Verified Commit 790c575f authored by Pierre-Louis Bonicoli's avatar Pierre-Louis Bonicoli 🏗

Generate DH parameters when needed

DH parameters can still be generated by users.
parent 810e90d7
......@@ -45,6 +45,8 @@ configuration file will be created too).
m4v,avi,xv,jar,tgz,mp4,mkv,ogg,flv.
* `burp_timeoutstop`: value of `TimeoutStopSec` systemd option for Burp service.
If `None`, keep systemd default.
* `burp_dh_size`: size of DH parameters (default: `2048`). The path of the
generated DH parameters is: `/etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem`.
### Variables required by server and client:
......@@ -71,7 +73,6 @@ burp:
ratelimit:
ssl*: # All files will be copied on the server.
CA*: '{{ lookup("file", "path/to/ca.pem") }} # Certificate Authority
DH*: '{{ burp_dh }}' # DH parameters
cert*: '{{ burp_server_cert }}' # Burp server public certificate
key*: '{{ burp_server_key }}' # Burp server private key
burp_clients:
......
......@@ -34,3 +34,5 @@ burp_default_excludes:
- /run
- /dev
- /tmp
burp_dh_size: 2048
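Review bot: The new `burp_dh_size` default carries no comment, although it decides both the strength of the generated DH parameters and the file name the server configuration points to (`dh{{ burp_dh_size }}.pem` in the tasks and template hunks). A line above it such as `# Size in bits of the DH parameters generated by the role; also part of the file name dh<size>.pem under /etc/burp/<burp.name>/` would document that for readers of the defaults file who do not open the README.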
......@@ -9,7 +9,6 @@
CA: '{{ ca["content"] | b64decode }}'
cert: '{{ server_cert["content"] | b64decode }}'
key: '{{ server_key["content"] | b64decode }}'
DH: '{{ dh_param }}'
pre_tasks:
- name: Fetch CA
slurp:
......@@ -49,7 +48,6 @@
CA: '{{ hostvars["molecule-burp-server"]["ca"]["content"] | b64decode }}'
cert: '{{ hostvars["molecule-burp-server"]["server_cert"]["content"] | b64decode }}'
key: '{{ hostvars["molecule-burp-server"]["server_key"]["content"] | b64decode }}'
DH: '{{ dh_param }}'
burp_clients:
_server: *burp_server
testuser:
......
......@@ -78,6 +78,18 @@
organizationalUnitName: Test BURP CA
commonName: molecule-burp-client
- name: Create configuration directory
file: # noqa 208
# 'burp-test-backup' user doesn't exist yet, the role will fix that
path: /etc/burp/test-backup/
state: directory
- name: COPY DH param
copy: # noqa 208
# 'burp-test-backup' user doesn't exist yet, the role will fix that
content: '{{ dh_param }}'
dest: '/etc/burp/test-backup/dh2048.pem'
- name: Generate client certificate
openssl_certificate:
path: /tmp/client.pem
......
......@@ -85,10 +85,10 @@
diff: no
notify: 'reload burp service'
- name: COPY DH param
copy:
content: '{{ burp.ssl.DH }}'
dest: '/etc/burp/{{ burp.name }}/dh2048.pem'
- name: Create DH param
openssl_dhparam:
path: '/etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem'
size: '{{ burp_dh_size }}'
<<: *owner-file
notify: 'reload burp service'
......
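Review bot: Nothing in the new task flags an inventory that still sets `burp.ssl.DH`, which the other hunks drop from the examples; such a value is now silently ignored and the role-generated file is used instead, so an `assert` task with `that: burp.ssl.DH is not defined` and a `fail_msg` pointing at `burp_dh_size`, placed before this one, would surface stale configuration. The output path `/etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem` is also spelled out here, in the template hunk (`ssl_dhfile`) and in the README, where the three can drift; a single default such as `burp_dh_path` consumed by both the task and the template would remove the duplication. A comment above the task would help as well, since `openssl_dhparam` leaves an existing file untouched unless `force` is set: `# Generated only when the file is missing; raising burp_dh_size creates a new file and leaves the old one in place`. The enclosing task list starts and ends outside the hunk.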
......@@ -90,7 +90,7 @@ ssl_cert_ca = /etc/burp/{{ burp.name }}/ca.crt
ssl_cert = /etc/burp/{{ burp.name }}/burp.crt
ssl_key = /etc/burp/{{ burp.name }}/burp.key
# ssl_key_password =
ssl_dhfile = /etc/burp/{{ burp.name }}/dh2048.pem
ssl_dhfile = /etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem
timer_script = {{ timer_script }}
# Available units:
......