Re: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3863 bytes --]

Hi,

I am not sure about the change of behaviour here.

I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.

The code looks like it does not do that.

Did I get it wrong what we agreed on in the end?

-Michael

> On 7 Jan 2020, at 21:47, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
> data on certificates and refuse to establish connections otherwise.
> 
> The StrongSwan project also recommends it (see:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
> it is currently not enforced by their IPsec software.
> 
> For convenience purposes and to raise awareness, this patch adds a default
> SubjectAlternativeName based on the machines hostname or IP address. Existing
> certificates remain unchanged for obvious reasons.
> 
> The third version of this patch fixes a duplicate DNS query reported by Michael.
> 
> Fixes #11594
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 33b504bc9..43cdc5aa0 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2019  IPFire Team  info(a)ipfire.org                       #
> +# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -822,8 +822,10 @@ END
> 			close IPADDR;
> 			chomp ($ipaddr);
> 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> +			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
> 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
> +				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			}
> 		}
> 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
> @@ -975,6 +977,11 @@ END
> 		#	IP: an IP address
> 		# example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
> 
> +		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
> +			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
> +			goto ROOTCERT_ERROR;
> +		}
> +
> 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
> 			$errormessage = $Lang::tr{'vpn altname syntax'};
> 			goto VPNCONF_ERROR;
> @@ -1129,7 +1136,7 @@ END
> 	}
> 	print <<END
> 		</select></td></tr>
> -	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
> +	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
> 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
> 	<tr><td>&nbsp;</td>
> 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
> -- 
> 2.16.4
>