From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Thu, 09 Jan 2020 15:20:00 +0000
Message-ID: <2df8655d-f6eb-e2b6-f642-59b9c1a1bce0@ipfire.org>

Hello Michael,

thanks for your reply.

In my opinion: Partly. :-)

Actually, the code allows arbitrary user input as long as _any_ SubjectAlternativeName is provided during root/host certificate generation. As far as I can recall, this is exactly what we agreed on.

Regarding the FQDN, I do not think it makes sense to use IPFire's hostname unconditionally: Most installations will not even have a valid FQDN assigned to red0, not to mention missing DNS records if the latter one is present.

Therefore, I consider using the same value filled into "$ROOTCERT_HOSTNAME" as a SubjectAlternativeName makes sense.

Thanks, and best regards,
Peter Müller

> Hi,
>
> I am not sure about the change of behaviour here.
>
> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
>
> The code looks like it does not do that.
>
> Did I get it wrong what we agreed on in the end?
>
> -Michael