mailinabox/setup/ssl.sh

#!/bin/bash
#
# RSA private key, SSL certificate, Diffie-Hellman bits files
# -------------------------------------------

# Create an RSA private key, a self-signed SSL certificate, and some
# Diffie-Hellman cipher bits, if they have not yet been created.
#
# The RSA private key and certificate are used for:
#
#  * DNSSEC DANE TLSA records
#  * IMAP
#  * SMTP (opportunistic TLS for port 25 and submission on port 587)
#  * HTTPS
#
# The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
# also used for other domains served over HTTPS until the user installs a
# better certificate for those domains.
#
# The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
# Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
# provides Perfect Forward Secrecy. 

source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars

echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
apt_install openssl

mkdir -p $STORAGE_ROOT/ssl

# Generate a new private key.
#
# The key is only as good as the entropy available to openssl so that it
# can generate a random key. "OpenSSL’s built-in RSA key generator ....
# is seeded on first use with (on Linux) 32 bytes read from /dev/urandom,
# the process ID, user ID, and the current time in seconds. [During key
# generation OpenSSL] mixes into the entropy pool the current time in seconds,
# the process ID, and the possibly uninitialized contents of a ... buffer
# ... dozens to hundreds of times." /dev/urandom is, in turn, seeded from
# "the uninitialized contents of the pool buffers when the kernel starts,
# the startup clock time in nanosecond resolution, input event and disk
# access timings, and entropy saved across boots to a local file" as well
# as the order of execution of concurrent accesses to /dev/urandom.
# (Heninger et al 2012, https://factorable.net/weakkeys12.conference.pdf)
#
# /dev/urandom draws from the same entropy sources as /dev/random, but
# doesn't block or issue any warnings if no entropy is actually available.
# (http://www.2uo.de/myths-about-urandom/) Thus eventually /dev/urandom
# can be expected to have been seeded with the "input event and disk access
# timings", but there's no guarantee that this has even ocurred.
#
# Some of these seeds are obviously not helpful for us: There are no input
# events on severs (keyboard/mouse), and the user ID of this process is
# always the same (we're root). And the seeding of /dev/urandom with the
# time and a seed from a previous boot is handled by *during boot* by
# /etc/init.d/urandom, which, in principle, may not have occurred yet!
#
# A perfect storm of issues can cause the generated key to be not very random:
#
#   * zero'd memory (plausible on embedded systems, cloud VMs?)
#   * a predictable process ID (likely on an embedded/virtualized system)
#   * a system clock reset to a fixed time on boot
#   * one CPU or no concurrent processes on /dev/urandom (so no concurrent accesses)
#   * no hard disk (so no disk access timings - but is this possible for us?)
#   * early run (no entry yet, boot not finished)
#   * first boot (no entropy saved from previous boot)
#
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
	# Set the umask so the key file is never world-readable.
	(umask 077; hide_output \
		openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
fi

# Generate a certificate signing request.
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
	hide_output \
	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
	  -sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
fi

# Generate a SSL certificate by self-signing.
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
	hide_output \
	openssl x509 -req -days 365 \
	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi

# Generate some Diffie-Hellman cipher bits.
# openssl's default bit length for this is 1024 bits, but we'll create
# 2048 bits of bits per the latest recommendations.
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
	openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
fi
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								#!/bin/bash
 								#
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								# RSA private key, SSL certificate, Diffie-Hellman bits files
 								# -------------------------------------------
-												more work on making the bash scripts readable

											
										
										
											2014-10-04 21:57:26 +00:00
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								# Create an RSA private key, a self-signed SSL certificate, and some
 								# Diffie-Hellman cipher bits, if they have not yet been created.
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								#
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								# The RSA private key and certificate are used for:
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								#
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								#  * DNSSEC DANE TLSA records
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								#  * IMAP
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								#  * SMTP (opportunistic TLS for port 25 and submission on port 587)
 								#  * HTTPS
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								#
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								# The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
 								# also used for other domains served over HTTPS until the user installs a
 								# better certificate for those domains.
 								#
 								# The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
 								# Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
 								# provides Perfect Forward Secrecy.
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
 								source setup/functions.sh # load our functions
 								source /etc/mailinabox.conf # load global vars
-												silence all of the installing/already installed package messages on installation

Querying dpkg for each package is slow, and we have way too much output on installation because of it.

											
										
										
											2015-08-19 19:58:35 +00:00
+								echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								apt_install openssl
 								mkdir -p $STORAGE_ROOT/ssl
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
-												more work on making the bash scripts readable

											
										
										
											2014-10-04 21:57:26 +00:00
+								# Generate a new private key.
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								#
 								# The key is only as good as the entropy available to openssl so that it
 								# can generate a random key. "OpenSSL’s built-in RSA key generator ....
 								# is seeded on first use with (on Linux) 32 bytes read from /dev/urandom,
 								# the process ID, user ID, and the current time in seconds. [During key
 								# generation OpenSSL] mixes into the entropy pool the current time in seconds,
 								# the process ID, and the possibly uninitialized contents of a ... buffer
 								# ... dozens to hundreds of times." /dev/urandom is, in turn, seeded from
 								# "the uninitialized contents of the pool buffers when the kernel starts,
 								# the startup clock time in nanosecond resolution, input event and disk
 								# access timings, and entropy saved across boots to a local file" as well
 								# as the order of execution of concurrent accesses to /dev/urandom.
 								# (Heninger et al 2012, https://factorable.net/weakkeys12.conference.pdf)
 								#
 								# /dev/urandom draws from the same entropy sources as /dev/random, but
 								# doesn't block or issue any warnings if no entropy is actually available.
 								# (http://www.2uo.de/myths-about-urandom/) Thus eventually /dev/urandom
 								# can be expected to have been seeded with the "input event and disk access
 								# timings", but there's no guarantee that this has even ocurred.
 								#
 								# Some of these seeds are obviously not helpful for us: There are no input
 								# events on severs (keyboard/mouse), and the user ID of this process is
 								# always the same (we're root). And the seeding of /dev/urandom with the
 								# time and a seed from a previous boot is handled by *during boot* by
 								# /etc/init.d/urandom, which, in principle, may not have occurred yet!
 								#
 								# A perfect storm of issues can cause the generated key to be not very random:
 								#
 								#   * zero'd memory (plausible on embedded systems, cloud VMs?)
 								#   * a predictable process ID (likely on an embedded/virtualized system)
 								#   * a system clock reset to a fixed time on boot
 								#   * one CPU or no concurrent processes on /dev/urandom (so no concurrent accesses)
 								#   * no hard disk (so no disk access timings - but is this possible for us?)
 								#   * early run (no entry yet, boot not finished)
 								#   * first boot (no entropy saved from previous boot)
 								#
-												the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98

											
										
										
											2014-07-28 19:38:17 +00:00
+								if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+									# Set the umask so the key file is never world-readable.
-												hide lots of unnecessary and scary output during setup

											
										
										
											2014-07-16 13:06:45 +00:00
+									(umask 077; hide_output \
 										openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								fi
-												first pass at making readable documentation by parsing the bash scripts

											
										
										
											2014-09-21 17:43:21 +00:00
-												more work on making the bash scripts readable

											
										
										
											2014-10-04 21:57:26 +00:00
+								# Generate a certificate signing request.
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
-												hide lots of unnecessary and scary output during setup

											
										
										
											2014-07-16 13:06:45 +00:00
+									hide_output \
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+									openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-												when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone

											
										
										
											2014-08-23 21:49:33 +00:00
+									  -sha256 -subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								fi
-												first pass at making readable documentation by parsing the bash scripts

											
										
										
											2014-09-21 17:43:21 +00:00
-												more work on making the bash scripts readable

											
										
										
											2014-10-04 21:57:26 +00:00
+								# Generate a SSL certificate by self-signing.
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+								if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
-												hide lots of unnecessary and scary output during setup

											
										
										
											2014-07-16 13:06:45 +00:00
+									hide_output \
-												move the SSL setup into its own bash script since it is used for much more than email now

											
										
										
											2014-06-21 22:15:53 +00:00
+									openssl x509 -req -days 365 \
 									  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
 								fi
-												add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random

see #596

											
										
										
											2015-11-17 20:41:13 +00:00
+								# Generate some Diffie-Hellman cipher bits.
 								# openssl's default bit length for this is 1024 bits, but we'll create
 								# 2048 bits of bits per the latest recommendations.
-												add 2048 bits of DH params for nginx, postfix, dovecot

nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.

ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)

see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3

											
										
										
											2014-09-26 22:01:38 +00:00
+								if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
 									openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
 								fi