From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Mon, 06 Jan 2020 19:26:00 +0000
Message-ID: <6cd74a1e-5a08-d7d0-4cc2-b51bd3c46a60@ipfire.org>
In-Reply-To: <52D3C415-E81D-4303-A648-6B523211C1DF@ipfire.org>

Hello Michael, hello *,

> Hello,
>
>> On 5 Jan 2020, at 18:11, Peter Müller wrote:
>>
>> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
>> data on certificates and refuse to establish connections otherwise.
>>
>> The StrongSwan project also recommends it (see:
>> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
>> it is currently not enforced by their IPsec software.
>>
>> For convenience purposes and to raise awareness, this patch adds a default
>> SubjectAlternativeName based on the machine's hostname or IP address. Existing
>> certificates remain unchanged for obvious reasons.
>>
>> Fixes #11594
>>
>> Signed-off-by: Peter Müller
>> ---
>> html/cgi-bin/vpnmain.cgi | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>> index 33b504bc9..9b7bd81ca 100644
>> --- a/html/cgi-bin/vpnmain.cgi
>> +++ b/html/cgi-bin/vpnmain.cgi
>> @@ -822,8 +822,10 @@ END
>>  close IPADDR;
>>  chomp ($ipaddr);
>>  $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
>> + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
>
> This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.

I consider this useful if a machine has a correct hostname set. If it fails, the CGI will fall back to the IP address assigned to red0/ppp0.

>
> Since the original code is like this, I guess there is no point in changing it, but you could have however just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.

Agreed. I will hand in a third version of this patch.

>
>>  if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
>>  $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
>> + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
>>  }
>>  }
>
> Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?

As far as I am concerned, yes.

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>>  $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
>> --
>> 2.16.4
>>
>
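Review bot: nothing in the hunk guards the two new `$cgiparams{'SUBJECTALTNAME'}` assignments against a value that is already present in %cgiparams, whereas the neighbouring default in the trailing context is applied only when the field is empty (`$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});`); if this block can run with a user-entered SubjectAlternativeName in the form, that input is silently overwritten, so both assignments should carry the same `if (!$cgiparams{'SUBJECTALTNAME'})` guard. The first assignment also repeats the `gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2)` reverse lookup that populated ROOTCERT_HOSTNAME on the line above; writing it as `"DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}` avoids the second DNS round trip and keeps the subject hostname and the SAN from diverging if the two answers differ. Note as well that `pack("C4", split(/\./, ...))` only handles IPv4 addresses, so an IPv6 RED address would end up in the `IP:` fallback branch without a DNS entry.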
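As an added example (not IPFire's vpnmain.cgi code and not the patch's Perl), the following Python shows the default derivation discussed in this thread with the two points Michael raised handled explicitly: a SubjectAlternativeName the user already entered is never overwritten, and a failing or empty reverse lookup falls back to an IP: entry instead of producing a bare "DNS:". It goes beyond the patch by accepting IPv6 addresses and by checking the entry syntax before the string reaches openssl. The resolver is injected so the code runs offline; the function names, the hypothetical openssl `[ v3_ca ]` snippet and the sample addresses (documentation ranges) are assumptions of this example.

```python
"""Default subjectAltName derivation for a gateway certificate.

Added example for the vpnmain.cgi discussion; not IPFire's code.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

# A reverse-lookup callable: address -> hostname, or None when nothing
# resolves. Injected so tests run offline and a DNS outage is just
# another input rather than an environmental accident.
Resolver = Callable[[str], Optional[str]]

# Entry types openssl accepts in a subjectAltName line (assumed subset).
ALLOWED_TYPES = ("DNS", "IP", "email", "URI")


def reverse_lookup(addr: str) -> Optional[str]:
    """Real resolver, the analogue of Perl's gethostbyaddr()."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # herror/gaierror are OSError subclasses
        return None


def default_san(ipaddr: str, existing: str = "",
                resolver: Resolver = reverse_lookup) -> str:
    """Pick the SAN to put on the certificate.

    Precedence: a non-empty user-supplied value wins untouched; otherwise
    DNS:<reverse name>; otherwise IP:<address>. ipaddress.ip_address()
    accepts IPv4 and IPv6, unlike the pack("C4", ...) in the patch.
    """
    if existing.strip():
        return existing.strip()
    addr = ipaddress.ip_address(ipaddr.strip())  # ValueError on garbage
    try:
        name = resolver(str(addr))
    except OSError:  # a resolver that raises instead of returning None
        name = None
    if name:
        return f"DNS:{name}"
    return f"IP:{addr}"


def san_errors(san: str) -> List[str]:
    """Validate a comma-separated SAN string; empty list means it is clean.

    Catches the cases that would otherwise surface only as an openssl
    error (or a silently wrong certificate): missing type prefix,
    unknown type, empty value, unparsable IP literal.
    """
    errors: List[str] = []
    for raw in san.split(","):
        entry = raw.strip()
        if not entry:
            errors.append("empty SAN entry")
            continue
        kind, sep, value = entry.partition(":")
        if not sep or kind not in ALLOWED_TYPES:
            errors.append(f"{entry!r}: missing or unknown type prefix, "
                          f"expected one of {ALLOWED_TYPES}")
            continue
        if not value:
            errors.append(f"{entry!r}: empty value")
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                errors.append(f"{entry!r}: not a valid IP address")
    return errors


def v3_ca_section(san: str) -> str:
    """Hypothetical openssl config fragment carrying the SAN (assumed layout)."""
    problems = san_errors(san)
    if problems:
        raise ValueError("; ".join(problems))
    return ("[ v3_ca ]\n"
            "basicConstraints = critical, CA:TRUE\n"
            "keyUsage = critical, keyCertSign, cRLSign\n"
            f"subjectAltName = {san}\n")


if __name__ == "__main__":
    # Constructed inputs: 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
    print(default_san("192.0.2.1", resolver=lambda a: "fw.example.test"))
    print(default_san("192.0.2.1", resolver=lambda a: None))
    print(default_san("2001:db8::1", resolver=lambda a: None))
    print(v3_ca_section(default_san("192.0.2.1", resolver=lambda a: None)))
```

The resolver parameter is the part worth copying: the patch's behaviour under a DNS outage is only testable if the lookup can be made to fail on demand, and the "user value wins" rule only holds if the default is computed from the existing field rather than written over it.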