svn commit: r49697 - head/en_US.ISO8859-1/htdocs/cgi
Peter Wemm
peter at FreeBSD.org
Thu Nov 24 23:42:05 UTC 2016
Author: peter (src committer)
Date: Thu Nov 24 23:42:04 2016
New Revision: 49697
URL: https://svnweb.freebsd.org/changeset/doc/49697
Log:
Add an experimental dynamic fingerprint display for some regularly updated
ssl/tls certificates in use on the cluster. This is a proof-of-concept and
should not be referenced.
Added:
head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi (contents, props changed)
Modified:
head/en_US.ISO8859-1/htdocs/cgi/Makefile
Modified: head/en_US.ISO8859-1/htdocs/cgi/Makefile
==============================================================================
--- head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 12:29:35 2016 (r49696)
+++ head/en_US.ISO8859-1/htdocs/cgi/Makefile Thu Nov 24 23:42:04 2016 (r49697)
@@ -12,6 +12,7 @@ DATA+= cgi-lib.pl
DATA+= cgi-style.pl
CGI=
+CGI+= fingerprints.cgi
CGI+= getmsg.cgi
CGI+= mailindex.cgi
CGI+= man.cgi
Added: head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/en_US.ISO8859-1/htdocs/cgi/fingerprints.cgi Thu Nov 24 23:42:04 2016 (r49697)
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -T
+#
+# Display current HTTPS/SSL/TLS certificate fingerprints.
+# Should be replaced with something better.
+#
+# $FreeBSD$
+
+require "./cgi-lib.pl";
+require "./cgi-style.pl";
+$ENV{PATH} = '/bin:/usr/bin';
+
+# There is an internal post-renew propagation window of about 5-10 minutes.
+# However, the script is expensive so we leverage the cache. The problem
+# is that people could come here immediately after a fingerprint mismatch
+# so we have to be quick to update.
+print "Cache-control: public; max-age=120\n"; # 2 minutes
+print &short_html_header("FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints");
+
+print qq{<h1>FreeBSD HTTPS/SSL/TLS Server Certificate Fingerprints</h1>\n};
+print qq{<p>The FreeBSD Project makes use of <a href="https://letsencrypt.org">Let's Encrypt</a> certificates for many of its HTTPS/SSL/TLS services. These certificates are automatically updated every 60 days. The current certificate fingerprints of significant services are listed below.</p>\n};
+
+# Note: These are all case sensitive. Use lower case to match the file names.
+&Fingerprint('svn.freebsd.org');
+&Fingerprint('download.freebsd.org');
+&Fingerprint('pkg.freebsd.org');
+
+print qq{<p>These fingerprints may be helpful in situations where automatic verification is not available.</p>\n};
+print &html_footer;
+exit 0;
+
+sub Fingerprint
+{
+ my ($domain) = @_;
+
+ my $message;
+ my $sha1, $sha256;
+ if ( -e "/etc/clusteradm/acme-certs/$domain.crt" ) {
+ $sha1 = `/usr/bin/openssl x509 -fingerprint -noout -sha1 -in /etc/clusteradm/acme-certs/$domain.crt`;
+ $sha256 = `/usr/bin/openssl x509 -fingerprint -noout -sha256 -in /etc/clusteradm/acme-certs/$domain.crt`;
+ chomp($sha1);
+ chomp($sha256);
+ $sha1 =~ s/^.*=//;
+ $sha256 =~ s/^.*=//;
+ } else {
+ $sha1 = 'Error';
+ $sha256 = 'Error';
+ }
+
+ $message = qq{<p>The fingerprints of the current <b>$domain</b> certificate are:</p>\n};
+ $message .= qq{<div class="informaltable"><table border="1"><colgroup><col /><col /></colgroup>};
+ $message .= qq{<thead><tr><th>Hash</th><th>Fingerprint</th></tr></thead><tbody>};
+ $message .= qq{<tr><td>SHA1</td><td><code class="literal">$sha1</code></td></tr>};
+ $message .= qq{<tr><td>SHA256</td><td><code class="literal">$sha256</code></td></tr>};
+ $message .= qq{</tbody></table></div>\n};
+
+ print $message;
+}
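Review bot: `my $sha1, $sha256;` in Fingerprint declares only `$sha1`; `$sha256` silently becomes a package global, which is masked here only because the file has no `use strict; use warnings;` — it should read `my ($sha1, $sha256);` and the script should enable both pragmas, which is standard for a taint-mode CGI. The `Cache-control` header uses `;` between directives; HTTP cache directives are comma-separated, so `print "Cache-Control: public, max-age=120\n";` is the form a cache will honour. The two backtick calls never check `$?`, so an openssl failure (e.g. an unreadable or malformed .crt) yields an empty string that the `s/^.*=//` leaves empty and the page renders a blank fingerprint instead of the 'Error' marker; checking `$?` after each call and falling into the error branch would make the failure visible. The domain names are hard-coded, so there is no injection path into the command line, but the cert path and header should still be treated as the trust boundary this page represents.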