public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Mon, 13 Jan 2020 12:37:05 +0000
Message-ID: <05730869-F1FA-406A-9F29-3B4CA721BF23@ipfire.org>
In-Reply-To: <2df8655d-f6eb-e2b6-f642-59b9c1a1bce0@ipfire.org>


Hi,

> On 9 Jan 2020, at 15:20, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply. In my opinion: Partly. :-)
> 
> Actually, the code allows arbitrary user input as long as _any_
> SubjectAlternativeName is provided during root/host certificate
> generation. As far as I can recall, this is exactly what we agreed
> on.

Yes, we wanted to allow users to set whatever they want here in addition to the default which is the FQDN of the firewall.

> Regarding the FQDN, I do not think it makes sense to use IPFire's
> hostname unconditionally: Most installations will not even have a
> valid FQDN assigned to red0, not to mention missing DNS records if
> the latter one is present.

If people set an invalid FQDN, that is a configuration issue I believe.

> Thereof, I consider using the same value filled into "$ROOTCERT_HOSTNAME"
> as a SubjectAlternativeName makes sense.

And the default is the FQDN here?

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>> 
>> I am not sure about the change of behaviour here.
>> 
>> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
>> 
>> The code looks like it does not do that.
>> 
>> Did I get it wrong what we agreed on in the end?
>> 
>> -Michael
>> 
> 
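
The behaviour discussed in this thread (the firewall's FQDN is always set as a SubjectAlternativeName, and any additional user-supplied values are accepted on top of it), as an added example that is not part of the original message and not code from vpnmain.cgi. The function names, the comma-separated input format and the restriction to DNS: and IP: entries are assumptions of this example.

```python
import ipaddress
import re

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_hostname(name):
    """True if every dot-separated label of name is a valid hostname label."""
    return 0 < len(name) <= 253 and all(_LABEL.fullmatch(l) for l in name.split("."))


def _normalise(entry):
    """Return one canonical 'TYPE:value' SAN entry, or raise ValueError."""
    kind, sep, value = entry.strip().partition(":")
    kind, value = kind.strip().upper(), value.strip()
    if sep and kind == "DNS" and _is_hostname(value):
        return "DNS:" + value.lower()
    if sep and kind == "IP":
        # ip_address() raises ValueError on anything that is not an address.
        return "IP:" + str(ipaddress.ip_address(value))
    raise ValueError("unsupported or malformed SAN entry: %r" % entry)


def build_san(fqdn, user_input=""):
    """Build the subjectAltName value: FQDN default first, user entries after.

    fqdn       -- hostname of the firewall (hypothetical parameter); an
                  invalid FQDN is rejected rather than silently dropped
    user_input -- comma-separated extra entries typed by the user
    """
    entries = [_normalise("DNS:" + fqdn)]  # the default is always present
    for raw in user_input.split(","):
        if not raw.strip():
            continue  # ignore empty fields such as a trailing comma
        entry = _normalise(raw)
        if entry not in entries:  # user repeating the default adds nothing
            entries.append(entry)
    return ",".join(entries)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(build_san("ipfire.example.org"))
    print(build_san("ipfire.example.org", "DNS:vpn.example.org, IP:192.0.2.1"))
```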


Thread overview: 10+ messages
2020-01-05 17:54 [PATCH] vpnmain.cgi: set SubjectAlternativeName default during root, " Peter Müller
2020-01-05 18:11 ` [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root " Peter Müller
2020-01-06 11:15   ` Michael Tremer
2020-01-06 19:26     ` Peter Müller
2020-01-07 21:47   ` [PATCH v3 1/3] " Peter Müller
2020-01-07 21:47     ` [PATCH v3 2/3] update translation files for vpnmain.cgi changes Peter Müller
2020-01-07 21:48       ` [PATCH v3 3/3] Core Update 140: ship changed vpnmain.cgi Peter Müller
2020-01-08 10:58     ` [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation Michael Tremer
2020-01-09 15:20       ` Peter Müller
2020-01-13 12:37         ` Michael Tremer [this message]
