Diffstat (limited to 'ca')
-rw-r--r-- | ca/rpki-confgen.xml | 8 | ||||
-rwxr-xr-x | ca/rpkigui-apache-conf-gen | 20 | ||||
-rwxr-xr-x | ca/rpkigui-import-routes | 10 | ||||
-rw-r--r-- | ca/tests/testpoke.py | 3 |
4 files changed, 34 insertions, 7 deletions
diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml
index b3e50823..14f160ab 100644
--- a/ca/rpki-confgen.xml
+++ b/ca/rpki-confgen.xml
@@ -895,6 +895,14 @@
 </doc>
 </option>
+ <option name = "download-directory"
+ value = "/var/tmp">
+ <doc>
+ A directory large enough to hold the RouteViews.org routing table dump
+ fetched by the rpkigui-import-routes script.
+ </doc>
+ </option>
+
 </section>
 <section name = "autoconf">
diff --git a/ca/rpkigui-apache-conf-gen b/ca/rpkigui-apache-conf-gen
index 1270ad15..0658254f 100755
--- a/ca/rpkigui-apache-conf-gen
+++ b/ca/rpkigui-apache-conf-gen
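Review bot: The new `download-directory` option defaults to `/var/tmp`, a directory every local account can write to, and the `<doc>` text only describes its size requirement. The hunk does not show how rpkigui-import-routes names or opens the dump it places there; if that name is predictable, another local user can create the path before the fetch runs, so the directory should be one only the importing service account can write to. I would extend the doc text with `Should be writable only by the account that runs rpkigui-import-routes; the default is a shared temporary directory.` and consider defaulting to a location under the portal's own state directory.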
@@ -141,6 +141,26 @@ Alias /rrdp %(datarootdir)s/rpki/rrdp-publication/
 SSLCertificateKeyFile %(sysconfdir)s/rpki/apache.key
 #
+ # Recommended settings based on
+ # https://wiki.mozilla.org/Security/Server_Side_TLS
+ # (Currently using the Intermediate cipher suite)
+ #
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+ SSLCompression off
+
+ # OCSP Stapling, only in httpd 2.3.3 and later
+ #SSLUseStapling on
+ #SSLStaplingResponderTimeout 5
+ #SSLStaplingReturnResponderErrors off
+ # On Apache 2.4+, SSLStaplingCache must be set *outside* of the VirtualHost
+ #SSLStaplingCache shmcb:/var/run/ocsp(128000)
+
+ # Enable this if your want HSTS (recommended)
+ # Header add Strict-Transport-Security "max-age=15768000"
+
+ #
 # Take pity on users running Internet Exploder
 #
 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
diff --git a/ca/rpkigui-import-routes b/ca/rpkigui-import-routes
index 3dce26b3..0fbe0126 100755
--- a/ca/rpkigui-import-routes
+++ b/ca/rpkigui-import-routes
@@ -39,7 +39,7 @@ class BadArgument(Exception):
 def timed_out(*ignored):
- logging.info('timed out')
+ logging.error('timed out')
 sys.exit(1)
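Review bot: The `SSLCipherSuite` string and `SSLProtocol all -SSLv2 -SSLv3` are pinned inline with no date or profile version in the comment above them, so nothing tells a maintainer when they have gone stale; the list keeps `DES-CBC3-SHA`, the bare `AES` and `CAMELLIA` groups and the non-forward-secret `AES128-SHA`/`AES256-SHA` suites, and `all -SSLv2 -SSLv3` still admits TLS 1.0, which the intermediate profile accepted when this was written but which needs periodic review. I would record the snapshot in the comment, `# (Currently using the Intermediate cipher suite, snapshot <DATE>; re-check the wiki page before release)`. The HSTS line is left commented out although labelled recommended, and `Header` requires mod_headers, which this template does not show being loaded; that dependency belongs in the comment next to it. The comment `# Enable this if your want HSTS (recommended)` should read `# Enable this if you want HSTS (recommended)`.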
@@ -51,11 +51,9 @@ from routeviews.org into the RPKI Web Portal database. If the input file is a bzip2 compressed file, it will be decompressed
 automatically.""")
 parser.add_option('-t', '--type', dest='filetype', metavar='TYPE',
- help='Specify the input file type (auto, text, mrt) [Default: %default]')
+ help='Specify the input file type (text, mrt) [Default: %default]')
 parser.add_option('-l', '--level', dest='log_level', default='ERROR',
 help='Set logging level [Default: %default]')
- parser.add_option('-u', '--bunzip2', dest='bunzip', metavar='PROG',
- help='Specify bunzip2 program to use')
 parser.add_option('-b', '--bgpdump', dest='bgpdump', metavar='PROG',
 help='Specify path to bgdump binary')
 parser.add_option('-j', '--jitter', dest='jitter', type='int',
@@ -64,7 +62,7 @@ automatically.""")
 help='Set name of lock file; empty string disables locking [Default: %default]')
 parser.add_option('--timeout', dest='timeout', type='int',
 help='Specify timeout for download and import, in seconds [Default: %default]')
- parser.set_defaults(debug=False, verbose=False, filetype='auto', jitter=0,
+ parser.set_defaults(debug=False, verbose=False, filetype='text', jitter=0,
 lockfile='/tmp/rpkigui-import-routes.lock', timeout=90*60)
 options, args = parser.parse_args()
@@ -104,7 +102,7 @@ automatically.""")
 signal.signal(signal.SIGALRM, timed_out)
 signal.setitimer(signal.ITIMER_REAL, options.timeout)
- import_routeviews_dump(*args)
+ import_routeviews_dump(*args, filetype=options.filetype)
 if options.timeout > 0:
 signal.setitimer(signal.ITIMER_REAL, 0)
diff --git a/ca/tests/testpoke.py b/ca/tests/testpoke.py
index 8a443e0d..9cd7b8fd 100644
--- a/ca/tests/testpoke.py
+++ b/ca/tests/testpoke.py
@@ -105,7 +105,8 @@ def query_up_down(q_pdu):
 msg = q_der,
 url = yaml_data["posturl"],
 callback = done,
- errback = fail)
+ errback = fail,
+ content_type = rpki.up_down.content_type)
 def do_list():
 query_up_down(rpki.up_down.list_pdu()) |
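Review bot: The `-t/--type` help string now names only `text` and `mrt`, but the `parser.add_option('-t', ...)` call still declares no `choices`, so the old `-t auto` (the previous default) or any misspelling is no longer documented yet is passed straight through as `filetype=options.filetype` in the hunk at line 102 rather than rejected at parse time. Restrict it at the parser: `parser.add_option('-t', '--type', dest='filetype', metavar='TYPE', type='choice', choices=('text', 'mrt'),` with the existing `help=` line unchanged. The hunk at line 62 changes the default from `auto` to `text` and the `-u/--bunzip2` option is dropped without an ignored compatibility alias, so existing cron or wrapper invocations will fail at option parsing; that behaviour change deserves a sentence in the script's docstring or changelog. The enclosing function starts outside the hunk.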