Browse Source

ocserv: store permanent config files in /etc/config

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 10 years ago
parent
commit
1c40fc1022
3 changed files with 39 additions and 33 deletions
  1. +1
    -1
      net/ocserv/Makefile
  2. +8
    -8
      net/ocserv/files/ocserv.conf.template
  3. +30
    -24
      net/ocserv/files/ocserv.init

+ 1
- 1
net/ocserv/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv PKG_NAME:=ocserv
PKG_VERSION:=0.8.9 PKG_VERSION:=0.8.9
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz


+ 8
- 8
net/ocserv/files/ocserv.conf.template View File

@ -65,8 +65,8 @@ try-mtu-discovery = false
# #
# There may be multiple certificate and key pairs and each key # There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate. # should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
server-cert = /etc/config/ocserv-dir/server-cert.pem
server-key = /etc/config/ocserv-dir/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support # Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE). # for the DHE ciphersuites (by default this server supports ECDHE).
@ -92,7 +92,7 @@ server-key = /etc/ocserv/server-key.pem
# The Certificate Authority that will be used to verify # The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication # client certificates (public keys) if certificate authentication
# is set. # is set.
#ca-cert = /etc/ocserv/ca.pem
#ca-cert = /etc/config/ocserv-dir/ca.pem
# The object identifier that will be used to read the user ID in the client # The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN # certificate. The object identifier should be part of the certificate's DN
@ -107,7 +107,7 @@ server-key = /etc/ocserv/server-key.pem
#cert-group-oid = 2.5.4.11 #cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above. # The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /etc/ocserv/crl.pem
#crl = /etc/config/ocserv-dir/crl.pem
# GnuTLS priority string # GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
@ -277,14 +277,14 @@ ping-leases = false
# based on a user or group. The syntax depends on the input accepted # based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). # by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
#config-per-user = /etc/config/ocserv-dir/config-per-user/
#config-per-group = /etc/config/ocserv-dir/config-per-group/
# When config-per-xxx is specified and there is no group or user that # When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration. # matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
#default-user-config = /etc/config/ocserv-dir/defaults/user.conf
#default-group-config = /etc/config/ocserv-dir/defaults/group.conf
# Groups that a client is allowed to select from. # Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases # A client may belong in multiple groups, and in certain use-cases


+ 30
- 24
net/ocserv/files/ocserv.init View File

@ -94,35 +94,41 @@ start() {
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2` hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2`
[ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname` [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`
[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
[ -d /etc/config/ocserv-dir ] || mkdir -p /etc/config/ocserv-dir
[ -f /etc/ocserv/ca-key.pem ] && mv /etc/ocserv/ca-key.pem /etc/config/ocserv-dir/ca-key.pem
[ -f /etc/ocserv/ca.pem ] && mv /etc/ocserv/ca.pem /etc/config/ocserv-dir/ca.pem
[ -f /etc/ocserv/server-key.pem ] && mv /etc/ocserv/server-key.pem /etc/config/ocserv-dir/server-key.pem
[ -f /etc/ocserv/server-cert.pem ] && mv /etc/ocserv/server-cert.pem /etc/config/ocserv-dir/server-cert.pem
[ ! -f /etc/config/ocserv-dir/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating CA certificate..." logger -t ocserv "Generating CA certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
echo "ca" >>/etc/ocserv/pki/ca.tmpl
echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
certtool --template /etc/ocserv/pki/ca.tmpl \
--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
mkdir -p /tmp/ocserv-pki/
certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/ca-key.pem >/dev/null 2>&1
echo "cn=$hostname CA" >/tmp/ocserv-pki/ca.tmpl
echo "expiration_days=-1" >>/tmp/ocserv-pki/ca.tmpl
echo "serial=1" >>/tmp/ocserv-pki/ca.tmpl
echo "ca" >>/tmp/ocserv-pki/ca.tmpl
echo "cert_signing_key" >>/tmp/ocserv-pki/ca.tmpl
certtool --template /tmp/ocserv-pki/ca.tmpl \
--generate-self-signed --load-privkey /etc/config/ocserv-dir/ca-key.pem \
--outfile /etc/config/ocserv-dir/ca.pem >/dev/null 2>&1
} }
#generate server certificate/key #generate server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
[ ! -f /etc/config/ocserv-dir/server-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating server certificate..." logger -t ocserv "Generating server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
echo "serial=2" >>/etc/ocserv/pki/server.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
echo "signing_key" >>/etc/ocserv/pki/server.tmpl
echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
certtool --template /etc/ocserv/pki/server.tmpl \
--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
mkdir -p /tmp/ocserv-pki/
certtool --bits 2048 --generate-privkey --outfile /etc/config/ocserv-dir/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/tmp/ocserv-pki/server.tmpl
echo "serial=2" >>/tmp/ocserv-pki/server.tmpl
echo "expiration_days=-1" >>/tmp/ocserv-pki/server.tmpl
echo "signing_key" >>/tmp/ocserv-pki/server.tmpl
echo "encryption_key" >>/tmp/ocserv-pki/server.tmpl
certtool --template /tmp/ocserv-pki/server.tmpl \
--generate-certificate --load-privkey /etc/config/ocserv-dir/server-key.pem \
--load-ca-certificate /etc/config/ocserv-dir/ca.pem --load-ca-privkey \
/etc/config/ocserv-dir/ca-key.pem --outfile /etc/config/ocserv-dir/server-cert.pem >/dev/null 2>&1
} }
[ -f /var/run/ocserv.pid ] || { [ -f /var/run/ocserv.pid ] || {


Loading…
Cancel
Save