rpms/dnssec-trigger
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f43
rpms:main
rpms:f42
rpms:f40
rpms:f41
rpms:epel9
rpms:f38
rpms:f39
rpms:f37
rpms:f36
rpms:f35
rpms:f33
rpms:f34
rpms:f31
rpms:f32
rpms:f30
rpms:f29
rpms:f26
rpms:f27
rpms:f28
rpms:f25
rpms:f24
rpms:f22
rpms:f23
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f16
rpms:f17
rpms:el6
..
compare: rpms:f39
Branches Tags
rpms:f43
rpms:main
rpms:rawhide
rpms:f42
rpms:f40
rpms:f41
rpms:epel9
rpms:f38
rpms:f39
rpms:f37
rpms:f36
rpms:f35
rpms:f33
rpms:f34
rpms:f31
rpms:f32
rpms:f30
rpms:f29
rpms:f26
rpms:f27
rpms:f28
rpms:f25
rpms:f24
rpms:f22
rpms:f23
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f16
rpms:f17
rpms:el6

No commits in common. "rawhide" and "f39" have entirely different histories.
rawhide ... f39

3 changed files with 0 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

34
dnssec-trigger-0.17-openssl-3.2.patch
View file

@ -1,34 +0,0 @@
From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 10 Sep 2024 16:22:07 +0200
Subject: [PATCH] Mark explicitly server cert with CA flag
Since OpenSSL 3.2 it did not connect from control to server cert. Create
server with indication is it CA.
Also use clientAuth trust for CA cert. That allows control cert to be
used for client authentication.
---
dnssec-trigger-control-setup.sh.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
index 7cc305a..eede665 100644
--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
@@ -200,9 +200,9 @@ EOF
test -f request.cfg || error "could not create request.cfg"
echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+# create trusted usage pem for CA, what are signed certs allowed to do?
+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
# create client request and sign it, piped
cat >request.cfg <<EOF
--
2.46.0

59
dnssec-trigger-0.17-server-recipe.patch
View file

@ -1,59 +0,0 @@
From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 20 Nov 2024 16:58:48 +0100
Subject: [PATCH] Add recipe for adding own server
Until someone adds nice support for using just CA bundle and server
name, allow specification by fingerprint obtained manually. Do not rely
only on server provided by upstream.
---
dnssec.conf | 4 ++--
example.conf.in | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/dnssec.conf b/dnssec.conf
index bf896d3..4726ca1 100644
--- a/dnssec.conf
+++ b/dnssec.conf
@@ -38,7 +38,7 @@
#
# - See also security notes on the `add_wifi_provided_zones` option.
#
-# validate_connection_provided_zones=yes
+# validate_connection_provided_zones=no
#
# - Connection provided zones will be configured in Unbound as secure forward
# zones, validated using DNSSEC.
@@ -63,7 +63,7 @@
# Turning this option off has security implications, See the security
# notice above.
#
-validate_connection_provided_zones=yes
+validate_connection_provided_zones=no
# add_wifi_provided_zones:
# ------------------------
diff --git a/example.conf.in b/example.conf.in
index dafd35d..f7e8a54 100644
--- a/example.conf.in
+++ b/example.conf.in
@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+# How to add your own record:
+# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
+# Append returned sha256 Fingerprint after ssl443: IP-address section.
+
# Use VPN servers for all traffic
# use-vpn-forwarders: no
@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
# Add domains provided by VPN connections into Unbound forward zones
# add-wifi-provided-zones: no
-
--
2.47.0

3
dnssec-trigger.spec
View file

@ -33,9 +33,6 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
Patch5: dnssec-trigger-configure-c99.patch
# https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
Patch6: dnssec-trigger-0.17-allowed-characters.patch
Patch7: dnssec-trigger-0.17-openssl-3.2.patch
# https://github.com/NLnetLabs/dnssec-trigger/pull/15
Patch8: dnssec-trigger-0.17-server-recipe.patch
# to obsolete the version in which the panel was in main package
Obsoletes: %{name} < 0.12-22