Dan Guido | 0aaca43019
Security Hardening and Certificate Authority Constraints (#14811)
* Security hardening and certificate authority constraints
This commit addresses Issues #75 and #14804 with defensive security
enhancements that provide additional protection layers for edge case
scenarios.
## Issue #75: Technically Constrain Root CA
- Add pathlen:0 basic constraints preventing subordinate CA creation
- Implement name constraints restricting certificate issuance to specific IPs
- Add extended key usage restrictions limiting CA scope to VPN certificates
- Separate client/server certificate extensions (serverAuth vs clientAuth)
- Enhanced CA with critical constraints for defense-in-depth when CA keys saved
## Issue #14804: Comprehensive SystemD Security Hardening
- WireGuard: Added systemd hardening as additional defense-in-depth
- StrongSwan: Enhanced systemd configuration complementing AppArmor profiles
- dnscrypt-proxy: Additional systemd security alongside AppArmor protection
- Applied privilege restrictions, filesystem isolation, and system call filtering
## Technical Changes
- CA certificate constraints only relevant when users opt to save CA keys
- SystemD hardening provides additional isolation layers beyond existing AppArmor
- Enhanced client certificate validation for iOS/macOS profiles
- Reliable AppArmor profile enforcement for Ubuntu 22.04
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Address PR review feedback and improve code quality
## Fixes Based on Review Feedback:
### Handler Consistency Issues
- Fix notification naming: "daemon reload" → "daemon-reload" for consistency
- Update deprecated syntax: `daemon_reload: yes` → `daemon_reload: true`
### Enhanced CA Certificate Constraints
- Add .mil and .int to excluded DNS domains for completeness
- Add .mil and .int to excluded email domains for consistency
- Add explanatory comment for openssl_constraint_random_id security purpose
## Technical Improvements:
- Ensures proper handler invocation across DNS and WireGuard services
- Provides more comprehensive CA name constraints protection
- Documents the security rationale for UUID-based CA constraints
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Address PR review feedback - improve documentation and fix duplicate key
- Add IPv6 documentation range (2001:db8::/32) to excluded ranges
- Add explanatory comment for CA name constraints defense-in-depth purpose
- Remove duplicate DisableMOBIKE key from iOS configuration
- Add comprehensive comments to iOS/macOS mobileconfig parameters
- Explain MOBIKE, redirect disabling, certificate type, and routing settings
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
2025-08-04 20:22:41 -07:00
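The Issue #75 constraints listed in the commit message, as an added example that is not part of this commit or of Algo's playbooks: a POSIX shell script builds a root CA carrying pathlen:0, a permitted subtree for the single VPN server IP, the .mil/.int DNS and email exclusions, the 2001:db8::/32 exclusion and a serverAuth/clientAuth EKU, then issues several leaves and asks `openssl verify` which chains it accepts. It assumes only the openssl CLI (1.1.1 or 3.x); the IPs, CNs, file names and the CA_ID that stands in for openssl_constraint_random_id are constructed.

```shell
#!/bin/sh
# Added example, not Algo's own code: root CA with the constraints described above,
# plus leaves that show what each constraint blocks. Assumes the openssl CLI;
# every IP, CN and file name below is constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
VPN_IP="203.0.113.10"              # constructed server address (TEST-NET-3)
CA_ID="constructed-constraint-id"  # stands in for Algo's openssl_constraint_random_id
csr() {  # csr NAME CN: fresh P-256 key plus a CSR with the given subject
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}
sign() {  # sign ISSUER NAME EXT...: issue NAME from ISSUER with the given extension lines
  iss=$1; name=$2; shift 2; printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$iss.crt" -CAkey "$WORK/$iss.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}
verify_cert() {  # verify_cert PURPOSE NAME [UNTRUSTED]: 0 when OpenSSL accepts the chain
  p=$1; leaf=$WORK/$2.crt; shift 2; [ $# -gt 0 ] && set -- -untrusted "$WORK/$1.crt"
  openssl verify -purpose "$p" -CAfile "$WORK/ca.crt" "$@" "$leaf" >/dev/null 2>&1
}
build_pki() {
  csr ca "$CA_ID"   # root: critical constraints, cannot delegate to a subordinate CA
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "extendedKeyUsage=serverAuth,clientAuth" \
    "nameConstraints=critical,permitted;IP:$VPN_IP/255.255.255.255,excluded;DNS:.mil,excluded;DNS:.int,excluded;email:.mil,excluded;email:.int,excluded;IP:2001:db8::/ffff:ffff:0:0:0:0:0:0" \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  csr server vpn-server; sign ca server "extendedKeyUsage=serverAuth" "subjectAltName=IP:$VPN_IP"
  csr client alice;      sign ca client "extendedKeyUsage=clientAuth"
  csr rogue_mil vpn;     sign ca rogue_mil "extendedKeyUsage=serverAuth" "subjectAltName=DNS:vpn.example.mil"
  csr other_ip vpn;      sign ca other_ip "extendedKeyUsage=serverAuth" "subjectAltName=IP:198.51.100.5"
  csr sub sub-ca;        sign ca sub "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign"
  csr deep vpn-server;   sign sub deep "extendedKeyUsage=serverAuth" "subjectAltName=IP:$VPN_IP"
}
check() {  # check LABEL EXPECT PURPOSE NAME [UNTRUSTED]: print and compare one verify result
  label=$1; want=$2; shift 2; if verify_cert "$@"; then got=ok; else got=fail; fi
  printf '%-36s %s (expected %s)\n' "$label" "$got" "$want"; [ "$got" = "$want" ]
}
demo() {  # returns 1 if any constraint was not enforced
  build_pki; rc=0
  check "server leaf, permitted IP SAN"   ok   sslserver server    || rc=1
  check "client leaf as sslclient"        ok   sslclient client    || rc=1
  check "server leaf as sslclient (EKU)"  fail sslclient server    || rc=1
  check "SAN under excluded .mil"         fail sslserver rogue_mil || rc=1
  check "SAN IP outside permitted set"    fail sslserver other_ip  || rc=1
  check "leaf below a sub-CA (pathlen:0)" fail sslserver deep sub  || rc=1
  return $rc
}
demo
```

Note that OpenSSL only enforces these constraints at verification time, which is why the iOS/macOS and strongSwan clients, not the CA, are the point at which a mis-issued certificate is actually rejected.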