wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 07:33:52 +02:00
Code Issues Projects Releases Wiki Activity

Add ipv6 address to subjectAltName if supported (#881)

Browse source 
CHANGELOG

Some changes

Some changes
This commit is contained in:
Jack Ivanov 2018-04-24 02:06:34 +03:00 committed by Dan Guido
parent f585a416df
commit ed6e2d998d
4 changed files with 22 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
CHANGELOG.md Normal file
View file

@ -0,0 +1,9 @@
## 19 Apr 2018
### Added
- IPv6 in subjectAltName of the certificates. This allows connecting to the Algo instance via the main IPv6 address
### Fixed
- IPv6 DNS addresses were not passing to the client
### Release notes
- In order to use the IPv6 address as the connection endpoint you need to [reinit](https://github.com/trailofbits/algo/blob/master/config.cfg#L14) the PKI and [reconfigure](https://github.com/trailofbits/algo#configure-the-vpn-clients) your devices with new certificates.

3
roles/vpn/defaults/main.yml
View file

@ -1,4 +1,7 @@
---
ipv6_support: false
domain: false
subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
openssl_bin: openssl
strongswan_enabled_plugins:
- aes

14
roles/vpn/tasks/openssl.yml
View file

@ -1,11 +1,15 @@
---
- block:
- name: Set subjectAltName as a fact
set_fact:
subjectAltName: "{{ subjectAltName_IP }}{% if ipv6_support and ansible_default_ipv6 %},IP:{{ ansible_default_ipv6['address'] }}{% endif %}{% if domain and subjectAltName_DNS %},DNS:{{ subjectAltName_DNS }}{% endif %}"
tags: always
- name: Ensure the pki directory does not exist
file:
dest: configs/{{ IP_subject_alt_name }}/pki
state: absent
when: easyrsa_reinit_existent == True
when: easyrsa_reinit_existent|bool == True
- name: Ensure the pki directories exist
file:
@ -41,7 +45,7 @@
{{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
{{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/cakey.pem
-out cacert.pem -x509 -days 3650
-batch
@ -68,7 +72,7 @@
shell: >
{{ openssl_bin }} req -utf8 -new
-newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes
-passin pass:"{{ easyrsa_CA_password }}"
@ -76,7 +80,7 @@
{{ openssl_bin }} ca -utf8
-in reqs/{{ IP_subject_alt_name }}.req
-out certs/{{ IP_subject_alt_name }}.crt
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-days 3650 -batch
-passin pass:"{{ easyrsa_CA_password }}"
-subj "/CN={{ IP_subject_alt_name }}" &&

2
roles/vpn/templates/ipsec.conf.j2
View file

@ -31,7 +31,7 @@ conn %default
{% if local_dns is defined and local_dns == "Y" %}
rightdns={{ local_service_ip }}
{% else %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
conn ikev2-pubkey