nameConstraints to a random generated uuid

2025-08-02 02:43:01 +02:00 · 2020-01-07 15:53:40 +01:00 · 2020-01-07 15:53:40 +01:00 · c4a020e162
commit c4a020e162
parent 2a3b821f01
3 changed files with 4 additions and 4 deletions
--- a/roles/strongswan/defaults/main.yml
+++ b/roles/strongswan/defaults/main.yml
@ -11,9 +11,9 @@ algo_dns_adblocking: false
 ipv6_support: false
 dns_encryption: true
 domain: false
-openssl_user_domain: algo.vpn
+openssl_constraint_random_id: "{{ IP_subject_alt_name | to_uuid }}"
 subjectAltName_IP: "{{ 'DNS:' if IP_subject_alt_name|regex_search('[a-z]') else 'IP:' }}{{ IP_subject_alt_name }}"
-subjectAltName_USER: "email:{{ item }}@{{ openssl_user_domain }}"
+subjectAltName_USER: "email:{{ item }}@{{ openssl_constraint_random_id }}"
 openssl_bin: openssl
 strongswan_enabled_plugins:
  - aes
--- a/roles/strongswan/templates/mobileconfig.j2
+++ b/roles/strongswan/templates/mobileconfig.j2
@ -93,7 +93,7 @@
                    <integer>1440</integer>
                </dict>
                <key>LocalIdentifier</key>
-                <string>{{ item.0 }}@{{ openssl_user_domain }}</string>
+                <string>{{ item.0 }}@{{ openssl_constraint_random_id }}</string>
                <key>PayloadCertificateUUID</key>
                <string>{{ pkcs12_PayloadCertificateUUID }}</string>
                <key>CertificateType</key>
--- a/roles/strongswan/templates/openssl.cnf.j2
+++ b/roles/strongswan/templates/openssl.cnf.j2
@ -120,7 +120,7 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always

 basicConstraints = critical,CA:true,pathlen:0
-nameConstraints = critical,permitted;{{ subjectAltName_IP }}/255.255.255.255{{ ',permitted;IP:' + ansible_default_ipv6['address'] + '/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' if ipv6_support else '' }}{{ ',permitted;DNS:' + subjectAltName_DNS if domain and subjectAltName_DNS else '' }},permitted;DNS:algo.local,permitted;email:{{ openssl_user_domain }}
+nameConstraints = critical,permitted;{{ subjectAltName_IP }}/255.255.255.255{{ ',permitted;IP:' + ansible_default_ipv6['address'] + '/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' if ipv6_support else '' }}{{ ',permitted;DNS:' + subjectAltName_DNS if domain and subjectAltName_DNS else '' }},permitted;DNS:{{ openssl_constraint_random_id }},permitted;email:{{ openssl_constraint_random_id }}

 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.