From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Mon, 06 Jan 2020 11:15:16 +0000
Message-ID: <52D3C415-E81D-4303-A648-6B523211C1DF@ipfire.org>
In-Reply-To: <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org>

Hello,

> On 5 Jan 2020, at 18:11, Peter Müller wrote:
>
> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
> data on certificates and refuse to establish connections otherwise.
>
> The StrongSwan project also recommends it (see:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
> it is currently not enforced by their IPsec software.
>
> For convenience purposes and to raise awareness, this patch adds a default
> SubjectAlternativeName based on the machine's hostname or IP address. Existing
> certificates remain unchanged for obvious reasons.
>
> Fixes #11594
>
> Signed-off-by: Peter Müller
> ---
> html/cgi-bin/vpnmain.cgi | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 33b504bc9..9b7bd81ca 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -822,8 +822,10 @@ END
> close IPADDR;
> chomp ($ipaddr);
> $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];

This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.

Since the original code is like this, I guess there is no point in changing it, but you could have however just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.

> if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
> $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
> + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
> }
> }

Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?

-Michael

> $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
> --
> 2.16.4
>
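Review bot: the first added line, `+ $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];`, repeats the reverse DNS lookup that the preceding context line already performs for ROOTCERT_HOSTNAME, so a slow or failing resolver is queried twice and the two fields can disagree if the answers differ (and when the lookup returns nothing the concatenation yields a bare "DNS:" until the fallback branch overwrites it). Derive the value from what was just stored instead, e.g. `$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};`, or set it once after the `if` block so the DNS and IP cases share one assignment. The hunk also shows both additions assigning unconditionally, unlike the trailing context line `$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});`, so a SubjectAlternativeName the user entered in the form would be replaced by the default here; follow the same `if (!$cgiparams{'SUBJECTALTNAME'})` guard so a user-supplied value is honoured.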