[Fedora-packaging] running openssl dhparam in %post

Daniel Pocock daniel at pocock.pro
Thu Sep 17 19:07:47 UTC 2015



For reSIProcate 1.10.0, we will support PFS on TLS connections; this
requires a DH parameters file to be generated on each installation of
the package.  There is probably a similar requirement for other packages
that have a TLS server and don't generate DH parameters at compile time.

My current solution involves adding the following to %post:


    # generate the DH parameters only once, not on every reinstall/upgrade
    if [ ! -e %{_sysconfdir}/repro/dh2048.pem ]; then
      /usr/bin/openssl dhparam -outform PEM \
           -out %{_sysconfdir}/repro/dh2048.pem 2048
      # readable by root and the repro service group only
      chown root:repro %{_sysconfdir}/repro/dh2048.pem
      chmod 0640 %{_sysconfdir}/repro/dh2048.pem
    fi


and then adding this to %files:


    %config(missingok) %ghost %{_sysconfdir}/repro/dh2048.pem


The dh2048.pem file is created correctly during package installation, but
it is not removed when the package is removed with "rpm -e".

Is there a better way to do this or does it look OK?
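As an added example, not part of the original post and not reSIProcate's own spec file, the following scriptlets show the same generate-once logic together with an explicit cleanup step, so that removal of the generated file no longer depends on how rpm treats a ghosted config file. The path and the repro package/group name come from the post; the use of the scriptlet argument `$1` (1 on first install, 2 or more on upgrade for %post; 0 only on complete erase for %preun) is standard rpm behaviour, and everything else is an assumption.

```spec
# Added example: generate-once %post plus explicit cleanup in %preun.
# Path and the "repro" group are taken from the post; the rest is assumed.

%post
# $1 is 1 on first install and >= 2 on upgrade; the -e test keeps an
# existing file across upgrades. Note: generating a 2048-bit safe prime can
# take a long time and blocks the rpm transaction while it runs.
if [ ! -e %{_sysconfdir}/repro/dh2048.pem ]; then
    /usr/bin/openssl dhparam -outform PEM \
        -out %{_sysconfdir}/repro/dh2048.pem 2048
    chown root:repro %{_sysconfdir}/repro/dh2048.pem
    chmod 0640 %{_sysconfdir}/repro/dh2048.pem
fi

%preun
# $1 is 0 only on complete erase ("rpm -e"), not on upgrade, so the
# generated file is removed exactly when the package goes away.
if [ $1 -eq 0 ]; then
    rm -f %{_sysconfdir}/repro/dh2048.pem
fi

%files
# %ghost: the path is owned by the package but no file is shipped in it.
# Listed without %config(missingok) here so it is tracked as a plain
# generated artifact rather than as a configuration file.
%ghost %{_sysconfdir}/repro/dh2048.pem
```

The explicit `rm -f` in %preun is the part that guarantees cleanup; the %files entry remains so that `rpm -qf` and verification still attribute the path to the package.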

