diff --git a/roles/strongswan/defaults/main.yml b/roles/strongswan/defaults/main.yml
index 5ddb699..2506fe0 100644
--- a/roles/strongswan/defaults/main.yml
+++ b/roles/strongswan/defaults/main.yml
@@ -10,10 +10,25 @@ algo_ondemand_wifi_exclude: '_null'
 algo_dns_adblocking: false
 ipv6_support: false
 dns_encryption: true
-domain: false
 openssl_constraint_random_id: "{{ IP_subject_alt_name | to_uuid }}.algo"
-subjectAltName_IP: "{{ 'DNS:' if IP_subject_alt_name|regex_search('[a-z]') else 'IP:' }}{{ IP_subject_alt_name }}"
+subjectAltName_type: "{{ 'DNS' if IP_subject_alt_name|regex_search('[a-z]') else 'IP' }}"
+subjectAltName: >-
+  {{ subjectAltName_type }}:{{ IP_subject_alt_name }}
+  {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
 subjectAltName_USER: "email:{{ item }}@{{ openssl_constraint_random_id }}"
+nameConstraints: >-
+  permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}}
+  {%- if subjectAltName_type == 'IP' -%}
+  ,permitted;DNS:{{ openssl_constraint_random_id }}
+  {%- else -%}
+  ,excluded;IP:0.0.0.0/0.0.0.0
+  {%- endif -%}
+  ,permitted;email:{{ openssl_constraint_random_id }}
+  {%- if ipv6_support -%}
+  ,permitted;IP:{{ ansible_default_ipv6['address'] }}/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+  {%- else -%}
+  ,excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+  {%- endif -%}
 openssl_bin: openssl
 strongswan_enabled_plugins:
   - aes
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index f12c4a0..c7e193f 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
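Review bot: The new `nameConstraints` default begins with `permitted;` and so drops the `critical,` flag that the replaced line in roles/strongswan/templates/openssl.cnf.j2 (third hunk) carried; the template now renders `nameConstraints = {{ nameConstraints }}` as a non-critical extension. A verifier that does not implement name constraints is then free to ignore them instead of rejecting the chain, which undoes the purpose of restricting this CA to the server's own names, and RFC 5280 requires a CA to mark this extension critical. Either prefix the default's first line, `critical,permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}…`, or keep the flag in the template, `nameConstraints = critical,{{ nameConstraints }}`. The default also no longer defines `domain`; if config.cfg or another role still reads `domain` or `subjectAltName_DNS`, that reference is now undefined, so a grep before merge seems worthwhile.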
@@ -1,13 +1,5 @@
 ---
-- block:
-  - name: Set subjectAltName as a fact
-    set_fact:
-      subjectAltName: >-
-        {{ subjectAltName_IP }}
-        {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
-        {%- if domain and subjectAltName_DNS -%},DNS:{{ subjectAltName_DNS }}{%- endif -%}
-    tags: always
-  - debug: var=subjectAltName
 - name: Ensure the pki directory does not exist
diff --git a/roles/strongswan/templates/openssl.cnf.j2 b/roles/strongswan/templates/openssl.cnf.j2
index 25b048c..fa22017 100644
--- a/roles/strongswan/templates/openssl.cnf.j2
+++ b/roles/strongswan/templates/openssl.cnf.j2
@@ -120,7 +120,8 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = critical,CA:true,pathlen:0
-nameConstraints = critical,permitted;{{ subjectAltName_IP }}/255.255.255.255{{ ',permitted;IP:' + ansible_default_ipv6['address'] + '/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' if ipv6_support else '' }}{{ ',permitted;DNS:' + subjectAltName_DNS if domain and subjectAltName_DNS else '' }},permitted;DNS:{{ openssl_constraint_random_id }},permitted;email:{{ openssl_constraint_random_id }}
+nameConstraints = {{ nameConstraints }}
+
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
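Review bot: The line `nameConstraints = {{ nameConstraints }}` no longer tells a reader of this template what the CA is being limited to or where the list is assembled, which matters for a setting that decides which names the CA may ever sign; a comment above it such as `# Built from the strongswan role default 'nameConstraints' (roles/strongswan/defaults/main.yml): permits only this server's SAN and the random-id email names, excludes other IP ranges.` keeps that visible next to the other extension lines. Because `nameConstraints` is an ordinary role default, a host, group or extra var of the same name replaces the entire list silently; a more specific name, for example `openssl_name_constraints`, would make any override deliberate and easy to grep. The surrounding `[ ca ]` extension section starts before this hunk.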