improved ssl-check
replaced default cipher with "aes" (just for testing)
parent
3da483ffec
commit
49a5f739a5
4 changed files with 22 additions and 11 deletions
|
@ -302,6 +302,7 @@ function get_available_disks()
|
|||
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
|
||||
done
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
|
@ -365,6 +366,7 @@ function umount_crypto()
|
|||
function box_purge()
|
||||
# removing just the first bytes from the harddisk should be enough
|
||||
# every harddisk will be overriden!
|
||||
# this feature is only useful for validation
|
||||
{
|
||||
# TODO: not ALL harddisks, please!
|
||||
get_available_disks | while read a
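Review bot: box_purge still loops over every device that get_available_disks reports, and the only safeguard in the visible lines is commentary ("only useful for validation", "TODO: not ALL harddisks, please!"). A routine that overwrites disk contents should refuse to run unless an explicit validation switch is set, and should preferably take the target device as an argument instead of walking the whole list. Until then, make the header comment unmistakable, e.g. `# WARNING: overwrites the start of EVERY detected disk - validation builds only`. The body of box_purge continues outside the hunk, so an existing guard further down cannot be ruled out.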
|
||||
|
|
|
@ -138,9 +138,10 @@ case "$ACTION" in
|
|||
fi
|
||||
# just in case, that there is no ext2/3 filesystem:
|
||||
# set uid option (will fail silently for ext2/3)
|
||||
mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
# TODO: there is no FILE_USER setting anymore - do we still need it?
|
||||
#mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
# adapt top-level permission to current setup - again: may fail silently
|
||||
chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
#chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
true
|
||||
;;
|
||||
umount )
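Review bot: The remount and the chown are disabled by commenting them out, which leaves two dead commands in the branch and leaves ownership of `$MNT_PARENT/$name` at whatever the filesystem carries. If FILE_USER is really gone, delete both lines and replace the TODO with a comment that states the intended ownership, for example `# ownership of the mount point is left as stored in the filesystem`. If the setting may come back, keep the call behind a guard such as `[ -n "$FILE_USER" ] && chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true`. The start of this case branch is outside the hunk.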
|
||||
|
|
|
@ -18,6 +18,7 @@ use CGI;
|
|||
use ClearSilver;
|
||||
use ConfigFile;
|
||||
use English;
|
||||
use CGI::Carp;
|
||||
|
||||
# drop privileges
|
||||
$UID = $EUID;
|
||||
|
@ -209,11 +210,14 @@ sub log_msg
|
|||
|
||||
sub check_ssl
|
||||
{
|
||||
# BEWARE: dirty trick - is there a better way?
|
||||
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
|
||||
# its own IP (localhost, of course)
|
||||
# TODO: this does not work with a native ssl webserver
|
||||
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
|
||||
# check, if we are behind a proxy with ssl (e.g. pound)
|
||||
return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
|
||||
# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
|
||||
return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
|
||||
# port 80 -> not encrypted
|
||||
return (0==1) if ($ENV{'SERVER_PORT'} = 80);
|
||||
# other ports -> maybe ok - we accept it
|
||||
return (0==0);
|
||||
}
|
||||
|
||||
|
||||
|
@ -240,7 +244,7 @@ sub exec_cb_script {
|
|||
} else {
|
||||
# parent
|
||||
@result = <PROG_OUT>;
|
||||
close PROG_OUT or warn "error while running $CB_SCRIPT: $?";
|
||||
close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
|
||||
}
|
||||
if (wantarray) {
|
||||
return @result;
|
||||
|
@ -413,7 +417,10 @@ my $current_admin_pw;
|
|||
# first: check for ssl!
|
||||
if ( ! &check_ssl()) {
|
||||
$pagedata->setValue('Data.Error', 'NoSSL');
|
||||
$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'});
|
||||
# remove port number from HTTP_HOST
|
||||
my $hostname = $ENV{'HTTP_HOST'};
|
||||
$hostname =~ s/:[0-9]*//;
|
||||
$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
|
||||
$pagedata->setValue('Data.Redirect.Delay', "3");
|
||||
} elsif ($query->param('action')) {
|
||||
my $action = $query->param('action');
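Review bot: In check_ssl the port test `if ($ENV{'SERVER_PORT'} = 80)` is an assignment, not a comparison. It is always true and overwrites SERVER_PORT, so any request without HTTPS or HTTP_FRONT_END_HTTPS set is reported as unencrypted, and the final `return (0==0)` can never run. The line should read `return (0==1) if ($ENV{'SERVER_PORT'} == 80);`. Once that is fixed the function accepts any other port as encrypted. It also trusts HTTP_FRONT_END_HTTPS, which the web server builds from a request header, so it only proves SSL if the CGI is reachable solely through a proxy that overwrites that header. A comment in check_ssl should state that assumption. The `=~` tests will also warn when the variables are undefined; `($ENV{'HTTPS'} // '') =~ m/^on$/i` avoids that where the Perl version allows it.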
|
||||
|
|
|
@ -25,8 +25,9 @@ LOG_FILE=/var/log/cryptobox.log
|
|||
CONFIG_MARKER=cryptobox.marker
|
||||
|
||||
# crypto settings
|
||||
# there is no default hash, as this is ignored by luks
|
||||
DEFAULT_CIPHER=aes-cbc-essiv:sha256
|
||||
# TODO: for now, the usual default cipher does not work on ARM, so we enable it during development
|
||||
#DEFAULT_CIPHER=aes-cbc-essiv:sha256
|
||||
DEFAULT_CIPHER=aes
|
||||
DEV_MAPPER_DIR=/dev/mapper
|
||||
|
||||
# distribution specific configuration
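Review bot: `DEFAULT_CIPHER=aes` drops the explicit `cbc-essiv:sha256` mode from the shipped default, so the mode and IV scheme are now whatever cryptsetup picks for a bare cipher name. That is commonly CBC with plain sector-number IVs, which is weaker against watermarking than ESSIV. Any volume created while this default is active keeps that cipher in its header, so a "just for testing" value can outlive development. Prefer keeping the strong default and overriding it only on the affected platform or in a development-only config. If it has to stay for now, mark it so it cannot be missed, e.g. `# FIXME: revert to aes-cbc-essiv:sha256 before any release - bare "aes" loses ESSIV`.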
|
||||
|
|