stunnel plugin #1829

Closed
11 tasks done
AdSchellevis opened this issue May 12, 2020 · 0 comments
Labels: feature (Adding new functionality)

AdSchellevis commented May 12, 2020

Add new stunnel plugin for mutual authenticated tunnel connections.

The initial version should incorporate the following features:

  • configure listen host and port
  • configure connect to endpoint (address + port)
  • CA to validate against
  • tls server certificate to use for the tunnel
  • Certificate revocation list
  • cipher selection
  • syslog target
  • patch tls session identity (opnsense/ports@1b9d7b1)
  • local "ident" server to request connected session
  • log viewer
  • basic documentation

- [ ] very likely related to stunnel + chroot, but if syslog-ng restarts, stunnel stops logging. maybe we should use an additional log socket.

Stunnel doesn't seem to support additional log sockets, made a note and support non-chroot environments.

- [ ] our python Daemonize doesn't support chroot, which would be practical to use for our ident daemon.

Maybe we should add another wrapper some day or extend the existing one, choices seem to be limited at the moment.

@AdSchellevis AdSchellevis added the feature Adding new functionality label May 12, 2020
@AdSchellevis AdSchellevis self-assigned this May 12, 2020
AdSchellevis added a commit that referenced this issue May 13, 2020
AdSchellevis added a commit that referenced this issue May 15, 2020
Since stunnel uses different parameter pairs for TLSv1.[1,2] and TLSv1.3, we'll try to sort them out in our config template.
When no TLSv1.3 ciphers are allowed, we should limit the sslVersionMax parameter as well as it seems.
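One way to implement the split this commit message describes, as an added example and not the plugin's own template code: the selected cipher names are sorted into stunnel's `ciphers` (TLS 1.2 and below) and `ciphersuites` (TLS 1.3) options, and `sslVersionMax` is capped at TLSv1.2 when no TLS 1.3 suite was chosen. The function names, the explicit TLS 1.3 suite set and the name validation are my assumptions; the stunnel option names are real.

```python
import re

# TLS 1.3 suite names as OpenSSL spells them (stunnel's "ciphersuites" option
# takes these); every other selected name is treated as a TLS 1.2 cipher.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Cipher names are plain tokens; anything else (spaces, newlines, '=') is
# rejected so a form value can never inject extra lines into stunnel.conf.
_CIPHER_NAME = re.compile(r"[A-Za-z0-9_-]+")


def split_ciphers(selected):
    """Split a selection into (tls12_ciphers, tls13_suites), preserving order."""
    tls12, tls13 = [], []
    for name in selected:
        if not _CIPHER_NAME.fullmatch(name):
            raise ValueError(f"invalid cipher name: {name!r}")
        (tls13 if name in TLS13_SUITES else tls12).append(name)
    if not tls12 and not tls13:
        raise ValueError("at least one cipher must be selected")
    return tls12, tls13


def render_stunnel_tls(selected, ssl_version_min="TLSv1.2"):
    """Render the TLS-related lines of an stunnel service section."""
    tls12, tls13 = split_ciphers(selected)
    lines = [f"sslVersionMin = {ssl_version_min}"]
    if tls12:
        lines.append("ciphers = " + ":".join(tls12))
    if tls13:
        lines.append("ciphersuites = " + ":".join(tls13))
        lines.append("sslVersionMax = TLSv1.3")
    else:
        # No TLS 1.3 suite selected: cap the protocol, otherwise a TLS 1.3
        # handshake would fall back to the library's default suites.
        lines.append("sslVersionMax = TLSv1.2")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_stunnel_tls(["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"]))
    print()
    print(render_stunnel_tls(["ECDHE-RSA-AES256-GCM-SHA384"]))
```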
AdSchellevis added a commit that referenced this issue May 15, 2020
AdSchellevis added a commit to opnsense/docs that referenced this issue May 17, 2020
AdSchellevis added a commit to opnsense/docs that referenced this issue May 18, 2020
AdSchellevis added a commit that referenced this issue May 18, 2020
* stunnel: boilerplate for #1829

* stunnel: work in progress for #1829

* stunnel: add service control and acl for #1829

* stunnel: add cipher selection for #1829

Since stunnel uses different parameter pairs for TLSv1.[1,2] and TLSv1.3, we'll try to sort them out in our config template.
When no TLSv1.3 ciphers are allowed, we should limit the sslVersionMax parameter as well as it seems.

* stunnel: set TLS1.2 as minimum

* stunnel: disable rc conf when no services are active #1829

* stunnel: CRL support for #1829

* stunnel: simplify cert creation, combine cert+key in one file. for #1829

* stunnel: syslog and log viewer for #1829

* stunnel: add hasync anchor, for #1829
fichtner pushed a commit to opnsense/core that referenced this issue May 19, 2020
AdSchellevis added a commit that referenced this issue May 20, 2020
* add general tab for generic stunnel settings
* add chroot, changing default to use a non chroot version, since syslog messages can get lost when syslog-ng is restarted (when in chroot mode)

for #1829
AdSchellevis added a commit that referenced this issue May 20, 2020
needs some more testing, rc wrappers, startup hooks and template adjustments
AdSchellevis added a commit that referenced this issue May 22, 2020
- used wrong pid for ident status
- reload syslog on service start
- missing condition in syslog template (hence the service reload)

for #1829