From patchwork Sun Jan 5 17:54:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 2682 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 47rR9K6114z3xXr for ; Sun, 5 Jan 2020 17:54:29 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 47rR9H2tKPz2L1; Sun, 5 Jan 2020 17:54:27 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 47rR9H08CYz2xmW; Sun, 5 Jan 2020 17:54:27 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47rR9F0dmpz2xJ9 for ; Sun, 5 Jan 2020 17:54:25 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 47rR9D04MDz2L1 for ; Sun, 5 Jan 2020 17:54:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1578246864; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=cKl33zhSCLYOIP4zMgtH8IEKvCN1cxncu7YqIqNOz5nXr1UUC/d+B59ZUqH9eqzJWjTpij TCcVJ9LntRp+4l14q8FZg7ktdWKWeZsu8Lbgcaqy3gg9UMB5QCNlD1lXplP9nKUiYNTxG8 xlHQBhijBSCMKKj7/I7nB8FpwhyGCdYdZ/OozfICXcj+BM4eZaPCN6veSqS/7Rsb2TPV0y 4p5xy47vy2vA5bkDOPtmL8Hp1qY7tpKAsp/L2/fV5txAxuoo7aTXmECHEXCzD8Lop/fP4c 65dbBSumALwWXP1a8oFCURcORoDAcPjzUZZD6SIrrE3s+LRC6FftTf5Tk9Bz8Q== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1578246864; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=OIzpWTBLKi4t+RoGYMY6Hj3uUUaQd2OVU7+17+hk/X2QzVvhSAKgfiTf61fKE7arFo5tIq XFdka5IZb6p4lUCA== To: "IPFire: Development-List" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] vpnmain.cgi: set SubjectAlternativeName default during root, certificate generation Message-ID: Date: Sun, 05 Jan 2020 17:54:00 +0000 MIME-Version: 1.0 Content-Language: en-US Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise. The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software. For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machines hostname or IP address. Existing certificates remain unchanged for obvious reasons. Fixes #11594 Signed-off-by: Peter Müller --- html/cgi-bin/vpnmain.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});