diff --git a/packaging/debian/xpra/xpra-server.postinst b/packaging/debian/xpra/xpra-server.postinst
index cfbf24e16f..626ea4e77a 100644
--- a/packaging/debian/xpra/xpra-server.postinst
+++ b/packaging/debian/xpra/xpra-server.postinst
@@ -10,6 +10,6 @@ case "${1}" in
 ;;
 esac
-xpra setup-ssl
+xpra setup-ssl > /dev/null
 #DEBHELPER#
diff --git a/packaging/rpm/xpra.spec b/packaging/rpm/xpra.spec
index cd4e57cfd1..cb932d3725 100644
--- a/packaging/rpm/xpra.spec
+++ b/packaging/rpm/xpra.spec
@@ -784,7 +784,7 @@ restorecon -R /run/xpra* /run/user/*/xpra 2> /dev/null || :
 %endif
 %post -n %{package_prefix}-server
-%{python3} /usr/bin/xpra setup-ssl
+%{python3} /usr/bin/xpra setup-ssl > /dev/null
 %if 0%{update_firewall}
 ZONE=`firewall-offline-cmd --get-default-zone 2> /dev/null`
 if [ ! -z "${ZONE}" ]; then
diff --git a/xpra/net/ssl_util.py b/xpra/net/ssl_util.py
index 0d000aaebe..efe91e38bd 100644
--- a/xpra/net/ssl_util.py
+++ b/xpra/net/ssl_util.py
@@ -6,6 +6,7 @@ import sys
 import os.path
 from typing import Any
+from collections.abc import Sequence
 from xpra.exit_codes import ExitCode
 from xpra.os_util import WIN32, POSIX, OSX, is_admin
@@ -17,7 +18,7 @@ SSL_RETRY = envbool("XPRA_SSL_RETRY", True)
-SSL_ATTRIBUTES = (
+SSL_ATTRIBUTES: Sequence[str] = (
 "cert", "key", "ca-certs", "ca-data",
 "protocol",
 "client-verify-mode", "server-verify-mode", "verify-flags",
@@ -25,6 +26,10 @@ "options", "ciphers",
 )
+KEY_SIZE = 4096
+KEY_DAYS = 3650
+KEY_SUBJ = "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost"
+
 KEY_FILENAME = "key.pem"
 CERT_FILENAME = "cert.pem"
 SSL_CERT_FILENAME = "ssl-cert.pem"
@@ -504,7 +509,7 @@ def gen_ssl_cert() -> tuple[str, str]:
 keypath = find_ssl_cert(KEY_FILENAME)
 certpath = find_ssl_cert(CERT_FILENAME)
 if keypath and certpath:
- log.info("found an existing certificate:")
+ log.info("found an existing SSL certificate:")
 log.info(f" {keypath!r}")
 log.info(f" {certpath!r}")
 return keypath, certpath
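Review bot: `xpra setup-ssl > /dev/null` discards only stdout, so the key and certificate paths that setup-ssl presumably logs there are no longer visible in the package output, while anything written to stderr and a non-zero exit status still surface; the `%post` line in packaging/rpm/xpra.spec makes the same change. Assuming the postinst runs under debhelper's usual `set -e`, a failure in certificate generation therefore still aborts the install, and if that is intended a comment on the line would make it explicit: `# generate a self-signed certificate; only stdout is silenced, a failure still aborts`. If instead it should be best-effort like the `restorecon ... 2> /dev/null || :` line in the spec's context, both redirects should be paired with `|| :`.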
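Review bot: The annotation `Sequence[str]` on `SSL_ATTRIBUTES` is looser than the tuple literal it describes and is the only reason for the new `collections.abc` import; `SSL_ATTRIBUTES: tuple[str, ...] = (` keeps the immutability of the value visible to readers and type checkers without adding an import. If the wider type is deliberate because the value may be replaced by a list elsewhere, a short comment saying so would justify it.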
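Review bot: `KEY_DAYS` names the validity period of the self-signed certificate, not a property of the key, and none of the three new constants says what it parameterizes; a trailing comment per line would help, e.g. `KEY_SIZE = 4096  # RSA modulus size in bits for the generated private key`, `KEY_DAYS = 3650  # validity of the self-signed certificate, in days` and, on `KEY_SUBJ`, a note that the subject is a placeholder whose `CN=localhost` is not expected to pass hostname verification for any other name. Since this file already reads `SSL_RETRY` from the environment via `envbool`, the size and validity could take the same route (an `envint`-style helper, if the util module provides one) so packagers can tighten the defaults without patching the source.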
@@ -513,8 +518,11 @@ def gen_ssl_cert() -> tuple[str, str]:
 if not openssl:
 raise InitExit(ExitCode.SSL_FAILURE, "cannot find openssl executable")
 openssl_config = ""
+ creationflags = 0
 if WIN32:
 from xpra.platform.paths import get_app_dir
+ from subprocess import CREATE_NO_WINDOW
+ creationflags = CREATE_NO_WINDOW
 openssl_config = os.path.join(get_app_dir(), "etc", "ssl", "openssl.cnf")
 if is_admin():
 # running as root, use global location:
@@ -577,22 +585,22 @@ def gen_ssl_cert() -> tuple[str, str]:
 cmd = [
 openssl, "req", "-new",
- "-newkey", "rsa:4096",
- "-days", "3650",
+ "-newkey", f"rsa:{KEY_SIZE}",
+ "-days", f"{KEY_DAYS}",
 "-nodes",
 "-x509",
- "-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost",
+ "-subj", KEY_SUBJ,
 "-keyout", keypath,
 "-out", certpath,
 ]
 if openssl_config and os.path.exists(openssl_config):
 cmd += ["-config", openssl_config]
- log.info("generating a new certificate:")
+ log.info("generating a new SSL certificate:")
 log.info(f" {keypath!r}")
 log.info(f" {certpath!r}")
 log(f"openssl command: {cmd}")
 from subprocess import Popen
 with umask_context(0o022):
- with Popen(cmd) as p:
+ with Popen(cmd, creationflags=creationflags) as p:
 exit_code = p.wait()
 if exit_code != 0:
 raise InitExit(ExitCode.FAILURE, f"openssl command returned {exit_code}")
diff --git a/xpra/scripts/main.py b/xpra/scripts/main.py
index 5d3659d2fb..8765231750 100755
--- a/xpra/scripts/main.py
+++ b/xpra/scripts/main.py
@@ -421,7 +421,7 @@ def run_mode(script_file: str, cmdline, error_cb, options, args, full_mode: str,
 # configure default logging handler:
 if POSIX and getuid() == options.uid == 0 and mode not in (
- "proxy", "autostart", "showconfig",
+ "proxy", "autostart", "showconfig", "setup-ssl",
 ) and not NO_ROOT_WARNING:
 warn("\nWarning: running as root\n")
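Review bot: The new `creationflags` handling carries no comment explaining why it exists, and `CREATE_NO_WINDOW` only has meaning on Windows; a note on the `creationflags = 0` line such as `# CREATE_NO_WINDOW keeps the openssl child from opening a console window on Windows; 0 is a no-op elsewhere` would make the platform split self-explanatory. Passing `creationflags=0` to `Popen` on POSIX is accepted, so the default is safe. `gen_ssl_cert` starts before this hunk and continues after it.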
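Review bot: The rewritten `Popen(cmd, creationflags=creationflags)` call still runs inside `umask_context(0o022)` while `openssl req -nodes ... -keyout keypath` writes an unencrypted private key; unless the openssl build itself opens the key file with a restrictive mode (recent OpenSSL does for `-keyout`, older builds may not), `key.pem` can end up 0644 and readable by every local account, which matters most in the `is_admin()` global-location case. An explicit `os.chmod(keypath, 0o600)` after `p.wait()` returns zero removes that dependence on openssl's behaviour, and is harmless on Windows where the mode bits are largely ignored. Separately, `f"{KEY_DAYS}"` is just `str(KEY_DAYS)`, which reads more directly next to `f"rsa:{KEY_SIZE}"`. `gen_ssl_cert` starts before this hunk.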