
Commit 5c3c1ba

committed
Release 2.6-7.7.5 - See CHANGELOG.md
1 parent 88bf04a commit 5c3c1ba


6 files changed

+56
-29
lines changed


CHANGELOG.md

Lines changed: 9 additions & 0 deletions
@@ -1,3 +1,12 @@
1+
## 2.6-7.7.5 2025-08-13 <dave at tiredofit dot ca>
2+
3+
### Added
4+
- Add TLS_ENABLE_DH_PARAM environment variable
5+
6+
### Changed
7+
- Change TLS Cipher Suites to HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL
8+
9+
110
## 2.6-7.7.4 2025-08-12 <dave at tiredofit dot ca>
211

312
### Added

README.md

Lines changed: 1 addition & 0 deletions
@@ -227,6 +227,7 @@ If you already have a check_password.conf or ppm.conf in /etc/openldap/ the foll
227227
| `TLS_CREATE_CA` | Automatically create CA when generating certificates | `TRUE` |
228228
| `TLS_CRT_FILENAME` | TLS cert filename | `cert.pem` |
229229
| `TLS_CRT_PATH` | TLS cert path | `/certs/` |
230+
| `TLS_ENABLE_DH_PARAM` | Enable DH Param Functionality | `TRUE` |
230231
| `TLS_DH_PARAM_FILENAME` | DH Param filename | `dhparam.pem` |
231232
| `TLS_DH_PARAM_KEYSIZE` | Keysize for DH Param | `2048` |
232233
| `TLS_DH_PARAM_PATH` | DH Param path | `/certs/` |

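--- a/install/assets/defaults/10-openldap
+++ b/install/assets/defaults/10-openldap
@@ -52,13 +52,14 @@ TLS_CA_CRT_SUBJECT=${TLS_CA_CRT_SUBJECT:-"${TLS_CA_SUBJECT}${TLS_CA_NAME}"}
 TLS_CA_CRT_FILENAME=${TLS_CA_CRT_FILENAME:-"${TLS_CA_NAME}.crt"}
 TLS_CA_KEY_FILENAME=${TLS_CA_KEY_FILENAME:-"${TLS_CA_NAME}.key"}
 TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH:-"/certs/${TLS_CA_NAME}/"}
-TLS_CIPHER_SUITE=${TLS_CIPHER_SUITE:-"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA"}
+TLS_CIPHER_SUITE=${TLS_CIPHER_SUITE:-"HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL"}
 TLS_CREATE_CA=${TLS_CREATE_CA:-"TRUE"}
 TLS_CRT_FILENAME=${TLS_CRT_FILENAME:-"cert.pem"}
 TLS_CRT_PATH=${TLS_CRT_PATH:-"/certs/"}
 TLS_DH_PARAM_FILENAME=${TLS_DH_PARAM_FILENAME:-"dhparam.pem"}
 TLS_DH_PARAM_KEYSIZE=${TLS_DH_PARAM_KEYSIZE:-2048}
 TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH:-"/certs/"}
+TLS_ENABLE_DH_PARAM=${TLS_ENABLE_DH_PARAM:-"TRUE"}
 TLS_ENFORCE=${TLS_ENFORCE:-"FALSE"}
 TLS_KEY_FILENAME=${TLS_KEY_FILENAME:-"key.pem"}
 TLS_KEY_PATH=${TLS_KEY_PATH:-"/certs/"}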
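Review bot: The new `TLS_CIPHER_SUITE` default `HIGH:!aNULL:!MD5:!3DES:!RC4:!DES:!eNULL` (new line 55) filters by strength only, so static RSA key exchange stays eligible and a client can end up on a session without forward secrecy, whereas the replaced list ranked ECDH/DH suites first. If slapd in this image links against OpenSSL, appending `:!kRSA` keeps the HIGH filter while requiring an ephemeral key exchange; if it links against GnuTLS the priority-string syntax differs and this default would need translating, which I cannot tell from the hunk. The README and CHANGELOG entries for this change should state which TLS library the string targets so operators overriding it know the syntax to use.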

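--- a/install/assets/functions/10-openldap
+++ b/install/assets/functions/10-openldap
@@ -118,16 +118,24 @@ EOF
 }
 
 certificates_check_dhparam() {
-print_debug "Certificates: DH Param - Checking existence of '${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}'"
-if [ ! -f "${TLS_DH_PARAM_PATH}"/"${TLS_DH_PARAM_FILENAME}" ]; then
-certificates_create_dhparam
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+print_debug "Certificates: DH Param - Checking existence of '${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}'"
+if [ ! -f "${TLS_DH_PARAM_PATH}"/"${TLS_DH_PARAM_FILENAME}" ]; then
+certificates_create_dhparam
+fi
+else
+print_debug "Certificates: DH Param - Skipping creation/check (TLS_ENABLE_DH_PARAM is not true)"
 fi
 }
 
 certificates_create_dhparam() {
-print_notice "Certificates: DH Param - Creating '${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}'"
-mkdir -p "${TLS_DH_PARAM_PATH}"
-silent openssl dhparam -out "${TLS_DH_PARAM_PATH}"/"${TLS_DH_PARAM_FILENAME}" "${TLS_DH_PARAM_KEYSIZE}"
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+print_notice "Certificates: DH Param - Creating '${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}'"
+mkdir -p "${TLS_DH_PARAM_PATH}"
+silent openssl dhparam -out "${TLS_DH_PARAM_PATH}"/"${TLS_DH_PARAM_FILENAME}" "${TLS_DH_PARAM_KEYSIZE}"
+else
+print_debug "Certificates: DH Param - Skipping creation (TLS_ENABLE_DH_PARAM is not true)"
+fi
 }
 
 certificates_trust_ca() {
@@ -144,14 +152,17 @@ EOF
 
 case "$1" in
 "DHPARAM" | "dhparam")
-if var_true "${ENABLE_TLS}"; then
+if var_true "${ENABLE_TLS}" && var_true "${TLS_ENABLE_DH_PARAM}"; then
 certificates_check_dhparam
 fi
 ;;
 *)
 if var_true "${ENABLE_TLS}"; then
 certificates_check_certificates "${1}"
 certificates_trust_ca
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+certificates_check_dhparam
+fi
 fi
 ;;
 esac
@@ -366,7 +377,9 @@ EOF
 certificates "${TLS_CRT_PATH}"/"${TLS_CRT_FILENAME}"
 
 # Create DHParamFile if not found
-certificates dhparam
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+certificates dhparam
+fi
 
 if var_true "${TLS_RESET_PERMISSIONS}"; then
 chown ldap:ldap "${PREVIOUS_TLS_CRT_PATH}" "${PREVIOUS_TLS_KEY_PATH}" "${PREVIOUS_TLS_CA_CRT_PATH}" "${PREVIOUS_TLS_DH_PARAM_PATH}" || true
@@ -507,25 +520,34 @@ EOF
 chown -R ldap:ldap /assets/slapd || true
 
 # Adapt TLS ldif
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+TLS_DH_PARAM_LDIF_ENABLE="-\nreplace: olcTLSDHParamFile\nolcTLSDHParamFile: ${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}\n-"
+else
+TLS_DH_PARAM_LDIF_ENABLE=""
+fi
+# Always attempt to delete olcTLSDHParamFile on disable
+TLS_DH_PARAM_LDIF_DISABLE="-\ndelete: olcTLSDHParamFile\n-"
 update_template /assets/slapd/config/tls/tls-enable.ldif \
-TLS_CA_CRT_PATH \
-TLS_CA_CRT_FILENAME \
-TLS_CRT_PATH \
-TLS_CRT_FILENAME \
-TLS_KEY_PATH \
-TLS_KEY_FILENAME \
-TLS_DH_PARAM_PATH \
-TLS_DH_PARAM_FILENAME \
-TLS_CIPHER_SUITE \
-TLS_VERIFY_CLIENT
-
+TLS_CA_CRT_PATH \
+TLS_CA_CRT_FILENAME \
+TLS_CRT_PATH \
+TLS_CRT_FILENAME \
+TLS_KEY_PATH \
+TLS_KEY_FILENAME \
+TLS_DH_PARAM_PATH \
+TLS_DH_PARAM_FILENAME \
+TLS_CIPHER_SUITE \
+TLS_VERIFY_CLIENT \
+TLS_DH_PARAM_LDIF_ENABLE
 silent ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f /assets/slapd/config/tls/tls-enable.ldif
 
 [[ -f "$was_started_with_tls" ]] && rm -f "$was_started_with_tls"
 echo "export PREVIOUS_TLS_CA_CRT_PATH=${TLS_CA_CRT_PATH}/${TLS_CA_CRT_FILENAME}" > "${was_started_with_tls}"
 echo "export PREVIOUS_TLS_CRT_PATH=${TLS_CRT_PATH}/${TLS_CRT_FILENAME}" >> "${was_started_with_tls}"
 echo "export PREVIOUS_TLS_KEY_PATH=${TLS_KEY_PATH}/${TLS_KEY_FILENAME}" >> "${was_started_with_tls}"
-echo "export PREVIOUS_TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}" >> "${was_started_with_tls}"
+if var_true "${TLS_ENABLE_DH_PARAM}"; then
+echo "export PREVIOUS_TLS_DH_PARAM_PATH=${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}" >> "${was_started_with_tls}"
+fi
 
 # Enforce TLS
 if var_true "${TLS_ENFORCE}"; then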
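Review bot: Combined with the tls-enable.ldif template line `{{TLS_DH_PARAM_LDIF_ENABLE}}replace: olcTLSVerifyClient`, the value assigned at new line 524 ends in `\n-` with no trailing newline, so the enabled case renders `-replace: olcTLSVerifyClient` on one line, and the disabled case (empty string at new line 526) drops the `-` separator between the olcTLSCertificateKeyFile and olcTLSVerifyClient change records; either way ldapmodify should reject the LDIF, and because it runs under `silent` the failure would likely pass unnoticed and leave TLS unconfigured. Keep `-` as its own template line before `{{TLS_DH_PARAM_LDIF_ENABLE}}replace: olcTLSVerifyClient` and set `TLS_DH_PARAM_LDIF_ENABLE="replace: olcTLSDHParamFile\nolcTLSDHParamFile: ${TLS_DH_PARAM_PATH}/${TLS_DH_PARAM_FILENAME}\n-\n"` so both branches produce well-formed records. This also relies on update_template (not shown) turning the literal `\n` sequences into newlines, and on the tls-disable.ldif update_template call (outside these hunks) passing TLS_DH_PARAM_LDIF_DISABLE, otherwise that placeholder is written literally; both are worth confirming. The enclosing function starts and ends outside the hunk.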

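--- a/install/assets/slapd/config/tls/tls-disable.ldif
+++ b/install/assets/slapd/config/tls/tls-disable.ldif
@@ -7,7 +7,5 @@ delete: olcTLSCACertificateFile
 delete: olcTLSCertificateFile
 -
 delete: olcTLSCertificateKeyFile
--
-delete: olcTLSDHParamFile
--
+{{TLS_DH_PARAM_LDIF_DISABLE}}
 delete: olcTLSVerifyClient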

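--- a/install/assets/slapd/config/tls/tls-enable.ldif
+++ b/install/assets/slapd/config/tls/tls-enable.ldif
@@ -11,9 +11,5 @@ olcTLSCertificateFile: {{TLS_CRT_PATH}}/{{TLS_CRT_FILENAME}}
 -
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: {{TLS_KEY_PATH}}/{{TLS_KEY_FILENAME}}
--
-replace: olcTLSDHParamFile
-olcTLSDHParamFile: {{TLS_DH_PARAM_PATH}}/{{TLS_DH_PARAM_FILENAME}}
--
-replace: olcTLSVerifyClient
+{{TLS_DH_PARAM_LDIF_ENABLE}}replace: olcTLSVerifyClient
 olcTLSVerifyClient: {{TLS_VERIFY_CLIENT}}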
