From owner-svn-doc-head@freebsd.org Thu Nov 24 23:42:05 2016
Return-Path:
Delivered-To: svn-doc-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AFD2DC544AF; Thu, 24 Nov 2016 23:42:05 +0000 (UTC) (envelope-from peter@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 83E3EEAD; Thu, 24 Nov 2016 23:42:05 +0000 (UTC) (envelope-from peter@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAONg47d001322; Thu, 24 Nov 2016 23:42:04 GMT (envelope-from peter@FreeBSD.org)
Received: (from peter@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAONg4Ch001320; Thu, 24 Nov 2016 23:42:04 GMT (envelope-from peter@FreeBSD.org)
Message-Id: <201611242342.uAONg4Ch001320@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: peter set sender to peter@FreeBSD.org using -f
From: Peter Wemm Date: Thu, 24 Nov 2016 23:42:04 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49697 - head/en_US.ISO8859-1/htdocs/cgi X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 23:42:05 -0000 Author: peter (src committer) Date: Thu Nov 24 23:42:04 2016 New Revision: 49697 URL: https://svnweb.freebsd.org/changeset/doc/49697 Log: Add an experimental dynamic fingerprint display for some regularly updated ssl/tls certificates in use on the cluster. This is a proof-of-concept and should not be referenced. Added: head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi (contents, props changed) Modified: head/en_US.ISO8859-1/htdocs/cgi/Makefile Modified: head/en_US.ISO8859-1/htdocs/cgi/Makefile ============================================================================== --- head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 12:29:35 2016 (r49696) +++ head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 23:42:04 2016 (r49697) @@ -12,6 +12,7 @@ DATA+= cgi-lib.pl DATA+= cgi-style.pl CGI= +CGI+= fingerprints.cgi CGI+= getmsg.cgi CGI+= mailindex.cgi CGI+= man.cgi Added: head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi Thu Nov 24 23:42:04 2016 (r49697) 
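Review bot: Adding `CGI+= fingerprints.cgi` to the Makefile installs the script on the public site, while the log entry says it is a proof-of-concept that should not be referenced; if the URL is not meant to be relied on yet, either keep it out of the CGI list until it is ready or state in the script's header comment that the page is experimental and may move. The placement before getmsg.cgi keeps the list in alphabetical order, which is fine.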
@@ -0,0 +1,57 @@ +#!/usr/bin/perl -T +# +# Display current HTTPS/SSL/TLS certificate fingerprints. +# Should be replaced with something better. +# +# $FreeBSD$ + +require "./cgi-lib.pl"; +require "./cgi-style.pl"; +$ENV{PATH} = '/bin:/usr/bin'; + +# There is an internal post-renew propagation window of about 5-10 minutes. +# However, the script is expensive so we leverage the cache. The problem +# is that people could come here immediately after a fingerprint mismatch +# so we have to be quick to update. +print "Cache-control: public; max-age=120\n"; # 2 minutes +print &short_html_header("FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints"); + +print qq{

FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints

\n}; +print qq{

The FreeBSD Project makes use of Let's Encrypt certificates for many of its HTTPS/SSL/TLS services. These certificates are automatically updated every 60 days. The current certificate fingerprints of significant services are listed below.

\n}; + +# Note: These are all case sensitive. Use lower case to match the file names. +&Fingerprint('svn.freebsd.org'); +&Fingerprint('download.freebsd.org'); +&Fingerprint('pkg.freebsd.org'); + +print qq{

These fingerprints may be helpful in situations where automatic verification is not available.

\n}; +print &html_footer; +exit 0; + +sub Fingerprint +{ + my ($domain) = @_; + + my $message; + my $sha1, $sha256; + if ( -e "/etc/clusteradm/acme-certs/$domain.crt" ) { + $sha1 = `/usr/bin/openssl x509 -fingerprint -noout -sha1 -in /etc/clusteradm/acme-certs/$domain.crt`; + $sha256 = `/usr/bin/openssl x509 -fingerprint -noout -sha256 -in /etc/clusteradm/acme-certs/$domain.crt`; + chomp($sha1); + chomp($sha256); + $sha1 =~ s/^.*=//; + $sha256 =~ s/^.*=//; + } else { + $sha1 = 'Error'; + $sha256 = 'Error'; + } + + $message = qq{

The fingerprints of the current $domain certificate are:

\n}; + $message .= qq{
}; + $message .= qq{}; + $message .= qq{}; + $message .= qq{}; + $message .= qq{
HashFingerprint
SHA1$sha1
SHA256$sha256
\n}; + + print $message; +}
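Review bot: The header emitted by `print "Cache-control: public; max-age=120\n";` separates its directives with a semicolon, but Cache-Control directives are comma-separated (`Cache-Control: public, max-age=120`); as written a cache may discard the max-age, so the two-minute refresh the comment relies on for the post-renew propagation window will not take effect. Second, `my $sha1, $sha256;` declares only `$sha1` as lexical (the `my` binds to the first variable alone) and leaves `$sha256` a package global; write `my ($sha1, $sha256);`. Third, both backtick calls interpolate `$domain` into a shell command line; with the hard-coded domains and the fixed PATH this passes taint mode and is safe today, but a list-form `open(my $fh, '-|', '/usr/bin/openssl', 'x509', '-fingerprint', '-noout', '-sha256', '-in', $path)` avoids the shell entirely and keeps the routine safe if a later change ever feeds it a domain taken from the request. Finally, the else branch prints the literal 'Error' only when the file is missing; if openssl itself fails (for example on a half-written file during the propagation window the comment mentions) the backticks return an empty string and the table shows a blank fingerprint rather than an error, so check `$?` after each command and fall through to the error text in that case as well.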