Closed mdPlusPlus closed 3 years ago
I am happy to accept a PR for your proposed solution.
This would require me having knowledge on how you build your packages.
All I could find relating to that is https://github.com/key-networks/ztncui/blob/master/build/build.sh, but I'm not familiar with packaging via fpm.
I can see the use of openssl here though: https://github.com/key-networks/ztncui/blob/537a567e29da8ccc83a473b327674b149b5a6419/build/build.sh#L74 https://github.com/key-networks/ztncui/blob/537a567e29da8ccc83a473b327674b149b5a6419/build/build.sh#L84
So I assume you'd need to delete these lines, add openssl as a dependency, and add the generation to after-install.sh (or maybe before-install.sh, again, I'm not familiar with fpm).
If you can confirm my understanding so far, I could test it locally and request a pull request.
It sounds like a reasonable approach.
@mdPlusPlus could you please test https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.6.1_amd64.deb and let me know if this is the desired behaviour?
It will regenerate the private key and self-signed cert after installation and after upgrade.
If anyone would be kind enough to test the fix for this issue, please test https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.6.3_amd64.deb for Debian/Ubuntu systems or for RedHat based systems:
sudo yum --enablerepo=ztncui-testing upgrade ztncui
It should not touch /opt/key-networks/ztncui/etc/passwd or the key/cert in /opt/key-networks/ztncui/etc/tls/ if they already exist. So, if you want to regenerate the self-signed cert and key, then delete them before upgrading.
@key-networks it seems this issue doesn't affect those of us using a proxy to ztncui, am I correct? I run ztncui without SSL, as my proxy handles that.
@Fastidious - correct, if you are not using SSL/TLS on the back-end, it won't affect you.
Does anyone out there use the self-signed certificate? Maybe it's a waste of time fixing this issue if nobody uses it.
Sorry, I haven't been able to test this yet, but the code in the issue#36 branch looks good so far.
Version 0.6.6 has been published which resolves this issue.
opt/key-networks/ztncui/etc/tls/fullchain.pem
opt/key-networks/ztncui/etc/tls/privkey.pem
Instead of generating a self-signed cert on the machine, the .deb installs one you provided. If users are not made aware of this, a MITM could sniff their traffic, get their login credentials and use them to get access on the user's network.
I wasn't able to confirm whether the .rpm does the same.
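The behaviour this thread converges on, as an added example that is not the project's own packaging code: a post-install function that generates the key and self-signed certificate on the host only when they are missing, and a check that flags a dpkg -c listing that ships files under etc/tls/. The function names, the openssl parameters and the sample listing are assumptions; only the two .pem paths come from the thread.

```shell
#!/bin/sh
# Added example; not taken from ztncui's build/ scripts.
# Only the two .pem paths come from the thread; everything else is assumed.
TLS_DIR="${TLS_DIR:-/opt/key-networks/ztncui/etc/tls}"

# Create the key and self-signed cert on the host if either is missing.
# Prints "kept" when both already exist (upgrade) and leaves them untouched.
ensure_tls_material() {
    dir="$1"
    key="$dir/privkey.pem"
    crt="$dir/fullchain.pem"
    if [ -s "$key" ] && [ -s "$crt" ]; then
        echo "kept"
        return 0
    fi
    mkdir -p "$dir" || return 1
    # umask in a subshell so the private key is never world-readable.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
            -subj "/CN=$(uname -n)" \
            -keyout "$key" -out "$crt" >/dev/null 2>&1
    ) || return 1
    echo "generated"
}

# Read a `dpkg -c` listing on stdin and print every .pem under etc/tls/.
# Returns 0 when the package ships such files, 1 when it is clean.
shipped_tls_files() {
    awk '{ p = $NF }
         p ~ "etc/tls/[^/]+[.]pem$" { print p; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample listing (format of `dpkg -c`, values invented).
SAMPLE_LISTING='-rw-r--r-- root/root 1834 2020-01-01 00:00 ./opt/key-networks/ztncui/etc/tls/fullchain.pem
-rw-r--r-- root/root 3272 2020-01-01 00:00 ./opt/key-networks/ztncui/etc/tls/privkey.pem
-rwxr-xr-x root/root 9000 2020-01-01 00:00 ./opt/key-networks/ztncui/ztncui'

# Post-install usage:  ensure_tls_material "$TLS_DIR"
# Build-check usage:   dpkg -c pkg.deb | shipped_tls_files && echo "ships key material"
```

A package that passes the listing check can still leak a key through a maintainer script, so the check complements a review of the install scripts.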