When someone adds an intermediate certificate into the trust store leading either into a missing or expired root, other paths aren't being evaluated anymore, leading into verification errors.
In case someone would like to enforce saving the intermediates, System->Settings->General introduces a new trust section to revert back to the old behaviour.
ca-root-nss should be valid at all times, we shouldn't (ever) try to cleanse what's being shipped as part of the system, but user input can be unsafe leading to dangerous situations.
Eventually we could also consider preventing bundles being imported in the authorities section, but that wouldn't fix issues with already deployed certificates and user input can still lead to broken chains easily.
opnsense-update can read the upgrade hint itself. We may have
to stash an ABI in there to reach to a different location without
the need to publish a symbolic link.
Move the firmware message to a data location for cleanliness.
This way we can get a GUA on a WAN that works anyway due to
IPv6 magic. Also protect the return of addresses with the
actual existence of the interface, because otherwise the
VIP readings are inaccurate. interfaces_addresses() still
works in both modes, but worst case won't map aliases.
This is largely for testing our NAT log patch, but might be
useful for someone.
Inline filterlog restart since it uses syslog() and does not
need to be restarted when syslog settings change.
Second try: retain attribute values as sibling nodes with
a name up front. If the sibling does not exist fail silently
like before. At least from testing this no longer produces
any shift in the config.xml between string nodes with attributes.
Test XML:
<?xml version="1.0"?>
<opnsense>
<staticroutes version="1.0.0"/>
<someotherthing version="1.0.0">
<foo/>
</someotherthing>
<thing version="1.0.0"></thing>
<alias version="1.0.0"/>
<doesthisdoit></doesthisdoit>
</opnsense>
Test PHP:
<?php
require_once 'config.inc';
OPNsense\Core\Config::getInstance()->fromArray(load_config_from_file('foo.xml'));
print_r(OPNsense\Core\Config::getInstance()->__toString());
Result XML:
<?xml version="1.0"?>
<opnsense>
<staticroutes version="1.0.0"/>
<someotherthing version="1.0.0">
<foo/>
</someotherthing>
<thing version="1.0.0"/>
<alias version="1.0.0"/>
<doesthisdoit/>
</opnsense>
We need to make sure both the local and the remote IP belong to
the same CIDR range, which might not be the case if we just
calculate the subnet size required by their direct distance.
Rewrite find_smallest_cidr() to take an array of IPs to calculate
their smallest shared subnet mask. Code is actually pretty simple
and fast. However, we are not going to account for network and
broadcast address reservation unless that turns out to be an issue.
In the IPv6 case assume that /64 is a good approximation of the
result.
Remove code cruft in utilities while at it, also replacing a simple
function only called once in setaddr.sh.
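The shared-mask calculation described for find_smallest_cidr() above, as an added example that is not OPNsense's own code: smallest_shared_prefix() is a hypothetical name and the sample addresses are constructed. It shows why direct distance is not enough: 10.0.0.127 and 10.0.0.128 are adjacent, yet the smallest range containing both is a /24.

```php
<?php
// Added illustration; smallest_shared_prefix() is a hypothetical name,
// not the project's find_smallest_cidr().

function smallest_shared_prefix(array $ips): int
{
    if ($ips === []) {
        throw new InvalidArgumentException('at least one address is required');
    }

    $first = null;   // first IPv4 address as an integer
    $diff = 0;       // OR of all bit differences against $first
    $v6 = 0;         // number of IPv6 addresses seen

    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            $v6++;
            continue;
        }
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            throw new InvalidArgumentException("not an IP address: {$ip}");
        }
        $long = ip2long($ip);
        $first ??= $long;
        $diff |= $first ^ $long;
    }

    if ($v6 > 0) {
        if ($first !== null) {
            throw new InvalidArgumentException('mixed IPv4 and IPv6 input');
        }
        return 64; // IPv6: /64 taken as the approximation, as in the text
    }

    // Every bit at or below the highest differing bit must be a host bit.
    // Network and broadcast reservation is not accounted for.
    $prefix = 32;
    while ($diff !== 0 && $prefix > 0) {
        $diff >>= 1;
        $prefix--;
    }
    return $prefix;
}

// Constructed sample inputs.
$samples = [['10.0.0.1', '10.0.0.2'], ['10.0.0.127', '10.0.0.128'], ['192.168.1.10', '192.168.1.20', '192.168.2.1'], ['2001:db8::1', '2001:db8::2']];
foreach ($samples as $ips) {
    printf("%s -> /%d\n", implode(', ', $ips), smallest_shared_prefix($ips));
}
```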