-rw-r--r-- | source4/lib/tls/config.m4 | 1 | ||||
-rw-r--r-- | source4/lib/tls/tls.c | 10 | ||||
-rw-r--r-- | source4/lib/tls/tlscert.c | 21 |
3 files changed, 22 insertions, 10 deletions
diff --git a/source4/lib/tls/config.m4 b/source4/lib/tls/config.m4
index 74c6bd1d44..0bafc5ddf1 100644
--- a/source4/lib/tls/config.m4
+++ b/source4/lib/tls/config.m4
@@ -39,4 +39,5 @@ if test x$use_gnutls = xyes; then
 AC_CHECK_TYPES([gnutls_datum],,,[#include "gnutls/gnutls.h"])
 AC_CHECK_TYPES([gnutls_datum_t],,,[#include "gnutls/gnutls.h"])
 AC_DEFINE(ENABLE_GNUTLS,1,[Whether we have gnutls support (SSL)])
+ AC_CHECK_HEADERS(gcrypt.h)
 fi
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 99a15059ad..1014ab07a8 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -362,7 +362,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 const char *cafile = lp_tls_cafile(tmp_ctx, lp_ctx);
 const char *crlfile = lp_tls_crlfile(tmp_ctx, lp_ctx);
 const char *dhpfile = lp_tls_dhpfile(tmp_ctx, lp_ctx);
- void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *);
+ void tls_cert_generate(TALLOC_CTX *, const char *, const char *, const char *, const char *);
 params = talloc(mem_ctx, struct tls_params);
 if (params == NULL) {
 talloc_free(tmp_ctx);
@@ -376,7 +376,13 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 }
 if (!file_exist(cafile)) {
- tls_cert_generate(params, keyfile, certfile, cafile);
+ char *hostname = talloc_asprintf(mem_ctx, "%s.%s",
+ lp_netbios_name(lp_ctx), lp_realm(lp_ctx));
+ if (hostname == NULL) {
+ goto init_failed;
+ }
+ tls_cert_generate(params, hostname, keyfile, certfile, cafile);
+ talloc_free(hostname);
 }
 ret = gnutls_global_init();
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f2e79f2a89..62e7a72240 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
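Review bot: The changed prototype on the `-`/`+` lines of the -362 hunk is a function-local declaration that now has to be kept in step by hand with the definition in tlscert.c, which is exactly the drift the compiler cannot catch (the matching declaration tlscert.c used to carry is removed in the same commit). Declaring `void tls_cert_generate(TALLOC_CTX *mem_ctx, const char *hostname, const char *keyfile, const char *certfile, const char *cafile);` once in a shared header included by both files would let the compiler check the call site against the definition. tls_initialise starts and ends outside this hunk.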
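Review bot: `hostname` is allocated on `mem_ctx`, the caller's long-lived context, although the function already has `tmp_ctx` for temporaries and frees it on the error path visible in the previous hunk; allocating on `tmp_ctx` (`char *hostname = talloc_asprintf(tmp_ctx, "%s.%s", lp_netbios_name(lp_ctx), lp_realm(lp_ctx));`) would make the explicit `talloc_free(hostname)` unnecessary and cover every exit path, assuming `init_failed` releases `tmp_ctx` as the `params == NULL` path does. The string also becomes the certificate's commonName, so an empty realm yields a name with a trailing dot; a comment such as `/* autogenerated cert identity is netbios_name.realm; clients must connect by this name for verification to succeed */` would save whoever later debugs a name-mismatch error. The rest of tls_initialise, including the `init_failed` label, is outside this hunk.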
@@ -24,21 +24,20 @@
 #if ENABLE_GNUTLS
 #include "gnutls/gnutls.h"
 #include "gnutls/x509.h"
+#if HAVE_GCRYPT_H
+#include <gcrypt.h>
+#endif
 #define ORGANISATION_NAME "Samba Administration"
 #define UNIT_NAME "Samba - temporary autogenerated certificate"
-#define COMMON_NAME "Samba"
 #define LIFETIME 700*24*60*60
 #define DH_BITS 1024
- void tls_cert_generate(TALLOC_CTX *mem_ctx,
- const char *keyfile, const char *certfile,
- const char *cafile);
-
 /* auto-generate a set of self signed certificates */
 void tls_cert_generate(TALLOC_CTX *mem_ctx,
+ const char *hostname,
 const char *keyfile, const char *certfile,
 const char *cafile)
 {
@@ -67,8 +66,14 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 TLSCHECK(gnutls_global_init());
- DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
+ DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
+ hostname));
+#ifdef HAVE_GCRYPT_H
+ DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
+ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#endif
+ DEBUG(3,("Generating private key\n"));
 TLSCHECK(gnutls_x509_privkey_init(&key));
 TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0));
@@ -87,7 +92,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 UNIT_NAME, strlen(UNIT_NAME)));
 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, GNUTLS_OID_X520_COMMON_NAME, 0,
- COMMON_NAME, strlen(COMMON_NAME)));
+ hostname, strlen(hostname)));
 TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
 TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
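Review bot: The guard around the new include is spelled `#if HAVE_GCRYPT_H` while the -67 hunk guards the `gcry_control` call with `#ifdef HAVE_GCRYPT_H`; both behave the same with an `AC_CHECK_HEADERS` result, which is defined to 1 or left undefined, but the two spellings read as if they tested different conditions. Using one form at both sites, e.g. `#ifdef HAVE_GCRYPT_H` for the include too, keeps the coupling between the include and the call obvious. A short comment on the include, `/* optional: only used to tune libgcrypt's RNG while generating the autogenerated key */`, would explain why the header is not a hard dependency.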
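Review bot: `gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0)` is issued immediately before `gnutls_x509_privkey_generate` creates the RSA key that becomes the server's long-lived TLS identity, and the setting is process-wide and never reverted, so that key and any later randomness gnutls draws in this process come from libgcrypt's reduced-quality random mode, which as far as I recall the libgcrypt manual describes as intended for testing rather than for keys. If slow first start is the motivation, the trade-off should be recorded at the call site and preferably be opt-in rather than applied whenever gcrypt.h happens to be present: `/* QUICK_RANDOM trades RNG quality for speed; the key generated below is the server's TLS identity, so keep this opt-in */`. The new DEBUG(3) text "Enabling QUICK mode in gcrypt" also understates the effect; wording it as enabling a weaker random source would make the log reflect the security consequence.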
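Review bot: With COMMON_NAME replaced by `hostname` here for `cacrt` and in the -113 hunk for `crt`, the CA certificate and the server certificate end up with identical subject DNs (the same ORGANISATION_NAME, UNIT_NAME and now the same CN are set on both); verifiers that locate an issuer by DN match can then pair the leaf with the CA ambiguously, and chain failures become hard to diagnose. Giving the CA a distinguishing CN, for instance a talloc_asprintf-built `"CA for %s"` of hostname (illustrative), keeps subject and issuer names distinct. Only the CN assignments are visible in these hunks; how the issuer DN of `crt` is derived lies outside them, so the pairing concern is something to confirm against the full function.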
@@ -113,7 +118,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 UNIT_NAME, strlen(UNIT_NAME)));
 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
- COMMON_NAME, strlen(COMMON_NAME)));
+ hostname, strlen(hostname)));
 TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation)); |