Compare commits
7 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
559a9eaee1 | ||
|
|
6a978fe44e | ||
|
0c89edf730 | ||
|
|
b0889c46e9 | ||
|
|
52d732d58d | ||
|
|
848c0c938a | ||
|
|
752566b521 |
3 changed files with 96 additions and 0 deletions
34
dnssec-trigger-0.17-openssl-3.2.patch
Normal file
34
dnssec-trigger-0.17-openssl-3.2.patch
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 10 Sep 2024 16:22:07 +0200
|
||||
Subject: [PATCH] Mark explicitly server cert with CA flag
|
||||
|
||||
Since OpenSSL 3.2 it did not connect from control to server cert. Create
|
||||
server with indication is it CA.
|
||||
|
||||
Also use clientAuth trust for CA cert. That allows control cert to be
|
||||
used for client authentication.
|
||||
---
|
||||
dnssec-trigger-control-setup.sh.in | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
|
||||
index 7cc305a..eede665 100644
|
||||
--- a/dnssec-trigger-control-setup.sh.in
|
||||
+++ b/dnssec-trigger-control-setup.sh.in
|
||||
@@ -200,9 +200,9 @@ EOF
|
||||
test -f request.cfg || error "could not create request.cfg"
|
||||
|
||||
echo "create $SVR_BASE.pem (self signed certificate)"
|
||||
-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
|
||||
-# create trusted usage pem
|
||||
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
|
||||
+openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
|
||||
+# create trusted usage pem for CA, what are signed certs allowed to do?
|
||||
+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
|
||||
|
||||
# create client request and sign it, piped
|
||||
cat >request.cfg <<EOF
|
||||
--
|
||||
2.46.0
|
||||
|
||||
59
dnssec-trigger-0.17-server-recipe.patch
Normal file
59
dnssec-trigger-0.17-server-recipe.patch
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Wed, 20 Nov 2024 16:58:48 +0100
|
||||
Subject: [PATCH] Add recipe for adding own server
|
||||
|
||||
Until someone adds nice support for using just CA bundle and server
|
||||
name, allow specification by fingerprint obtained manually. Do not rely
|
||||
only on server provided by upstream.
|
||||
---
|
||||
dnssec.conf | 4 ++--
|
||||
example.conf.in | 6 +++++-
|
||||
2 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dnssec.conf b/dnssec.conf
|
||||
index bf896d3..4726ca1 100644
|
||||
--- a/dnssec.conf
|
||||
+++ b/dnssec.conf
|
||||
@@ -38,7 +38,7 @@
|
||||
#
|
||||
# - See also security notes on the `add_wifi_provided_zones` option.
|
||||
#
|
||||
-# validate_connection_provided_zones=yes
|
||||
+# validate_connection_provided_zones=no
|
||||
#
|
||||
# - Connection provided zones will be configured in Unbound as secure forward
|
||||
# zones, validated using DNSSEC.
|
||||
@@ -63,7 +63,7 @@
|
||||
# Turning this option off has security implications, See the security
|
||||
# notice above.
|
||||
#
|
||||
-validate_connection_provided_zones=yes
|
||||
+validate_connection_provided_zones=no
|
||||
|
||||
# add_wifi_provided_zones:
|
||||
# ------------------------
|
||||
diff --git a/example.conf.in b/example.conf.in
|
||||
index dafd35d..f7e8a54 100644
|
||||
--- a/example.conf.in
|
||||
+++ b/example.conf.in
|
||||
@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
|
||||
ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
|
||||
ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
|
||||
|
||||
+# How to add your own record:
|
||||
+# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
|
||||
+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
|
||||
+# Append returned sha256 Fingerprint after ssl443: IP-address section.
|
||||
+
|
||||
# Use VPN servers for all traffic
|
||||
# use-vpn-forwarders: no
|
||||
|
||||
@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
|
||||
|
||||
# Add domains provided by VPN connections into Unbound forward zones
|
||||
# add-wifi-provided-zones: no
|
||||
-
|
||||
--
|
||||
2.47.0
|
||||
|
||||
|
|
@ -33,6 +33,9 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
|
|||
Patch5: dnssec-trigger-configure-c99.patch
|
||||
# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
|
||||
Patch6: dnssec-trigger-0.17-allowed-characters.patch
|
||||
Patch7: dnssec-trigger-0.17-openssl-3.2.patch
|
||||
# https://github.com/NLnetLabs/dnssec-trigger/pull/15
|
||||
Patch8: dnssec-trigger-0.17-server-recipe.patch
|
||||
|
||||
# to obsolete the version in which the panel was in main package
|
||||
Obsoletes: %{name} < 0.12-22
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue