refs #2184 make stunnel use and/or verify tls

2025-06-06 11:58:26 +02:00 · 2025-06-06 11:58:26 +02:00 · df7d8d96cb
parent 4df8caa203
commit df7d8d96cb
2 changed files with 48 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.14.0] - 2025-06-07
+
+### Changed
+
+- Read $ogusetls and $ogverifytls from the environment and configure stunnel accordingly
+
 ## [0.13.9] - 2025-06-04

 ### Fixed
--- a/ogclient/etc/preinit/otherservices.sh
+++ b/ogclient/etc/preinit/otherservices.sh
@ -13,12 +13,49 @@ ogIsEfiActive && mount -t efivarfs none /sys/firmware/efi/efivars
 # Lanzar servicios complementarios del cliente.
 echo "${MSG_OTHERSERVICES:-.}"

-# Iniciar stunnel
-if [ -e /etc/stunnel/menu.conf ]; then
-    sed -i -e "s/__OGCORE_IP__/$ogcore/; s/__OGCORE_PORT__/8443/" /etc/stunnel/menu.conf
-    mkdir -p /var/run/stunnel4; chown stunnel4:stunnel4 /var/run/stunnel4
-    stunnel /etc/stunnel/menu.conf &>/var/log/stunnel4/menu.log &
+# stunnel start
+cat >/etc/stunnel/menu.conf <<__EOF__
+setuid = stunnel4
+setgid = stunnel4
+pid = /var/run/stunnel4/menu.pid
+foreground = yes
+debug = info
+
+[menu]
+client = yes
+accept = 127.0.0.1:81
+connect = $ogcore:8443
+__EOF__
+if [[ true == "$ogusetls" ]]; then
+    if [[ true == "$ogverifytls" ]]; then
+        ## use tls and verify
+        cat >>/etc/stunnel/menu.conf <<__EOF__
+cert = /opt/opengnsys/etc/ogagent.crt
+key = /opt/opengnsys/etc/ogagent.key
+CAfile = /opt/opengnsys/etc/ca.crt
+requireCert = yes
+verifyChain = yes
+__EOF__
+    else
+        ## use tls but not verify
+        cat >>/etc/stunnel/menu.conf <<__EOF__
+cert = /opt/opengnsys/etc/ogagent.crt
+key = /opt/opengnsys/etc/ogagent.key
+CAfile = /opt/opengnsys/etc/ca.crt
+requireCert = no
+verifyChain = no
+__EOF__
+    fi
+else
+    ## don't use tls
+    cat >>/etc/stunnel/menu.conf <<__EOF__
+requireCert = no
+verifyChain = no
+__EOF__
 fi
+mkdir -p /var/run/stunnel4; chown stunnel4:stunnel4 /var/run/stunnel4
+stunnel /etc/stunnel/menu.conf &>/var/log/stunnel4/menu.log &
+# stunnel end

 # Iniciar dbus
 if [ -e /etc/dbus-1/system.d/ogbrowser.conf ]; then