diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-05-26 00:55:19 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:53:52 +0200 |
| commit | 64e8603cf9790aa4419d0f2746671bd242e6344d (patch) | |
| tree | a54c623bbe44f52c583bacf80848d3b9d4467abe /roles/common | |
| parent | 6b424a8f4155dea449b1dde746eae77bded63f7c (diff) | |
logjam mitigation.
Diffstat (limited to 'roles/common')
| -rwxr-xr-x | roles/common/files/usr/local/bin/gendhparam.sh | 13 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 4 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 12 |
3 files changed, 24 insertions, 5 deletions
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh new file mode 100755 index 0000000..074986b --- /dev/null +++ b/roles/common/files/usr/local/bin/gendhparam.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +set -ue +PATH=/usr/bin:/bin + +privkey="$1" +bits="${2:-2048}" +rand= + +mv -f "$(mktemp)" "$privkey" +chmod og-rwx "$privkey" + +openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey" diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index d6539e2..982c1d9 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -37,6 +37,7 @@ cn= usage= chmod= chown= +rand= usage() { cat >&2 <<- EOF @@ -123,7 +124,6 @@ while [ $# -gt 0 ]; do shift; done -rand=/dev/urandom case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. @@ -184,7 +184,7 @@ elif [ ! -s "$privkey" -o $force -ge 2 ]; then mv -f "$(mktemp)" "$privkey" || exit 2 chmod "${chmod:-og-rwx}" "$privkey" || exit 2 [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 - openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 + openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 3b3c0a5..4e85d0a 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -15,12 +15,18 @@ - include: smart.yml tags=smartmontools,smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags=haveged,entropy -- name: Copy genkeypair.sh - copy: src=usr/local/bin/genkeypair.sh - dest=/usr/local/bin/genkeypair.sh +- name: Copy genkeypair.sh and gendhparam.sh + copy: src=usr/local/bin/{{ item }} + dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey + with_items: + - genkeypair.sh + - gendhparam.sh +- name: Generate DH parameters + command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem + tags: genkey - include: logging.yml tags=logging - include: ntp.yml tags=ntp - include: mail.yml tags=mail,postfix |