From 4ac09def4160c485483bf5f62e8c48c7489fc5eb Mon Sep 17 00:00:00 2001 From: Eirik Oeverby Date: Tue, 10 Mar 2009 20:05:30 +0100 Subject: Added certificate management Major change which allows assigning certificates to tunnels. Certificates are managed on a separate tab, but they must be manually generated on another system and pasted in along with RSA keys. Certificate status display lists status including days until expiry. --- config/stunnel.xml | 107 +++++++++++++++++++++++++---------------------------- 1 file changed, 50 insertions(+), 57 deletions(-) (limited to 'config/stunnel.xml') diff --git a/config/stunnel.xml b/config/stunnel.xml index 64c9becd..6ea9f99f 100644 --- a/config/stunnel.xml +++ b/config/stunnel.xml @@ -51,11 +51,35 @@
Services
stunnel.xml + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/stunnel/stunnel.inc + + + /usr/local/pkg/ + 0644 + http://www.pfsense.com/packages/config/stunnel/stunnel_certs.xml + ['installedpackages']['package']['$packagename']['configuration'] + + + + Tunnels + /pkg.php?xml=stunnel.xml + + + + Certificates + /pkg.php?xml=stunnel_certs.xml + + + + items. An example of this would be the nat page where you add new nat redirects --> Description @@ -69,6 +93,10 @@ Listen on Port localport + + Certificate + certificatelink + Redirects to IP redirectip @@ -99,6 +127,16 @@ Enter the local port to bind this redirection to. input + + Certificate + certificate + Select server certificate to use for this tunnel. Certificates are defined on the 'Certificates' page. + select + + + + + Redirects to IP redirectip 
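Review bot: The two new additional-files entries fetch `stunnel.inc` and `stunnel_certs.xml` from `http://www.pfsense.com/packages/config/stunnel/...` over plaintext HTTP, and the hooks added later in this commit include `stunnel.inc` and execute its functions, so anyone able to tamper with that download can run PHP on the firewall at install time. Nothing in the hunk pins a digest for either file. Prefer an `https://` URL if the host offers one, and add a checksum for the fetched files if the package framework supports it; failing both, the package description should say that installation depends on an unauthenticated download. The enclosing package definition begins before this hunk.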
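Review bot: The description on the new `certificate` select does not say what happens when no certificate is chosen, which matters because the removed generator served every tunnel from a single `/usr/local/etc/stunnel/stunnel.pem` and that default disappears with this commit. The option source for the select is not visible in this view, so whether an empty selection can reach `stunnel_save` cannot be confirmed here. Reword the description to something like `Select the server certificate (key and certificate pair defined on the 'Certificates' page) that this tunnel presents to clients.` and append the actual fallback, for example that the tunnel is not configured until a certificate is selected, once that behaviour is confirmed in `stunnel_save`.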
@@ -117,72 +155,27 @@ Enter the source IP address for outgoing connections. input - + stunnel /usr/local/etc/rc.d/stunnel.sh stunnel + + /usr/local/pkg/stunnel.inc + - /dev/null"); - system("/usr/local/etc/rc.d/stunnel.sh start 2>/dev/null"); - ]]> + stunnel_save($config); - /dev/null"); - chmod("/usr/local/etc/stunnel/stunnel.pem", 600); - make_dirs("/var/tmp/stunnel/var/tmp/run/stunnel"); - system("/usr/sbin/chown -R stunnel:stunnel /var/tmp/stunnel"); - $_rcfile['file']='stunnel.sh'; - $_rcfile['start'].="/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf \n\t"; - $_rcfile['stop'].="killall stunnel \n\t"; - write_rcfile($_rcfile); - unlink_if_exists("/usr/local/etc/rc.d/stunnel"); - conf_mount_rw(); - config_lock(); - $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w"); - fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n"); - fwrite($fout, "chroot = /var/tmp/stunnel \n"); - fwrite($fout, "setuid = stunnel \n"); - fwrite($fout, "setgid = stunnel \n"); - foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) { - fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n"); - if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n"); - fwrite($fout, "accept = " . $pkgconfig['localip'] . ":" . $pkgconfig['localport'] . "\n"); - fwrite($fout, "connect = " . $pkgconfig['redirectip'] . ":" . $pkgconfig['redirectport'] . "\n"); - fwrite($fout, "TIMEOUTclose = 0\n\n"); - } - fclose($fout); - conf_mount_ro(); - config_unlock(); - ]]> + stunnel_install(); - + stunnel_deinstall(); + + stunnel_addcerts($config); + + -- cgit v1.2.3
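Review bot: The config generator that lived inline here is replaced by calls to `stunnel_save($config)`, `stunnel_install()`, `stunnel_deinstall()` and `stunnel_addcerts($config)` from `/usr/local/pkg/stunnel.inc`, but that file is not part of this patch (the diffstat covers only config/stunnel.xml), so the hardening the removed block carried — `chroot = /var/tmp/stunnel`, `setuid`/`setgid stunnel`, the chown of the chroot and the mode change on the key file — can no longer be checked against this change. The removed writer also interpolated `description`, `sourceip`, `localip`, `localport`, `redirectip` and `redirectport` straight into stunnel.conf, where a newline or `[` in the description becomes a new section or directive, so confirm that the relocated `stunnel_save` validates those fields before writing. Note too that the removed line used `chmod("/usr/local/etc/stunnel/stunnel.pem", 600)` with a decimal literal, which is not mode 0600; whatever `stunnel_addcerts` now does with pasted private keys should write them with octal `0600` and check the return value. Landing stunnel.xml without stunnel.inc leaves the install hook calling undefined functions, so the two should go in together or this commit should reference the one that adds the include file.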