Commit cc717b40 authored by Rob Swindell's avatar Rob Swindell :speech_balloon:

Add/use option: SCFG->System->Security->Create Self-signed Certificate

Default to false / No. Maybe this should default to true / Yes until a
certificate (e.g. from Let's Encrypt) is successfully provisioned?

Anyway, this is just a quick-hack to address the issue where a sysop's
CA-signed certificate may be overwritten with a self-signed certificate if
for some reason Synchronet can't find/read the ssl.cert file.

See issue #881.
parent db19ad6f
......@@ -633,7 +633,8 @@ void security_cfg(void)
snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Open to New Users", str);
snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "User Expires When Out-of-time"
, cfg.sys_misc & SM_TIME_EXP ? "Yes" : "No");
snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Create Self-signed Certificate"
, cfg.create_self_signed_cert ? "Yes" : "No");
strcpy(opt[i++], "Security Level Values...");
strcpy(opt[i++], "Expired Account Values...");
strcpy(opt[i++], "Quick-Validation Values...");
......@@ -896,6 +897,24 @@ void security_cfg(void)
cfg.sys_misc &= ~SM_TIME_EXP;
}
break;
case __COUNTER__:
i = cfg.create_self_signed_cert ? 0 : 1;
uifc.helpbuf =
"`Create Self-signed TLS Certificate:`\n"
"\n"
"If you want Synchronet to automatically create a self-signed certificate\n"
"(for TLS connections) when the certificate file (`ctrl/ssl.cert`) cannot\n"
"be found or read, set this option to `Yes`.\n"
;
i = uifc.list(WIN_MID | WIN_SAV, 0, 0, 0, &i, 0
, "Create Self-signed Certificate", uifcYesNoOpts);
if (!i && !cfg.create_self_signed_cert) {
cfg.create_self_signed_cert = true;
}
else if (i == 1 && cfg.create_self_signed_cert) {
cfg.create_self_signed_cert = false;
}
break;
case __COUNTER__: /* Security Levels */
k = 0;
while (1) {
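Review bot: The help text on lines 37-41 describes only the benefit of the option and not the risk the commit message is addressing — that with it enabled, a CA-signed certificate that merely cannot be read (e.g. a permissions problem) may be replaced by a self-signed one — so a sysop reading the help screen cannot make an informed choice. Suggest appending to the helpbuf a line such as `"Note: if an existing certificate cannot be read, it may be replaced by the\n" "self-signed one, so keep this set to `No` if you use a CA-issued certificate.\n"`. The two-branch toggle on lines 45-50 reduces to `if (i == 0 || i == 1) cfg.create_self_signed_cert = (i == 0);` since the end state is the same either way; if the sibling cases in this switch mark the configuration as modified (e.g. via `uifc.changes`) when a value flips, this case should do the same, which I cannot confirm from the hunk. security_cfg begins before this hunk and continues after it.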
......@@ -506,6 +506,8 @@ typedef struct
uint16_t filename_maxlen; /* Maximum filename length */
str_list_t supported_archive_formats; /* Full support in libachive */
bool create_self_signed_cert;
fevent_t node_daily; /* Node's daily event */
uint32_t node_misc; /* Misc bits for node setup */
bool spinning_pause_prompt;
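Review bot: The new `create_self_signed_cert` field on line 59 is the only one in this run without a trailing comment, while its neighbours each document their purpose; suggest `bool create_self_signed_cert; /* Create a self-signed TLS cert when ctrl/ssl.cert is missing or unreadable */`. The field is inserted mid-struct rather than appended, so anything built separately that shares this struct's layout would need rebuilding — presumably everything is compiled together, but worth confirming. The typedef starts before this hunk and continues after it.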
......@@ -127,6 +127,7 @@ bool read_main_cfg(scfg_t* cfg, char* error, size_t maxerrlen)
cfg->max_getkey_inactivity = (uint)iniGetDuration(ini, ROOT_SECTION, "max_getkey_inactivity", 300);
cfg->inactivity_warn = (uchar)iniGetUInteger(ini, ROOT_SECTION, "inactivity_warn", 75);
cfg->spinning_pause_prompt = iniGetBool(ini, ROOT_SECTION, "spinning_pause_prompt", true);
cfg->create_self_signed_cert = iniGetBool(ini, ROOT_SECTION, "create_self_signed_cert", false);
cfg->user_backup_level = iniGetUInteger(ini, ROOT_SECTION, "user_backup_level", 5);
cfg->mail_backup_level = iniGetUInteger(ini, ROOT_SECTION, "mail_backup_level", 5);
......@@ -147,6 +147,7 @@ bool write_main_cfg(scfg_t* cfg)
iniSetDuration(&ini, ROOT_SECTION, "max_getkey_inactivity", cfg->max_getkey_inactivity, NULL);
iniSetUInteger(&ini, ROOT_SECTION, "inactivity_warn", cfg->inactivity_warn, NULL);
iniSetBool(&ini, ROOT_SECTION, "spinning_pause_prompt", cfg->spinning_pause_prompt, NULL);
iniSetBool(&ini, ROOT_SECTION, "create_self_signed_cert", cfg->create_self_signed_cert, NULL);
iniSetUInteger(&ini, ROOT_SECTION, "user_backup_level", cfg->user_backup_level, NULL);
iniSetUInteger(&ini, ROOT_SECTION, "mail_backup_level", cfg->mail_backup_level, NULL);
iniSetUInteger(&ini, ROOT_SECTION, "config_backup_level", cfg->config_backup_level, NULL);
......@@ -476,6 +476,12 @@ static struct cert_list * get_ssl_cert(scfg_t *cfg, int (*lprintf)(int level, co
}
}
else {
lprintf(LOG_WARNING, "Failed to open/read TLS certificate: %s", cert_path);
if (!cfg->create_self_signed_cert) {
assert_pthread_mutex_unlock(&get_ssl_cert_mutex);
free(cert_entry);
return NULL;
}
lprintf(LOG_NOTICE, "Creating self-signed TLS certificate");
/* Couldn't do that... create a new context and use the cert from there... */
if (!DO("creating TLS context", CRYPT_UNUSED, cryptCreateContext(&cert_entry->cert, CRYPT_UNUSED, CRYPT_ALGO_RSA))) {
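Review bot: The new guard on lines 86-90 only decides whether to fall through, so with the option enabled the scenario from the commit message — a CA-signed certificate that exists but cannot be read — still reaches the self-signed creation on line 91; if the goal is to stop a sysop's certificate from being replaced, distinguishing "file absent" from "file present but unreadable" (and only creating a self-signed certificate in the former case) would address the cause rather than the symptom. On the disabled path the only log line is the LOG_WARNING on line 85, which does not say that the self-signed fallback was skipped because of the setting; suggest adding before the unlock `lprintf(LOG_ERR, "No TLS certificate available and create_self_signed_cert is disabled");` so the reason is visible in the logs. Whether `free(cert_entry)` is the complete cleanup for this early return depends on what was allocated earlier in get_ssl_cert, which starts before this hunk and continues after it.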