Otherwise it just takes too long on the beaglebone

преди 9 години · caf1f53dd2
--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@@ -1650,7 +1650,7 @@ openssl req \
 
				   -keyout /etc/ssl/private/$HOSTNAME.key \
			
 
				   -out /etc/ssl/certs/$HOSTNAME.crt
			
 
				 
			
 
				-openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
			
 
				+openssl dhparam -check -text -dsaparam 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
			
 
				 
			
 
				 chmod 400 /etc/ssl/private/$HOSTNAME.key
			
 
				 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
			
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -218,7 +218,7 @@ fi
 
				 # generate DH params
			
 
				 if [ ! $NODH ]; then
			
 
				 	if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
			
 
				-		openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
			
 
				+		openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
			
 
				 		chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
			
 
				 	fi
			
 
				 fi
			
--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -763,11 +763,6 @@ function interactive_configuration {
 
				         esac
			
 
				         if [[ $INSTALLING_ON_BBB == "yes" ]]; then
			
 
				             USB_DRIVE=/dev/sda1
			
 
				-            # here a short diffie-hellman key length is used, because otherwise creation of keys
			
 
				-            # becomes impractically long on the beaglebone. It is known (as of 2015) that
			
 
				-            # 1024bit DH may be breakable, so this is really a tradeoff between security and the
			
 
				-            # available hardware
			
 
				-            DH_KEYLENGTH=1024
			
 
				         fi
			
 
				         save_configuration_file
			
 
				     fi
			
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -351,18 +351,18 @@ function regenerate_dh_keys {
 
				       dialog --backtitle "Freedombone Security Configuration" \
			
 
				              --title "Diffie-Hellman key length" \
			
 
				              --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
			
 
				-             1 "1024 bits (WARNING: this may be insecure)" off \
			
 
				-             2 "2048 bits" on \
			
 
				-             3 "3072 bits" off 2> $data
			
 
				+             1 "2048 bits" off \
			
 
				+             2 "3072 bits" on \
			
 
				+             3 "4096 bits" off 2> $data
			
 
				       sel=$?
			
 
				       case $sel in
			
 
				           1) exit 1;;
			
 
				           255) exit 1;;
			
 
				       esac
			
 
				       case $(cat $data) in
			
 
				-          1) DH_KEYLENGTH=1024;;
			
 
				-          2) DH_KEYLENGTH=2048;;
			
 
				-          3) DH_KEYLENGTH=3072;;
			
 
				+          1) DH_KEYLENGTH=2048;;
			
 
				+          2) DH_KEYLENGTH=3072;;
			
 
				+          3) DH_KEYLENGTH=4096;;
			
 
				       esac
			
 
				 
			
 
				       ctr=0
			
@@ -371,7 +371,7 @@ function regenerate_dh_keys {
 
				           if [[ -f $file ]]; then
			
 
				               filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
			
 
				               if [ -f $filename ]; then
			
 
				-                  openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
			
 
				+                  openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
			
 
				                   ctr=$((ctr + 1))
			
 
				               fi
			
 
				           fi