From: Arne Fitzenreiter
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1
Date: Sat, 11 Jan 2020 14:20:30 +0000
Message-ID: <47w27f4GGCz2y1R@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1 (commit)
       via  22e0e241ce47979be7306fd1f15c4a48205f65ac (commit)
       via  8e9f096e702d4bb7cd7ca74e40686e6a23d77abc (commit)
       via  993724b4dd9837af033880d7816511818f030d59 (commit)
      from  fde4f231a08239cd4a1eeeb0522a781ea0371efa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 34ae42da0f2b25c2dc89313dcf0adb3ed88a4ae1
Author: Michael Tremer
Date:   Fri Jan 10 10:57:49 2020 +0000

    unbound: No longer try to include safe-search.conf

    This file is no longer generated and therefore cannot be imported
    any more.

    Signed-off-by: Michael Tremer
    Signed-off-by: Arne Fitzenreiter

commit 22e0e241ce47979be7306fd1f15c4a48205f65ac
Author: Arne Fitzenreiter
Date:   Sat Jan 11 14:17:50 2020 +0000

    core140: ship updated vpnmain.cgi

    Signed-off-by: Arne Fitzenreiter

commit 8e9f096e702d4bb7cd7ca74e40686e6a23d77abc
Author: Peter Müller
Date:   Tue Jan 7 21:47:00 2020 +0000

    update translation files for vpnmain.cgi changes

    Signed-off-by: Peter Müller
Signed-off-by: Arne Fitzenreiter commit 993724b4dd9837af033880d7816511818f030d59 Author: Peter M=C3=BCller Date: Tue Jan 7 21:47:00 2020 +0000 vpnmain.cgi: set SubjectAlternativeName default during root certificate g= eneration =20 Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise. =20 The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software. =20 For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machines hostname or IP address. Exis= ting certificates remain unchanged for obvious reasons. =20 The third version of this patch fixes a duplicate DNS query reported by M= ichael. =20 Fixes #11594 =20 Signed-off-by: Peter M=C3=BCller Cc: Michael Tremer Signed-off-by: Arne Fitzenreiter ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/140/filelists/files | 1 + config/unbound/unbound.conf | 3 --- html/cgi-bin/vpnmain.cgi | 11 +++++++++-- langs/de/cgi-bin/de.pl | 5 +++-- langs/en/cgi-bin/en.pl | 5 +++-- 5 files changed, 16 insertions(+), 9 deletions(-) Difference in files: diff --git a/config/rootfiles/core/140/filelists/files b/config/rootfiles/cor= e/140/filelists/files index a76ec6678..82c6e5ec0 100644 --- a/config/rootfiles/core/140/filelists/files +++ b/config/rootfiles/core/140/filelists/files @@ -8,5 +8,6 @@ etc/rc.d/init.d/suricata opt/pakfire/etc/pakfire.conf opt/pakfire/lib/functions.pl srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/sbin/convert-snort usr/sbin/setup diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 4d492a5bc..e20c3330d 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf 
@@ -81,9 +81,6 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf" =20 - # Include safe search settings - include: "/etc/unbound/safe-search.conf" - remote-control: control-enable: yes control-use-cert: no diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..43cdc5aa0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2019 IPFire Team info(a)ipfire.org = # +# Copyright (C) 2007-2020 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} =3D (gethostbyaddr(pack("C4", split(/\./,= $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} =3D "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} =3D $ipaddr; + $cgiparams{'SUBJECTALTNAME'} =3D "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; } } $cgiparams{'ROOTCERT_COUNTRY'} =3D $vpnsettings{'ROOTCERT_COUNTRY'} if (!$= cgiparams{'ROOTCERT_COUNTRY'}); @@ -975,6 +977,11 @@ END # IP: an IP address # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com =20 + if ($cgiparams{'SUBJECTALTNAME'} eq '') { + $errormessage =3D $Lang::tr{'vpn subjectaltname missing'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ = /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { $errormessage =3D $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR; @@ -1129,7 +1136,7 @@ END } print < - $Lang::tr{'vpn subjectaltname'} (subjectAltName=3Dem= ail:*,URI:*,DNS:*,RID:*) + $Lang::tr{'vpn subjectaltname'} (subjectAltName=3Dem= ail:*,URI:*,DNS:*,RID:*) 3D'*'  


diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2e67e495f..2cd2e24a2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2760,7 +2760,7 @@ 'vpi number' =3D> 'VPI-Nummer:', 'vpn' =3D> 'VPN', 'vpn aggrmode' =3D> 'IKE Aggressive Mode zugelassen. M=C3=B6glichst vermeide= n (preshared Schl=C3=BCssel wird im Klartext =C3=BCbertragen)!', -'vpn altname syntax' =3D> 'Der Subjekt Alternativ Name ist eine durch Komma = getrennte Liste von Email, DNS, URI, RID und IP Objekten.
Email: eine E= mail Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertif= ikatfeld.
DNS: ein g=C3=BCltiger Domain Name.
URI: eine g=C3=BClti= ge URI.
RID: Registriertes Objekt Identifikation.
IP: eine IP Adres= se.
Bitte beachten: der Zeichensatz ist eingeschr=C3=A4nkt und die Gro= =C3=9F-/Kleinschreibung ist entscheidend.
Beispiel:
email:in= fo(a)ipfire.org,email:copy,DNS:www.ipfire.org,IP:127.0.0= .1,URI:http://url/nach/irgendwo', +'vpn altname syntax' =3D> 'Der SubjectAlternativeName ist eine durch Komma g= etrennte Liste von Email, DNS, URI, RID und IP Objekten.
Email: eine Em= ail Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifi= katfeld.
DNS: ein g=C3=BCltiger Domain Name.
URI: eine g=C3=BCltig= e URI.
RID: Registriertes Objekt Identifikation.
IP: eine IP Adress= e.
Bitte beachten: der Zeichensatz ist eingeschr=C3=A4nkt und die Gro=C3= =9F-/Kleinschreibung ist entscheidend.
Beispiel:
email:info(= a)ipfire.org,email:copy,DNS:www.ipfire.org,IP:127.0.0.1<= b>,URI:http://url/nach/irgendwo', 'vpn auth-dn' =3D> 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQ= DN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld', 'vpn broken' =3D> 'gebrochen', 'vpn connecting' =3D> 'VERBINDUNGSAUFBAU', @@ -2787,7 +2787,8 @@ 'vpn start action start' =3D> 'Immer An', 'vpn statistic n2n' =3D> 'VPN: Netz-zu-Netz-Statistik', 'vpn statistic rw' =3D> 'VPN: Roadwarrior-Statistik', -'vpn subjectaltname' =3D> 'Subjekt Alternativer Name', +'vpn subjectaltname' =3D> 'SubjectAlternativeName', +'vpn subjectaltname missing' =3D> 'SubjectAlternativeName darf nicht leer bl= eiben.', 'vpn wait' =3D> 'WARTE', 'vpn watch' =3D> 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP =C3=A4nd= ert (DynDNS).', 'vpn weak' =3D> 'schwach', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0d30595b3..2dc325a3a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1363,7 +1363,7 @@ 'host to net vpn' =3D> 'Host-to-Net Virtual Private Network (RoadWarrior)', 'hostname' =3D> 'Hostname', 'hostname and domain already in use' =3D> 'Hostname and domain already in us= e.', -'hostname cant be empty' =3D> 'Hostname can\'t be empty.', +'hostname cant be empty' =3D> 'Hostname cannot be empty.', 'hostname not set' =3D> 'Hostname not set.', 'hosts config added' =3D> 'Hosts config added', 'hosts config changed' =3D> 'Hosts config changed', 
@@ -2835,7 +2835,8 @@ 'vpn start action start' =3D> 'Always On', 'vpn statistic n2n' =3D> 'VPN: Net-to-Net Statistics', 'vpn statistic rw' =3D> 'VPN: Roadwarrior Statistics', -'vpn subjectaltname' =3D> 'Subject Alt Name', +'vpn subjectaltname' =3D> 'SubjectAlternativeName', +'vpn subjectaltname missing' =3D> 'SubjectAlternativeName cannot be emtpy.', 'vpn wait' =3D> 'WAITING', 'vpn watch' =3D> 'Restart net-to-net vpn when remote peer IP changes (dyndns= ).', 'vpn weak' =3D> 'Weak', hooks/post-receive -- IPFire 2.x development tree --===============0089427672828104673==--
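Review bot: in the vpnmain.cgi hunk at @@ -822,8 +822,10 @@, the SubjectAlternativeName default is taken from a reverse lookup (gethostbyaddr) of the interface address, so the prefilled value is whatever the PTR record for that IP says and is only validated later by the altname regex in the submit path; that is fine for a form default, but a short comment stating that the value is untrusted until validated would help the next reader. In the fallback branch, `$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};` reads as if a hostname were placed after `IP:`; it is only correct because ROOTCERT_HOSTNAME was overwritten with $ipaddr on the preceding line, and `"IP:" . $ipaddr` would say directly what is meant.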
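Review bot: in the vpnmain.cgi hunk at @@ -975,6 +977,11 @@, the new empty check jumps to ROOTCERT_ERROR while the existing syntax check for the same field, two lines below, jumps to VPNCONF_ERROR; if both checks belong to the root certificate form they should use the same label, otherwise please confirm the different targets are intended. With the empty case now rejected first, the `$cgiparams{'SUBJECTALTNAME'} ne '' &&` guard in the following condition is redundant and can be dropped.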
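Review bot: in the vpnmain.cgi hunk at @@ -1129,7 +1136,7 @@, the form label still lists only email:*,URI:*,DNS:*,RID:*; IP:* is accepted by the regex in the submit check and is exactly what the new default produces when no hostname resolves, so the label should list IP:* as well.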
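Review bot: in the en.pl hunk at @@ -2835,7 +2835,8 @@, the new string 'vpn subjectaltname missing' has a typo: 'emtpy' should be 'empty'. This is a user-facing error message, so please fix it before the core140 release; the German counterpart in de.pl is correct.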