Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 1 |
| | | | | There is no need to bother with X.509 cruft here. | |||
* | genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵ | Guilhem Moulin | 2016-05-22 | 2 |
| | | | | parameters. | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | typo | Guilhem Moulin | 2015-12-04 | 1 |
| | ||||
* | genkeypair: use install(1) for atomic file creation with permission mode. | Guilhem Moulin | 2015-10-28 | 2 |
| | ||||
* | genkeypair.sh: Merge privkey and pubkey for identical filekeys. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | Also, set ‘subjectKeyIdentifier = hash’ in the CSR. | |||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Key usage 'keyCertSign' is required for self-signed certificates. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | 'default_days' in openssl.cnf doesn't work, use -days instead. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | Also, it's now possible to reuse an existing private key (with -f). | |||
* | Add ability to chmod, chown and set the key usage in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Install amavisd-new on the outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | For DKIM signing and virus checking. | |||
* | Make genkeypair.sh able to display TXT record for DKIM signatures. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Add support for CSR and subjectAltName in genkeypair.sh. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 1 |
Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. |