Commit f7d04fc4 authored by Julien Muchembled

By default, get DH parameters from the registry instead of requiring each node to generate them

Generating them takes a lot of time and there's no reason to do this by default.
We keep the --dh option in 're6stnet' so as not to break existing configurations.
parent 8ebdd500
......@@ -10,9 +10,6 @@
public IPv6. If there's only one interface like this, a workaround is to
use --main-interface option on it.
- Nodes should not have to generate their own DH parameters. Add a `getDh(cn)`
registry RPC that is called at re6stnet startup if they're missing.
- Filter non-routable IPs. Add an option not to do it.
- Abort in case of import child process failure (babel, openvpn server,
......
......@@ -2,7 +2,6 @@ log m1/
run m1/run
state m1/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m1/cert.crt
key m1/cert.key
......
......@@ -2,7 +2,6 @@ log m2/
run m2/run
state m2/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m2/cert.crt
key m2/cert.key
......
......@@ -2,7 +2,6 @@ log m3/
run m3/run
state m3/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m3/cert.crt
key m3/cert.key
......
......@@ -2,7 +2,6 @@ log m4/
run m4/run
state m4/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m4/cert.crt
key m4/cert.key
......
......@@ -2,7 +2,6 @@ log m6/
run m6/run
state m6/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m6/cert.crt
key m6/cert.key
......
......@@ -2,7 +2,6 @@ log m7/
run m7/run
state m7/
pp 1194 tcp
dh dh2048.pem
ca ca.crt
cert m7/cert.crt
key m7/cert.key
......
ca ca.crt
key registry/ca.key
dh dh2048.pem
logfile registry/registry.log
run registry/run
hello 4
......
......@@ -50,7 +50,6 @@ def main():
ca_path = 'ca.crt'
cert_path = 'cert.crt'
key_path = 'cert.key'
dh_path = 'dh2048.pem'
# Establish connection with server
s = registry.RegistryClient(config.registry)
......@@ -81,12 +80,6 @@ def main():
if config.ca_only:
sys.exit()
# Generating dh file
if not os.access(dh_path, os.F_OK):
r = subprocess.call(('openssl', 'dhparam', '-out', dh_path, '2048'))
if r:
sys.exit(r)
reserved = 'CN', 'serial'
req = crypto.X509Req()
try:
......@@ -175,7 +168,6 @@ registry %s
ca %s
cert %s
key %s
dh %s
# increase re6stnet verbosity:
#verbose 3
# enable OpenVPN logging:
......@@ -183,7 +175,7 @@ dh %s
# increase OpenVPN verbosity:
#O--verb
#O3
""" % (config.registry, ca_path, cert_path, key_path, dh_path))
""" % (config.registry, ca_path, cert_path, key_path))
print "Sample configuration file created."
cn = x509.subnetFromCert(cert)
......
......@@ -69,6 +69,8 @@ def main():
_('--db', default='/var/lib/re6stnet/registry.db',
help="Path to SQLite database file. It is automatically initialized"
" if the file does not exist.")
_('--dh',
help='File containing Diffie-Hellman parameters in .pem format')
_('--ca', required=True, help=parser._ca_help)
_('--key', required=True,
help="CA private key in .pem format.")
......
......@@ -120,6 +120,22 @@ class Cache(object):
logging.warning("There's a new version of re6stnet:"
" you should update.")
def getDh(self, path):
if not os.path.exists(path):
retry = 1
while True:
try:
dh = self._registry.getDh(self._prefix)
break
except socket.error, e:
logging.warning(
"Failed to get DH parameters from the registry."
" Will retry in %s seconds", retry, exc_info=1)
time.sleep(retry)
retry = min(60, retry * 2)
with open(path, "wb") as f:
f.write(dh)
def log(self):
if logging.getLogger().isEnabledFor(5):
logging.trace("Cache:")
......
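Review bot: Cache.getDh persists whatever bytes the registry returns and the `os.path.exists(path)` guard then treats that file as final, so an empty or truncated response (a registry started with an empty `--dh` file, or this process killed between `open` and the end of `write`) leaves a dh.pem that is never fetched again and is handed straight to the OpenVPN server on every later start. The retry loop does not cover this case, since it only catches `socket.error`. Rejecting an empty body and writing through a temporary file renamed into place keeps the existence check meaningful; the `e` bound by `except socket.error, e:` is also unused and can be dropped. The enclosing class Cache continues outside the hunk.
```python
    def getDh(self, path):
        # … unchanged: retry loop fetching dh from the registry …
        if not dh:
            raise ValueError("registry returned empty DH parameters")
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(dh)
        # rename is atomic on POSIX, so no partial dh.pem survives a crash
        os.rename(tmp, path)
```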
......@@ -427,6 +427,11 @@ class RegistryServer(object):
def getCa(self):
return crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert.ca)
@rpc
def getDh(self, cn):
with open(self.config.dh) as f:
return f.read()
@rpc
def getNetworkConfig(self, cn):
return self.network_config
......
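Review bot: RegistryServer.getDh opens `self.config.dh` unconditionally, but the `--dh` option added to re6st-registry in this commit has no `required=True`, unlike the neighbouring `--ca` and `--key`; a registry started without it will fail with a TypeError inside the RPC handler on each node's first call instead of at startup. Since the registry is now the default source of these parameters for every node, the smallest fix is `_('--dh', required=True, help='File containing Diffie-Hellman parameters in .pem format')` in re6st-registry, or an explicit readability check of the file at startup. Reading the file once into memory at startup rather than on every RPC would also surface a missing or empty file before any node asks for it. RegistryServer continues outside the hunk.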
......@@ -79,7 +79,8 @@ def getConfig():
" openvpn server on the first given port."
" (default: --pp 1194 udp --pp 1194 tcp)")
_('--dh',
help='File containing Diffie-Hellman parameters in .pem format')
help="File containing Diffie-Hellman parameters in .pem format"
" (default: DH from registry)")
_('--ca', required=True, help=parser._ca_help)
_('--cert', required=True,
help="Local peer's signed certificate in .pem format."
......@@ -220,9 +221,6 @@ def main():
raise EnvironmentError("%r failed with error %u\n%s"
% (' '.join(cmd), p.returncode, stderr))
return stdout
def required(arg):
if not getattr(config, arg):
sys.exit("error: argument --%s is required" % arg)
def ip(object, *args):
args = ['ip', '-6', object, 'add'] + list(args)
call(args)
......@@ -285,11 +283,14 @@ def main():
address_list, cache.encrypt, '--ping-restart',
str(timeout), *config.openvpn_args).stop)
elif server_tunnels:
required('dh')
dh = config.dh
if not dh:
dh = os.path.join(config.state, "dh.pem")
cache.getDh(dh)
for iface, (port, proto) in server_tunnels.iteritems():
r, x = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
cleanup.append(plib.server(iface, config.max_clients,
config.dh, x.fileno(), port, proto, cache.encrypt,
dh, x.fileno(), port, proto, cache.encrypt,
'--ping-exit', str(timeout), *config.openvpn_args,
preexec_fn=r.close).stop)
R[r] = partial(tunnel_manager.handleServerEvent, r)
......
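Review bot: The fallback `cache.getDh(dh)` fills `<state>/dh.pem` only when that file is absent (Cache.getDh in re6st/cache.py checks `os.path.exists` first), so a node keeps the first parameters it ever received; if the registry's `--dh` file is later replaced, existing nodes presumably will not pick up the change until the cached file is removed. That may be intended, but nothing says so: the `--dh` help only states "default: DH from registry". A comment such as `# Fetched once and cached in the state dir; delete dh.pem there to refresh from the registry.` above the `if not dh:` line, or one more sentence in the option help, would save an operator a surprise. Whether the removed `required` helper had callers other than `required('dh')` is not visible here; main continues outside the hunk.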