improved ssl-check
replaced default cipher with "aes" (just for testing)
parent
3da483ffec
commit
49a5f739a5
|
@ -302,6 +302,7 @@ function get_available_disks()
|
||||||
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
|
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -365,6 +366,7 @@ function umount_crypto()
|
||||||
function box_purge()
|
function box_purge()
|
||||||
# removing just the first bytes from the harddisk should be enough
|
# removing just the first bytes from the harddisk should be enough
|
||||||
# every harddisk will be overriden!
|
# every harddisk will be overriden!
|
||||||
|
# this feature is only useful for validation
|
||||||
{
|
{
|
||||||
# TODO: not ALL harddisks, please!
|
# TODO: not ALL harddisks, please!
|
||||||
get_available_disks | while read a
|
get_available_disks | while read a
|
||||||
|
|
|
@ -138,9 +138,10 @@ case "$ACTION" in
|
||||||
fi
|
fi
|
||||||
# just in case, that there is no ext2/3 filesystem:
|
# just in case, that there is no ext2/3 filesystem:
|
||||||
# set uid option (will fail silently for ext2/3)
|
# set uid option (will fail silently for ext2/3)
|
||||||
mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
# TODO: there is no FILE_USER setting anymore - do we still need it?
|
||||||
|
#mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||||
# adapt top-level permission to current setup - again: may fail silently
|
# adapt top-level permission to current setup - again: may fail silently
|
||||||
chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
#chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||||
true
|
true
|
||||||
;;
|
;;
|
||||||
umount )
|
umount )
|
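Review bot: Commenting out the `mount -o remount,uid="$FILE_USER"` and `chown "$FILE_USER"` lines leaves two comments ("set uid option", "adapt top-level permission") describing steps that no longer run. The freshly mounted volume now keeps whatever ownership and mode the filesystem or the mount defaults give it. This is presumably the directory holding the decrypted data, so the intended owner should be stated rather than left implicit. If `FILE_USER` is really gone, delete the dead lines and replace the TODO with something like `# ownership of "$MNT_PARENT/$name" is left to the filesystem - the file server user must be able to access it`. The enclosing `case` branch starts outside the hunk, so whether permissions are set elsewhere cannot be confirmed from here.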
||||||
|
|
|
@ -18,6 +18,7 @@ use CGI;
|
||||||
use ClearSilver;
|
use ClearSilver;
|
||||||
use ConfigFile;
|
use ConfigFile;
|
||||||
use English;
|
use English;
|
||||||
|
use CGI::Carp;
|
||||||
|
|
||||||
# drop privileges
|
# drop privileges
|
||||||
$UID = $EUID;
|
$UID = $EUID;
|
||||||
|
@ -209,11 +210,14 @@ sub log_msg
|
||||||
|
|
||||||
sub check_ssl
|
sub check_ssl
|
||||||
{
|
{
|
||||||
# BEWARE: dirty trick - is there a better way?
|
# check, if we are behind a proxy with ssl (e.g. pound)
|
||||||
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
|
return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
|
||||||
# its own IP (localhost, of course)
|
# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
|
||||||
# TODO: this does not work with a native ssl webserver
|
return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
|
||||||
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
|
# port 80 -> not encrypted
|
||||||
|
return (0==1) if ($ENV{'SERVER_PORT'} = 80);
|
||||||
|
# other ports -> maybe ok - we accept it
|
||||||
|
return (0==0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -240,7 +244,7 @@ sub exec_cb_script {
|
||||||
} else {
|
} else {
|
||||||
# parent
|
# parent
|
||||||
@result = <PROG_OUT>;
|
@result = <PROG_OUT>;
|
||||||
close PROG_OUT or warn "error while running $CB_SCRIPT: $?";
|
close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
|
||||||
}
|
}
|
||||||
if (wantarray) {
|
if (wantarray) {
|
||||||
return @result;
|
return @result;
|
||||||
|
@ -413,7 +417,10 @@ my $current_admin_pw;
|
||||||
# first: check for ssl!
|
# first: check for ssl!
|
||||||
if ( ! &check_ssl()) {
|
if ( ! &check_ssl()) {
|
||||||
$pagedata->setValue('Data.Error', 'NoSSL');
|
$pagedata->setValue('Data.Error', 'NoSSL');
|
||||||
$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'});
|
# remove port number from HTTP_HOST
|
||||||
|
my $hostname = $ENV{'HTTP_HOST'};
|
||||||
|
$hostname =~ s/:[0-9]*//;
|
||||||
|
$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
|
||||||
$pagedata->setValue('Data.Redirect.Delay', "3");
|
$pagedata->setValue('Data.Redirect.Delay', "3");
|
||||||
} elsif ($query->param('action')) {
|
} elsif ($query->param('action')) {
|
||||||
my $action = $query->param('action');
|
my $action = $query->param('action');
|
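Review bot: In check_ssl, `return (0==1) if ($ENV{'SERVER_PORT'} = 80);` assigns instead of comparing, so the condition is always true: any request without one of the two HTTPS indicators is rejected regardless of port, `SERVER_PORT` is overwritten, and the final `return (0==0);` is never reached. It should read `return (0==1) if ($ENV{'SERVER_PORT'} == 80);`. Separately, `HTTP_FRONT_END_HTTPS` comes from a request header, so a client that reaches the CGI without passing through the proxy can supply it over plain HTTP. Honour it only when the request demonstrably comes from the proxy (for example by also checking `REMOTE_ADDR`, as the removed code did for 127.0.0.1), and have the proxy overwrite the header. Once the comparison is fixed, the fall-through treats every port other than 80 as encrypted, which fails open; returning false by default would be the safer choice.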
||||||
|
|
|
@ -25,8 +25,9 @@ LOG_FILE=/var/log/cryptobox.log
|
||||||
CONFIG_MARKER=cryptobox.marker
|
CONFIG_MARKER=cryptobox.marker
|
||||||
|
|
||||||
# crypto settings
|
# crypto settings
|
||||||
# there is no default hash, as this is ignored by luks
|
# TODO: for now, the usual default cipher does not work on ARM, so we enable it during development
|
||||||
DEFAULT_CIPHER=aes-cbc-essiv:sha256
|
#DEFAULT_CIPHER=aes-cbc-essiv:sha256
|
||||||
|
DEFAULT_CIPHER=aes
|
||||||
DEV_MAPPER_DIR=/dev/mapper
|
DEV_MAPPER_DIR=/dev/mapper
|
||||||
|
|
||||||
# distribution specific configuration
|
# distribution specific configuration
|
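Review bot: `DEFAULT_CIPHER=aes` drops the explicit mode and IV generator that `aes-cbc-essiv:sha256` specified, leaving the mode to the tool's default. As far as I know, dm-crypt/cryptsetup reads a bare `aes` as `aes-cbc-plain`, whose sector-number IVs are predictable — the weakness ESSIV exists to avoid — but this should be confirmed against the cryptsetup version in use. LUKS records the cipher in the volume header, so any container formatted while this setting is active keeps the weaker mode after the default is restored. The TODO should say so explicitly, e.g. `# WARNING: development-only override for ARM - volumes created with it must be re-created; restore aes-cbc-essiv:sha256 before release`. Ideally the override would live in a development-only configuration rather than the shipped default.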
||||||
|
|