Commit f7d04fc4 authored by Julien Muchembled's avatar Julien Muchembled

By default, get DH parameters from the registry instead of requiring each node to generate them

Generating them takes a lot of time and there's no reason to do this by default.
We keep the --dh option in 're6stnet' so as not to break existing configurations.
parent 8ebdd500
...@@ -10,9 +10,6 @@ ...@@ -10,9 +10,6 @@
public IPv6. If there's only one interface like this, a workaround is to public IPv6. If there's only one interface like this, a workaround is to
use --main-interface option on it. use --main-interface option on it.
- Nodes should not have to generate their own DH parameters. Add a `getDh(cn)`
registry RPC that is called at re6stnet startup if they're missing.
- Filter non-routable IPs. Add an option not to do it. - Filter non-routable IPs. Add an option not to do it.
- Abort in case of import child process failure (babel, openvpn server, - Abort in case of import child process failure (babel, openvpn server,
...@@ -2,7 +2,6 @@ log m1/ ...@@ -2,7 +2,6 @@ log m1/
run m1/run run m1/run
state m1/ state m1/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m1/cert.crt cert m1/cert.crt
key m1/cert.key key m1/cert.key
...@@ -2,7 +2,6 @@ log m2/ ...@@ -2,7 +2,6 @@ log m2/
run m2/run run m2/run
state m2/ state m2/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m2/cert.crt cert m2/cert.crt
key m2/cert.key key m2/cert.key
...@@ -2,7 +2,6 @@ log m3/ ...@@ -2,7 +2,6 @@ log m3/
run m3/run run m3/run
state m3/ state m3/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m3/cert.crt cert m3/cert.crt
key m3/cert.key key m3/cert.key
...@@ -2,7 +2,6 @@ log m4/ ...@@ -2,7 +2,6 @@ log m4/
run m4/run run m4/run
state m4/ state m4/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m4/cert.crt cert m4/cert.crt
key m4/cert.key key m4/cert.key
...@@ -2,7 +2,6 @@ log m6/ ...@@ -2,7 +2,6 @@ log m6/
run m6/run run m6/run
state m6/ state m6/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m6/cert.crt cert m6/cert.crt
key m6/cert.key key m6/cert.key
...@@ -2,7 +2,6 @@ log m7/ ...@@ -2,7 +2,6 @@ log m7/
run m7/run run m7/run
state m7/ state m7/
pp 1194 tcp pp 1194 tcp
dh dh2048.pem
ca ca.crt ca ca.crt
cert m7/cert.crt cert m7/cert.crt
key m7/cert.key key m7/cert.key
ca ca.crt ca ca.crt
key registry/ca.key key registry/ca.key
dh dh2048.pem
logfile registry/registry.log logfile registry/registry.log
run registry/run run registry/run
hello 4 hello 4
...@@ -50,7 +50,6 @@ def main(): ...@@ -50,7 +50,6 @@ def main():
ca_path = 'ca.crt' ca_path = 'ca.crt'
cert_path = 'cert.crt' cert_path = 'cert.crt'
key_path = 'cert.key' key_path = 'cert.key'
dh_path = 'dh2048.pem'
# Establish connection with server # Establish connection with server
s = registry.RegistryClient(config.registry) s = registry.RegistryClient(config.registry)
...@@ -81,12 +80,6 @@ def main(): ...@@ -81,12 +80,6 @@ def main():
if config.ca_only: if config.ca_only:
sys.exit() sys.exit()
# Generating dh file
if not os.access(dh_path, os.F_OK):
r = subprocess.call(('openssl', 'dhparam', '-out', dh_path, '2048'))
if r:
sys.exit(r)
reserved = 'CN', 'serial' reserved = 'CN', 'serial'
req = crypto.X509Req() req = crypto.X509Req()
try: try:
...@@ -175,7 +168,6 @@ registry %s ...@@ -175,7 +168,6 @@ registry %s
ca %s ca %s
cert %s cert %s
key %s key %s
dh %s
# increase re6stnet verbosity: # increase re6stnet verbosity:
#verbose 3 #verbose 3
# enable OpenVPN logging: # enable OpenVPN logging:
...@@ -183,7 +175,7 @@ dh %s ...@@ -183,7 +175,7 @@ dh %s
# increase OpenVPN verbosity: # increase OpenVPN verbosity:
#O--verb #O--verb
#O3 #O3
""" % (config.registry, ca_path, cert_path, key_path, dh_path)) """ % (config.registry, ca_path, cert_path, key_path))
print "Sample configuration file created." print "Sample configuration file created."
cn = x509.subnetFromCert(cert) cn = x509.subnetFromCert(cert)
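Review bot: With the `openssl dhparam` call removed from `main()` in the second hunk, `subprocess` and `os` are only still needed in re6st-conf if something else in the file uses them; the import block is outside these hunks, so please check that neither import became dead. The sample configuration written in the third hunk simply drops the `dh` line, which matches the new default of fetching the parameters from the registry and needs no further change. `main()` starts and ends outside the hunks.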
...@@ -69,6 +69,8 @@ def main(): ...@@ -69,6 +69,8 @@ def main():
_('--db', default='/var/lib/re6stnet/registry.db', _('--db', default='/var/lib/re6stnet/registry.db',
help="Path to SQLite database file. It is automatically initialized" help="Path to SQLite database file. It is automatically initialized"
" if the file does not exist.") " if the file does not exist.")
_('--dh',
help='File containing Diffie-Hellman parameters in .pem format')
_('--ca', required=True, help=parser._ca_help) _('--ca', required=True, help=parser._ca_help)
_('--key', required=True, _('--key', required=True,
help="CA private key in .pem format.") help="CA private key in .pem format.")
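Review bot: `--dh` is added here as an optional argument, but `RegistryServer.getDh` in the re6st/registry.py hunk below calls `open(self.config.dh)` with no guard, so a registry started without `--dh` raises `TypeError` on every `getDh` RPC instead of failing at startup. Since this commit makes registry-served DH parameters the default for nodes, the option should either be mandatory, `_('--dh', required=True,`, or a missing value should be rejected with a clear message when the server is constructed. The parser is built inside `main()`, whose body continues outside the hunk.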
...@@ -120,6 +120,22 @@ class Cache(object): ...@@ -120,6 +120,22 @@ class Cache(object):
logging.warning("There's a new version of re6stnet:" logging.warning("There's a new version of re6stnet:"
" you should update.") " you should update.")
def getDh(self, path):
if not os.path.exists(path):
retry = 1
while True:
try:
dh = self._registry.getDh(self._prefix)
break
except socket.error, e:
logging.warning(
"Failed to get DH parameters from the registry."
" Will retry in %s seconds", retry, exc_info=1)
time.sleep(retry)
retry = min(60, retry * 2)
with open(path, "wb") as f:
f.write(dh)
def log(self): def log(self):
if logging.getLogger().isEnabledFor(5): if logging.getLogger().isEnabledFor(5):
logging.trace("Cache:") logging.trace("Cache:")
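Review bot: `Cache.getDh` writes the fetched parameters straight to `path`, so a crash or kill between `open(path, "wb")` and the end of the write leaves a truncated file that the `os.path.exists(path)` check accepts as valid on the next start and hands to the OpenVPN server. Writing to a sibling temporary name and renaming it into place makes the publish atomic on POSIX, and a cheap check that the body begins with `-----BEGIN DH PARAMETERS-----` keeps an empty or error response from being persisted at all. The retry loop only catches `socket.error`, so any other failure from `self._registry.getDh` propagates out of startup, which may be intended but deserves a comment. The `e` bound in `except socket.error, e:` is unused. The enclosing `class Cache` starts and ends outside the hunk, and whether `os`, `socket` and `time` are imported in cache.py is not visible here.

```python
    def getDh(self, path):
        if not os.path.exists(path):
            # … unchanged: retry loop fetching `dh` from the registry …
            if not dh.startswith("-----BEGIN DH PARAMETERS-----"):
                raise ValueError("registry returned invalid DH parameters")
            # Write to a temporary file and rename so a partial write never
            # leaves a truncated file that the exists() check above would trust.
            tmp = path + ".tmp"
            with open(tmp, "wb") as f:
                f.write(dh)
            os.rename(tmp, path)
```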
...@@ -427,6 +427,11 @@ class RegistryServer(object): ...@@ -427,6 +427,11 @@ class RegistryServer(object):
def getCa(self): def getCa(self):
return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert.ca) return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert.ca)
@rpc
def getDh(self, cn):
with open(self.config.dh) as f:
return f.read()
@rpc @rpc
def getNetworkConfig(self, cn): def getNetworkConfig(self, cn):
return self.network_config return self.network_config
...@@ -79,7 +79,8 @@ def getConfig(): ...@@ -79,7 +79,8 @@ def getConfig():
" openvpn server on the first given port." " openvpn server on the first given port."
" (default: --pp 1194 udp --pp 1194 tcp)") " (default: --pp 1194 udp --pp 1194 tcp)")
_('--dh', _('--dh',
help='File containing Diffie-Hellman parameters in .pem format') help="File containing Diffie-Hellman parameters in .pem format"
" (default: DH from registry)")
_('--ca', required=True, help=parser._ca_help) _('--ca', required=True, help=parser._ca_help)
_('--cert', required=True, _('--cert', required=True,
help="Local peer's signed certificate in .pem format." help="Local peer's signed certificate in .pem format."
...@@ -220,9 +221,6 @@ def main(): ...@@ -220,9 +221,6 @@ def main():
raise EnvironmentError("%r failed with error %u\n%s" raise EnvironmentError("%r failed with error %u\n%s"
% (' '.join(cmd), p.returncode, stderr)) % (' '.join(cmd), p.returncode, stderr))
return stdout return stdout
def required(arg):
if not getattr(config, arg):
sys.exit("error: argument --%s is required" % arg)
def ip(object, *args): def ip(object, *args):
args = ['ip', '-6', object, 'add'] + list(args) args = ['ip', '-6', object, 'add'] + list(args)
call(args) call(args)
...@@ -285,11 +283,14 @@ def main(): ...@@ -285,11 +283,14 @@ def main():
address_list, cache.encrypt, '--ping-restart', address_list, cache.encrypt, '--ping-restart',
str(timeout), *config.openvpn_args).stop) str(timeout), *config.openvpn_args).stop)
elif server_tunnels: elif server_tunnels:
required('dh') dh = config.dh
if not dh:
dh = os.path.join(config.state, "dh.pem")
cache.getDh(dh)
for iface, (port, proto) in server_tunnels.iteritems(): for iface, (port, proto) in server_tunnels.iteritems():
r, x = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM) r, x = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
cleanup.append(plib.server(iface, config.max_clients, cleanup.append(plib.server(iface, config.max_clients,
config.dh, x.fileno(), port, proto, cache.encrypt, dh, x.fileno(), port, proto, cache.encrypt,
'--ping-exit', str(timeout), *config.openvpn_args, '--ping-exit', str(timeout), *config.openvpn_args,
preexec_fn=r.close).stop) preexec_fn=r.close).stop)
R[r] = partial(tunnel_manager.handleServerEvent, r) R[r] = partial(tunnel_manager.handleServerEvent, r)
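Review bot: When `--dh` is given explicitly, the new branch in the third hunk never checks that the file exists, so a typo in the path is only reported later by the OpenVPN server process rather than at startup (the removed `required('dh')` only verified that the option was set, so this is not a regression, but the new code path is the natural place for the check). A guard after the default is resolved keeps the early failure: `elif not os.path.exists(dh):` / `sys.exit("error: --dh file %r not found" % dh)`. The default path lives under `config.state`, consistent with the other state files, and `cache.getDh` itself skips the fetch when the file is already there. `main()` starts and ends outside the hunks, and whether `os` is imported in re6stnet is not visible here.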