This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1 (commit)
       via  22e0e241ce47979be7306fd1f15c4a48205f65ac (commit)
       via  8e9f096e702d4bb7cd7ca74e40686e6a23d77abc (commit)
       via  993724b4dd9837af033880d7816511818f030d59 (commit)
      from  fde4f231a08239cd4a1eeeb0522a781ea0371efa (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jan 10 10:57:49 2020 +0000
unbound: No longer try to include safe-search.conf
This file is no longer generated and therefore cannot be imported any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 22e0e241ce47979be7306fd1f15c4a48205f65ac
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Sat Jan 11 14:17:50 2020 +0000
core140: ship updated vpnmain.cgi
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8e9f096e702d4bb7cd7ca74e40686e6a23d77abc
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Jan 7 21:47:00 2020 +0000
update translation files for vpnmain.cgi changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 993724b4dd9837af033880d7816511818f030d59
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Jan 7 21:47:00 2020 +0000
vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machine's hostname or IP address. Existing certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/140/filelists/files |  1 +
 config/unbound/unbound.conf               |  3 ---
 html/cgi-bin/vpnmain.cgi                  | 11 +++++++++--
 langs/de/cgi-bin/de.pl                    |  5 +++--
 langs/en/cgi-bin/en.pl                    |  5 +++--
 5 files changed, 16 insertions(+), 9 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/140/filelists/files b/config/rootfiles/core/140/filelists/files index a76ec6678..82c6e5ec0 100644 --- a/config/rootfiles/core/140/filelists/files +++ b/config/rootfiles/core/140/filelists/files @@ -8,5 +8,6 @@ etc/rc.d/init.d/suricata opt/pakfire/etc/pakfire.conf opt/pakfire/lib/functions.pl srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/convert-snort usr/sbin/setup diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 4d492a5bc..e20c3330d 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -81,9 +81,6 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf"
- # Include safe search settings - include: "/etc/unbound/safe-search.conf" - remote-control: control-enable: yes control-use-cert: no diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..43cdc5aa0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); @@ -975,6 +977,11 @@ END # IP: an IP address # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ if ($cgiparams{'SUBJECTALTNAME'} eq '') { + $errormessage = $Lang::tr{'vpn subjectaltname missing'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { $errormessage = $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR; @@ -1129,7 +1136,7 @@ END } print <<END </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> <tr><td> </td> <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2e67e495f..2cd2e24a2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -2760,7 +2760,7 @@ 'vpi number' => 'VPI-Nummer:', 'vpn' => 'VPN', 'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Möglichst vermeiden (preshared Schlüssel wird im Klartext übertragen)!', -'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: 'copy' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo', +'vpn altname syntax' => 'Der SubjectAlternativeName ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: 'copy' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo', 'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld', 'vpn broken' => 'gebrochen', 'vpn connecting' => 'VERBINDUNGSAUFBAU', 
@@ -2787,7 +2787,8 @@ 'vpn start action start' => 'Immer An', 'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik', 'vpn statistic rw' => 'VPN: Roadwarrior-Statistik', -'vpn subjectaltname' => 'Subjekt Alternativer Name', +'vpn subjectaltname' => 'SubjectAlternativeName', +'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', 'vpn weak' => 'schwach', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0d30595b3..2dc325a3a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1363,7 +1363,7 @@ 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', -'hostname cant be empty' => 'Hostname can't be empty.', +'hostname cant be empty' => 'Hostname cannot be empty.', 'hostname not set' => 'Hostname not set.', 'hosts config added' => 'Hosts config added', 'hosts config changed' => 'Hosts config changed', @@ -2835,7 +2835,8 @@ 'vpn start action start' => 'Always On', 'vpn statistic n2n' => 'VPN: Net-to-Net Statistics', 'vpn statistic rw' => 'VPN: Roadwarrior Statistics', -'vpn subjectaltname' => 'Subject Alt Name', +'vpn subjectaltname' => 'SubjectAlternativeName', +'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'vpn weak' => 'Weak',
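Review bot: In the vpnmain.cgi hunk at @@ -822,8 +822,10 @@ the default SubjectAlternativeName is assigned unconditionally whenever the hostname lookup runs, so any value already present in $cgiparams{'SUBJECTALTNAME'} (for instance one the user typed before the form was redisplayed) is silently replaced. Guard both new assignments with `if ($cgiparams{'SUBJECTALTNAME'} eq '')`, and in the fallback branch write `"IP:" . $ipaddr` directly instead of reading the IP back out of ROOTCERT_HOSTNAME, which makes the DNS-versus-IP intent obvious.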
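Review bot: In the vpnmain.cgi hunk at @@ -975,6 +977,11 @@ the new empty check jumps to ROOTCERT_ERROR while the syntax check immediately below it jumps to VPNCONF_ERROR; two adjacent checks on the same field in the same validation path should land on the same label, so confirm which one renders the root-certificate form and align them. With the field now mandatory, the `ne ''` half of the syntax condition is redundant and can go. The character class in that regex is shown as `[a-zA-Z0-9 :/,.-_@]`; if the hyphen is not escaped in the real source, `.-_` is a range that also admits `;`, `<`, `=`, `>`, `?`, `[`, `\`, `]` and `^`, far wider than the comment above it suggests, so check that it reads `\-` or that the hyphen sits last in the class.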
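Review bot: In the vpnmain.cgi hunk at @@ -1129,7 +1136,7 @@ the label still reads `(subjectAltName=email:*,URI:*,DNS:*,RID:*)` although both the validation regex and the new default accept and emit `IP:`; add `IP:*` to the hint so the field that is now marked as required documents the very value it is prefilled with.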
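Review bot: The en.pl hunk at @@ -1363,7 +1363,7 @@ changes 'hostname cant be empty' from "can't" to "cannot", which has nothing to do with the SubjectAlternativeName translations named in the commit subject; it belongs in its own commit, or at least in the commit message, so the history stays easy to bisect.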
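Review bot: In the en.pl hunk at @@ -2835,7 +2835,8 @@ the new string 'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.' misspells "empty"; this is the user-visible error raised by the new check in vpnmain.cgi, so correct it to 'SubjectAlternativeName cannot be empty.' before shipping (the German counterpart in de.pl is fine).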
hooks/post-receive -- IPFire 2.x development tree