From patchwork Tue Jan  7 21:47:00 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 2685
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 47smDx1dQJz3xY5
	for <patchwork@web04.haj.ipfire.org>; Tue,  7 Jan 2020 21:47:13 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 47smDw0V57z1qy;
	Tue,  7 Jan 2020 21:47:12 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 47smDv6lWkz2xqD;
	Tue,  7 Jan 2020 21:47:11 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47smDs6fxyz2xqD
 for <development@lists.ipfire.org>; Tue,  7 Jan 2020 21:47:09 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 47smDr6DPcz2L2
 for <development@lists.ipfire.org>; Tue,  7 Jan 2020 21:47:08 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909ed25519; t=1578433629;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=cBSCsfBnmD+HXmVrJX7qtcSBW6vw2HPIOLwPmzB3Y5I=;
 b=E4z8+gCUL6WvxOi1haow7Bs8vi4mpi/OwqgYzwfoj8ZyxHWQ6ShEBQqJ7ZIvo5dnuSzpLx
 avaOXfHk/Bi4OaCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909rsa;
 t=1578433629;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=cBSCsfBnmD+HXmVrJX7qtcSBW6vw2HPIOLwPmzB3Y5I=;
 b=nqRKTfFcDQdKog3BJQOg0sTCPcg0y4yNWPp2D+lNJyh4vN+6i4BWKVqhLoDxno228/riLs
 eFzxIlxAhfeBN5MZeS8ITLWj64d0yJguj8M2Xsp4skNHkQUK1Q99zI7+ignGOPvh/JU94m
 3sjUtFyiahhEOi/NqUo3XCiuVIpaIyxz9Ie3EGr/14UZUYfhsBxiY7cF7O0szXqtMOV8MS
 n4a/sNLFssOBaBPxsm1lgUHXDvK9kuO2JZjEKsCMvD06h2nx7j6tIB5VLA2+eoIAB5vGK/
 vcClZeTDfH3U/8KBPvmBJ1LviJetALqCbw2zTjonfk6iwC97dH4Lp6u9KWbgKw==
Subject: [PATCH v3 1/3] vpnmain.cgi: set SubjectAlternativeName default during
 root certificate generation
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
To: "IPFire: Development-List" <development@lists.ipfire.org>
References: <b67cba4c-38e6-7477-2ac2-e2a4df87680a@ipfire.org>
 <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org>
Message-ID: <09672616-f2e0-2f1e-6d38-a30d5d70dae5@ipfire.org>
Date: Tue, 07 Jan 2020 21:47:00 +0000
MIME-Version: 1.0
In-Reply-To: <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org>
Content-Language: en-US
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Some IPsec implementations such as OpenIKED require SubjectAlternativeName
data on certificates and refuse to establish connections otherwise.

The StrongSwan project also recommends it (see:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although
it is currently not enforced by their IPsec software.

For convenience purposes and to raise awareness, this patch adds a default
SubjectAlternativeName based on the machines hostname or IP address. Existing
certificates remain unchanged for obvious reasons.

The third version of this patch fixes a duplicate DNS query reported by Michael.

Fixes #11594

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 33b504bc9..43cdc5aa0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  info@ipfire.org                       #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -822,8 +822,10 @@ END
 			close IPADDR;
 			chomp ($ipaddr);
 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			}
 		}
 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
@@ -975,6 +977,11 @@ END
 		#	IP: an IP address
 		# example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
 
+		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
+			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
+			goto ROOTCERT_ERROR;
+		}
+
 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
 			$errormessage = $Lang::tr{'vpn altname syntax'};
 			goto VPNCONF_ERROR;
@@ -1129,7 +1136,7 @@ END
 	}
 	print <<END
 		</select></td></tr>
-	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
 	<tr><td>&nbsp;</td>
 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>