usr/lib/libkadm5srv_mit.so.11.0
#usr/lib/libkdb5.so
usr/lib/libkdb5.so.8
usr/lib/libkdb5.so.8.0