Date: Thu, 24 Nov 2016 23:42:04 +0000 (UTC) From: Peter Wemm <peter@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49697 - head/en_US.ISO8859-1/htdocs/cgi Message-ID: <201611242342.uAONg4Ch001320@repo.freebsd.org>
Author: peter (src committer) Date: Thu Nov 24 23:42:04 2016 New Revision: 49697 URL: https://svnweb.freebsd.org/changeset/doc/49697 Log: Add an experimental dynamic fingerprint display for some regularly updated ssl/tls certificates in use on the cluster. This is a proof-of-concept and should not be referenced. Added: head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi (contents, props changed) Modified: head/en_US.ISO8859-1/htdocs/cgi/Makefile
Modified: head/en_US.ISO8859-1/htdocs/cgi/Makefile
==============================================================================
--- head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 12:29:35 2016 (r49696)
+++ head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 23:42:04 2016 (r49697)
@@ -12,6 +12,7 @@
 DATA+= cgi-lib.pl
 DATA+= cgi-style.pl
 CGI=
+CGI+= fingerprints.cgi
 CGI+= getmsg.cgi
 CGI+= mailindex.cgi
 CGI+= man.cgi
Added: head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi Thu Nov 24 23:42:04 2016 (r49697)
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -T
+#
+# Display current HTTPS/SSL/TLS certificate fingerprints.
+# Should be replaced with something better.
+#
+# $FreeBSD$
+
+require "./cgi-lib.pl";
+require "./cgi-style.pl";
+$ENV{PATH} = '/bin:/usr/bin';
+
+# There is an internal post-renew propagation window of about 5-10 minutes.
+# However, the script is expensive so we leverage the cache. The problem
+# is that people could come here immediately after a fingerprint mismatch
+# so we have to be quick to update.
+print "Cache-control: public; max-age=120\n"; # 2 minutes
+print &short_html_header("FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints");
+
+print qq{<h1>FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints</h1>\n};
+print qq{<p>The FreeBSD Project makes use of <a href="https://letsencrypt.org">Let's Encrypt</a> certificates for many of its HTTPS/SSL/TLS services. These certificates are automatically updated every 60 days. The current certificate fingerprints of significant services are listed below.</p>\n};
+
+# Note: These are all case sensitive. Use lower case to match the file names.
+&Fingerprint('svn.freebsd.org');
+&Fingerprint('download.freebsd.org');
+&Fingerprint('pkg.freebsd.org');
+
+print qq{<p>These fingerprints may be helpful in situations where automatic verification is not available.</p>\n};
+print &html_footer;
+exit 0;
+
+sub Fingerprint
+{
+ my ($domain) = @_;
+
+ my $message;
+ my $sha1, $sha256;
+ if ( -e "/etc/clusteradm/acme-certs/$domain.crt" ) {
+ $sha1 = `/usr/bin/openssl x509 -fingerprint -noout -sha1 -in /etc/clusteradm/acme-certs/$domain.crt`;
+ $sha256 = `/usr/bin/openssl x509 -fingerprint -noout -sha256 -in /etc/clusteradm/acme-certs/$domain.crt`;
+ chomp($sha1);
+ chomp($sha256);
+ $sha1 =~ s/^.*=//;
+ $sha256 =~ s/^.*=//;
+ } else {
+ $sha1 = 'Error';
+ $sha256 = 'Error';
+ }
+
+ $message = qq{<p>The fingerprints of the current <b>$domain</b> certificate are:</p>\n};
+ $message .= qq{<div class="informaltable"><table border="1"><colgroup><col /><col /></colgroup>};
+ $message .= qq{<thead><tr><th>Hash</th><th>Fingerprint</th></tr></thead><tbody>};
+ $message .= qq{<tr><td>SHA1</td><td><code class="literal">$sha1</code></td></tr>};
+ $message .= qq{<tr><td>SHA256</td><td><code class="literal">$sha256</code></td></tr>};
+ $message .= qq{</tbody></table></div>\n};
+
+ print $message;
+}
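Review bot: In Fingerprint, the two backtick runs of openssl are never checked, so a failed run (for example a certificate file that exists but is unreadable by the CGI user, which `-e` does not rule out) leaves `$sha1`/`$sha256` empty and the table shows a blank cell instead of 'Error'; the rewrite below defaults both to 'Error', uses a list-form pipe open so no shell is involved, and only accepts output containing `=` from a process that exited 0. `my $sha1, $sha256;` just above the `if` declares only `$sha1` (`$sha256` becomes a package global, which `use strict` would reject), so the script should add `use strict; use warnings;` and write `my ($sha1, $sha256);`. The cache header joins its directives with a semicolon, but Cache-Control directives are comma-separated and a client may discard the malformed header, so it should read `print "Cache-control: public, max-age=120\n";`. Since the script runs under -T and spawns a subprocess, it should also clear the other variables taint mode checks before the first command, `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};`, next to the `$ENV{PATH}` assignment.
```perl
sub Fingerprint
{
    my ($domain) = @_;
    my $cert = "/etc/clusteradm/acme-certs/$domain.crt";

    # Default to 'Error'; only a successful, parsable openssl run replaces it.
    my ($sha1, $sha256) = ('Error', 'Error');
    if ( -r $cert ) {
        $sha1   = _fingerprint($cert, '-sha1');
        $sha256 = _fingerprint($cert, '-sha256');
    }
    # … unchanged: table markup and print $message …
}

# Run openssl without a shell and return the hex fingerprint, or 'Error'
# when the process fails or prints nothing parsable.
sub _fingerprint
{
    my ($cert, $algo) = @_;
    open(my $fh, '-|', '/usr/bin/openssl', 'x509', '-fingerprint', '-noout', $algo, '-in', $cert)
        or return 'Error';
    my $line = <$fh>;
    close($fh);    # for a pipe open, close sets $? to the child's exit status
    return 'Error' if $? != 0 || !defined($line) || $line !~ /=/;
    chomp($line);
    $line =~ s/^.*=//;
    return $line;
}
```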