freeradius: show ECDSA CAs and certs only with correct curves #710
Conversation
There was a problem hiding this comment.
This seems OK but do we really know it has this limitation? Is there anything documented saying it wouldn't work, or that it has problems? For example, OpenVPN can apparently work with any curve so long as both sides agree on it and it's supported by their local SSL libraries. I'm hesitant to merge this unless we know it's necessary.
And it seems like since both FreeRADIUS and IPsec are using it for EAP/TLS, that using the IPsec list is a better fit, but again, even that might not be necessary.
|
Yes, it seems that using the IPsec list is safe See https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=57 about Windows Suite-B support |
| $ecdsagood = cert_build_list('ca', 'IPsec'); | ||
| } else { | ||
| $ecdsagood = cert_build_list('cert', 'IPsec'); | ||
| $c_arr[] = array('refid' => 'none', 'descr' => 'none (auto)'); |
There was a problem hiding this comment.
Why is this only added to the certificate array? Before it was added to both.
| } | ||
| function freeradius_get_ca_or_certs($type) { | ||
| $c_arr = array(); | ||
| if ($type == 'ca') { |
There was a problem hiding this comment.
This can be simplified a bit since you are passing the same string as $type on to cert_build_list(), so the whole if block can be changed to something like:
$c_arr = array();
$c_arr[] = array('refid' => 'none', 'descr' => 'none (auto)');
$ecdsagood = cert_build_list($type, 'IPsec');
Changelog: * Fixed: Version `Qt_5.15' not found (required by /usr/bin/ksnip). (#712) * Fixed: CI packages show continuous suffix for tagged build. (#710) * Fixed: kImageAnnotator not translated with deb package. (#359) * Fixed: Windows packages increased in size. (#713) * Fixed: The string 'Actions' is not available for translation. (#729) * Fixed: HiDPI issue with multiple screen on Windows. (#668) * Fixed: Snipping Area not closing when pressing ESC. (#735) * Fixed: Sometimes "Snipping Area Rulers" not shown after starting rectangular selection. (#684) * Fixed: Cursor not positioned correctly when snipping area opens. (#736) * Fixed: Mouse cursor not captured when triggered via global shortcut. (#737) * Fixed: Dual 4K screens get scrambled on X11. (#734) * Fixed: VCRUNTIME140_1.dll was not found. (#743) * Fixed: Screenshot area issue when monitor count changes on Windows. (#722) * Fixed: Wayland does not support QWindow::requestActivate(). (#656) * Fixed: Wrong area is captured on a Wayland screen scaling. (#691) * Changed: Enforce xdg-desktop-portal screenshots for Gnome >= 41. (#727) * Fixed kImageAnnotator: Crash while typing text on wayland. (#256) * Changed kImageAnnotator: Show scrollbar when not all tools visible. (#258)
Redmine Issue: https://redmine.pfsense.org/issues/9906
Ready for review
Do not show incompatible ECDSA CAs or certs for FreeRADIUS
same as https://redmine.pfsense.org/issues/9897