Need review of adding X.509 certs to Strongswan
Philip Prindeville
philipp_subx at redfish-solutions.com
Fri Jan 22 19:46:29 EST 2021
I'll try splitting it into smaller pieces as well.
https://github.com/openwrt/packages/pull/14535
> On Jan 22, 2021, at 11:47 AM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
>
> Hi,
>
> I posted the following PR some time ago (late November) and it's languishing:
>
> https://github.com/openwrt/packages/pull/14028
>
> Can I get some reviews of it?
>
> X.509 authentication is a more attractive alternative to simple PSK authentication (more entropy, less susceptible to dictionary attacks, etc).
>
> It's a short series of commits that do:
>
> * suppress multiple logging in /var/log/messages for authentication messages;
> * adds the /etc/swanctl/conf.d/ which is read from /etc/swanctl/swanctl.conf but doesn't exist;
> * cleans up some of the UCI and corrects the handling of the "updown" and "firewall" scripts (there is no "left" or "right" version, since it's always local by definition);
> * adds new parameters "reauth", "fragmentation", "closeaction", "mobile" for greater completeness;
> * the X.509 support, which is the most important part of this PR, but is actually a fairly trivial change;
> * add support for a global "setup" config section, which contains the "cachecrls", "charondebug", "strictcrlpolicy", and "uniqueids" parameters;
>
> It's all Shell and UCI changes, and the relevant .conf generation. Pretty straightforward.
>
> Thanks,
>
> -Philip
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list