key-networks / ztncui

ZeroTier network controller UI
GNU General Public License v3.0
1.53k stars 228 forks

.deb deploys default TLS certificate and private key #36

Closed mdPlusPlus closed 3 years ago

mdPlusPlus commented 4 years ago

opt/key-networks/ztncui/etc/tls/fullchain.pem
opt/key-networks/ztncui/etc/tls/privkey.pem

Instead of generating a self-signed cert on the machine, the .deb installs one you provided.
If users are not made aware of this, a MITM could sniff their traffic, get their login credentials and use them to gain access to the user's network.

I wasn't able to confirm whether the .rpm does the same.

key-networks commented 4 years ago

I am happy to accept a PR for your proposed solution.

mdPlusPlus commented 4 years ago

This would require me to have knowledge of how you build your packages.
All I could find relating to that is https://github.com/key-networks/ztncui/blob/master/build/build.sh, but I'm not familiar with packaging via fpm.

I can see the use of openssl here though: https://github.com/key-networks/ztncui/blob/537a567e29da8ccc83a473b327674b149b5a6419/build/build.sh#L74 https://github.com/key-networks/ztncui/blob/537a567e29da8ccc83a473b327674b149b5a6419/build/build.sh#L84

So I assume you'd need to delete these lines, add openssl as a dependency, and add the generation to after-install.sh (or maybe before-install.sh, again, I'm not familiar with fpm).

If you can confirm my understanding so far, I could test it locally and open a pull request.

key-networks commented 4 years ago

It sounds like a reasonable approach.

key-networks commented 4 years ago

@mdPlusPlus could you please test https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.6.1_amd64.deb and let me know if this is the desired behaviour?

key-networks commented 4 years ago

It will regenerate the private key and self-signed cert after installation and after upgrade.

key-networks commented 4 years ago

If anyone would be kind enough to test the fix for this issue, please test https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.6.3_amd64.deb for Debian/Ubuntu systems or for RedHat based systems: sudo yum --enablerepo=ztncui-testing upgrade ztncui

key-networks commented 4 years ago

It should not touch /opt/key-networks/ztncui/etc/passwd or the key/cert in /opt/key-networks/ztncui/etc/tls/ if they already exist. So, if you want to regenerate the self-signed cert and key, then delete them before upgrading.
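The install-time behaviour described in the two maintainer comments above (generate the private key and self-signed certificate on the target machine, and leave existing files alone on upgrade), as an added example that is not ztncui's own after-install.sh or build script: a POSIX sh script with the generate-if-absent step plus a fingerprint helper an admin can use to confirm that the certificate a server presents is unique to that host. The directory, file names, key size, the `install` argument and the `served_fingerprint` helper are assumptions; ztncui's actual packaging scripts may differ.

```shell
#!/bin/sh
# Added example: a package post-install step that creates per-host TLS
# material instead of shipping one key in the package. Not ztncui's code.
set -eu

# Assumed location; matches the paths quoted in this issue.
TLS_DIR="${TLS_DIR:-/opt/key-networks/ztncui/etc/tls}"

# Generate a fresh private key and self-signed certificate under $1 unless
# both files already exist, so an upgrade never overwrites an admin's own
# cert. Returns 0 when material was generated, 1 when existing files were kept.
ensure_tls_material() {
    dir="$1"
    key="$dir/privkey.pem"
    cert="$dir/fullchain.pem"
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 1
    fi
    mkdir -p "$dir"
    host="$(hostname 2>/dev/null || echo localhost)"
    # Subshell keeps the restrictive umask local; -nodes writes an unencrypted
    # key so the service can start unattended; -subj avoids interactive prompts.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/CN=$host" \
          -keyout "$key" -out "$cert" >/dev/null 2>&1 )
    chmod 600 "$key"
    return 0
}

# SHA-256 fingerprint of a PEM certificate file: 64 lower-case hex digits.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate a live server presents (host:port). Compare
# it across two installs: an identical value means both still serve the
# packaged certificate. Needs network access, so it is not exercised offline.
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Hypothetical entry point as a package manager would call it.
if [ "${1:-}" = "install" ]; then
    if ensure_tls_material "$TLS_DIR"; then
        echo "generated new TLS key and self-signed certificate in $TLS_DIR"
    else
        echo "kept existing TLS material in $TLS_DIR"
    fi
fi
```

Because the step keeps existing files, a host that installed a version shipping the shared key will keep that key across upgrades; `cert_fingerprint` on the installed file, or `served_fingerprint` against two different hosts, is the quick way to tell whether that has happened before deleting the files and reinstalling.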

Fastidious commented 4 years ago

@key-networks it seems this issue doesn't affect those of us using a proxy to ztncui, am I correct? I run ztncui without SSL, as my proxy handles that.

key-networks commented 4 years ago

@Fastidious - correct, if you are not using SSL/TLS on the back-end, it won't affect you.

key-networks commented 4 years ago

Does anyone out there use the self-signed certificate? Maybe it's a waste of time fixing this issue if nobody uses it.

mdPlusPlus commented 3 years ago

Sorry, I haven't been able to test this yet, but the code in the issue#36 branch looks good so far.

key-networks commented 3 years ago

Version 0.6.6 has been published which resolves this issue.