Révision 7c4c77ee
Ajouté par jim-p il y a plus de 9 ans
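--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -830,6 +830,44 @@
 return $retval;
 }
 
+function system_webgui_create_certificate() {
+global $config, $g;
+
+if (!is_array($config['ca']))
+$config['ca'] = array();
+$a_ca =& $config['ca'];
+if (!is_array($config['cert']))
+$config['cert'] = array();
+$a_cert =& $config['cert'];
+log_error("Creating SSL Certificate for this host");
+
+$cert = array();
+$cert['refid'] = uniqid();
+$cert['descr'] = gettext("webConfigurator default");
+
+$dn = array(
+'countryName' => "US",
+'stateOrProvinceName' => "State",
+'localityName' => "Locality",
+'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
+'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
+'commonName' => $config['system']['hostname'] . '-' . uniqid());
+$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */
+if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){
+while($ssl_err = openssl_error_string()){
+log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err);
+}
+error_reporting($old_err_level);
+return null;
+}
+error_reporting($old_err_level);
+
+$a_cert[] = $cert;
+$config['system']['webgui']['ssl-certref'] = $cert['refid'];
+write_config(gettext("Importing HTTPS certificate"));
+return $cert;
+}
+
 function system_webgui_start() {
 global $config, $g;
 
@@ -852,36 +890,17 @@
 // Ensure that we have a webConfigurator CERT
 $cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
 if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
-if (!is_array($config['ca']))
-$config['ca'] = array();
-$a_ca =& $config['ca'];
-if (!is_array($config['cert']))
-$config['cert'] = array();
-$a_cert =& $config['cert'];
-log_error("Creating SSL Certificate for this host");
-$cert = array();
-$cert['refid'] = uniqid();
-$cert['descr'] = gettext("webConfigurator default");
-mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
-mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
-$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
-$key = file_get_contents("{$g['tmp_path']}/ssl.key");
-unlink("{$g['tmp_path']}/ssl.key");
-unlink("{$g['tmp_path']}/ssl.crt");
-cert_import($cert, $crt, $key);
-$a_cert[] = $cert;
-$config['system']['webgui']['ssl-certref'] = $cert['refid'];
-write_config(gettext("Importing HTTPS certificate"));
-if(!$config['system']['webgui']['port'])
-$portarg = "443";
-$ca = ca_chain($cert);
+$cert = system_webgui_create_certificate();
+$crt = $cert['crt'];
+$key = $cert['prv'];
 } else {
 $crt = base64_decode($cert['crt']);
 $key = base64_decode($cert['prv']);
-if(!$config['system']['webgui']['port'])
-$portarg = "443";
-$ca = ca_chain($cert);
 }
+
+if(!$config['system']['webgui']['port'])
+$portarg = "443";
+$ca = ca_chain($cert);
 }
 
 /* generate lighttpd configuration */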
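Review bot: At new lines 894–895 the freshly created certificate is consumed as `$crt = $cert['crt']; $key = $cert['prv'];` while the else branch at 897–898 runs the stored entry through base64_decode(); since system_webgui_create_certificate() appends that same `$cert` array to `$config['cert']` (new line 865), which lookup_cert() later returns, the two branches presumably cannot both be right, and if cert_create() stores the PEM base64-encoded the new branch hands encoded text to the lighttpd configuration. The new function also returns null when cert_create() fails (new line 861), and the caller at 893 indexes the result without checking for that. Both points are addressed by collapsing the branches: keep only `$cert = system_webgui_create_certificate();` inside the if, follow it with a guard such as `if (!is_array($cert)) { log_error("Unable to create or load the webConfigurator certificate"); return; }` (confirm what system_webgui_start's callers expect on failure; its body continues outside the hunk), and decode once for both paths with `$crt = base64_decode($cert['crt']); $key = base64_decode($cert['prv']);`. In the first hunk `$a_ca` (new line 838) is assigned but never used, so that reference and the `$config['ca']` initialisation above it can be dropped.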
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later.
Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.