Instead of opening the database again for each lookup,
we will read it into memory on first use and every lookup
after that will be coming from cache.
Reviewed-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
in function network_equal and network2bin a check for undefined variables were missing.
added them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The network_equal function only tested the subnet addresses of two given networks which lead to
errormessages saying "This is the green network"
The fix tests netwok and subnet IP's to fix this
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is required since Apache crashes if any of the key/certificate files
does not exist.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Note: Apache crashes if any of these files does not exist. Thereof it
is necessary to generate missing keys on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Priorize ECDSA before RSA and remove unused cipher suites.
Remove redundant OpenSSL directives to make SSL configuration more readable.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate are newely generated with this options.
Nevertheless both directives (old and new) will work also with old CAs.
- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.
If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Remove configuration lines in Apache vhosts files which
are not used anymore (old dial.cgi stuff).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
