public inbox for development@lists.ipfire.org
* [PATCH] vpnmain.cgi: set SubjectAlternativeName default during root, certificate generation
From: Peter Müller @ 2020-01-05 17:54 UTC (permalink / raw)
  To: development


Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..9b7bd81ca 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -822,8 +822,10 @@ END
 			close IPADDR;
 			chomp ($ipaddr);
 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
 			}
 		}
 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
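Review bot: the added `$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(...))[0];` line repeats the reverse lookup that the line directly above has just performed for ROOTCERT_HOSTNAME, so a slow or failing resolver is consulted twice while the certificate form is prepared; reuse the stored value instead, e.g. `$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};`. The fallback branch does replace the DNS: value with `"IP:" . $ipaddr` when the lookup returned nothing, so the empty-name case is covered.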
-- 
2.16.4


* [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Peter Müller @ 2020-01-05 18:11 UTC (permalink / raw)
  To: development


Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..9b7bd81ca 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -822,8 +822,10 @@ END
 			close IPADDR;
 			chomp ($ipaddr);
 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
 			}
 		}
 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
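Review bot: both new assignments set `$cgiparams{'SUBJECTALTNAME'}` unconditionally, while the neighbouring defaults follow the `$cgiparams{'ROOTCERT_COUNTRY'} = ... if (!$cgiparams{'ROOTCERT_COUNTRY'});` pattern and only fill a field the user left empty; if this branch can be reached with a value already entered in the SUBJECTALTNAME form field, that value is clobbered. Guard the default the same way, `... if (!$cgiparams{'SUBJECTALTNAME'});`, so a user-supplied SubjectAlternativeName always wins over the generated one.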
-- 
2.16.4



* Re: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Michael Tremer @ 2020-01-06 11:15 UTC (permalink / raw)
  To: development


Hello,

> On 5 Jan 2020, at 18:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
> data on certificates and refuse to establish connections otherwise.
> 
> The StrongSwan project also recommends it (see:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
> it is currently not enforced by their IPsec software.
> 
> For convenience purposes and to raise awareness, this patch adds a default
> SubjectAlternativeName based on the machine's hostname or IP address. Existing
> certificates remain unchanged for obvious reasons.
> 
> Fixes #11594
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 33b504bc9..9b7bd81ca 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -822,8 +822,10 @@ END
> 			close IPADDR;
> 			chomp ($ipaddr);
> 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> +			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];

This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.

Since the original code is like this, I guess there is no point in changing it, but you could, however, have just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.

> 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
> 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
> +				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
> 			}
> 		}

Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?

-Michael

> 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
> -- 
> 2.16.4
> 



* Re: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Peter Müller @ 2020-01-06 19:26 UTC (permalink / raw)
  To: development


Hello Michael, hello *,

> Hello,
> 
>> On 5 Jan 2020, at 18:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
>> data on certificates and refuse to establish connections otherwise.
>>
>> The StrongSwan project also recommends it (see:
>> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
>> it is currently not enforced by their IPsec software.
>>
>> For convenience purposes and to raise awareness, this patch adds a default
>> SubjectAlternativeName based on the machine's hostname or IP address. Existing
>> certificates remain unchanged for obvious reasons.
>>
>> Fixes #11594
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> html/cgi-bin/vpnmain.cgi | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>> index 33b504bc9..9b7bd81ca 100644
>> --- a/html/cgi-bin/vpnmain.cgi
>> +++ b/html/cgi-bin/vpnmain.cgi
>> @@ -822,8 +822,10 @@ END
>> 			close IPADDR;
>> 			chomp ($ipaddr);
>> 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
>> +			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> 
> This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.
I consider this useful if a machine has a correct hostname set. If it fails,
the CGI will fall back to the IP address assigned to red0/ppp0.
> 
> Since the original code is like this, I guess there is no point in changing it, but you could, however, have just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.
Agreed. I will hand in a third version of this patch.
> 
>> 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
>> 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
>> +				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
>> 			}
>> 		}
> 
> Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?
As far as I am concerned, yes.

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>> 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
>> -- 
>> 2.16.4
>>
> 


* [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Peter Müller @ 2020-01-07 21:47 UTC (permalink / raw)
  To: development


Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

The third version of this patch fixes a duplicate DNS query reported by Michael.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..43cdc5aa0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  info(a)ipfire.org                       #
+# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
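Review bot: the copyright year bump and the angle brackets added around `info(a)ipfire.org` are unrelated to the SubjectAlternativeName change and are not mentioned in the commit message; either drop them from this patch or state them in the message so the change set stays reviewable.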
@@ -822,8 +822,10 @@ END
 			close IPADDR;
 			chomp ($ipaddr);
 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			}
 		}
 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
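Review bot: `$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};` runs before the `eq ''` check, so when the reverse lookup returns nothing the field first holds the bare string `DNS:` and is then overwritten by the fallback; moving the DNS: assignment into an `else` branch of the existing `if` makes the two cases explicit, and in the fallback `"IP:" . $ipaddr` reads more clearly than re-reading ROOTCERT_HOSTNAME, which the previous line has just set to that same value. Since the DNS: entry comes from a reverse lookup of the red address, it is not necessarily the name peers use to reach the firewall, so users should still review the prefilled value before generating the certificate.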
@@ -975,6 +977,11 @@ END
 		#	IP: an IP address
 		# example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
 
+		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
+			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
+			goto ROOTCERT_ERROR;
+		}
+
 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
 			$errormessage = $Lang::tr{'vpn altname syntax'};
 			goto VPNCONF_ERROR;
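Review bot: the new empty check jumps to `ROOTCERT_ERROR`, while the syntax check directly below it jumps to `VPNCONF_ERROR` for an error in the same field; confirm that `ROOTCERT_ERROR` is the intended label and that it exists, otherwise the two failures land in different places. With the empty case now rejected, the `$cgiparams{'SUBJECTALTNAME'} ne '' &&` part of the following condition is redundant and can be dropped. This hunk also makes SubjectAlternativeName a mandatory field, which is a behaviour change the commit message should state explicitly.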
@@ -1129,7 +1136,7 @@ END
 	}
 	print <<END
 		</select></td></tr>
-	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
 	<tr><td>&nbsp;</td>
 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
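Review bot: the marker image now flags the field as required, but the hint text `(subjectAltName=email:*,URI:*,DNS:*,RID:*)` still omits `IP:`, which the validation regex `^(email|URI|DNS|RID|IP):` accepts and which the new default produces when no hostname resolves; add `IP:*` to the hint so the prefilled value is visibly one of the documented forms.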
-- 
2.16.4



* [PATCH v3 2/3] update translation files for vpnmain.cgi changes
From: Peter Müller @ 2020-01-07 21:47 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 langs/de/cgi-bin/de.pl | 5 +++--
 langs/en/cgi-bin/en.pl | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2e67e495f..2cd2e24a2 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2760,7 +2760,7 @@
 'vpi number' => 'VPI-Nummer:',
 'vpn' => 'VPN',
 'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Möglichst vermeiden (preshared Schlüssel wird im Klartext übertragen)!',
-'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info(a)ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo',
+'vpn altname syntax' => 'Der SubjectAlternativeName ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info(a)ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo',
 'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld',
 'vpn broken' => 'gebrochen',
 'vpn connecting' => 'VERBINDUNGSAUFBAU',
@@ -2787,7 +2787,8 @@
 'vpn start action start' => 'Immer An',
 'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik',
 'vpn statistic rw' => 'VPN: Roadwarrior-Statistik',
-'vpn subjectaltname' => 'Subjekt Alternativer Name',
+'vpn subjectaltname' => 'SubjectAlternativeName',
+'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.',
 'vpn wait' => 'WARTE',
 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
 'vpn weak' => 'schwach',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 0d30595b3..2dc325a3a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1363,7 +1363,7 @@
 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
 'hostname' => 'Hostname',
 'hostname and domain already in use' => 'Hostname and domain already in use.',
-'hostname cant be empty' => 'Hostname can\'t be empty.',
+'hostname cant be empty' => 'Hostname cannot be empty.',
 'hostname not set' => 'Hostname not set.',
 'hosts config added' => 'Hosts config added',
 'hosts config changed' => 'Hosts config changed',
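Review bot: the `'hostname cant be empty'` wording change belongs to a different form and does not correspond to any vpnmain.cgi change, so it does not match the commit subject `update translation files for vpnmain.cgi changes`; either split it into its own patch or mention it in the message.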
@@ -2835,7 +2835,8 @@
 'vpn start action start' => 'Always On',
 'vpn statistic n2n' => 'VPN: Net-to-Net Statistics',
 'vpn statistic rw' => 'VPN: Roadwarrior Statistics',
-'vpn subjectaltname' => 'Subject Alt Name',
+'vpn subjectaltname' => 'SubjectAlternativeName',
+'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.',
 'vpn wait' => 'WAITING',
 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
 'vpn weak' => 'Weak',
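Review bot: typo in the new string `'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.'`; it should read `empty`. This text is what the new empty check in 1/3 shows to the user, so it is worth fixing before merge.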
-- 
2.16.4


* [PATCH v3 3/3] Core Update 140: ship changed vpnmain.cgi
From: Peter Müller @ 2020-01-07 21:48 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/140/filelists/files | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/140/filelists/files b/config/rootfiles/core/140/filelists/files
index 0a38212e7..22d0330dc 100644
--- a/config/rootfiles/core/140/filelists/files
+++ b/config/rootfiles/core/140/filelists/files
@@ -7,4 +7,5 @@ etc/rc.d/init.d/unbound
 etc/rc.d/init.d/suricata
 opt/pakfire/lib/functions.pl
 srv/web/ipfire/cgi-bin/ids.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/sbin/convert-snort
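Review bot: the series also changes `langs/de/cgi-bin/de.pl` and `langs/en/cgi-bin/en.pl` in 2/3, but only `srv/web/ipfire/cgi-bin/vpnmain.cgi` is added to the Core Update 140 file list; confirm that the language files are shipped by another mechanism, since the new `'vpn subjectaltname missing'` key would otherwise be missing on updated systems and the error message introduced in 1/3 would show no text.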
-- 
2.16.4


* Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Michael Tremer @ 2020-01-08 10:58 UTC (permalink / raw)
  To: development


Hi,

I am not sure about the change of behaviour here.

I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.

The code looks like it does not do that.

Did I get it wrong what we agreed on in the end?

-Michael

> On 7 Jan 2020, at 21:47, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
> data on certificates and refuse to establish connections otherwise.
> 
> The StrongSwan project also recommends it (see:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
> it is currently not enforced by their IPsec software.
> 
> For convenience purposes and to raise awareness, this patch adds a default
> SubjectAlternativeName based on the machine's hostname or IP address. Existing
> certificates remain unchanged for obvious reasons.
> 
> The third version of this patch fixes a duplicate DNS query reported by Michael.
> 
> Fixes #11594
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 33b504bc9..43cdc5aa0 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2019  IPFire Team  info(a)ipfire.org                       #
> +# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -822,8 +822,10 @@ END
> 			close IPADDR;
> 			chomp ($ipaddr);
> 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> +			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
> 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
> +				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			}
> 		}
> 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
> @@ -975,6 +977,11 @@ END
> 		#	IP: an IP address
> 		# example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
> 
> +		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
> +			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
> +			goto ROOTCERT_ERROR;
> +		}
> +
> 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
> 			$errormessage = $Lang::tr{'vpn altname syntax'};
> 			goto VPNCONF_ERROR;
> @@ -1129,7 +1136,7 @@ END
> 	}
> 	print <<END
> 		</select></td></tr>
> -	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
> +	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
> 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
> 	<tr><td>&nbsp;</td>
> 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
> -- 
> 2.16.4
> 



* Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Peter Müller @ 2020-01-09 15:20 UTC (permalink / raw)
  To: development


Hello Michael,

thanks for your reply. In my opinion: Partly. :-)

Actually, the code allows arbitrary user input as long as _any_
SubjectAlternativeName is provided during root/host certificate
generation. As far as I can recall, this is exactly what we agreed
on.

Regarding the FQDN, I do not think it makes sense to use IPFire's
hostname unconditionally: Most installations will not even have a
valid FQDN assigned to red0, not to mention missing DNS records if
the latter one is present.

Therefore, I consider that using the same value filled into "$ROOTCERT_HOSTNAME"
as a SubjectAlternativeName makes sense.

Thanks, and best regards,
Peter Müller


> Hi,
> 
> I am not sure about the change of behaviour here.
> 
> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
> 
> The code looks like it does not do that.
> 
> Did I get it wrong what we agreed on in the end?
> 
> -Michael
> 



* Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
From: Michael Tremer @ 2020-01-13 12:37 UTC (permalink / raw)
  To: development


Hi,

> On 9 Jan 2020, at 15:20, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply. In my opinion: Partly. :-)
> 
> Actually, the code allows arbitrary user input as long as _any_
> SubjectAlternativeName is provided during root/host certificate
> generation. As far as I can recall, this is exactly what we agreed
> on.

Yes, we wanted to allow users to set whatever they want here in addition to the default which is the FQDN of the firewall.

> Regarding the FQDN, I do not think it makes sense to use IPFire's
> hostname unconditionally: Most installations will not even have a
> valid FQDN assigned to red0, not to mention missing DNS records if
> the latter one is present.

If people set an invalid FQDN, that is a configuration issue I believe.

> Therefore, I consider that using the same value filled into "$ROOTCERT_HOSTNAME"
> as a SubjectAlternativeName makes sense.

And the default is the FQDN here?

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>> 
>> I am not sure about the change of behaviour here.
>> 
>> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
>> 
>> The code looks like it does not do that.
>> 
>> Did I get it wrong what we agreed on in the end?
>> 
>> -Michael
>> 
> 


