Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
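Review bot: in the @@ -822,8 hunk both new assignments set SUBJECTALTNAME unconditionally, whereas the ROOTCERT_COUNTRY default two lines below is guarded with `if (!$cgiparams{'ROOTCERT_COUNTRY'})`; a value the user has already entered in the SUBJECTALTNAME field is replaced by the `DNS:`/`IP:` default whenever this path runs. Guard the new lines with `if (!$cgiparams{'SUBJECTALTNAME'})` so the prefill only touches an empty field. The added `DNS:` line also repeats the gethostbyaddr() reverse lookup that ROOTCERT_HOSTNAME was filled from on the line above; reuse `$cgiparams{'ROOTCERT_HOSTNAME'}` instead, which avoids the second lookup and guarantees the two values cannot diverge if the resolver answers differently the second time.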
Hello,
On 5 Jan 2020, at 18:11, Peter Müller peter.mueller@ipfire.org wrote:
Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0];
$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.
Since the original code is like this, I guess there is no point in changing it, but you could however have just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.
if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
}$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; }
Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?
-Michael
$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
-- 2.16.4
Hello Michael, hello *,
Hello,
On 5 Jan 2020, at 18:11, Peter Müller peter.mueller@ipfire.org wrote:
Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0];
$cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
This relies on DNS working at the time of generating the certificate which obviously is a very bad idea.
I consider this useful if a machine has a correct hostname set. If it fails, the CGI will fall back to the IP address assigned to red0/ppp0.
Since the original code is like this, I guess there is no point in changing it, but you could however have just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup.
Agreed. I will hand in a third version of this patch.
if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
}$cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; }
Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured?
As far as I am concerned, yes.
Thanks, and best regards, Peter Müller
-Michael
$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
-- 2.16.4
Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
---
 html/cgi-bin/vpnmain.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..43cdc5aa0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); @@ -975,6 +977,11 @@ END # IP: an IP address # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ if ($cgiparams{'SUBJECTALTNAME'} eq '') { + $errormessage = $Lang::tr{'vpn subjectaltname missing'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { $errormessage = $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR; @@ -1129,7 +1136,7 @@ END } print <<END </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> <tr><td> </td> <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
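Review bot: the @@ -822,8 hunk still assigns SUBJECTALTNAME unconditionally on both new lines, while the ROOTCERT_COUNTRY default in the same context is guarded with `if (!$cgiparams{'ROOTCERT_COUNTRY'})`; any value the user already typed into the SUBJECTALTNAME field is overwritten with the `DNS:` or `IP:` default each time this path runs. Wrap both new assignments in `if (!$cgiparams{'SUBJECTALTNAME'})` so the prefill only fills an empty field and a user-supplied name is honoured.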
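Review bot: the new empty check in the @@ -975,6 hunk jumps to ROOTCERT_ERROR, whereas the syntax check directly below it jumps to VPNCONF_ERROR; confirm both labels exist and use the same one so an empty field and a malformed field land on the same error page. With the empty check in place, the `$cgiparams{'SUBJECTALTNAME'} ne ''` half of the following condition is redundant and can go. While touching this spot, the character class in that context line, `[a-zA-Z0-9 :/,.-_@]`, does not do what it looks like: inside a class `.-_` is a range from `.` (0x2E) to `_` (0x5F), so a literal hyphen is rejected (a name like `DNS:my-fw.example.org` fails validation) while `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^` are accepted. Moving the hyphen to the end, `[a-zA-Z0-9 :/,._@-]`, makes it literal and drops the unintended range.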
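Review bot: the label changed in the @@ -1129,7 hunk, `(subjectAltName=email:*,URI:*,DNS:*,RID:*)`, omits `IP:*`, although the validator alternation `(email|URI|DNS|RID|IP)` and the help comment `# IP: an IP address` in the @@ -975 context both accept it and the patch itself now prefills `IP:` as a fallback; since the field is being marked mandatory with the asterisk, add `IP:*` to the hint so it matches what is enforced.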
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 langs/de/cgi-bin/de.pl | 5 +++--
 langs/en/cgi-bin/en.pl | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2e67e495f..2cd2e24a2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2760,7 +2760,7 @@ 'vpi number' => 'VPI-Nummer:', 'vpn' => 'VPN', 'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Möglichst vermeiden (preshared Schlüssel wird im Klartext übertragen)!', -'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: 'copy' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo', +'vpn altname syntax' => 'Der SubjectAlternativeName ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: 'copy' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo', 'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld', 'vpn broken' => 'gebrochen', 'vpn connecting' => 'VERBINDUNGSAUFBAU', 
@@ -2787,7 +2787,8 @@ 'vpn start action start' => 'Immer An', 'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik', 'vpn statistic rw' => 'VPN: Roadwarrior-Statistik', -'vpn subjectaltname' => 'Subjekt Alternativer Name', +'vpn subjectaltname' => 'SubjectAlternativeName', +'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', 'vpn weak' => 'schwach', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0d30595b3..2dc325a3a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1363,7 +1363,7 @@ 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', -'hostname cant be empty' => 'Hostname can't be empty.', +'hostname cant be empty' => 'Hostname cannot be empty.', 'hostname not set' => 'Hostname not set.', 'hosts config added' => 'Hosts config added', 'hosts config changed' => 'Hosts config changed', @@ -2835,7 +2835,8 @@ 'vpn start action start' => 'Always On', 'vpn statistic n2n' => 'VPN: Net-to-Net Statistics', 'vpn statistic rw' => 'VPN: Roadwarrior Statistics', -'vpn subjectaltname' => 'Subject Alt Name', +'vpn subjectaltname' => 'SubjectAlternativeName', +'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'vpn weak' => 'Weak',
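Review bot: typo in the new en.pl string in the @@ -2835,7 hunk: `'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.'` should read `empty`; this is the text shown to the user every time the new empty-field check fires, so it is worth fixing before merge. The German counterpart `'SubjectAlternativeName darf nicht leer bleiben.'` is fine.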
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/core/140/filelists/files | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/140/filelists/files b/config/rootfiles/core/140/filelists/files index 0a38212e7..22d0330dc 100644 --- a/config/rootfiles/core/140/filelists/files +++ b/config/rootfiles/core/140/filelists/files @@ -7,4 +7,5 @@ etc/rc.d/init.d/unbound etc/rc.d/init.d/suricata opt/pakfire/lib/functions.pl srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/convert-snort
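Review bot: this filelist gains only srv/web/ipfire/cgi-bin/vpnmain.cgi, but the companion patch also changes langs/de/cgi-bin/de.pl and langs/en/cgi-bin/en.pl and introduces the new 'vpn subjectaltname missing' key that the updated CGI now references. Confirm that the language files reach installations via the core 140 update by some other mechanism; if not, they need to be listed here as well, otherwise an updated system would show the new error without a translation.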
Hi,
I am not sure about the change of behaviour here.
I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
The code looks like it does not do that.
Did I get it wrong what we agreed on in the end?
-Michael
On 7 Jan 2020, at 21:47, Peter Müller peter.mueller@ipfire.org wrote:
Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
 html/cgi-bin/vpnmain.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..43cdc5aa0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0];
$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
} $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; }
@@ -975,6 +977,11 @@ END # IP: an IP address # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
if ($cgiparams{'SUBJECTALTNAME'} eq '') {
$errormessage = $Lang::tr{'vpn subjectaltname missing'};
goto ROOTCERT_ERROR;
}
- if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { $errormessage = $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR;
@@ -1129,7 +1136,7 @@ END } print <<END </select></td></tr>
<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> <tr><td> </td> <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
-- 2.16.4
Hello Michael,
thanks for your reply. In my opinion: Partly. :-)
Actually, the code allows arbitrary user input as long as _any_ SubjectAlternativeName is provided during root/host certificate generation. As far as I can recall, this is exactly what we agreed on.
Regarding the FQDN, I do not think it makes sense to use IPFire's hostname unconditionally: Most installations will not even have a valid FQDN assigned to red0, not to mention missing DNS records if the latter one is present.
Therefore, I consider that using the same value filled into "$ROOTCERT_HOSTNAME" as a SubjectAlternativeName makes sense.
Thanks, and best regards, Peter Müller
Hi,
I am not sure about the change of behaviour here.
I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
The code looks like it does not do that.
Did I get it wrong what we agreed on in the end?
-Michael
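The default-and-validation logic the thread is arguing about, as an added Python example; this is not IPFire's code (vpnmain.cgi is Perl) and is not taken from the patch. It mirrors the `DNS:`/`IP:` default from the @@ -822 hunk and the empty and syntax checks from the @@ -975 hunk of the v3 patch, with the character class copied from that hunk. The reverse-lookup result is passed in as a parameter instead of calling gethostbyaddr(), so the example runs offline; two things go beyond the patch and are the hardened form a reviewer would ask for: an already-filled user value is kept rather than overwritten, and every comma-separated entry is checked, not just the type prefix of the first one. All sample names and addresses are constructed.

```python
import re
import string

# Character class copied from the @@ -975 hunk of the patched vpnmain.cgi.
# Perl and Python agree on its meaning: inside [...] the sequence ".-_" is a
# RANGE from '.' (0x2E) to '_' (0x5F), so a literal '-' is NOT accepted while
# ';', '<', '=', '>', '?', '[', '\\', ']' and '^' are.
PATCH_SAN_RE = re.compile(r'^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$')

# Corrected class: the hyphen moved to the end is literal; nothing else changes.
FIXED_SAN_RE = re.compile(r'^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,._@-]*$')

# Language keys the CGI uses for the two error cases.
ERR_MISSING = 'vpn subjectaltname missing'
ERR_SYNTAX = 'vpn altname syntax'


def default_subject_alt_name(reverse_name, ipaddr, user_value=''):
    """Default SAN as the v3 patch derives it in the @@ -822 hunk.

    reverse_name is what gethostbyaddr() returned for the RED address (passed
    in here so the example runs offline); '' means the lookup failed and the
    IP address is used instead.  Unlike the patch, a non-empty user_value is
    kept rather than overwritten (the way ROOTCERT_COUNTRY is only defaulted
    when unset).
    """
    if user_value:
        return user_value
    if reverse_name:
        return 'DNS:' + reverse_name
    return 'IP:' + ipaddr


def validate_subject_alt_name(value, pattern=FIXED_SAN_RE, per_entry=True):
    """Validation the patched CGI performs on submit.

    Returns the language key of the error that would be displayed, or None
    when the value is accepted.  pattern=PATCH_SAN_RE with per_entry=False
    reproduces the patch exactly; the defaults use the corrected class and
    additionally check every comma-separated entry, because the patch's single
    regex only anchors the type prefix of the first entry.
    """
    if value == '':
        return ERR_MISSING
    entries = value.split(',') if per_entry else [value]
    for entry in entries:
        if not pattern.match(entry):
            return ERR_SYNTAX
    return None


def unintended_characters():
    """Non-space printable ASCII accepted by the patch's class but not by the corrected one."""
    probe = string.ascii_letters + string.digits + string.punctuation
    return ''.join(sorted(c for c in probe
                          if PATCH_SAN_RE.match('DNS:' + c)
                          and not FIXED_SAN_RE.match('DNS:' + c)))


if __name__ == '__main__':
    # Constructed sample values, not taken from any real installation.
    print(default_subject_alt_name('fw.example.org', '192.0.2.1'))
    print(default_subject_alt_name('', '192.0.2.1'))
    print(validate_subject_alt_name('DNS:my-fw.example.org', PATCH_SAN_RE, False))
    print(validate_subject_alt_name('DNS:my-fw.example.org'))
    print(unintended_characters())
```

Running it shows the two practical consequences of the range: a hyphenated hostname is rejected by the patch's regex but accepted by the corrected one, and `unintended_characters()` lists exactly the punctuation the range lets through.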
Hi,
On 9 Jan 2020, at 15:20, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply. In my opinion: Partly. :-)
Actually, the code allows arbitrary user input as long as _any_ SubjectAlternativeName is provided during root/host certificate generation. As far as I can recall, this is exactly what we agreed on.
Yes, we wanted to allow users to set whatever they want here in addition to the default which is the FQDN of the firewall.
Regarding the FQDN, I do not think it makes sense to use IPFire's hostname unconditionally: Most installations will not even have a valid FQDN assigned to red0, not to mention missing DNS records if the latter one is present.
If people set an invalid FQDN, that is a configuration issue I believe.
Therefore, I consider that using the same value filled into "$ROOTCERT_HOSTNAME" as a SubjectAlternativeName makes sense.
And the default is the FQDN here?
Thanks, and best regards, Peter Müller
Hi,
I am not sure about the change of behaviour here.
I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
The code looks like it does not do that.
Did I get it wrong what we agreed on in the end?
-Michael