Add ipv6 address to subjectAltName if supported (trailofbits#881)

CHANGELOG Some changes Some changes
xshhhm · Apr 23, 2018 · ed6e2d9 · ed6e2d9
1 parent f585a41
commit ed6e2d9
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,9 @@
+## 19 Apr 2018
+### Added
+- IPv6 in subjectAltName of the certificates. This allows connecting to the Algo instance via the main IPv6 address
+
+### Fixed
+- IPv6 DNS addresses were not passing to the client
+
+### Release notes
+- In order to use the IPv6 address as the connection endpoint you need to [reinit](https://github.com/trailofbits/algo/blob/master/config.cfg#L14) the PKI and [reconfigure](https://github.com/trailofbits/algo#configure-the-vpn-clients) your devices with new certificates.
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+ipv6_support: false
+domain: false
+subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
 openssl_bin: openssl
 strongswan_enabled_plugins:
   - aes

diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
@@ -1,11 +1,15 @@
 ---
-
 - block:
+  - name: Set subjectAltName as a fact
+    set_fact:
+      subjectAltName: "{{ subjectAltName_IP }}{% if ipv6_support and ansible_default_ipv6 %},IP:{{ ansible_default_ipv6['address'] }}{% endif %}{% if domain and subjectAltName_DNS %},DNS:{{ subjectAltName_DNS }}{% endif %}"
+    tags: always
+
   - name: Ensure the pki directory does not exist
     file:
       dest: configs/{{ IP_subject_alt_name }}/pki
       state: absent
-    when: easyrsa_reinit_existent == True
+    when: easyrsa_reinit_existent|bool == True
 
   - name: Ensure the pki directories exist
     file:
@@ -41,7 +45,7 @@
       {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
       {{ openssl_bin }} req -utf8 -new
       -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -keyout private/cakey.pem
       -out cacert.pem -x509 -days 3650
       -batch
@@ -68,15 +72,15 @@
     shell: >
       {{ openssl_bin }} req -utf8 -new
       -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }}
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -keyout private/{{ IP_subject_alt_name }}.key
       -out reqs/{{ IP_subject_alt_name }}.req -nodes
       -passin pass:"{{ easyrsa_CA_password }}"
       -subj "/CN={{ IP_subject_alt_name }}" -batch &&
       {{ openssl_bin }} ca -utf8
       -in reqs/{{ IP_subject_alt_name }}.req
       -out certs/{{ IP_subject_alt_name }}.crt
-      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"))
+      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
       -days 3650 -batch
       -passin pass:"{{ easyrsa_CA_password }}"
       -subj "/CN={{ IP_subject_alt_name }}" &&

diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
@@ -31,7 +31,7 @@ conn %default
 {% if local_dns is defined and local_dns == "Y" %}
     rightdns={{ local_service_ip }}
 {% else %}
-    rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
+    rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
 {% endif %}
 
 conn ikev2-pubkey