Update OpenSSL certificates set up
Resolves: RHEL-113443
This commit is contained in:
parent
f9b03cbe85
commit
1094662e91
102
openwsman-2.7.2-ssl-certs-gen-changes.patch
Normal file
102
openwsman-2.7.2-ssl-certs-gen-changes.patch
Normal file
@ -0,0 +1,102 @@
|
||||
diff -up openwsman-2.7.2/etc/owsmangencert.sh.cmake.orig openwsman-2.7.2/etc/owsmangencert.sh.cmake
|
||||
--- openwsman-2.7.2/etc/owsmangencert.sh.cmake.orig 2022-12-28 16:43:03.000000000 +0100
|
||||
+++ openwsman-2.7.2/etc/owsmangencert.sh.cmake 2025-10-14 14:56:29.351109864 +0200
|
||||
@@ -1,10 +1,74 @@
|
||||
-#!/bin/sh
|
||||
-
|
||||
#!/bin/sh -e
|
||||
|
||||
CERTFILE=@WSMANCONF_DIR@/servercert.pem
|
||||
KEYFILE=@WSMANCONF_DIR@/serverkey.pem
|
||||
CNFFILE=@WSMANCONF_DIR@/ssleay.cnf
|
||||
+CAFILE=@WSMANCONF_DIR@/ca.crt
|
||||
+DAYS=365
|
||||
+
|
||||
+function create_ssl_cnf
|
||||
+{
|
||||
+ # Get minimum RSA key length at current security level
|
||||
+ # This workarounds openssl not enforcing min. key length enforced by current security level
|
||||
+ KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol | cut -d ' ' -f 3`
|
||||
+
|
||||
+ # Create OpenSSL configuration files for generating certificates
|
||||
+ echo "[ req ]" > $CNFFILE
|
||||
+ echo "default_bits = $KEYSIZE" >> $CNFFILE
|
||||
+ echo "default_keyfile = privkey.pem" >> $CNFFILE
|
||||
+ echo "distinguished_name = req_distinguished_name" >> $CNFFILE
|
||||
+
|
||||
+ echo "[ req_distinguished_name ]" >> $CNFFILE
|
||||
+ echo "countryName = Country Name (2 letter code)" >> $CNFFILE
|
||||
+ echo "countryName_default = GB" >> $CNFFILE
|
||||
+ echo "countryName_min = 2" >> $CNFFILE
|
||||
+ echo "countryName_max = 2" >> $CNFFILE
|
||||
+
|
||||
+ echo "stateOrProvinceName = State or Province Name (full name)" >> $CNFFILE
|
||||
+ echo "stateOrProvinceName_default = Some-State" >> $CNFFILE
|
||||
+
|
||||
+ echo "localityName = Locality Name (eg, city)" >> $CNFFILE
|
||||
+
|
||||
+ echo "organizationName = Organization Name (eg, company; recommended)" >> $CNFFILE
|
||||
+ echo "organizationName_max = 64" >> $CNFFILE
|
||||
+
|
||||
+ echo "organizationalUnitName = Organizational Unit Name (eg, section)" >> $CNFFILE
|
||||
+ echo "organizationalUnitName_max = 64" >> $CNFFILE
|
||||
+
|
||||
+ echo "commonName = server name (eg. ssl.domain.tld; required!!!)" >> $CNFFILE
|
||||
+ echo "commonName_max = 80" >> $CNFFILE
|
||||
+
|
||||
+ echo "emailAddress = Email Address" >> $CNFFILE
|
||||
+ echo "emailAddress_max = 85" >> $CNFFILE
|
||||
+}
|
||||
+
|
||||
+function selfsign_sscg()
|
||||
+{
|
||||
+ sscg --quiet \
|
||||
+ --lifetime "${DAYS}" \
|
||||
+ --cert-key-file "${KEYFILE}" \
|
||||
+ --cert-file "${CERTFILE}" \
|
||||
+ --ca-file "${CAFILE}"
|
||||
+}
|
||||
+
|
||||
+function selfsign_openssl()
|
||||
+{
|
||||
+
|
||||
+ echo
|
||||
+ echo creating selfsigned certificate
|
||||
+ echo "replace it with one signed by a certification authority (CA)"
|
||||
+ echo
|
||||
+ echo enter your ServerName at the Common Name prompt
|
||||
+ echo
|
||||
+
|
||||
+ # use special .cnf, because with normal one no valid selfsigned
|
||||
+ # certificate is created
|
||||
+
|
||||
+ openssl req -days $DAYS $@ -config $CNFFILE \
|
||||
+ -new -x509 -nodes -out $CERTFILE \
|
||||
+ -keyout $KEYFILE
|
||||
+ chmod 600 $KEYFILE
|
||||
+}
|
||||
|
||||
if [ "$1" != "--force" -a -f $KEYFILE ]; then
|
||||
echo "$KEYFILE exists! Use \"$0 --force.\""
|
||||
@@ -15,18 +79,7 @@ if [ "$1" = "--force" ]; then
|
||||
shift
|
||||
fi
|
||||
|
||||
-echo
|
||||
-echo creating selfsigned certificate
|
||||
-echo "replace it with one signed by a certification authority (CA)"
|
||||
-echo
|
||||
-echo enter your ServerName at the Common Name prompt
|
||||
-echo
|
||||
-
|
||||
-# use special .cnf, because with normal one no valid selfsigned
|
||||
-# certificate is created
|
||||
-
|
||||
-openssl req -days 365 $@ -config $CNFFILE \
|
||||
- -new -x509 -nodes -out $CERTFILE \
|
||||
- -keyout $KEYFILE
|
||||
-chmod 600 $KEYFILE
|
||||
+create_ssl_cnf
|
||||
|
||||
+# If sscg fails, try openssl
|
||||
+selfsign_sscg || selfsign_openssl
|
||||
@ -25,7 +25,7 @@
|
||||
|
||||
Name: openwsman
|
||||
Version: 2.7.2
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Summary: Open source Implementation of WS-Management
|
||||
|
||||
License: BSD-3-Clause AND MIT
|
||||
@ -51,6 +51,7 @@ Patch4: openwsman-2.6.5-http-status-line.patch
|
||||
Patch5: openwsman-2.6.8-update-ssleay-conf.patch
|
||||
Patch6: openwsman-2.7.2-fix-ftbfs.patch
|
||||
Patch7: openwsman-2.7.2-post-quantum.patch
|
||||
Patch8: openwsman-2.7.2-ssl-certs-gen-changes.patch
|
||||
BuildRequires: make
|
||||
BuildRequires: swig
|
||||
BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
|
||||
@ -409,6 +410,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 14 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.2-11
|
||||
- Update OpenSSL certificates set up
|
||||
Resolves: RHEL-113443
|
||||
|
||||
* Mon Jul 14 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.7.2-10
|
||||
- Support added for post-quantum cryptography
|
||||
Resolves: RHEL-93091
|
||||
|
||||
Loading…
Reference in New Issue
Block a user