| field | value | |
|---|---|---|
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-04-09 09:22:56 +0000 |
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-04-09 09:22:56 +0000 |
| commit | 360dba98ba678692e46482beae42a1c7bf1d4b33 (patch) | |
| tree | fa1db227a0a803c1183e9c4a119b385e1ca7f737 | /debian |
| parent | 02c055c1366d390f55b20801a40d9d94e72efd19 (diff) | |
| download | vyos-strongswan-360dba98ba678692e46482beae42a1c7bf1d4b33.tar.gz, vyos-strongswan-360dba98ba678692e46482beae42a1c7bf1d4b33.zip | |
Sync postinst, rules, and debconf handling with openswan.
Diffstat (limited to 'debian')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | debian/changelog | 4 |
| -rw-r--r-- | debian/control | 18 |
| -rwxr-xr-x | debian/rules | 2 |
| -rw-r--r-- | debian/strongswan-starter.config | 61 |
| -rw-r--r-- | debian/strongswan-starter.postinst | 210 |
| -rw-r--r-- | debian/strongswan-starter.templates | 220 |
6 files changed, 287 insertions, 228 deletions
diff --git a/debian/changelog b/debian/changelog index 19f68a49a..35a33b255 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,10 @@ strongswan (4.3.6-1) unstable; urgency=low * New upstream release, now build-depends on gperf. * Switch to dpkg-source 3.0 (quilt) format + * Synchronize debconf handling with current openswan 2.6.25 package to keep + X509 certificate handling etc. similar. Thanks to Harald Jenny for + implementing these changes in openswan, which I just converted to + strongswan. -- Rene Mayrhofer <rmayr@debian.org> Tue, 23 Feb 2010 10:39:21 +0000 diff --git a/debian/control b/debian/control index 53a616ffe..ec25da5ce 100644 --- a/debian/control +++ b/debian/control @@ -2,8 +2,10 @@ Source: strongswan Section: net Priority: optional Maintainer: Rene Mayrhofer <rmayr@debian.org> -Standards-Version: 3.8.1 -Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf +Standards-Version: 3.8.4 +Vcs-Browser: http://wiki.strongswan.org/repositories/show/strongswan +Vcs-Git: http://wiki.strongswan.org/repositories/show/strongswan +Build-Depends: debhelper (>= 7.1), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf Homepage: http://www.strongswan.org Package: strongswan 
@@ -35,6 +37,18 @@ Description: strongSwan utility and crypto library components. It is built in a modular way and is extendable through various plugins. +Package: strongswan-dbg +Architecture: any +Section: debug +Priority: extra +Depends: ${misc:Depends}, strongswan +Description: strongSwan library and binaries - debugging symbols + StrongSwan is an IPsec-based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + This package provides the symbols needed for debugging of strongswan. + Package: strongswan-starter Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2 diff --git a/debian/rules b/debian/rules index e2c40f268..a6fe632b5 100755 --- a/debian/rules +++ b/debian/rules @@ -142,7 +142,7 @@ binary-common: dh_installchangelogs NEWS dh_installdocs README dh_link - dh_strip + dh_strip --dbg-package=strongswan-dbg dh_compress dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d dh_makeshlibs diff --git a/debian/strongswan-starter.config b/debian/strongswan-starter.config index eb5f2c2dd..cb9de0964 100644 --- a/debian/strongswan-starter.config +++ b/debian/strongswan-starter.config @@ -2,8 +2,6 @@ . /usr/share/debconf/confmodule -db_input medium strongswan/start_level || true - # disable for now, until we can deal with the don't-edit-conffiles situation #db_input high strongswan/ikev1 || true #db_input high strongswan/ikev2 || true 
@@ -12,36 +10,37 @@ db_input medium strongswan/restart || true db_input high strongswan/enable-oe || true -db_input high strongswan/create_rsa_key || true -db_go || true - -db_get strongswan/create_rsa_key +db_get strongswan/install_x509_certificate if [ "$RET" = "true" ]; then - # create a new certificate - db_input medium strongswan/rsa_key_length || true - db_input high strongswan/x509_self_signed || true - # we can't allow the country code to be empty - openssl will - # refuse to create a certificate this way - countrycode="" - while [ -z "$countrycode" ]; do - db_input medium strongswan/x509_country_code || true - db_go || true - db_get strongswan/x509_country_code - countrycode="$RET" - done - db_input medium strongswan/x509_state_name || true - db_input medium strongswan/x509_locality_name || true - db_input medium strongswan/x509_organization_name || true - db_input medium strongswan/x509_organizational_unit || true - db_input medium strongswan/x509_common_name || true - db_input medium strongswan/x509_email_address || true + db_input high strongswan/how_to_get_x509_certificate || true db_go || true -else - db_get strongswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - # existing certificate - use it - db_input critical strongswan/existing_x509_certificate_filename || true - db_input critical strongswan/existing_x509_key_filename || true - db_go || true + + db_get strongswan/how_to_get_x509_certificate + if [ "$RET" = "create" ]; then + # create a new certificate + db_input medium strongswan/rsa_key_length || true + db_input high strongswan/x509_self_signed || true + # we can't allow the country code to be empty - openssl will + # refuse to create a certificate this way + countrycode="" + while [ -z "$countrycode" ]; do + db_input medium strongswan/x509_country_code || true + db_go || true + db_get strongswan/x509_country_code + countrycode="$RET" + done + db_input medium strongswan/x509_state_name || true + db_input medium 
strongswan/x509_locality_name || true + db_input medium strongswan/x509_organization_name || true + db_input medium strongswan/x509_organizational_unit || true + db_input medium strongswan/x509_common_name || true + db_input medium strongswan/x509_email_address || true + db_go || true + elif [ "$RET" = "import" ]; then + # existing certificate - use it + db_input critical strongswan/existing_x509_certificate_filename || true + db_input critical strongswan/existing_x509_key_filename || true + db_input critical strongswan/existing_x509_rootca_filename || true + db_go || true fi fi diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst index c63273dc2..98de3493c 100644 --- a/debian/strongswan-starter.postinst +++ b/debian/strongswan-starter.postinst 
@@ -32,39 +32,20 @@ set -e CONF_FILE=/var/lib/strongswan/ipsec.conf.inc SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc -insert_private_key_filename() { - if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then - echo ": RSA $1" >> $SECRETS_FILE - fi +Warn () +{ + echo "$*" >&2 } -IPSEC_SECRETS_PATTERN_1=': RSA {' -IPSEC_SECRETS_PATTERN_2=' # yyy' -IPSEC_SECRETS_PATTERN_3=' }' -IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' +Error () +{ + Warn "Error: $*" +} -# remove old, misguided attempts at a default ipsec.secrets files -repair_legacy_secrets() { - if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE | - tail --lines=2 | - grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | - tail --lines=1 | - grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then - echo "Old default config file detected, removing the old defaults now." - umask 077 ; ( - # this is ugly, and someone maybe can formulate this in sed, but - # this was the quickest way for me - line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1` - until=`expr $line - 1` - head -n $until $SECRETS_FILE - sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1` - from=`expr $sum - $line -1` - tail -n $from $SECRETS_FILE - ) > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - fi +insert_private_key_filename() { + if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then + echo ": RSA $1" >> $SECRETS_INC_FILE + fi } make_x509_cert() { 
@@ -142,87 +123,110 @@ disable_daemon_start() { case "$1" in configure) - db_get strongswan/create_rsa_key + db_get strongswan/install_x509_certificate if [ "$RET" = "true" ]; then - repair_legacy_secrets - # OK, ipsec.secrets should now be correct - # create a new keypair - host=`hostname` - newkeyfile="/etc/ipsec.d/private/${host}Key.pem" - newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # create a new certificate - db_get strongswan/rsa_key_length - keylength=$RET - db_get strongswan/x509_self_signed - selfsigned=$RET - db_get strongswan/x509_country_code - countrycode=$RET - if [ -z "$countrycode" ]; then countrycode="."; fi - db_get strongswan/x509_state_name - statename=$RET - if [ -z "$statename" ]; then statename="."; fi - db_get strongswan/x509_locality_name - localityname=$RET - if [ -z "$localityname" ]; then localityname="."; fi - db_get strongswan/x509_organization_name - orgname=$RET - if [ -z "$orgname" ]; then orgname="."; fi - db_get strongswan/x509_organizational_unit - orgunit=$RET - if [ -z "$orgunit" ]; then orgunit="."; fi - db_get strongswan/x509_common_name - commonname=$RET - if [ -z "$commonname" ]; then commonname="."; fi - db_get strongswan/x509_email_address - email=$RET - if [ -z "$email" ]; then email="."; fi - make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" - chmod 0600 "$newkeyfile" - umask 077 - insert_private_key_filename "$newkeyfile" - echo "Successfully created x509 certificate." 
- fi - else - db_get strongswan/existing_x509_certificate - if [ "$RET" = "true" ]; then + db_get strongswan/how_to_get_x509_certificate + if [ "$RET" = "create" ]; then + # extract the key from a (newly created) x509 certificate + host=`hostname` + newkeyfile="/etc/ipsec.d/private/${host}Key.pem" + newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." + Error "$newcertfile or $newkeyfile already exists." + Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair." else - # existing certificate - use it - db_get strongswan/existing_x509_certificate_filename - certfile=$RET - db_get strongswan/existing_x509_key_filename - keyfile=$RET - if [ ! -r $certfile ] || [ ! -r $keyfile ]; then - echo "Either the certificate or the key file could not be read !" - else - cp "$certfile" /etc/ipsec.d/certs - umask 077 - cp "$keyfile" "/etc/ipsec.d/private" - newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" - chmod 0600 "$newkeyfile" - insert_private_key_filename "$newkeyfile" - echo "Successfully extracted RSA key from existing x509 certificate." 
- fi + # create a new certificate + db_get strongswan/rsa_key_length + keylength=$RET + db_get strongswan/x509_self_signed + selfsigned=$RET + db_get strongswan/x509_country_code + countrycode=$RET + if [ -z "$countrycode" ]; then countrycode="."; fi + db_get strongswan/x509_state_name + statename=$RET + if [ -z "$statename" ]; then statename="."; fi + db_get strongswan/x509_locality_name + localityname=$RET + if [ -z "$localityname" ]; then localityname="."; fi + db_get strongswan/x509_organization_name + orgname=$RET + if [ -z "$orgname" ]; then orgname="."; fi + db_get strongswan/x509_organizational_unit + orgunit=$RET + if [ -z "$orgunit" ]; then orgunit="."; fi + db_get strongswan/x509_common_name + commonname=$RET + if [ -z "$commonname" ]; then commonname="."; fi + db_get strongswan/x509_email_address + email=$RET + if [ -z "$email" ]; then email="."; fi + make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" + chmod 0600 "$newkeyfile" + umask 077 + insert_private_key_filename "$newkeyfile" + echo "Successfully created x509 certificate." + fi + elif [ "$RET" = "import" ]; then + # existing certificate - use it + db_get strongswan/existing_x509_certificate_filename + certfile=$RET + db_get strongswan/existing_x509_key_filename + keyfile=$RET + db_get strongswan/existing_x509_rootca_filename + cafile=$RET + + if [ ! "$certfile" ] || [ ! "$keyfile" ]; then + Error "Either the certificate or the key filename is not specified." + elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then + Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link." + elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! 
"`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then + Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file." + elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then + Error "The certificate or the key file contains the rootca - unable to import automatically." + elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then + Error "The certificate file contains more than one certificate - unable to import automatically." + elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then + Error "The key file contains an encrypted key - unable to import automatically." + else + newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")" + newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")" + if [ "$cafile" ]; then + newcafile="/etc/ipsec.d/private/$(basename "$cafile")" + else + newcafile="" + fi + + if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then + Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists." + Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"." + else + openssl x509 -in $certfile -out $newcertfile 2>/dev/null + umask 077 + openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null + chmod 0600 "$newkeyfile" + insert_private_key_filename "$newkeyfile" + cp "$cafile" /etc/ipsec.d/cacerts + echo "Successfully integrated existing x509 certificate." + fi fi fi + db_set strongswan/install_x509_certificate false fi - # figure out the correct start time - db_get strongswan/start_level - if [ "$RET" = "earliest" ]; then - LEVELS="start 41 S . stop 34 0 6 ." - elif [ "$RET" = "after NFS" ]; then - LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." - else - LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." + # lets see if we are already using dependency based booting or the correct runlevel parameters + if ! 
( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then + db_fset strongswan/runlevel_changes seen false + db_input high strongswan/runlevel_changes || true + db_go + + # if the admin did not change the runlevels which got installed by older packages we can modify them + if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then + update-rc.d -f ipsec remove + fi + + update-rc.d ipsec defaults 16 84 > /dev/null fi - update-rc.d ipsec $LEVELS > /dev/null db_get strongswan/enable-oe if [ "$RET" != "true" ]; then diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates index 8d239c271..a330005a9 100644 --- a/debian/strongswan-starter.templates +++ b/debian/strongswan-starter.templates 
@@ -7,33 +7,27 @@ # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers. -Template: strongswan/start_level -Type: select -__Choices: earliest, after NFS, after PCMCIA -Default: earliest -_Description: When to start strongSwan: - StrongSwan starts during system startup so that it can protect filesystems - that are automatically mounted. - . - * earliest: if /usr is not mounted through NFS and you don't use a - PCMCIA network card, it is best to start strongSwan as soon as - possible, so that NFS mounts can be secured by IPSec; - * after NFS: recommended when /usr is mounted through NFS and no - PCMCIA network card is used; - * after PCMCIA: recommended if the IPSec connection uses a PCMCIA - network card or if it needs keys to be fetched from a locally running DNS - server with DNSSec support. +Template: strongswan/runlevel_changes +Type: note +_Description: Old runlevel management superseded + Previous versions of the strongSwan package allowed the user to choose between + three different Start/Stop-Levels. Due to changes in the standard system + startup procedure, this is no longer necessary and useful. For all new + installations as well as old ones running in any of the predefined modes, + sane default levels set will now be set. If you are upgrading from a previous + version and changed your strongSwan startup parameters, then please take a + look at NEWS.Debian for instructions on how to modify your setup accordingly. Template: strongswan/restart Type: boolean Default: true -_Description: Restart strongSwan now? - Restarting strongSwan is recommended, because if there is a security fix, it - will not be applied until the daemon restarts. However, this might close - existing connections and then bring them back up. - . - If you don't restart strongSwan now, you should do so manually at the first - opportunity. +_Description: Do you wish to restart strongSwan? 
+ Restarting strongSwan is a good idea, since if there is a security fix, it + will not be fixed until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However, this might take down + existing connections and then bring them back up (including the connection + currently used for this update, so it is recommended not to restart if you + are using any of the tunnel for administration). Template: strongswan/ikev1 Type: boolean 
@@ -49,118 +43,162 @@ _Description: Start strongSwan's IKEv2 daemon? The charon daemon must be running to support version 2 of the Internet Key Exchange protocol. -Template: strongswan/create_rsa_key +Template: strongswan/install_x509_certificate Type: boolean -Default: true -_Description: Create an RSA public/private keypair for this host? - StrongSwan can use a Pre-Shared Key (PSK) or an RSA keypair to authenticate - IPSec connections to other hosts. RSA authentication is generally considered - more secure and is easier to administer. You can use PSK and RSA authentication - simultaneously. +Default: false +_Description: Do you want to use a X509 certificate for this host? + This installer can automatically create or import a X509 certificate for + this host. It can be used to authenticate IPsec connections to other hosts + and is the preferred way for building up secure IPsec connections. The other + possibility would be to use shared secrets (passwords that are the same on + both sides of the tunnel) for authenticating an connection, but for a larger + number of connections, key based authentication is easier to administer and + more secure. . - If you do not want to create a new public/private keypair, you can choose to - use an existing one in the next step. + If you do not want to this now you can answer "No" and later use the command + "dpkg-reconfigure openswan" to come back. -Template: strongswan/existing_x509_certificate -Type: boolean -Default: false -_Description: Use an existing X.509 certificate for strongSwan? - The required information can automatically be extracted from an - existing X.509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. - You should choose this option if you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections. 
+Template: strongswan/how_to_get_x509_certificate +Type: select +__Choices: create, import +Default: create +_Description: Methods for using a X509 certificate to authenticate this host: + It is possible to create a new X509 certificate with user-defined settings + or to import an existing public and private key stored in PEM file(s) for + authenticating IPsec connections. + . + If you choose to create a new X509 certificate you will first be presented + a number of questions which must be answered before the creation can start. + Please keep in mind that if you want the public key to get signed by + an existing certification authority you should not select to create a + self-signed certificate and all the answers given must match exactly the + requirements of the CA, otherwise the certificate request may be rejected. + . + In case you want to import an existing public and private key you will be + prompted for their filenames (may be identical if both parts are stored + together in one file). Optionally you may also specify a filename where the + public key(s) of the certification authority are kept, but this file cannot + be the same as the former ones. Please be also aware that the format for the + X509 certificates has to be PEM and that the private key must not be encrypted + or the import procedure will fail. Template: strongswan/existing_x509_certificate_filename Type: string -_Description: File name of your X.509 certificate in PEM format: - Please enter the full location of the file containing your X.509 - certificate in PEM format. +_Description: Please enter the location of your X509 certificate in PEM format: + Please enter the location of the file containing your X509 certificate in + PEM format. Template: strongswan/existing_x509_key_filename Type: string -_Description: File name of your existing X.509 private key in PEM format: - Please enter the full location of the file containing the private RSA key - matching your X.509 certificate in PEM format. 
This can be the same file - as the X.509 certificate. +_Description: Please enter the location of your X509 private key in PEM format: + Please enter the location of the file containing the private RSA key + matching your X509 certificate in PEM format. This can be the same file + that contains the X509 certificate. + +Template: strongswan/existing_x509_rootca_filename +Type: string +_Description: You may now enter the location of your X509 RootCA in PEM format: + Optionally you can now enter the location of the file containing the X509 + certificate authority root used to sign your certificate in PEM format. If you + do not have one or do not want to use it please leave the field empty. Please + note that it's not possible to store the RootCA in the same file as your X509 + certificate or private key. Template: strongswan/rsa_key_length Type: string Default: 2048 -_Description: RSA key length: - Please enter the length of RSA key you wish to generate. A value of less than - 1024 bits is not considered secure. A value of more than 2048 bits will - probably affect performance. +_Description: Please enter which length the created RSA key should have: + Please enter the length of the created RSA key. it should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 4096 bits because it only slows the + authentication process down and is not needed at the moment. Template: strongswan/x509_self_signed Type: boolean Default: true -_Description: Create a self-signed X.509 certificate? - Only self-signed X.509 certificates can be created +_Description: Do you want to create a self-signed X509 certificate? + This installer can only create self-signed X509 certificates automatically, because otherwise a certificate authority is needed to sign - the certificate request. + the certificate request. 
If you want to create a self-signed certificate, + you can use it immediately to connect to other IPsec hosts that support + X509 certificate for authentication of IPsec connections. However, if you + want to use the new PKI features of strongSwan >= 1.91, you will need to + have all X509 certificates signed by a single certificate authority to + create a trust path. . - If you accept this option, the certificate created can be used - immediately to connect to other IPSec hosts that support authentication via - an X.509 certificate. However, using strongSwan's PKI features requires a - trust path to be created by having all X.509 certificates signed by a single + If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request + and you will have to sign the certificate request with your certificate authority. - . - If you do not accept this option, only the RSA private key will be created, - along with a certificate request which you will need to have signed by a - certificate authority. Template: strongswan/x509_country_code Type: string Default: AT -_Description: Country code for the X.509 certificate request: - Please enter the two-letter ISO3166 country code that should be - used in the certificate request. +_Description: Please enter the country code for the X509 certificate request: + Please enter the 2 letter country code for your country. This code will be + placed in the certificate request. + . + You really need to enter a valid country code here, because openssl will + refuse to generate certificates without one. An empty field is allowed for + any other field of the X.509 certificate, but not for this one. . - This field is mandatory; otherwise a certificate cannot be generated. 
+ Example: AT Template: strongswan/x509_state_name Type: string Default: -_Description: State or province name for the X.509 certificate request: - Please enter the full name of the state or province to include in - the certificate request. +_Description: Please enter the state or province name for the X509 certificate request: + Please enter the full name of the state or province you live in. This name + will be placed in the certificate request. + . + Example: Upper Austria Template: strongswan/x509_locality_name Type: string -Default: -_Description: Locality name for the X.509 certificate request: - Please enter the locality name (often a city) - that should be used in the certificate request. +Default: +_Description: Please enter the locality name for the X509 certificate request: + Please enter the locality (e.g. city) where you live. This name will be + placed in the certificate request. + . + Example: Vienna Template: strongswan/x509_organization_name Type: string -Default: -_Description: Organization name for the X.509 certificate request: - Please enter the organization name (often a company) - that should be used in the certificate request. +Default: +_Description: Please enter the organization name for the X509 certificate request: + Please enter the organization (e.g. company) that the X509 certificate + should be created for. This name will be placed in the certificate + request. + . + Example: Debian Template: strongswan/x509_organizational_unit Type: string -Default: -_Description: Organizational unit for the X.509 certificate request: - Please enter the organizational unit name (often a department) - that should be used in the certificate request. +Default: +_Description: Please enter the organizational unit for the X509 certificate request: + Please enter the organizational unit (e.g. section) that the X509 + certificate should be created for. This name will be placed in the + certificate request. + . 
+ Example: security group Template: strongswan/x509_common_name Type: string -Default: -_Description: Common name for the X.509 certificate request: - Please enter the common name (such as the host name of this machine) - that should be used in the certificate request. +Default: +_Description: Please enter the common name for the X509 certificate request: + Please enter the common name (e.g. the host name of this machine) for + which the X509 certificate should be created for. This name will be placed + in the certificate request. + . + Example: gateway.debian.org Template: strongswan/x509_email_address Type: string -Default: -_Description: Email address for the X.509 certificate request: - Please enter the email address (for the individual or organization responsible) - that should be used in the certificate request. +Default: +_Description: Please enter the email address for the X509 certificate request: + Please enter the email address of the person or organization who is + responsible for the X509 certificate, This address will be placed in the + certificate request. Template: strongswan/enable-oe Type: boolean |
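Review bot: in the first debian/control hunk, Vcs-Git is set to http://wiki.strongswan.org/repositories/show/strongswan, which is the same browse page already given as Vcs-Browser rather than a cloneable repository URL; Vcs-Git should carry the git URL of the packaging repository (and point at the packaging repository, not upstream's source tree). While Build-Depends is being edited anyway, note that network-manager-dev appears twice in both the old and the new line, once unversioned and once as `network-manager-dev (>= 0.7)`; the unversioned entry can be dropped.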
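Review bot: in the strongswan-dbg stanza of the second debian/control hunk, `Depends: ${misc:Depends}, strongswan` ties the debug symbols only to the metapackage. Symbols are only useful for the exact build they were stripped from, so the usual form is a strictly versioned dependency on the packages whose binaries `dh_strip --dbg-package=strongswan-dbg` feeds into it, e.g. `Depends: ${misc:Depends}, libstrongswan (= ${binary:Version})` plus the daemon packages; otherwise a partial upgrade can leave symbols that do not match the installed libraries.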
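Review bot: in the second strongswan-starter.config hunk, `db_input high strongswan/create_rsa_key || true` and its `db_go` are deleted and replaced by a bare `db_get strongswan/install_x509_certificate`, but no `db_input` for strongswan/install_x509_certificate is added anywhere in this diff. Unless that question is asked somewhere outside the patch, db_get only returns the template default (`Default: false` in the new template), so the create/import branch can never be reached interactively; add `db_input high strongswan/install_x509_certificate || true` followed by `db_go || true` before the db_get.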
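Review bot: in the first strongswan-starter.postinst hunk, the rewritten insert_private_key_filename tests and appends to `$SECRETS_INC_FILE`, but the variable defined in the unchanged context just above is `SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc`. If SECRETS_INC_FILE is not set elsewhere in the script, the `[ -e ]` test is always false and `echo ": RSA $1" >> $SECRETS_INC_FILE` expands to a redirection without a target, which fails and, under `set -e`, aborts the postinst after the key has already been written; rename it to `$SECRETS_FILE` or define SECRETS_INC_FILE. Since repair_legacy_secrets is removed here, also confirm no remaining call site still references it.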
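Review bot: in the configure hunk of strongswan-starter.postinst, the import branch copies the root CA unconditionally: `cp "$cafile" /etc/ipsec.d/cacerts` runs even when the optional CA filename was left empty, so `cp ""` fails and `set -e` aborts the script right after the key has been installed; guard it with `[ "$cafile" ] &&`. The existence check for the CA also looks in the wrong directory: newcafile is built as `/etc/ipsec.d/private/$(basename "$cafile")` while the copy goes to /etc/ipsec.d/cacerts, so a clash in cacerts is never detected. Smaller points in the same hunk: the PEM check `grep 'BEGIN RSA PRIVATE KEY'` rejects PKCS#8 keys (`BEGIN PRIVATE KEY`) that `openssl rsa` would read, so either accept both headers or state in the template that only the traditional RSA format is accepted; `openssl x509 -in $certfile` and the grep calls leave the user-supplied paths unquoted; the value of strongswan/rsa_key_length is handed to make_x509_cert without checking that it is a number; in the create branch `umask 077` is set only after make_x509_cert has written the key, so unless that function sets its own umask the key briefly exists with the default mode before the chmod 0600; and "Please remove them first an then re-run" should read "and then". In the runlevel block, `db_go` lacks the `|| true` every other db_go in the script has, so a non-zero debconf return aborts the postinst, and `$runlevels` is compared against several strings but assigned nowhere in this hunk; confirm it is computed earlier in the script.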
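Review bot: in the first strongswan-starter.templates hunk, the new strongswan/restart wording has slips that should be fixed before translators pick it up: "it will not be fixed until the daemon restarts" (a fix is applied, not fixed) and "if you are using any of the tunnel for administration" (should be "any of the tunnels"); in strongswan/runlevel_changes, "sane default levels set will now be set" duplicates "set". Bear in mind the header comment in this file: rewording an existing template fuzzies all of its translations, so the change to the restart text is worth keeping minimal.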
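Review bot: in the second strongswan-starter.templates hunk, strongswan/install_x509_certificate tells the user to come back with "dpkg-reconfigure openswan"; this is the strongswan-starter package, so it must read "dpkg-reconfigure strongswan-starter". The same copy-over shows in strongswan/x509_self_signed, which refers to "the new PKI features of strongSwan >= 1.91": no strongSwan release carries that number (the project's first release was 2.0), so drop the version or name the actual feature. Smaller points: "unsecure" in rsa_key_length should be "insecure" and "it should not be less than" should start with a capital; "a X509 certificate" should be "an X.509 certificate", matching the spelling used by the older text and by the country-code template in this same hunk; and the `Default:` lines for the state, locality, organization, unit, common-name and email templates now carry trailing whitespace (the `-Default:` / `+Default: ` pairs), which is pure churn and should be reverted.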