From patchwork Sun Jan 5 18:11:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 2683 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 47rRXp0ndFz3yQR for ; Sun, 5 Jan 2020 18:11:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 47rRXn0ZHJz2JJ; Sun, 5 Jan 2020 18:11:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 47rRXm6NRYz2xdK; Sun, 5 Jan 2020 18:11:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47rRXk6tZ9z2xcM for ; Sun, 5 Jan 2020 18:11:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 47rRXj59Djz2JJ for ; Sun, 5 Jan 2020 18:11:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1578247878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=eG9mLIvCXLCRxzpCpwoSmSgKzoYUf/q+hlZ5wSJfx7XRsbipnnKbpyeWRDpaW4/GOaQ5wz OEMpYbLQlMNjIvEgYabDid5WBUZ8Wfu9ihnekfUNMrLrAepdMs6p7XBqpIBLrXg9OUs2Re v3sVzS3lmrkRh2UPaSZu5OlFLVdIBSebfN6p6rL3WyJ80cqV2ARaXBcOlepk6WAzBE36PU voTcq7DD7X23fIza0twPTTavoDP5EwbA4HNux3QcMYAIr4gSTodv16CNuXpiOp5qd9FE51 sgB+J/v2uzTYtF4i06Q/DbjaHUT0r9VuL8LwjznkHwT8WOzQz2mHSFOC758a6w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1578247878; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mv822rK67wL+6l7WIhA8p78upqFll8pgy6CeYLiIbl4=; b=uBhE/yP46PHpX0TrwYSYmpkVQdKRo+L08yamt0ASGqBBm4756unvCAvtGMFc2QuVb3PkKz U7Okj4cdjT9EaMAA== Subject: [PATCH v2] vpnmain.cgi: set SubjectAlternativeName default during root certificate generation From: =?utf-8?q?Peter_M=C3=BCller?= To: "IPFire: Development-List" References: Message-ID: <95311e7b-d60b-6a2f-e0af-95988d874fe7@ipfire.org> Date: Sun, 05 Jan 2020 18:11:00 +0000 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Some IPsec implementations such as OpenIKED require SubjectAlternativeName data on certificates and refuse to establish connections otherwise. The StrongSwan project also recommends it (see: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) although it is currently not enforced by their IPsec software. For convenience purposes and to raise awareness, this patch adds a default SubjectAlternativeName based on the machines hostname or IP address. Existing certificates remain unchanged for obvious reasons. Fixes #11594 Signed-off-by: Peter Müller --- html/cgi-bin/vpnmain.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 33b504bc9..9b7bd81ca 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -822,8 +822,10 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $ipaddr; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});