diff --git a/Config b/Config
index b0ab1887c..a8ba37d5e 100755
--- a/Config
+++ b/Config
@@ -188,7 +188,7 @@ if [ "$QUICK" != "1" ] ; then
 echo "*******************************************************************************"
 echo "Press ENTER to continue"
 read cc
- $MAKE pem
+ ./unrealircd makecert
 echo "Certificate created successfully."
 sleep 1
 else
diff --git a/Makefile.in b/Makefile.in
index 25083ef0b..5316f0b18 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -224,6 +224,7 @@ install: all
 fi
 $(INSTALL) -m 0700 -d $(DESTDIR)@CONFDIR@/tls
 $(INSTALL) -m 0600 doc/conf/tls/curl-ca-bundle.crt $(DESTDIR)@CONFDIR@/tls
+ $(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls
 @# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades:
 rm -rf $(DESTDIR)@MODULESDIR@/cap
 $(INSTALL) -m 0700 -d $(DESTDIR)@MODULESDIR@/third
@@ -234,11 +235,6 @@ install: all
 $(INSTALL) -m 0700 -d $(DESTDIR)@CACHEDIR@
 $(INSTALL) -m 0700 -d $(DESTDIR)@PERMDATADIR@
 $(INSTALL) -m 0700 -d $(DESTDIR)@LOGDIR@
- -@if [ ! -f "$(DESTDIR)@CONFDIR@/tls/server.cert.pem" ] ; then \
- $(INSTALL) -m 0600 server.req.pem $(DESTDIR)@CONFDIR@/tls ; \
- $(INSTALL) -m 0600 server.key.pem $(DESTDIR)@CONFDIR@/tls ; \
- $(INSTALL) -m 0600 server.cert.pem $(DESTDIR)@CONFDIR@/tls ; \
- fi
 @rm -f $(DESTDIR)@SCRIPTDIR@/source
 ln -s @BUILDDIR@ $(DESTDIR)@SCRIPTDIR@/source
 @echo ''
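Review bot: The exit status of `./unrealircd makecert` is not checked, so the following line prints "Certificate created successfully." even when makecert exits 1 (it does so on a missing tls.cnf, a declined overwrite prompt, or an openssl failure). Suggest `./unrealircd makecert || exit 1`, or if Config should keep going, at least guard the success message with `&&`. Whether Config runs under `set -e` is not visible in this hunk; if it does, the first form is what already happens. The enclosing `if [ "$QUICK" != "1" ]` block continues outside the hunk.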
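Review bot: `$(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls` overwrites the installed template on every `make install`, and since `./unrealircd makecert` now reads `$CONFDIR/tls/tls.cnf` first, any local edits to the DN defaults are silently replaced the next time a certificate is generated. The `fi` at the top of the hunk suggests the files above it are installed conditionally; if that is the pattern for admin-editable files, guard this line the same way, e.g. `[ -f $(DESTDIR)@CONFDIR@/tls/tls.cnf ] || $(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls`. If the template is meant to be project-owned like curl-ca-bundle.crt, a recipe comment `@# tls.cnf is replaced on upgrade; do not edit it in place` would make that explicit. The `install` recipe continues outside the hunk.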
@@ -268,19 +264,9 @@ install: all
 echo 'Again, be sure to change to the @SCRIPTDIR@ directory!' ; \
 fi

-pem: extras/tls.cnf
- @echo "Generating server key..."
- $(OPENSSLPATH) ecparam -out server.key.pem -name secp384r1 -genkey
- @echo "Generating certificate request..."
- $(OPENSSLPATH) req -new \
- -config extras/tls.cnf -sha256 -out server.req.pem \
- -key server.key.pem -nodes
- @echo "Generating self-signed certificate..."
- $(OPENSSLPATH) req -x509 -days 3650 -sha256 -nodes -in server.req.pem \
- -key server.key.pem -out server.cert.pem
- @echo "Setting permissions on server.*.pem files..."
- chmod o-rwx server.req.pem server.key.pem server.cert.pem
- chmod g-rwx server.req.pem server.key.pem server.cert.pem
+pem:
+ @echo "The command 'make pem' is no longer used to generate the TLS certificate."
+ @echo "Please run './unrealircd makecert' instead."

 Makefile: config.status Makefile.in
 ./config.status
diff --git a/extras/tls.cnf b/doc/conf/tls/tls.cnf
similarity index 92%
rename from extras/tls.cnf
rename to doc/conf/tls/tls.cnf
index 46a961159..d768febe8 100644
--- a/extras/tls.cnf
+++ b/doc/conf/tls/tls.cnf
@@ -4,7 +4,6 @@
 # Note: RSA bits is ignored, as we use ECC now
 default_bits = 2048
 distinguished_name = req_dn
-x509_extensions = cert_type

 [ req_dn ]
 countryName = Country Name
@@ -26,6 +25,3 @@ organizationalUnitName_default = IRCd
 0.commonName = Common Name (Full domain of your server)
 1.commonName_value = localhost

-[ cert_type ]
-nsCertType = server
-
diff --git a/src/tls.c b/src/tls.c
index a6812900d..6d409c338 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -358,7 +358,7 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
 {
 unreal_log(ULOG_ERROR, "config", "TLS_LOAD_FAILED_DEFAULT_CERT", NULL,
 "It seems the default certificate is missing. "
- "Run 'make pem && make install' in the UnrealIRCd source directory "
+ "Run './unrealircd makecert' "
 "to generate a self-signed cert.");
 }
 goto fail;
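Review bot: The new `pem:` stub exits 0 after printing its message, so an existing `make pem && make install` invocation (the sequence the old tls.c messages told admins to run) continues straight into `make install` with no certificate generated and the notice scrolled off screen. Ending the recipe with `@false` makes the deprecation stop the chain. Since the target now produces no file it should also be listed in `.PHONY` if it is not already (the `.PHONY` line is not visible in this diff). Separately, with the conditional pem install removed in the earlier Makefile.in hunk, a `DESTDIR` staged install no longer contains any certificate at all; packagers will need to run makecert post-install, which is worth a line in the install notes.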
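Review bot: With `x509_extensions = cert_type` dropped and no replacement section, the extensions in the self-signed certificate produced by `openssl req -new -x509 -config tls.cnf` are now whatever the installed OpenSSL release adds by default, which differs between versions, rather than being fixed by the project. Removing the legacy `nsCertType = server` is fine, but keeping the `x509_extensions` line and replacing the `[ cert_type ]` body (removed in the next hunk) with explicit end-entity extensions (`basicConstraints = CA:FALSE`, `keyUsage = digitalSignature`, `extendedKeyUsage = serverAuth`) pins that across OpenSSL versions. A `subjectAltName` matching the commonName would also help, since many clients no longer fall back to CN for hostname matching.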
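Review bot: The new message `"Run './unrealircd makecert' "` drops the location the old text gave ("in the UnrealIRCd source directory"), and `./unrealircd` only resolves when the admin's cwd happens to be the install directory; the same applies to the hunk at line 457, which also drops the `(eg: ~/unrealircd-6.X.Y/)` hint. Suggest naming the directory, e.g. `"Run './unrealircd makecert' from your UnrealIRCd installation directory "`, or expanding the script's install path if a macro for it is available in this file (none is visible in the hunk). init_ctx starts and ends outside the hunk.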
@@ -457,8 +457,8 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
 {
 unreal_log(ULOG_ERROR, "config", "TLS_CERTIFICATE_CHECK_FAILED", NULL,
 "There is a problem with your TLS certificate: $quality_check_error\n"
- "If you use the standard UnrealIRCd certificates then you can simply run 'make pem' and 'make install' "
- "from your UnrealIRCd source directory (eg: ~/unrealircd-6.X.Y/) to create and install new certificates",
+ "If you use the standard UnrealIRCd certificates then you can simply run './unrealircd makecert' "
+ "to create and install new certificates",
 log_data_string("quality_check_error", errstr));
 goto fail;
 }
diff --git a/src/windows/makecert.bat b/src/windows/makecert.bat
index 572626267..64ff6ca18 100755
--- a/src/windows/makecert.bat
+++ b/src/windows/makecert.bat
@@ -1,6 +1,5 @@
 @title Certificate Generation
 SET OPENSSL_CONF=tls.cnf
 openssl ecparam -out ../conf/tls/server.key.pem -name secp384r1 -genkey
-openssl req -new -config tls.cnf -out ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -nodes
-openssl req -x509 -config tls.cnf -days 3650 -sha256 -in ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -out ../conf/tls/server.cert.pem
+openssl req -new -x509 -config tls.cnf -key ../conf/tls/server.key.pem -days 3650 -sha256 -out ../conf/tls/server.cert.pem
diff --git a/src/windows/unrealinst.iss b/src/windows/unrealinst.iss
index 3b3e38ab2..a941220ee 100755
--- a/src/windows/unrealinst.iss
+++ b/src/windows/unrealinst.iss
@@ -50,7 +50,7 @@ Source: "unrealsvc.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 ; TLS certificate generation helpers
 Source: "src\windows\makecert.bat"; DestDir: "{app}\bin"; Flags: ignoreversion
-Source: "extras\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion
+Source: "doc\conf\tls\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion
 ; UnrealIRCd modules
 Source: "src\modules\*.dll"; DestDir: "{app}\modules"; Flags: ignoreversion signonce
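Review bot: Neither openssl call in this batch file checks its exit status, so when `openssl ecparam` fails the new `req -new -x509` line still runs against a missing or empty server.key.pem, unlike the shell makecert in this same commit, which appends `|| exit 1` to each step. Add `if errorlevel 1 exit /b 1` after each openssl line. Since `SET OPENSSL_CONF=tls.cnf` is retained, `-config tls.cnf` on the new line is redundant but harmless; keeping only one of the two avoids them drifting apart later.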
diff --git a/unrealircd.in b/unrealircd.in
index 76b1e54dd..32ec8cd6d 100644
--- a/unrealircd.in
+++ b/unrealircd.in
@@ -11,12 +11,13 @@ TMPDIR="@TMPDIR@"
 SCRIPTDIR="@SCRIPTDIR@"
 MODULESDIR="@MODULESDIR@"
 DOCDIR="@DOCDIR@"
+OPENSSLPATH="@OPENSSLPATH@"

 # When built with --with-asan, ASan does not dump core by default because
 # older gcc/clang might dump a 16TB core file. We explicitly enable it here.
 export ASAN_OPTIONS="abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1:log_path=$TMPDIR/unrealircd_asan:detect_leaks=0"

-if [ ! -f $IRCD ]; then
+if [ "$1" != "makecert" ] && [ ! -f $IRCD ]; then
 echo "ERROR: Could not find the IRCd binary ($IRCD)"
 echo "This could mean two things:"
 echo "1) You forgot to run 'make install' after running 'make'"
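Review bot: The rewritten condition `if [ "$1" != "makecert" ] && [ ! -f $IRCD ]; then` quotes `$1` but still leaves `$IRCD` unquoted, so an install path containing whitespace makes `[` fail with a syntax error instead of performing the intended check; use `[ ! -f "$IRCD" ]`. The new `OPENSSLPATH="@OPENSSLPATH@"` is later executed as `"$OPENSSLPATH"`; if configure can leave that substitution empty, makecert fails with an unhelpful "command not found", and a guard such as `[ -n "$OPENSSLPATH" ] || OPENSSLPATH=openssl` next to this assignment would cover it (whether configure guarantees a value is not visible here). The `if` block continues outside the hunk.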
@@ -268,6 +269,78 @@ __EOF__
 echo "Thanks!"
 elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
 $UNREALIRCDCTL $*
+elif [ "$1" = "makecert" ] ; then
+ TLSDIR="$CONFDIR/tls"
+ KEY="$TLSDIR/server.key.pem"
+ CERT="$TLSDIR/server.cert.pem"
+
+ # Locate the OpenSSL configuration template. After 'make install' it
+ # lives in the TLS directory. During initial setup (./Config), before
+ # 'make install' has run, we use the copy in the source directory.
+ if [ -f "$TLSDIR/tls.cnf" ]; then
+ CNF="$TLSDIR/tls.cnf"
+ elif [ -f "$BUILDDIR/doc/conf/tls/tls.cnf" ]; then
+ CNF="$BUILDDIR/doc/conf/tls/tls.cnf"
+ else
+ echo "ERROR: Could not find the OpenSSL template tls.cnf"
+ echo "(Neither $TLSDIR/tls.cnf nor $BUILDDIR/doc/conf/tls/tls.cnf exists)"
+ exit 1
+ fi
+
+ if [ ! -d "$TLSDIR" ]; then
+ mkdir -p "$TLSDIR" || exit 1
+ chmod 0700 "$TLSDIR"
+ fi
+
+ REPLACED=0
+ if [ -f "$CERT" ] || [ -f "$KEY" ]; then
+ echo "This command will replace your existing server certificate and key."
+ echo "(in $TLSDIR)"
+ echo -n "Do you wish to proceed? [Y|N] "
+ read answer
+ case "$answer" in
+ [Yy]*)
+ ;;
+ *)
+ echo "Aborted."
+ exit 1
+ ;;
+ esac
+ REPLACED=1
+ fi
+
+ # Keep a backup of the previous certificate and key, so it can be
+ # restored if the newly generated one turns out to be unsuitable.
+ if [ "$REPLACED" = 1 ]; then
+ for f in "$KEY" "$CERT"; do
+ if [ -f "$f" ]; then
+ cp -p "$f" "$f.old"
+ fi
+ done
+ fi
+
+ # Make sure the private key is not briefly world/group readable while
+ # it is being generated.
+ umask 077
+
+ echo "Generating server key..."
+ "$OPENSSLPATH" ecparam -out "$KEY" -name secp384r1 -genkey || exit 1
+ echo "Generating self-signed certificate..."
+ "$OPENSSLPATH" req -new -x509 -key "$KEY" -config "$CNF" -days 3650 -sha256 -out "$CERT" || exit 1
+
+ echo "Setting permissions on server.*.pem files..."
+ chmod o-rwx "$KEY" "$CERT"
+ chmod g-rwx "$KEY" "$CERT"
+
+ echo ""
+ echo "A new self-signed certificate and key have been generated in $TLSDIR"
+ if [ "$REPLACED" = 1 ]; then
+ echo "Your previous certificate and key were backed up with a .old suffix."
+ fi
+ echo "Note: the SPKI fingerprint has changed. If other servers link to you and"
+ echo " verify a fingerprint, you need to update the link { } block on their side."
+ echo "If UnrealIRCd is currently running, load the new certificate with:"
+ echo " $0 reloadtls"
 elif [ "$1" = "hot-patch" -o "$1" = "cold-patch" ] ; then
 if [ ! -d "$BUILDDIR" ]; then
 echo "UnrealIRCd source not found. Sorry, it is not possible to patch."
@@ -434,6 +507,7 @@ else
 echo "unrealircd stop Stop (kill) the IRC Server"
 echo "unrealircd rehash Reload the configuration file"
 echo "unrealircd reloadtls Reload the SSL/TLS certificates"
+ echo "unrealircd makecert Create or replace the self-signed TLS certificate"
 echo "unrealircd restart Restart the IRC Server (stop+start)"
 echo "unrealircd status Show current status of the IRC Server"
 echo "unrealircd module-status Show all currently loaded modules"
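Review bot: `umask 077` only governs newly created files, so when server.key.pem already exists `"$OPENSSLPATH" ecparam -out "$KEY"` truncates it in place and writes the new private key under whatever mode the old file had; the comment above `umask 077` promises otherwise, and the `chmod o-rwx`/`chmod g-rwx` lines only tighten it after the key material is already on disk. The key is also overwritten before the certificate is generated, so a failure in the `req` step (or an interrupt) leaves a fresh key beside the old certificate, which a later `reloadtls` would reject. Generating both into `.new` files and moving them over the originals only once both steps succeeded fixes both problems; the `.old` backups taken earlier with `cp -p` keep their original mode and are unaffected. `echo -n` is also not portable across /bin/sh implementations — `printf '%s' "Do you wish to proceed? [Y|N] "` avoids that unless the script is bash-only (the shebang is outside the hunk).
```sh
	# Generate into fresh files: umask only applies to newly created files,
	# so an existing server.key.pem must not be truncated in place, and the
	# key/cert pair must be swapped in together or not at all.
	umask 077
	rm -f "$KEY.new" "$CERT.new"

	echo "Generating server key..."
	"$OPENSSLPATH" ecparam -out "$KEY.new" -name secp384r1 -genkey || exit 1
	echo "Generating self-signed certificate..."
	"$OPENSSLPATH" req -new -x509 -key "$KEY.new" -config "$CNF" -days 3650 -sha256 -out "$CERT.new" || exit 1

	echo "Setting permissions on server.*.pem files..."
	chmod go-rwx "$KEY.new" "$CERT.new"
	mv -f "$KEY.new" "$KEY" && mv -f "$CERT.new" "$CERT" || exit 1
	# … unchanged: completion messages …
```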