Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machines hostname or IP address. Existing certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..43cdc5aa0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); @@ -975,6 +977,11 @@ END # IP: an IP address # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ if ($cgiparams{'SUBJECTALTNAME'} eq '') { + $errormessage = $Lang::tr{'vpn subjectaltname missing'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { $errormessage = $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR; @@ -1129,7 +1136,7 @@ END } print <<END </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> <tr><td> </td> <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>