* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1
From: Arne Fitzenreiter @ 2020-01-11 14:20 UTC
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1 (commit)
via 22e0e241ce47979be7306fd1f15c4a48205f65ac (commit)
via 8e9f096e702d4bb7cd7ca74e40686e6a23d77abc (commit)
via 993724b4dd9837af033880d7816511818f030d59 (commit)
from fde4f231a08239cd4a1eeeb0522a781ea0371efa (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Jan 10 10:57:49 2020 +0000
unbound: No longer try to include safe-search.conf
This file is no longer generated and therefore cannot
be imported any more.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 22e0e241ce47979be7306fd1f15c4a48205f65ac
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sat Jan 11 14:17:50 2020 +0000
core140: ship updated vpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 8e9f096e702d4bb7cd7ca74e40686e6a23d77abc
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Jan 7 21:47:00 2020 +0000
update translation files for vpnmain.cgi changes
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 993724b4dd9837af033880d7816511818f030d59
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Tue Jan 7 21:47:00 2020 +0000
vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machine's hostname or IP address. Existing
certificates remain unchanged for obvious reasons.
The third version of this patch fixes a duplicate DNS query reported by Michael.
Fixes #11594
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/140/filelists/files | 1 +
config/unbound/unbound.conf | 3 ---
html/cgi-bin/vpnmain.cgi | 11 +++++++++--
langs/de/cgi-bin/de.pl | 5 +++--
langs/en/cgi-bin/en.pl | 5 +++--
5 files changed, 16 insertions(+), 9 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/140/filelists/files b/config/rootfiles/core/140/filelists/files
index a76ec6678..82c6e5ec0 100644
--- a/config/rootfiles/core/140/filelists/files
+++ b/config/rootfiles/core/140/filelists/files
@@ -8,5 +8,6 @@ etc/rc.d/init.d/suricata
opt/pakfire/etc/pakfire.conf
opt/pakfire/lib/functions.pl
srv/web/ipfire/cgi-bin/ids.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/sbin/convert-snort
usr/sbin/setup
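Review bot: the core140 filelist gains srv/web/ipfire/cgi-bin/vpnmain.cgi but no entry for etc/unbound/unbound.conf, which this same push also changes; the first seven lines of the file are outside the hunk, so confirm unbound.conf is already listed there or add it, otherwise installations updated to core140 keep the old include: line.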
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 4d492a5bc..e20c3330d 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -81,9 +81,6 @@ server:
# Include any forward zones
include: "/etc/unbound/forward.conf"
- # Include safe search settings
- include: "/etc/unbound/safe-search.conf"
-
remote-control:
control-enable: yes
control-use-cert: no
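Review bot: dropping the include: is the right fix, since unbound treats an include: of a file it cannot open as a configuration error rather than skipping it, but nothing in this push removes a stale /etc/unbound/safe-search.conf from systems where the generator has already written one; a cleanup step in the update script would keep the file from lingering and confusing later debugging.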
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..43cdc5aa0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2019 IPFire Team info(a)ipfire.org #
+# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -822,8 +822,10 @@ END
close IPADDR;
chomp ($ipaddr);
$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+ $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
}
}
$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
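Review bot: at the two added assignments SUBJECTALTNAME is overwritten unconditionally, whereas the neighbouring defaults (ROOTCERT_COUNTRY on the very next line) are applied only when the field is still empty; guarding both with `if (!$cgiparams{'SUBJECTALTNAME'})` keeps a value the administrator has already typed. The DNS: default is also whatever the PTR record for the local address returns, which need not be the name peers will use to reach the gateway; since the syntax check further down accepts comma-separated lists, defaulting to both, e.g. `"DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'} . ",IP:" . $ipaddr`, would cover peers that identify the gateway by address as well as by name.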
@@ -975,6 +977,11 @@ END
# IP: an IP address
# example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ if ($cgiparams{'SUBJECTALTNAME'} eq '') {
+ $errormessage = $Lang::tr{'vpn subjectaltname missing'};
+ goto ROOTCERT_ERROR;
+ }
+
if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
$errormessage = $Lang::tr{'vpn altname syntax'};
goto VPNCONF_ERROR;
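Review bot: the new emptiness check jumps to ROOTCERT_ERROR while the syntax check directly below jumps to VPNCONF_ERROR for the same form; verify both labels exist and that the intended one is used, since a goto to an undefined label fails at runtime in Perl. With the emptiness check in place the `ne ''` half of the following condition is redundant and can go. The retained regex still checks only the first type prefix and then accepts any run of characters from its class, commas included, so 'DNS:' with no name or 'DNS:host,notatype' pass; splitting the value on ',' and validating each item against its own prefix would close that gap.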
@@ -1129,7 +1136,7 @@ END
}
print <<END
</select></td></tr>
- <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+ <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td>
<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
<tr><td> </td>
<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
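Review bot: the hint next to the field still reads subjectAltName=email:*,URI:*,DNS:*,RID:* and omits IP:, although the new default falls back to IP: and the syntax check accepts it; add IP:* to the hint so the field now marked as required documents every form it takes.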
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2e67e495f..2cd2e24a2 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2760,7 +2760,7 @@
'vpi number' => 'VPI-Nummer:',
'vpn' => 'VPN',
'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Möglichst vermeiden (preshared Schlüssel wird im Klartext übertragen)!',
-'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info(a)ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo',
+'vpn altname syntax' => 'Der SubjectAlternativeName ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info(a)ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo',
'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld',
'vpn broken' => 'gebrochen',
'vpn connecting' => 'VERBINDUNGSAUFBAU',
@@ -2787,7 +2787,8 @@
'vpn start action start' => 'Immer An',
'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik',
'vpn statistic rw' => 'VPN: Roadwarrior-Statistik',
-'vpn subjectaltname' => 'Subjekt Alternativer Name',
+'vpn subjectaltname' => 'SubjectAlternativeName',
+'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.',
'vpn wait' => 'WARTE',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
'vpn weak' => 'schwach',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 0d30595b3..2dc325a3a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1363,7 +1363,7 @@
'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
'hostname' => 'Hostname',
'hostname and domain already in use' => 'Hostname and domain already in use.',
-'hostname cant be empty' => 'Hostname can\'t be empty.',
+'hostname cant be empty' => 'Hostname cannot be empty.',
'hostname not set' => 'Hostname not set.',
'hosts config added' => 'Hosts config added',
'hosts config changed' => 'Hosts config changed',
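Review bot: this hunk rewords an unrelated string ('hostname cant be empty') that neither the translation commit message ("update translation files for vpnmain.cgi changes") nor the vpnmain.cgi commit message mentions; either note it in the message or split it into its own commit so the change history stays searchable.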
@@ -2835,7 +2835,8 @@
'vpn start action start' => 'Always On',
'vpn statistic n2n' => 'VPN: Net-to-Net Statistics',
'vpn statistic rw' => 'VPN: Roadwarrior Statistics',
-'vpn subjectaltname' => 'Subject Alt Name',
+'vpn subjectaltname' => 'SubjectAlternativeName',
+'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.',
'vpn wait' => 'WAITING',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'vpn weak' => 'Weak',
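Review bot: typo in the new string 'vpn subjectaltname missing': 'emtpy' should be 'empty', and since this text is shown to the administrator as an error message it is worth fixing before it ships in core140.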
hooks/post-receive
--
IPFire 2.x development tree
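The commit message above explains why a SubjectAlternativeName is now mandatory and how the default is derived from the local address. The block below is an added example, not code from IPFire or from this patch; it is written in Python rather than the CGI's Perl so it runs stand-alone. It mirrors the CGI's single-regex syntax check as `legacy_accepts`, places a stricter per-item validator beside it, and reproduces the PTR-then-IP default with an injectable resolver so nothing touches the network. The function names (`legacy_accepts`, `validate_san`, `rejects`, `default_san`), the hostname and email patterns, and the sample inputs are all constructed for this example.

```python
import ipaddress
import re
import socket

# The check as it appears in vpnmain.cgi: one type prefix, then a single loose
# character class. The class admits ',' so the rest of a comma-separated list
# is never inspected item by item.
LEGACY_RE = re.compile(r'^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.\-_@]*$')


def legacy_accepts(san: str) -> bool:
    """Mirror of the CGI's test: non-empty and matching the one regex."""
    return san != '' and LEGACY_RE.match(san) is not None


SAN_TYPES = ('email', 'URI', 'DNS', 'RID', 'IP')

# Assumed patterns for the strict validator (not from the CGI):
_LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')   # one DNS label
_EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$')
_RID_RE = re.compile(r'^[0-9]+(\.[0-9]+)+$')                 # dotted OID
_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://\S+$')    # scheme://rest


def _valid_hostname(name: str) -> bool:
    name = name.rstrip('.')
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split('.'))


def validate_san(san: str):
    """Split a subjectAltName list into (type, value) pairs, checking each item.

    Raises ValueError on the first malformed item. 'email:copy' is kept as the
    special value the form's help text documents.
    """
    if san.strip() == '':
        raise ValueError('SubjectAlternativeName cannot be empty')
    entries = []
    for item in san.split(','):
        kind, sep, value = item.strip().partition(':')
        if not sep or kind not in SAN_TYPES:
            raise ValueError(f'item {item!r} lacks a known type prefix')
        if value == '':
            raise ValueError(f'empty value for {kind}')
        if kind == 'DNS' and not _valid_hostname(value):
            raise ValueError(f'invalid DNS name {value!r}')
        if kind == 'IP':
            try:
                ipaddress.ip_address(value)   # accepts IPv4 and IPv6 literals
            except ValueError:
                raise ValueError(f'invalid IP literal {value!r}') from None
        if kind == 'email' and value != 'copy' and not _EMAIL_RE.match(value):
            raise ValueError(f'invalid email address {value!r}')
        if kind == 'RID' and not _RID_RE.match(value):
            raise ValueError(f'invalid RID {value!r}')
        if kind == 'URI' and not _URI_RE.match(value):
            raise ValueError(f'invalid URI {value!r}')
        entries.append((kind, value))
    return entries


def rejects(san: str) -> bool:
    """True when validate_san refuses the string."""
    try:
        validate_san(san)
    except ValueError:
        return True
    return False


def default_san(ipaddr: str, reverse_lookup=socket.gethostbyaddr) -> str:
    """Default the way the patch does: DNS: from the PTR of the local address,
    IP: when no name comes back. reverse_lookup is injectable so callers can
    stay offline; socket.gethostbyaddr also takes IPv6 literals, unlike the
    CGI's pack("C4", ...) which only handles dotted IPv4."""
    try:
        hostname = reverse_lookup(ipaddr)[0]
    except OSError:          # socket.herror and gaierror are OSError subclasses
        hostname = ''
    return f'DNS:{hostname}' if hostname else f'IP:{ipaddr}'


if __name__ == '__main__':
    # Constructed inputs, not taken from any real IPFire system.
    samples = ('DNS:', 'DNS:fw.example.org,garbage', 'IP:10.0.0.1;id',
               'email:copy,DNS:www.ipfire.org,IP:127.0.0.1,URI:http://url/nach/irgendwo')
    for s in samples:
        verdict = 'REJECT' if rejects(s) else validate_san(s)
        print(f'{s!r}: legacy={legacy_accepts(s)} strict={verdict}')
    print(default_san('192.0.2.10', reverse_lookup=lambda ip: ('fw.example.org', [], [ip])))
```

Running the block shows the difference in behaviour the review notes point at: the single-regex check accepts 'DNS:' with no name and 'DNS:fw.example.org,garbage', while the per-item validator rejects both and returns typed pairs for a well-formed list; joining those pairs back with commas yields exactly the string openssl expects after subjectAltName=.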