Since php-openssl still has no implementation for CRLs, phpseclib is now used to provide this.
To test this commit:
- Create a CA
- Create a certificate signed by the CA
- Create a CRL and revoke the above certificate
openssl verify -crl_check_all -CRLfile <crl>.crl -CAfile <ca>.crt <certificate>.crt

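The test procedure above, carried through end to end as an added example that is not part of the commit or of OPNsense: it builds a throwaway CA, a leaf certificate signed by it and a CRL with the openssl CLI (assumed to be on PATH, 1.1.1 or 3.x), all in a temporary directory, then runs the `openssl verify -crl_check_all` check twice: once against an empty CRL (the leaf must pass) and once against the CRL that revokes the leaf (the leaf must be rejected as revoked). The config sections and the `Demo CA` / `leaf.example` names are constructed for the example.

```shell
#!/bin/sh
# Added example, not OPNsense code: exercise `openssl verify -crl_check_all`
# with a freshly generated CA, leaf certificate and CRL.
# Assumes only that the openssl CLI is on PATH; everything else is generated.

# Body runs in a subshell so `cd`, `set -e` and the EXIT trap stay local.
crl_demo() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Minimal CA database layout expected by `openssl ca`.
    mkdir -p ca/newcerts
    : > ca/index.txt
    echo 1000 > ca/serial
    echo 1000 > ca/crlnumber

    # One config file for both `openssl req` and `openssl ca` (constructed).
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

    # 1. Create a CA (self-signed, with CA:TRUE and cRLSign so it may issue CRLs).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo CA" -days 365 -config ca.cnf >/dev/null 2>&1
    # 2. Create a certificate signed by the CA.
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key \
        -in leaf.csr -out leaf.crt >/dev/null 2>&1
    # An empty CRL first: the leaf has to verify against it.
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -gencrl -out empty.crl >/dev/null 2>&1
    # 3. Revoke the certificate and issue an updated CRL.
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -revoke leaf.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -gencrl -out revoked.crl >/dev/null 2>&1

    # 4. The check from the commit message, against both CRLs.
    if ! openssl verify -crl_check_all -CRLfile empty.crl -CAfile ca.crt leaf.crt >/dev/null 2>&1; then
        echo "unexpected: leaf rejected against the empty CRL"
        exit 1
    fi
    if openssl verify -crl_check_all -CRLfile revoked.crl -CAfile ca.crt leaf.crt 2>&1 \
        | grep -q 'certificate revoked'; then
        echo "ok: leaf accepted with empty CRL, rejected as revoked with updated CRL"
        exit 0
    fi
    echo "unexpected: revoked leaf was not rejected"
    exit 1
)

crl_demo
```

`crl_demo` returns 0 only when both outcomes match, so the same function can sit in a CI job that guards a CRL-generating change; the `-crl_check_all` flag matters because plain `-crl_check` only consults the CRL for the leaf, while a CA-signed chain in practice has more than one issuer to check.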
While here remove a couple of references from loops and
improve coding style while at it.

While openvpn_prepare() is not the same as reconfiguring
a device (pluginctl -d ovpns1 vs. pluginctl -s openvpn 1)
we can get away with it as used before. It might be the
subject of later work but for the sake of clearing the
scope of interfaces_configure() this is more than enough.

Even though the server responds with proper cache headers to avoid
browser caching, it seems that Safari (and maybe others) may still cache
repeated calls to `/api/core/firmware/upgradestatus`. This change adds
in the time-old tradition of appending the current timestamp in
milliseconds to each request which should force the browser to fetch the
resource.
Ref: https://www.reddit.com/r/opnsense/comments/umhx04/opnsense_2217_released/i83bp36/?context=5

Since gateways support VIPs we need dpinger to support it too.
The implementation is a little different, asking for the runtime address
of the interface and trying to match a subnet before falling back
to the standard address.
IPv4 slightly adjusted to follow the same pattern, but without the
pin to an explicit VIP address.

o add caching in alias model for aliasIterator() to prevent duplicate parsing.
o since 'content' is exploded multiple times, we do have an opportunity here to move that operation inside the class method for consistency
o pass list of known aliases into filter_core_get_port_alias() to prevent excessive is_alias() calls

* Unbound blocklists / OPNsense UI: strengthen error handling
Also changes the OPNsense UI error handling routine to display a 'status_msg' if provided. Otherwise just display 'status' to preserve backwards compatibility.
* unbound: make blocklist additions/removals dynamic to prevent a restart
This commit contains an optimization for the way unbound can be updated in its configuration
without the need for restarting Unbound and by extension a loss of internet connectivity.
Hopefully this will pave the way for optimizations on other aspects of Unbound's configuration as well.
We could for example look into making the provided wrapper function more generic.
The GUI has also been modified slightly to inform the user of the amount of RRs added/removed.
* Services: Unbound DNS: Blocklist, review comments for https://github.com/opnsense/core/pull/5747
Changed the following minor items:
o gettext() for human readable response message
o simplify comparison loop (only new or diff are actually the same operation)
o replace one-liner split into a loop with validation in case an empty record exists (or something that doesn't fit the pattern)
o remove optional (but always) set -f option
* unbound: blocklists: minor style fix and strip more aggressively
Co-authored-by: Ad Schellevis <ad@opnsense.org>

Adds pluginctl -d mode to list device types supported, their device
names and finally allows calling a device reconfiguration by name.
This is only the beginning of vxlan refactor.

This was surfaced in 22.1.1 when CARP was treated as an alias as well
leaving setups with "none" IPv4 configuration stranded when calling
get_interface_ip() if the service does not support any explicit listening
on a CARP address (which the function actually does support). Caveats
apply as to which VIP will win as with the code before. Best used with
just one CARP address. IP alias doesn't make as much sense since that would
be a static IPv4 configuration.
The latter is the reason why we cannot make a similar change to IPv6
where the primary concept is not equal to "first address in ifconfig"
for (sad) reasons.