[v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
| Message ID | 95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org |
|---|---|
| State | Accepted |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 47rRXp0ndFz3yQR for <patchwork@web04.haj.ipfire.org>; Sun, 5 Jan 2020 18:11:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 47rRXn0ZHJz2JJ; Sun, 5 Jan 2020 18:11:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 47rRXm6NRYz2xdK; Sun, 5 Jan 2020 18:11:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47rRXk6tZ9z2xcM for <development@lists.ipfire.org>; Sun, 5 Jan 2020 18:11:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 47rRXj59Djz2JJ for <development@lists.ipfire.org>; Sun, 5 Jan 2020 18:11:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1578247878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=eG9mLIvCXLCRxzpCpwoSmSgKzoYUf/q+hlZ5wSJfx7XRsbipnnKbpyeWRDpaW4/GOaQ5wz OEMpYbLQlMNjIvEgYabDid5WBUZ8Wfu9ihnekfUNMrLrAepdMs6p7XBqpIBLrXg9OUs2Re v3sVzS3lmrkRh2UPaSZu5OlFLVdIBSebfN6p6rL3WyJ80cqV2ARaXBcOlepk6WAzBE36PU voTcq7DD7X23fIza0twPTTavoDP5EwbA4HNux3QcMYAIr4gSTodv16CNuXpiOp5qd9FE51 sgB+J/v2uzTYtF4i06Q/DbjaHUT0r9VuL8LwjznkHwT8WOzQz2mHSFOC758a6w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1578247878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=uBhE/yP46PHpX0TrwYSYmpkVQdKRo+L08yamt0ASGqBBm4756unvCAvtGMFc2QuVb3PkKz U7Okj4cdjT9EaMAA== Subject: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> To: "IPFire: Development-List" <development@lists.ipfire.org> References: <b67cba4c-38e6-7477-2ac2-e2a4df87680a@ipfire.org> Message-ID: <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org> Date: Sun, 05 Jan 2020 18:11:00 +0000 MIME-Version: 1.0 In-Reply-To: <b67cba4c-38e6-7477-2ac2-e2a4df87680a@ipfire.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
[v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation
|
|
Commit Message
Peter Müller
Jan. 5, 2020, 6:11 p.m. UTC
Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.
The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.
For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.
Fixes #11594
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
html/cgi-bin/vpnmain.cgi | 2 ++
1 file changed, 2 insertions(+)
Comments
Hello, > On 5 Jan 2020, at 18:11, Peter Müller <peter.mueller@ipfire.org> wrote: > > Some IPsec implementations such as OpenIKED require SubjectAlternativeName > data on certificates and refuse to establish connections otherwise. > > The StrongSwan project also recommends it (see: > https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although > it is currently not enforced by their IPsec software. > > For convenience purposes and to raise awareness, this patch adds a default > SubjectAlternativeName based on the machines hostname or IP address. Existing > certificates remain unchanged for obvious reasons. > > Fixes #11594 > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > html/cgi-bin/vpnmain.cgi | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index 33b504bc9..9b7bd81ca 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -822,8 +822,10 @@ END > close IPADDR; > chomp ($ipaddr); > $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; This relies on DNS working at the time of generating the certificate which obviously is a very bad idea. Since the original code is like this, I guess there is not point in changing it, but you could have however just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup. > if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; > + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; > } > } Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured? -Michael > $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); > -- > 2.16.4 >
Hello Michael, hello *, > Hello, > >> On 5 Jan 2020, at 18:11, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Some IPsec implementations such as OpenIKED require SubjectAlternativeName >> data on certificates and refuse to establish connections otherwise. >> >> The StrongSwan project also recommends it (see: >> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although >> it is currently not enforced by their IPsec software. >> >> For convenience purposes and to raise awareness, this patch adds a default >> SubjectAlternativeName based on the machines hostname or IP address. Existing >> certificates remain unchanged for obvious reasons. >> >> Fixes #11594 >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> html/cgi-bin/vpnmain.cgi | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> index 33b504bc9..9b7bd81ca 100644 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -822,8 +822,10 @@ END >> close IPADDR; >> chomp ($ipaddr); >> $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; >> + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > > This relies on DNS working at the time of generating the certificate which obviously is a very bad idea. I consider this being useful if a machine has a correct hostname set. If it fails, the CGI will fall back to the IP address assigned to red0/ppp0. > > Since the original code is like this, I guess there is not point in changing it, but you could have however just copied the value of ROOTCERT_HOSTNAME to avoid a second DNS lookup. Agreed. I will hand in a third version of this patch. > >> if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { >> $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; >> + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; >> } >> } > > Does overwriting SUBJECTALTNAME work? There is a place where the user can set this. Is that still being honoured? As far as I am concerned, yes. Thanks, and best regards, Peter Müller > > -Michael > >> $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); >> -- >> 2.16.4 >> >
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});