scottk/Mailu-OIDC
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/Mailu-OIDC.git synced 2025-10-31 01:57:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Need newer cryptography

Browse Source
This commit is contained in:
Florent Daigniere
2024-03-10 16:03:13 +01:00
parent 8c842ff3aa
commit 494147eedf
3 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/base/requirements-prod.txt
View File

@@ -12,7 +12,7 @@ cffi==1.16.0
charset-normalizer==3.3.2 charset-normalizer==3.3.2
click==8.1.7 click==8.1.7
colorclass==2.2.2 colorclass==2.2.2
cryptography==41.0.7 cryptography==42.0.5
defusedxml==0.7.1 defusedxml==0.7.1
Deprecated==1.2.14 Deprecated==1.2.14
dnspython==2.5.0 dnspython==2.5.0

8
core/nginx/config.py
View File

@@ -92,7 +92,11 @@ def format_for_nginx(fullchain, output, strip_CA=args.get('LETSENCRYPT_SHORTCHAI
chain = x509.load_pem_x509_certificates(f.read()) chain = x509.load_pem_x509_certificates(f.read())
builder = PolicyBuilder().store(Store([ISRG_ROOT_X1, ISRG_ROOT_X2])) builder = PolicyBuilder().store(Store([ISRG_ROOT_X1, ISRG_ROOT_X2]))
verifier = builder.build_server_verifier(DNSName(chain[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value)) verifier = builder.build_server_verifier(DNSName(chain[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value))
try:
valid_chain = verifier.verify(chain[0], chain[1:]) valid_chain = verifier.verify(chain[0], chain[1:])
except Exception as e:
log.error(e)
valid_chain = chain
log.info(f'The certificate chain looks as follows for {fullchain}:') log.info(f'The certificate chain looks as follows for {fullchain}:')
indent = ' ' indent = ' '
has_found_PIN = False has_found_PIN = False
@@ -113,7 +117,7 @@ def format_for_nginx(fullchain, output, strip_CA=args.get('LETSENCRYPT_SHORTCHAI
for cert in valid_chain: for cert in valid_chain:
if strip_CA and (cert.subject.rfc4514_string() in ['CN=ISRG Root X1,O=Internet Security Research Group,C=US', 'CN=ISRG Root X2,O=Internet Security Research Group,C=US']): if strip_CA and (cert.subject.rfc4514_string() in ['CN=ISRG Root X1,O=Internet Security Research Group,C=US', 'CN=ISRG Root X2,O=Internet Security Research Group,C=US']):
continue continue
f.write(f'{cert.public_bytes(encoding=Encoding.PEM).decode("ascii").strip()}') f.write(f'{cert.public_bytes(encoding=Encoding.PEM).decode("ascii").strip()}\n')
if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']: if args['TLS_FLAVOR'] in ['letsencrypt', 'mail-letsencrypt']:
format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem') format_for_nginx('/certs/letsencrypt/live/mailu/fullchain.pem', '/certs/letsencrypt/live/mailu/nginx-chain.pem')
@@ -131,4 +135,4 @@ conf.jinja("/conf/proxy.conf", args, "/etc/nginx/proxy.conf")
conf.jinja("/conf/nginx.conf", args, "/etc/nginx/nginx.conf") conf.jinja("/conf/nginx.conf", args, "/etc/nginx/nginx.conf")
conf.jinja("/dovecot_conf/login.lua", args, "/etc/dovecot/login.lua") conf.jinja("/dovecot_conf/login.lua", args, "/etc/dovecot/login.lua")
conf.jinja("/dovecot_conf/proxy.conf", args, "/etc/dovecot/proxy.conf") conf.jinja("/dovecot_conf/proxy.conf", args, "/etc/dovecot/proxy.conf")
os.system("killall -HUP nginx dovecot") os.system("killall -q -HUP nginx dovecot")

2
core/nginx/letsencrypt.py
View File

@@ -23,7 +23,6 @@ command = [
"--keep-until-expiring", "--keep-until-expiring",
"--allow-subset-of-names", "--allow-subset-of-names",
"--renew-with-new-domains", "--renew-with-new-domains",
"--preferred-chain 'ISRG Root X1'",
"--config-dir", "/certs/letsencrypt", "--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py" "--post-hook", "/config.py"
] ]
@@ -39,7 +38,6 @@ command2 = [
"--allow-subset-of-names", "--allow-subset-of-names",
"--key-type", "ecdsa", "--key-type", "ecdsa",
"--renew-with-new-domains", "--renew-with-new-domains",
"--preferred-chain 'ISRG Root X1'",
"--config-dir", "/certs/letsencrypt", "--config-dir", "/certs/letsencrypt",
"--post-hook", "/config.py" "--post-hook", "/config.py"
] ]