X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Ftlsproxy-setup;h=155b8c90786c9aff26a520b0d9caad45dfbec69d;hb=636a400063eee95cfecaa4c4a655b0fbf032e210;hp=1c653267a40486c9fe174a225d947d8d591bc449;hpb=d778944d0403b093d43d9cbd94bd298bfc3a8d42;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup
index 1c65326..155b8c9 100755
--- a/src/tlsproxy-setup
+++ b/src/tlsproxy-setup
@@ -20,26 +20,47 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
-tempfile=`mktemp` || exit 1
+set -e
 
-die() {
-    rm -f "$tempfile"
+
+if test "$#" -ge 1 && test x"$*" != 'x--force'; then
+    echo "Usage: $0 [--force]" >&2
     exit 1
-}
+fi
+
+# Prevent accidental overwrites.
+if test x"$1" != 'x--force'; then
+    for x in proxy-ca-key.pem proxy-ca.pem \
+             proxy-key.pem proxy-invalid.pem proxy-dh.pem; do
+        if test -f "$x"; then
+            echo "File '$x' already exists. Use --force to overwrite." >&2
+            exit 2
+        fi
+    done
+fi
+
+
+tempfile=`mktemp`
+trap 'rm -f "$tempfile"' EXIT
 
 # Generate proxy CA key file.
-certtool --generate-privkey > proxy-ca-key.pem || die
+certtool --generate-privkey \
+         --sec-param high \
+         --outfile proxy-ca-key.pem
 # Generate proxy CA.
 echo 'cn = tlsproxy CA' > "$tempfile"
 echo ca                >> "$tempfile"
 echo cert_signing_key  >> "$tempfile"
+echo 'expiration_days = 3650' >> "$tempfile"
 certtool --generate-self-signed \
          --load-privkey proxy-ca-key.pem \
          --template "$tempfile" \
-         --outfile proxy-ca.pem || die
+         --outfile proxy-ca.pem
 
 # Generate proxy key file.
-certtool --generate-privkey > proxy-key.pem || die
+certtool --generate-privkey \
+         --sec-param high \
+         --outfile proxy-key.pem
 
 # Generate proxy "invalid" server certificate. It's used for problematic
 # connections.
@@ -48,11 +69,17 @@ echo 'cn = invalid'           >> "$tempfile"
 echo tls_www_server           >> "$tempfile"
 echo encryption_key           >> "$tempfile"
 echo signing_key              >> "$tempfile"
+echo 'expiration_days = 3650' >> "$tempfile"
 certtool --generate-self-signed \
          --load-privkey proxy-key.pem \
          --template "$tempfile" \
-         --outfile proxy-invalid.pem || die
+         --outfile proxy-invalid.pem
 
 rm "$tempfile"
 
+# Generate proxy Diffie-Hellman parameters.
+certtool --generate-dh-params \
+         --sec-param high \
+         --outfile proxy-dh.pem
+
 echo done