improved ssl-check

replaced default cipher with "aes" (just for testing)
lars 2006-05-17 12:39:32 +00:00
parent 3da483ffec
commit 49a5f739a5
4 changed files with 22 additions and 11 deletions


@ -302,6 +302,7 @@ function get_available_disks()
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
done
done
return 0
}
@ -365,6 +366,7 @@ function umount_crypto()
function box_purge()
# removing just the first bytes from the harddisk should be enough
# every harddisk will be overriden!
# this feature is only useful for validation
{
# TODO: not ALL harddisks, please!
get_available_disks | while read a


@ -138,9 +138,10 @@ case "$ACTION" in
fi
# just in case, that there is no ext2/3 filesystem:
# set uid option (will fail silently for ext2/3)
mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
# TODO: there is no FILE_USER setting anymore - do we still need it?
#mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
# adapt top-level permission to current setup - again: may fail silently
chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
#chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
true
;;
umount )
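Review bot: The two explanatory comments ("set uid option…" and "adapt top-level permission…") now sit above commented-out commands, so the mount branch no longer sets any ownership on `$MNT_PARENT/$name`, and nothing records which account is meant to access the mounted data instead. If FILE_USER really is gone, I would delete the dead `#mount`/`#chown` lines and their comments rather than keep them, and replace the TODO with a statement of the intended owner, e.g. `# ownership of the mount point is left as stored in the filesystem; access is granted via <mechanism>`. For filesystems without Unix ownership the removed `uid=` remount was presumably the only thing granting non-root access, so that case is worth checking before the lines are dropped. The enclosing `case` branch starts outside the hunk.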


@ -18,6 +18,7 @@ use CGI;
use ClearSilver;
use ConfigFile;
use English;
use CGI::Carp;
# drop privileges
$UID = $EUID;
@ -209,11 +210,14 @@ sub log_msg
sub check_ssl
{
# BEWARE: dirty trick - is there a better way?
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
# its own IP (localhost, of course)
# TODO: this does not work with a native ssl webserver
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
# check, if we are behind a proxy with ssl (e.g. pound)
return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
# port 80 -> not encrypted
return (0==1) if ($ENV{'SERVER_PORT'} = 80);
# other ports -> maybe ok - we accept it
return (0==0);
}
@ -240,7 +244,7 @@ sub exec_cb_script {
} else {
# parent
@result = <PROG_OUT>;
close PROG_OUT or warn "error while running $CB_SCRIPT: $?";
close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
}
if (wantarray) {
return @result;
@ -413,7 +417,10 @@ my $current_admin_pw;
# first: check for ssl!
if ( ! &check_ssl()) {
$pagedata->setValue('Data.Error', 'NoSSL');
$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'});
# remove port number from HTTP_HOST
my $hostname = $ENV{'HTTP_HOST'};
$hostname =~ s/:[0-9]*//;
$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
$pagedata->setValue('Data.Redirect.Delay', "3");
} elsif ($query->param('action')) {
my $action = $query->param('action');
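Review bot: In check_ssl the port test `($ENV{'SERVER_PORT'} = 80)` is an assignment, so it is always true: the function returns false whenever neither HTTPS variable is "on", the final `return (0==0)` is unreachable, and SERVER_PORT is overwritten for the rest of the request. It should read `return (0==1) if ($ENV{'SERVER_PORT'} == 80);`. Separately, HTTP_FRONT_END_HTTPS is derived from a request header, so that check is only meaningful when the front-end proxy sets or strips the header itself and the CGI cannot be reached without passing through it; a comment such as `# only trustworthy if the proxy overwrites Front-End-Https` above the line would record that assumption. Both matches would also be safer as `($ENV{'HTTPS'} || '') =~ m/^on$/i`, so an unset variable does not produce a warning if warnings are enabled. In the redirect hunk further down, the URL is still built from the client-supplied Host header and the port strip is unanchored; `s/:[0-9]+\z//` plus a check of `$hostname` against the configured name would be tighter.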


@ -25,8 +25,9 @@ LOG_FILE=/var/log/cryptobox.log
CONFIG_MARKER=cryptobox.marker
# crypto settings
# there is no default hash, as this is ignored by luks
DEFAULT_CIPHER=aes-cbc-essiv:sha256
# TODO: for now, the usual default cipher does not work on ARM, so we enable it during development
#DEFAULT_CIPHER=aes-cbc-essiv:sha256
DEFAULT_CIPHER=aes
DEV_MAPPER_DIR=/dev/mapper
# distribution specific configuration
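Review bot: `DEFAULT_CIPHER=aes` gives up the ESSIV IV generator that the previous `aes-cbc-essiv:sha256` value selected; as far as I know dm-crypt resolves a bare cipher name to CBC with plain sector-number IVs, which are predictable and were the reason ESSIV was introduced. Containers created while this default is active will presumably keep that cipher in their header, so reverting the config later does not fix them. I would make the TODO say so, e.g. `# TODO(security): temporary ARM workaround - bare "aes" loses essiv; revert before release and recreate test containers`, or keep the strong default here and override it only in the ARM development configuration.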