Need review of adding X.509 certs to Strongswan

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Jan 22 13:47:13 EST 2021


Hi,

I posted the following PR some time ago (late November) and it's languishing:

https://github.com/openwrt/packages/pull/14028

Can I get some reviews of it?

X.509 authentication is a more attractive alternative to simple PSK authentication (more entropy, less susceptible to dictionary attacks, etc).

It's a short series of commits that do:

* suppress multiple logging in /var/log/messages for authentication messages;
* adds the /etc/swanctl/conf.d/ which is read from /etc/swanctl/swanctl.conf but doesn't exist;
* cleans up some of the UCI and corrects the handling of the "updown" and "firewall" scripts (there is no "left" or "right" version, since it's always local by definition);
* adds new parameters "reauth", "fragmentation", "closeaction", "mobile" for greater completeness;
* the X.509 support, which is the most important part of this PR, but is actually a fairly trivial change;
* add support for a global "setup" config section, which contains the "cachecrls", "charondebug", "strictcrlpolicy", and "uniqueids" parameters;

It's all Shell and UCI changes, and the relevant .conf generation.  Pretty straightforward.

Thanks,

-Philip




More information about the openwrt-devel mailing list