From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Date: Sun, 05 Jan 2020 18:11:00 +0000
Message-ID: <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org>

Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise. The
StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA), although it
is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address.
Existing certificates remain unchanged for obvious reasons.

Fixes #11594

Signed-off-by: Peter Müller
---
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..9b7bd81ca 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -822,8 +822,10 @@ END
 		close IPADDR;
 		chomp ($ipaddr);
 		$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+		$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
 		if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 			$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+			$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr;
 		}
 	}
 	$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
-- 
2.16.4
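Review bot: the first added line repeats the reverse DNS lookup that the preceding context line has just performed and stored in $cgiparams{'ROOTCERT_HOSTNAME'}; a second gethostbyaddr() call costs another resolver round trip (and a second timeout when the PTR record is missing) and can in principle return a different name than the one the CN was just set from, so the CN and the DNS SAN could disagree. Reuse the value already in hand instead, e.g. `$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};`. With that change the "DNS:" prefix is still assigned before the empty-hostname check and then overwritten with "IP:" . $ipaddr inside the if block, which is the intended fallback; alternatively move the DNS assignment into an else branch so each SAN is set exactly once.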