Preston_PLB/freeswitch
1
0
Fork 0
forked from Mirrors/freeswitch
Code Pull Requests Activity
3c4a8d33f5
freeswitch/scripts/gentls_cert.in
Sebastian Kemper 70d1cbafe4 [gentls_cert] Update message digest 
Debian Buster updated /etc/ssl/openssl.cnf to default to

MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

gentls_cert currently uses SHA1 as message digest. According to OpenSSL
documentation this only offers 80 bit of security. 80 bits is enough for
security level 1, but not 2.

The OpenSSL default MD nowadays is SHA256. This commit updates
gentls_cert to use it.

Issue was reported on the FS mailing list. The certificates created by
gentls_cert caused "md too weak" errors and clients were unable to
connect.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2019-11-13 20:40:42 +01:00

244 lines
4.8 KiB
Bash
Raw Blame History

#!/bin/sh
CONFDIR=@certsdir@
DAYS=2190
KEY_SIZE=2048
export KEY_SIZE=${KEY_SIZE}
TMPFILE="/tmp/fs-ca-$$-$(date +%Y%m%d%H%M%S)"
COMMON_NAME="FreeSWITCH CA"
ALT_NAME="DNS:test.freeswitch.org"
ORG_NAME="FreeSWITCH"
OUTFILE="agent.pem"
umask 037
check_ca() {
for x in cacert.pem cakey.pem config.tpl; do
if [ ! -e "${CONFDIR}/CA/${x}" ]; then
return 1
fi
done
return 0
}
setup_ca() {
if check_ca; then
echo "Existing CA found in \"${CONFDIR}/CA\""
echo "(Use \"gentls_cert remove\" to delete)"
exit 1
fi
echo "Creating new CA..."
if [ ! -d "${CONFDIR}/CA" ]; then
mkdir -p -m 750 "${CONFDIR}/CA" || exit 1
fi
if [ -e "${CONFDIR}/CA/config.tpl" ]; then
if [ $0 -nt "${CONFDIR}/CA/config.tpl" ]; then
echo "WARNING! genttls_cert has a modified time more recent than ${CONFDIR}/CA/config.tpl remove config.tpl to re-generate it"
fi
else
cat > "${CONFDIR}/CA/config.tpl" <<-EOF
[ req ]
default_bits = \$ENV::KEY_SIZE
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = %CN%
organizationName = %ORG%
[ server ]
nsComment="FS Server Cert"
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=%ALTNAME%
nsCertType=server
extendedKeyUsage=serverAuth
[ client ]
nsComment="FS Client Cert"
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName=%ALTNAME%
nsCertType=client
extendedKeyUsage=clientAuth
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=CA:TRUE
EOF
fi
sed \
-e "s|%CN%|$COMMON_NAME|" \
-e "s|%ORG%|$ORG_NAME|" \
-e "/%ALTNAME%/d" \
-e "s|CA:FALSE|CA:TRUE|" \
"${CONFDIR}/CA/config.tpl" \
> "${TMPFILE}.cfg" || exit 1
openssl req -out "${CONFDIR}/CA/cacert.pem" \
-new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
-config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1
cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
cp $TMPFILE.cfg /tmp/ssl.cfg
rm "${TMPFILE}.cfg"
echo "DONE"
}
generate_cert() {
local val=""
if ! check_ca; then
echo "No existing CA found, please create one with \"gentls_cert setup\" first"
exit 1
fi
echo "Generating new certificate..."
echo
echo "--------------------------------------------------------"
echo "CN: \"${COMMON_NAME}\""
echo "ORG_NAME: \"${ORG_NAME}\""
echo "ALT_NAME: \"${ALT_NAME}\""
echo
echo "Certificate filename \"${OUTFILE}\""
echo
echo "[Is this OK? (y/N)]"
read val
if [ "${val}" != "y" ] && [ "${val}" != "Y" ]; then
echo "Aborted"
return 2
fi
sed \
-e "s|%CN%|$COMMON_NAME|" \
-e "s|%ALTNAME%|$ALT_NAME|" \
-e "s|%ORG%|$ORG_NAME|" \
"${CONFDIR}/CA/config.tpl" \
> "${TMPFILE}.cfg" || exit 1
openssl req -new -out "${TMPFILE}.req" \
-newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
-config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
-extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1
cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"
rm "${TMPFILE}.cfg" "${TMPFILE}.crt" "${TMPFILE}.key" "${TMPFILE}.req"
echo "DONE"
}
remove_ca() {
echo "Removing CA"
if [ -d "${CONFDIR}/CA" ]; then
rm "${CONFDIR}/CA/"*
rmdir "${CONFDIR}/CA"
fi
echo "DONE"
}
OUTFILESET="0"
command="$1"
shift
while [ $# -gt 0 ]; do
case $1 in
-cn)
shift
COMMON_NAME="$1"
;;
-alt)
shift
ALT_NAME="$1"
;;
-org)
shift
ORG_NAME="$1"
;;
-out)
shift
OUTFILE="$1"
OUTFILESET="1"
;;
-days)
shift
DAYS="$1"
;;
esac
shift
done
case ${command} in
setup)
setup_ca
;;
create)
EXTENSIONS="server"
generate_cert
;;
create_server)
EXTENSIONS="server"
generate_cert
;;
create_client)
EXTENSIONS="client"
if [ "${OUTFILESET}" = "0" ]; then
OUTFILE="client.pem"
fi
generate_cert
;;
remove)
echo "Are you sure you want to delete the CA? [YES to delete]"
read val
if [ "${val}" = "YES" ]; then
remove_ca
else
echo "Not deleting CA"
fi
;;
*)
cat <<-EOF
$0 <setup|create_server|create_client|clean> [options]
* commands:
setup - Setup new CA
remove - Remove CA
create_server - Create new certificate (overwriting existing!)
create_client - Create a new client certificate (overwrites existing!)
* options:
-cn Set common name
-alt Set alternative name (use prefix 'DNS:' or 'URI:')
-org Set organization name
-out Filename for new certificate (create only)
-days Certificate expires in X days (default: 365)
EOF
exit 1
;;
esac
View Git Blame Copy Permalink