-#!/usr/bin/env perl -w
+#!/usr/bin/env perl
#
# InspIRCd -- Internet Relay Chat Daemon
#
BEGIN {
- require 5.8.0;
+ require 5.10.0;
}
+use feature ':5.10';
use strict;
use warnings FATAL => qw(all);
use File::Temp();
# IMPORTANT: This script has to be able to run by itself so that it can be used
-# by binary distributions where the make/utilities.pm module will not
+# by binary distributions where the make/console.pm module will not
# be available!
sub prompt($$) {
my ($question, $default) = @_;
- print "$question\n";
+ return prompt_string(1, $question, $default) if eval 'use FindBin;use lib $FindBin::RealDir;use make::console; 1';
+ say $question;
print "[$default] => ";
chomp(my $answer = <STDIN>);
- print "\n";
+ say '';
return $answer ? $answer : $default;
}
-if ($#ARGV != 0 || $ARGV[0] !~ /gnutls|openssl/i) {
- print "Syntax: genssl <gnutls|openssl>\n";
+if ($#ARGV != 0 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) {
+ say STDERR "Usage: $0 <auto|gnutls|openssl>";
exit 1;
}
+# On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool.
+my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool';
+
+# Check whether the user has the required tools installed.
+my $has_gnutls = `$certtool --version v 2>/dev/null`;
+my $has_openssl = !system 'openssl version >/dev/null 2>&1';
+
+# The framework the user has specified.
+my $tool = lc $ARGV[0];
+
+# If the user has not explicitly specified a framework then detect one.
+if ($tool eq 'auto') {
+ if ($has_gnutls) {
+ $tool = 'gnutls';
+ } elsif ($has_openssl) {
+ $tool = 'openssl';
+ } else {
+ say STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!";
+ exit 1;
+ }
+} elsif ($tool eq 'gnutls' && !$has_gnutls) {
+ say STDERR "SSL generation failed: could not find '$certtool' in the PATH!";
+ exit 1;
+} elsif ($tool eq 'openssl' && !$has_openssl) {
+ say STDERR 'SSL generation failed: could not find \'openssl\' in the PATH!';
+ exit 1;
+}
+
+# Harvest information needed to generate the certificate.
my $common_name = prompt('What is the hostname of your server?', 'irc.example.com');
my $email = prompt('What email address can you be contacted at?', 'example@example.com');
my $unit = prompt('What is the name of your unit?', 'Server Admins');
my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ');
my $days = prompt('How many days do you want your certificate to be valid for?', '365');
+# Contains the SSL certificate in DER form.
+my $dercert;
+
# Contains the exit code of openssl/gnutls-certtool.
my $status = 0;
-if (lc $ARGV[0] eq 'gnutls') {
+if ($tool eq 'gnutls') {
+ $has_gnutls =~ /certtool.+?(\d+\.\d+)/;
+ my $sec_param = $1 lt '2.10' ? '--bits 2048' : '--sec-param normal';
my $tmp = new File::Temp();
print $tmp <<__GNUTLS_END__;
cn = "$common_name"
time_stamping_key
__GNUTLS_END__
close($tmp);
- my $certtool = `uname -s` eq "Darwin\n" ? 'gnutls-certtool' : 'certtool';
- $status ||= system "$certtool --version >/dev/null 2>1";
- $status ||= system "$certtool --generate-privkey --outfile key.pem";
+ $status ||= system "$certtool --generate-privkey $sec_param --outfile key.pem";
$status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp";
-} elsif (lc $ARGV[0] eq 'openssl') {
+ $status ||= system "$certtool --generate-request --load-privkey key.pem --outfile csr.pem --template $tmp";
+ $status ||= system "$certtool --generate-dh-params $sec_param --outfile dhparams.pem";
+ $dercert = `$certtool --certificate-info --infile cert.pem --outder` unless $status;
+} elsif ($tool eq 'openssl') {
my $tmp = new File::Temp();
print $tmp <<__OPENSSL_END__;
$country
$unit
$common_name
$email
+.
+$organization
__OPENSSL_END__
close($tmp);
- $status ||= system 'openssl version >/dev/null 2>1';
$status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null";
+ $status ||= system "cat $tmp | openssl req -new -nodes -key key.pem -out csr.pem 2>/dev/null";
$status ||= system 'openssl dhparam -out dhparams.pem 2048';
+ $dercert = `openssl x509 -in cert.pem -outform DER` unless $status;
}
if ($status) {
- print "SSL generation failed! Are you missing an $ARGV[0] binary package?\n";
+ say STDERR "SSL generation failed: $tool exited with a non-zero status!";
exit 1;
}
+if (defined $dercert && eval 'use Digest::SHA; 1') {
+ my $hash = Digest::SHA->new(256);
+ $hash->add($dercert);
+ say '';
+ say 'If you are using the self-signed certificate then add this TLSA record to your domain for DANE support:';
+ say "_6697._tcp." . $common_name . " TLSA 3 0 1 " . $hash->hexdigest;
+}