From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Mon, 13 Jan 2020 12:37:05 +0000
Message-ID: <05730869-F1FA-406A-9F29-3B4CA721BF23@ipfire.org>
In-Reply-To: <2df8655d-f6eb-e2b6-f642-59b9c1a1bce0@ipfire.org>

Hi,

> On 9 Jan 2020, at 15:20, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply. In my opinion: Partly. :-)
>
> Actually, the code allows arbitrary user input as long as _any_
> SubjectAlternativeName is provided during root/host certificate
> generation. As far as I can recall, this is exactly what we agreed
> on.

Yes, we wanted to allow users to set whatever they want here in addition to the default which is the FQDN of the firewall.

> Regarding the FQDN, I do not think it makes sense to use IPFire's
> hostname unconditionally: Most installations will not even have a
> valid FQDN assigned to red0, not to mention missing DNS records if
> the latter one is present.

If people set an invalid FQDN, that is a configuration issue I believe.

> Thereof, I consider using the same value filled into "$ROOTCERT_HOSTNAME"
> as a SubjectAlternativeName makes sense.

And the default is the FQDN here?

>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hi,
>>
>> I am not sure about the change of behaviour here.
>>
>> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
>>
>> The code looks like it does not do that.
>>
>> Did I get it wrong what we agreed on in the end?
>>
>> -Michael
>>
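As an added illustration, not code from the patch under discussion or from IPFire's vpnmain.cgi, here is a Python sketch of the behaviour described in the thread: the firewall's FQDN (the value in $ROOTCERT_HOSTNAME) is always the first SubjectAlternativeName, and user-supplied entries are validated and appended rather than replacing it. The function names and the accepted input grammar (comma-separated DNS:/IP:/email: entries, bare hostnames and addresses) are assumptions for this example.

```python
import ipaddress
import re

# RFC 1123 style hostname label: assumed grammar for validating DNS entries.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if name is a dotted hostname with valid labels (no bare 'localhost')."""
    if not name or len(name) > 253 or "." not in name.strip("."):
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def _looks_like_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_user_san(raw):
    """Parse a comma separated user string into (type, value) tuples.

    Accepts 'DNS:host', 'IP:addr', 'email:addr'; bare hostnames and bare
    IP addresses get the matching prefix. Rejects anything else so that
    unchecked input never reaches the openssl config.
    """
    entries = []
    for item in filter(None, (s.strip() for s in raw.split(","))):
        if _looks_like_ip(item):               # bare IPv4/IPv6 (no prefix)
            entries.append(("IP", item))
            continue
        kind, sep, value = item.partition(":")
        if not sep:                            # bare hostname
            kind, value = "dns", item
        kind = kind.lower()
        if kind == "dns" and is_fqdn(value):
            entries.append(("DNS", value.lower()))
        elif kind == "ip" and _looks_like_ip(value):
            entries.append(("IP", value))
        elif kind == "email" and re.match(r"^[^@\s]+@[^@\s]+$", value):
            entries.append(("email", value))
        else:
            raise ValueError("invalid SubjectAlternativeName entry: %r" % item)
    return entries


def build_san(root_hostname, user_input=""):
    """Return the subjectAltName value: the FQDN first, then user entries, deduplicated."""
    if not is_fqdn(root_hostname):
        raise ValueError("ROOTCERT_HOSTNAME is not a valid FQDN: %r" % root_hostname)
    entries = [("DNS", root_hostname.lower())]
    for entry in parse_user_san(user_input):
        if entry not in entries:
            entries.append(entry)
    return ", ".join("%s:%s" % entry for entry in entries)
```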