Age | Commit message (Collapse) | Author |
|
Add possibility to provide a full CA chain to the openconnect server.
* Support multiple CA certificates
* For every CA certificate specified, always determine the full certificate
chain in the background and add the necessary SSL certificates
(cherry picked from commit 973f06c00b902c43dfea34bdf01bdec7c599c452)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
(cherry picked from commit f29caa824c02c833a3978b9236391e4277c1a6ba)
|
|
Commit 9f9891a2099 ("pki: T6241: Fix dependency updates on PKI changes") added
a print() statement which notified the users about the subsystems which got
supplied with an updated certificate.
Example:
> PKI: Updating config: interfaces openvpn vtun0 tls certificate openvpn_vtun0
> PKI: Updating config: interfaces openvpn vtun0 tls ca_certificate openvpn_vtun0_1
This is an informational message which should maybe (if needed) be sent to
syslog. But the main issue is that CLI paths are mangled (- to _) which makes
the about print output wrong and could potentially confuse users.
Statement has been commented to be re-enabled for debugging.
(cherry picked from commit a4d49a96918c0f0dac3d17f9cf3a5b8f3a9505c0)
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
* install_certificate() code path handles private_key=None &
key_passphrase=None OK already
* file and console output paths will error trying to encode None as a key
* This is only an issue for a couple of the generate_*_sign() functions,
where having a null private key is possible
* Self-signing and CA creation always generate a private key
* Certreqs will generate a private key if not already provided
* Do not prompt for a private key passphrase if we aren't giving back a
private key
(cherry picked from commit d2cf8eeee9053d04f34c5e8a22373290d078ab37)
Co-authored-by: Andrew Topp <andrewt@telekinetica.net>
|
|
Migration script introduced in commit 0f669a226 ("openvpn: T5487: Remove
eprecated option --cipher for server and client mode") lacked executable
permission.
|
|
op-mode: T6407: "generate pki" missed to mangle in ACME certificates when required
|
|
required
If the requested certificate to generate an Apple IOS profile was based on an
ACME certificate, we also need to mangle in the ACME certs content to retrieve
the certificates issuer name.
|
|
openvpn: T5487: Remove deprecated option --cipher for server and client mode
|
|
T6456: Convert "monitor traffic" to modern op-mode wrapper
|
|
T6045: Recreate show lldp detail views & improve remote port selection
|
|
output
|
|
|
|
The old "monitor traffic" definition had misaligned arguments under the verbose node
and manually offered the same parameter keyword in multiple positions to emulate
flexible parameters.
I've wrapped tcpdump for op-mode and replicated the "varargs" style from mtr.py/mtr.xml.in
to present a few more parameters in a more flexible manner.
Changes to the Makefile were required for recursive varargs lookup.
|
|
If the remote device has explicitly sent the interface name as the portID,
we should use that first as the interface name, before working through
the previous priority order.
I've brought back LLDP detail views directly calling lldpcli. This can be
extended to render a template from op_mode/lldp.py, but lldpcli isn't bad
at rendering readable info. Raw mode (including detailed raw) is still
accessible for programmatic access.
|
|
firewall: T3900: fix migration and smoketests
|
|
Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall")
changed the position in the CLI for conntrack timeout. This lead to failing
smoketests because of a regression in the migrator.
|
|
T6442: CGNAT add log for address allocation
|
|
vyos.utils: T5195: import vyos.cpu to this package
|
|
Add the configuration command to log current CGNAT allocation
set nat cgnat log-allocation
|
|
|
|
|
|
The intention of vyos.utils package is to have a common ground for repeating
actions/helpers. This is also true for number of CPUs and their respective
core count.
Move vyos.cpu to vyos.utils.cpu
|
|
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation
|
|
pki: T6463: reverse-proxy service not reloaded when updating SSL certificate(s)
|
|
firewall: T3900: T6394: remove unused import
|
|
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
|
|
The haproxy reverse proxy was not reloaded/restarted with the new SSL
certificate(s) after a change in the PKI subsystem. This was due to missing
dependencies.
|
|
With commit 770edf016838 ("T3900: T6394: extend functionalities in firewall;
move netfilter sysctl timeout parameters defined in conntrack to firewall
global-opton section.") the import of the glob module is no longer
required.
Found my running: make unused-imports
|
|
|
|
Fix external address/port allocation for CGN.
It fixes some cases where external address/ports can be allocated again
to another user.
|
|
T3900: Add support for raw tables in firewall
|
|
|
|
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
nat64: T6403: validate source prefix for RFC compliance
|
|
|
|
|
|
Simplest fix is to comply with RFC6052. The code change is just masking
out the relevant bits and ensuring they're zeroed.
|
|
Unset params would mistakenly match when None and trigger a validation error even when used params were unique.
Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are
unique together appropriately.
|
|
dns: T6422: allow multiple redundant NS records
|
|
added new syntax to work with class match filters in QoS policy
|
|
This was a leftover from the early days.
|
|
style fixes
|
|
reverse-proxy: T6409: Remove unused backend parameters
|
|
|
|
op-mode: ipsec: T6407: fix profile generation
|
|
NS is unlike CNAME or PTR, multiple NS records are perfectly valid and is a common use case: multiple redundant DNS servers is a common configuration and should be supported.
|
|
reverse-proxy: T6419: build full CA chain when verifying backend server
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
|