[v3,1/3] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation

  Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

The third version of this patch fixes a duplicate DNS query reported by Michael.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
  

Hi,

I am not sure about the change of behaviour here.

I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.

The code looks like it does not do that.

Did I get it wrong what we agreed on in the end?

-Michael

> On 7 Jan 2020, at 21:47, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Some IPsec implementations such as OpenIKED require SubjectAlternativeName
> data on certificates and refuse to establish connections otherwise.
> 
> The StrongSwan project also recommends it (see:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
> it is currently not enforced by their IPsec software.
> 
> For convenience purposes and to raise awareness, this patch adds a default
> SubjectAlternativeName based on the machines hostname or IP address. Existing
> certificates remain unchanged for obvious reasons.
> 
> The third version of this patch fixes a duplicate DNS query reported by Michael.
> 
> Fixes #11594
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> Cc: Michael Tremer <michael.tremer@ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 33b504bc9..43cdc5aa0 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2019  IPFire Team  info@ipfire.org                       #
> +# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -822,8 +822,10 @@ END
> 			close IPADDR;
> 			chomp ($ipaddr);
> 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
> +			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
> 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
> +				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
> 			}
> 		}
> 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
> @@ -975,6 +977,11 @@ END
> 		#	IP: an IP address
> 		# example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
> 
> +		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
> +			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
> +			goto ROOTCERT_ERROR;
> +		}
> +
> 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
> 			$errormessage = $Lang::tr{'vpn altname syntax'};
> 			goto VPNCONF_ERROR;
> @@ -1129,7 +1136,7 @@ END
> 	}
> 	print <<END
> 		</select></td></tr>
> -	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
> +	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
> 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
> 	<tr><td>&nbsp;</td>
> 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
> -- 
> 2.16.4
>
  

Hello Michael,

thanks for your reply. In my opinion: Partly. :-)

Actually, the code allows arbitrary user input as log as _any_
SubjectAlternativeName is provided during root/host certificate
generation. As far as I can recall, this is exactly what we agreed
on.

Regarding the FQDN, I do not think it makes sense to use IPFire's
hostname unconditionally: Most installations will not even have a
valid FQDN assigned to red0, not to mention missing DNS records if
the latter one is present.

Thereof, I consider using the same value filled into "$ROOTCERT_HOSTNAME"
as a SubjectAlternativeName makes sense.

Thanks, and best regards,
Peter Müller


> Hi,
> 
> I am not sure about the change of behaviour here.
> 
> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
> 
> The code looks like it does not do that.
> 
> Did I get it wrong what we agreed on in the end?
> 
> -Michael
>
  

Hi,

> On 9 Jan 2020, at 15:20, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply. In my opinion: Partly. :-)
> 
> Actually, the code allows arbitrary user input as log as _any_
> SubjectAlternativeName is provided during root/host certificate
> generation. As far as I can recall, this is exactly what we agreed
> on.

Yes, we wanted to allow users to set whatever they want here in addition to the default which is the FQDN of the firewall.

> Regarding the FQDN, I do not think it makes sense to use IPFire's
> hostname unconditionally: Most installations will not even have a
> valid FQDN assigned to red0, not to mention missing DNS records if
> the latter one is present.

If people set an invalid FQDN, that is a configuration issue I believe.

> Thereof, I consider using the same value filled into "$ROOTCERT_HOSTNAME"
> as a SubjectAlternativeName makes sense.

And the default is the FQDN here?

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>> 
>> I am not sure about the change of behaviour here.
>> 
>> I thought the consensus in the telephone conference was to always set it to the FQDN of the IPFire box and accept any additional values from the user. So it will always be set.
>> 
>> The code looks like it does not do that.
>> 
>> Did I get it wrong what we agreed on in the end?
>> 
>> -Michael
>> 
>