From 3694d61aab8c7c47318997be2c9046854c56291a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Wed, 20 Apr 2022 03:54:21 +0200 Subject: [PATCH] Added support for elliptic curve keys --- REFERENCE.md | 67 +++++++++- manifests/ca.pp | 63 ++++++---- manifests/server.pp | 13 +- spec/acceptance/openvpn_spec.rb | 188 +++++++++++++++++++++++++++- spec/defines/openvpn_ca_spec.rb | 2 + spec/defines/openvpn_server_spec.rb | 19 +++ templates/server.erb | 5 +- templates/vars-30.epp | 21 +++- 8 files changed, 348 insertions(+), 30 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 734c9eb7..0caa49f0 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -244,9 +244,12 @@ The following parameters are available in the `openvpn::ca` defined type: * [`email`](#email) * [`common_name`](#common_name) * [`group`](#group) +* [`ssl_key_algo`](#ssl_key_algo) * [`ssl_key_size`](#ssl_key_size) +* [`ssl_key_curve`](#ssl_key_curve) * [`key_expire`](#key_expire) * [`ca_expire`](#ca_expire) +* [`digest`](#digest) * [`key_name`](#key_name) * [`key_ou`](#key_ou) * [`key_cn`](#key_cn) @@ -310,14 +313,30 @@ User to drop privileges to after startup Default value: ``undef`` +##### `ssl_key_algo` + +Data type: `Enum['rsa', 'ec', 'ed']` + +SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys + +Default value: `'rsa'` + ##### `ssl_key_size` Data type: `Integer` -Length of SSL keys (in bits) generated by this module. +Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa Default value: `2048` +##### `ssl_key_curve` + +Data type: `String` + +Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed + +Default value: `'secp384r1'` + ##### `key_expire` Data type: `Integer` @@ -334,6 +353,14 @@ The number of days to certify the CA certificate for Default value: `3650` +##### `digest` + +Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']` + +Cryptographic digest to use + +Default value: `'sha512'` + ##### `key_name` Data type: `Optional[String]` @@ -938,7 +965,10 @@ The following parameters are available in the `openvpn::server` defined type: * [`route`](#route) * [`route_ipv6`](#route_ipv6) * [`keepalive`](#keepalive) +* [`ssl_key_algo`](#ssl_key_algo) * [`ssl_key_size`](#ssl_key_size) +* [`ssl_key_curve`](#ssl_key_curve) +* [`ecdh_curve`](#ecdh_curve) * [`topology`](#topology) * [`c2c`](#c2c) * [`tcp_nodelay`](#tcp_nodelay) @@ -976,6 +1006,7 @@ The following parameters are available in the `openvpn::server` defined type: * [`persist_tun`](#persist_tun) * [`key_expire`](#key_expire) * [`crl_days`](#crl_days) +* [`digest`](#digest) * [`ca_expire`](#ca_expire) * [`key_name`](#key_name) * [`key_ou`](#key_ou) @@ -1264,14 +1295,38 @@ Add keepalive directive (ping and ping-restart) to server. Should match the form Default value: ``undef`` +##### `ssl_key_algo` + +Data type: `Enum['rsa', 'ec', 'ed']` + +SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys + +Default value: `'rsa'` + ##### `ssl_key_size` Data type: `Integer` -Length of SSL keys (in bits) generated by this module. +Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa Default value: `2048` +##### `ssl_key_curve` + +Data type: `String` + +Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed + +Default value: `'secp384r1'` + +##### `ecdh_curve` + +Data type: `String` + +Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed + +Default value: `'secp384r1'` + ##### `topology` Data type: `String` @@ -1568,6 +1623,14 @@ The number of days the client revocation list will be valid for after generating Default value: `30` +##### `digest` + +Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']` + +Cryptographic digest to use + +Default value: `'sha512'` + ##### `ca_expire` Data type: `Integer` diff --git a/manifests/ca.pp b/manifests/ca.pp index 48a21334..2f2e52bf 100644 --- a/manifests/ca.pp +++ b/manifests/ca.pp @@ -7,9 +7,12 @@ # @param email Email address to be used for the SSL certificate # @param common_name Common name to be used for the SSL certificate # @param group User to drop privileges to after startup -# @param ssl_key_size Length of SSL keys (in bits) generated by this module. +# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys +# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa +# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed # @param key_expire The number of days to certify the server certificate for # @param ca_expire The number of days to certify the CA certificate for +# @param digest Cryptographic digest to use # @param key_name Value for name_default variable in openssl.cnf and KEY_NAME in vars # @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars # @param key_cn Value for commonName_default variable in openssl.cnf and KEY_CN in vars @@ -23,22 +26,25 @@ # } # define openvpn::ca ( - Optional[String] $country = undef, - Optional[String] $province = undef, - Optional[String] $city = undef, - Optional[String] $organization = undef, - Optional[String] $email = undef, - String $common_name = 'server', - Optional[String] $group = undef, - Integer $ssl_key_size = 2048, - Integer $ca_expire = 3650, - Integer $key_expire = 3650, - Integer $crl_days = 30, - Optional[String] $key_cn = undef, - Optional[String] $key_name = undef, - Optional[String] $key_ou = undef, - Boolean $tls_auth = false, - Boolean $tls_static_key = false, + Optional[String] $country = undef, + Optional[String] $province = undef, + Optional[String] $city = undef, + Optional[String] $organization = undef, + Optional[String] $email = undef, + String $common_name = 'server', + Optional[String] $group = undef, + Enum['rsa', 'ec', 'ed'] $ssl_key_algo = 'rsa', + Integer $ssl_key_size = 2048, + String $ssl_key_curve = 'secp384r1', + Integer $ca_expire = 3650, + Integer $key_expire = 3650, + Integer $crl_days = 30, + Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest = 'sha512', + Optional[String] $key_cn = undef, + Optional[String] $key_name = undef, + Optional[String] $key_ou = undef, + Boolean $tls_auth = false, + Boolean $tls_static_key = false, ) { if $tls_auth { warning('Parameter $tls_auth is deprecated. Use $tls_static_key instead.') @@ -80,6 +86,10 @@ case $openvpn::easyrsa_version { '2.0': { + if $ssl_key_algo != 'rsa' { + fail('easy-rsa 2.0 supports only rsa keys.') + } + file { "${server_directory}/${name}/easy-rsa/vars": ensure => file, mode => '0550', @@ -136,10 +146,13 @@ { 'server_directory' => $server_directory, 'openvpn_server' => $name, + 'ssl_key_algo' => $ssl_key_algo, + 'ssl_key_curve' => $ssl_key_curve, 'ssl_key_size' => $ssl_key_size, 'ca_expire' => $ca_expire, 'key_expire' => $key_expire, 'crl_days' => $crl_days, + 'digest' => $digest, 'country' => $country, 'province' => $province, 'city' => $city, @@ -168,13 +181,15 @@ require => File["${server_directory}/${name}/easy-rsa/vars"], } - exec { "generate dh param ${name}": - command => './easyrsa --batch gen-dh', - timeout => 20000, - cwd => "${server_directory}/${name}/easy-rsa", - creates => "${server_directory}/${name}/easy-rsa/keys/dh.pem", - provider => 'shell', - require => Exec["generate server cert ${name}"], + if ($ssl_key_algo == 'rsa') { + exec { "generate dh param ${name}": + command => './easyrsa --batch gen-dh', + timeout => 20000, + cwd => "${server_directory}/${name}/easy-rsa", + creates => "${server_directory}/${name}/easy-rsa/keys/dh.pem", + provider => 'shell', + require => Exec["generate server cert ${name}"], + } } exec { "generate server cert ${name}": diff --git a/manifests/server.pp b/manifests/server.pp index 23fb5851..feac492d 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -33,7 +33,10 @@ # @param route Add route to routing table after connection is established. Multiple routes can be specified. # @param route_ipv6 Add IPv6 route to routing table after connection is established. Multiple routes can be specified. # @param keepalive Add keepalive directive (ping and ping-restart) to server. Should match the form "n m". -# @param ssl_key_size Length of SSL keys (in bits) generated by this module. +# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys +# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa +# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed +# @param ecdh_curve Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed # @param topology Define the network topology type # @param c2c Enable client to client visibility # @param tcp_nodelay Enable/Disable. @@ -71,6 +74,7 @@ # @param persist_tun Try to retain access to resources that may be unavailable because of privilege downgrades # @param key_expire The number of days to certify the server certificate for # @param crl_days The number of days the client revocation list will be valid for after generating +# @param digest Cryptographic digest to use # @param ca_expire The number of days to certify the CA certificate for # @param key_name Value for name_default variable in openssl.cnf and KEY_NAME in vars # @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars @@ -175,7 +179,10 @@ Array $route_ipv6 = [], Optional[String[1]] $keepalive = undef, Variant[Boolean, Integer] $fragment = false, + Enum['rsa', 'ec', 'ed'] $ssl_key_algo = 'rsa', Integer $ssl_key_size = 2048, + String $ssl_key_curve = 'secp384r1', + String $ecdh_curve = 'secp384r1', String $topology = 'net30', Boolean $c2c = false, Boolean $tcp_nodelay = false, @@ -209,6 +216,7 @@ Integer $ca_expire = 3650, Integer $key_expire = 3650, Integer[1] $crl_days = 30, + Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest = 'sha512', Optional[String] $key_cn = undef, Optional[String] $key_name = undef, Optional[String] $key_ou = undef, @@ -365,10 +373,13 @@ email => $email, common_name => $common_name, group => $group, + ssl_key_algo => $ssl_key_algo, ssl_key_size => $ssl_key_size, + ssl_key_curve => $ssl_key_curve, ca_expire => $ca_expire, key_expire => $key_expire, crl_days => $crl_days, + digest => $digest, key_cn => $key_cn, key_name => $key_name, key_ou => $key_ou, diff --git a/spec/acceptance/openvpn_spec.rb b/spec/acceptance/openvpn_spec.rb index 63e03226..5bf05c90 100644 --- a/spec/acceptance/openvpn_spec.rb +++ b/spec/acceptance/openvpn_spec.rb @@ -17,6 +17,7 @@ key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/private" crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued" index_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" + easy_rsa_version = '3.0' renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" when 'Debian' server_directory = '/etc/openvpn' @@ -26,14 +27,18 @@ server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued/server.crt" key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/private" crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys/issued" + easy_rsa_version = '3.0' renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && EASYRSA_REQ_CN='' EASYRSA_REQ_OU='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" else server_crt = "#{server_directory}/test_openvpn_server/easy-rsa/keys/server.crt" key_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" crt_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" + easy_rsa_version = '2.0' renew_crl_cmd = "cd #{server_directory}/test_openvpn_server/easy-rsa && . ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out #{server_directory}/test_openvpn_server/crl.pem -config #{server_directory}/test_openvpn_server/easy-rsa/openssl.cnf" end index_path = "#{server_directory}/test_openvpn_server/easy-rsa/keys" +else + raise "Unknown OS family #{fact('osfamily')}" end # All-terrain tls ciphers are used to be able to work with all supported OSes. @@ -171,7 +176,7 @@ scp_from(hosts_as('vpnserver'), "#{server_directory}/test_openvpn_server/download-configs/vpnclienta.tar.gz", '.') scp_to(hosts_as('vpnclienta'), 'vpnclienta.tar.gz', '/tmp') on(hosts_as('vpnclienta'), "tar xvfz /tmp/vpnclienta.tar.gz -C #{client_directory}") - on(hosts_as('vpnclienta'), "mv #{client_directory}/vpnclienta/* #{client_directory}/") + on(hosts_as('vpnclienta'), "cp -a #{client_directory}/vpnclienta/* #{client_directory}/") on(hosts_as('vpnclienta'), "systemctl enable #{client_service}@vpnclienta") on(hosts_as('vpnclienta'), "systemctl restart #{client_service}@vpnclienta") end @@ -186,3 +191,184 @@ end end end + +if easy_rsa_version == '3.0' + describe 'server defined type w/ easy-rsa 3.0' do + dev = 'tun1' + server_name = 'test_openvpn_server_ec' + port = 1195 + management_port = 7506 + + context 'with basics parameters' do + it 'installs openvpn server idempotently' do + pp = %( + openvpn::server { '#{server_name}': + dev => '#{dev}', + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + ssl_key_algo => 'ec', + ssl_key_curve => 'secp521r1', + ecdh_curve => 'secp521r1', + digest => 'sha256', + common_name => 'openvpn-server', + server => '10.1.0.0 255.255.255.0', + port => '#{port}', + management => true, + management_port => #{management_port}, + tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', + } + ) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) + end + + it 'creates openvpn client certificate idempotently' do + pp = %( + openvpn::server { '#{server_name}': + dev => '#{dev}', + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + ssl_key_algo => 'ec', + ssl_key_curve => 'secp521r1', + ecdh_curve => 'secp521r1', + digest => 'sha256', + common_name => 'openvpn-server', + server => '10.1.0.0 255.255.255.0', + port => '#{port}', + management => true, + management_port => #{management_port}, + tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', + } + + openvpn::client { '#{server_name}-vpnclienta' : + server => '#{server_name}', + port => '#{port}', + require => Openvpn::Server['#{server_name}'], + remote_host => $facts['networking']['ip'], + tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', + } + ) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: true) + end + + it 'revokes openvpn client certificate' do + pp = %( + openvpn::server { '#{server_name}': + dev => '#{dev}', + country => 'CO', + province => 'ST', + city => 'A city', + organization => 'FOO', + email => 'bar@foo.org', + ssl_key_algo => 'ec', + ssl_key_curve => 'secp521r1', + ecdh_curve => 'secp521r1', + digest => 'sha256', + common_name => 'openvpn-server', + server => '10.1.0.0 255.255.255.0', + port => '#{port}', + management => true, + management_port => #{management_port}, + tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', + } + + openvpn::client { '#{server_name}-vpnclientb' : + server => '#{server_name}', + port => '#{port}', + require => Openvpn::Server['#{server_name}'], + remote_host => $facts['networking']['ip'], + tls_cipher => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384', + } + + openvpn::revoke { '#{server_name}-vpnclientb': + server => '#{server_name}', + } + ) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_failures: true) + apply_manifest_on(hosts_as('vpnserver'), pp, catch_changes: false) + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/revoked/#{server_name}-vpnclientb"), :revokedFile do + it { is_expected.to be_file } + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/keys") do + it { is_expected.to be_directory } + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/vars") do + it { is_expected.to be_file } + it { is_expected.to contain 'export EASYRSA_ALGO=ec' } + it { is_expected.to contain 'export EASYRSA_CURVE=secp521r1' } + it { is_expected.to contain 'export EASYRSA_DIGEST=sha256' } + end + + describe file(server_crt.to_s), :crtFile do + it { is_expected.to be_file } + it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } + end + + describe process('openvpn') do + it { is_expected.to be_running } + end + + describe port(port) do + it { is_expected.to be_listening.with('tcp') } + end + + describe command("ip link show #{dev}") do + its(:stdout) { is_expected.to match %r{.* #{dev}: .*} } + its(:exit_status) { is_expected.to eq 0 } + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/keys/private/#{server_name}-vpnclienta.key") do + it { is_expected.to be_file } + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/keys/issued/#{server_name}-vpnclienta.crt") do + it { is_expected.to be_file } + it { is_expected.to contain 'Issuer: C=CO, ST=ST, L=A city, O=FOO, ' } + end + + describe file("#{server_directory}/#{server_name}/easy-rsa/keys/index.txt") do + it { is_expected.to be_file } + it { is_expected.to contain "CN=#{server_name}-vpnclienta" } + end + + describe file("#{server_directory}/#{server_name}/download-configs/#{server_name}-vpnclienta.tar.gz") do + it { is_expected.to be_file } + its(:size) { is_expected.to be > 500 } + end + + it 'permits to setup a vpn client' do + scp_from(hosts_as('vpnserver'), "#{server_directory}/#{server_name}/download-configs/#{server_name}-vpnclienta.tar.gz", '.') + scp_to(hosts_as('vpnclienta'), "#{server_name}-vpnclienta.tar.gz", '/tmp') + on(hosts_as('vpnclienta'), "tar xvfz /tmp/#{server_name}-vpnclienta.tar.gz -C #{client_directory}") + on(hosts_as('vpnclienta'), "cp -a #{client_directory}/#{server_name}-vpnclienta/* #{client_directory}/") + on(hosts_as('vpnclienta'), "systemctl enable #{client_service}@#{server_name}-vpnclienta") + on(hosts_as('vpnclienta'), "systemctl restart #{client_service}@#{server_name}-vpnclienta") + end + + it 'logs (in case of an error)' do + on(hosts_as('vpnserver'), "journalctl -lu #{client_service}@#{server_name}") + on(hosts_as('vpnclienta'), "journalctl -lu #{client_service}@#{server_name}-vpnclienta") + end + + describe command("echo status |nc -w 1 localhost #{management_port}") do + its(:stdout) { is_expected.to match %r{.*#{server_name}-vpnclienta.*} } + its(:exit_status) { is_expected.to eq 0 } + end + + describe command(renew_crl_cmd.to_s) do + its(:exit_status) { is_expected.to eq 0 } + end + end + end +end diff --git a/spec/defines/openvpn_ca_spec.rb b/spec/defines/openvpn_ca_spec.rb index eaef19f5..301e0098 100644 --- a/spec/defines/openvpn_ca_spec.rb +++ b/spec/defines/openvpn_ca_spec.rb @@ -78,6 +78,7 @@ 'ssl_key_size' => 2048, 'common_name' => 'mylittlepony', 'ca_expire' => 365, + 'digest' => 'sha256', 'key_expire' => 365, 'key_cn' => 'yolo', 'key_name' => 'burp', @@ -89,6 +90,7 @@ it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_CERT_EXPIRE=365$}) } it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_CN="yolo"$}) } it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_REQ_OU="NSA"$}) } + it { is_expected.to contain_file("#{server_directory}/test_server/easy-rsa/vars").with_content(%r{^export EASYRSA_DIGEST=sha256$}) } it { is_expected.to contain_exec('generate dh param test_server').with_creates("#{server_directory}/test_server/easy-rsa/keys/dh.pem") } end diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb index f9c5aec5..f7309b54 100644 --- a/spec/defines/openvpn_server_spec.rb +++ b/spec/defines/openvpn_server_spec.rb @@ -402,6 +402,7 @@ 'crl_auto_renew' => true, 'key_expire' => 365, 'crl_days' => 20, + 'digest' => 'sha256', 'key_cn' => 'yolo', 'key_name' => 'burp', 'key_ou' => 'NSA', @@ -491,6 +492,7 @@ ca_expire: 365, key_expire: 365, crl_days: 20, + digest: 'sha256', key_cn: 'yolo', key_name: 'burp', key_ou: 'NSA', @@ -1033,6 +1035,23 @@ it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory_regex}/my_already_existing_ca/keys/dh.pem$}) } end + context 'creating a server with ec keys' do + let(:params) do + { + 'country' => 'CO', + 'province' => 'ST', + 'city' => 'Some City', + 'organization' => 'example.org', + 'email' => 'testemail@example.org', + 'ssl_key_algo' => 'ec', + } + end + + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^cert\s+#{server_directory}/test_server/keys/issued/server.crt$}) } + it { is_expected.to contain_file("#{server_directory}/test_server.conf").with_content(%r{^key\s+#{server_directory}/test_server/keys/private/server.key$}) } + it { is_expected.not_to contain_file("#{server_directory}/test_server.conf").with_content(%r{^dh\s+#{server_directory}/test_server/keys/dh.pem$}) } + end + case facts[:os]['family'] when 'RedHat' context 'creating a server with the minimum parameters' do diff --git a/templates/server.erb b/templates/server.erb index a7080e38..dc8a0f6b 100644 --- a/templates/server.erb +++ b/templates/server.erb @@ -42,8 +42,11 @@ key <%= @server_directory %>/<%= @ca_name %>/keys/private/<%= @ca_common_name %> <% unless @remote -%> <%- if @_easyrsa_version == '2.0' -%> dh <%= @server_directory %>/<%= @ca_name %>/keys/dh<%= @ssl_key_size %>.pem -<%- else -%> +<%- elsif @ssl_key_algo == 'rsa' -%> dh <%= @server_directory %>/<%= @ca_name %>/keys/dh.pem +<%- else -%> +dh none +ecdh-curve <%= @ecdh_curve %> <%- end -%> <% end -%> <% unless @remote or !@crl_verify -%> diff --git a/templates/vars-30.epp b/templates/vars-30.epp index 042a9ad8..2e575b4f 100644 --- a/templates/vars-30.epp +++ b/templates/vars-30.epp @@ -52,6 +52,21 @@ export PKCS11_PIN="dummy" # generation process. export EASYRSA_KEY_SIZE=<%= $ssl_key_size %> +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec + +<% if $ssl_key_algo { -%> +export EASYRSA_ALGO=<%= $ssl_key_algo %> +<% } -%> +# Define the named curve, used in ec mode only: + +<% if $ssl_key_curve { -%> +export EASYRSA_CURVE=<%= $ssl_key_curve %> +<% } -%> + # In how many days should the root CA key expire? export EASYRSA_CA_EXPIRE=<%= $ca_expire %> @@ -60,7 +75,11 @@ export EASYRSA_CERT_EXPIRE=<%= $key_expire %> export EASYRSA_CRL_DAYS=<%= $crl_days %> -export EASYRSA_DIGEST="sha512" +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +export EASYRSA_DIGEST=<%= $digest %> export EASYRSA_DN="org"