Age | Commit message (Collapse) | Author |
|
over to the website, when necessary (#4373)
Change-Id: I296dd9d3cee1b84bd141cbf63ccaecea24916cc1
|
|
Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14
|
|
deprecation warning:
2014-05-06 18:10:23,594 - INFO - L#826 : leap.openvpn:outReceived() - Tue May 6 18:10:23 2014 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
Change-Id: I159b26604993d38806fcb7c2ed8f6de8138999f7
|
|
Change-Id: I4781f0c3e1c74f5a45217a4d631603fa1a622fd6
|
|
trigger changes, make the default ipv6 firewall subscribe to shorewall6,
if it exists, and finally reject all outgoing IPv6 packets.
All of this will complete the platform-side of route IPv6 through
OpenVPN gateway, and block it. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
|
|
some important things to note:
We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.
When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.
Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5
|
|
which will provide us with proper ipv6 support
Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07
|
|
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
|
|
Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f
|
|
There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.
This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).
Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
|
|
specific, to avoid catching unrelated processes (#5327)
Change-Id: I63ffcd644a85137708712daac671b92898c70b7e
|
|
|
|
including the default_service_level
|
|
that sshd will be listening to in a default setup. This needs to be
allowed so that you can have a different port configured in the
hiera and not get locked out during deployment (#5119)
Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
|
|
the pid file (#5577)
Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce
|
|
"rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a
static 'family' and instead provide a comma separated list of node tor
nicknames. (#5220)
Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a
|
|
cert/key. This has the same effect of 'require' because both make sure
that the mentioned resource(s) will be applied before this resource, but
subscribe will cause this resource to refresh anytime the subscribed
resources change (#4342)
Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718
|
|
is run, otherwise the openvpn service is restarted before config files
are deployed (#4154)
Change-Id: Ide38615714c1978bb90237986baea530c54153c3
|
|
Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c
|
|
Change-Id: I7d13d9395cd70b4de6fa7c6d5a9e5132d995ade1
|
|
Conflicts:
.gitignore
Change-Id: I778f3e1f1f4832f5894bc149ead67e9a4becf304
|
|
Conflicts in certain situations (#5523)
Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707
|
|
class to be more visually logical (#5269, #4590, #3712)
Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613
|
|
. make the couchdb service start after the stunnels have been
setup. This may improve the cluster membership coming online
faster
. replace the two Couchdb::Create_db ordering hints (for the
'users' and 'tokens' databases) with a generic
Class['site_config::create_dbs'] hint. This makes it so we get
the ordering hint for all databases, which we were not before,
without having to individually list them
. replace the two Couchdb::Add_user ordering hints (for the
$couchdb_webapp_user and the $couchdb_soledad_user) with a
generic ordering hint for Class['site_couchdb::add_users']
ordering hint. This makes it so we get the ordering hint for all
the users, which we were not before, without having to
individually list them
Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9
|
|
cluster membership to settle, before attempting any operations
(#5269, #4590, #3712)
Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd
|
|
--repeat (#5119)
Change-Id: I48b0ae8b3d8ab91c4ca363a2bdece46952cce5a9
|
|
is any problem).
|
|
|
|
|
|
|
|
|
|
|
|
(#5499)
Change-Id: Ia0efb4c129a71504a717c20e2e260a1ed83f2223
|
|
|
|
|
|
|
|
|
|
|
|
https://leap.se/code/issues/5426 Merge branch 'bugfix/buildessential' of https://github.com/elijh/leap_platform into elijh-bugfix/buildessential
|
|
|
|
https://leap.se/code/issues/4127
|
|
https://leap.se/code/issues/5426
|
|
|
|
Conflicts:
provider_base/services/tor.json
Change-Id: I826579945a0d93c43384f0fd12c9833762b084cf
|
|
|
|
|
|
smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
|
|
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting
against the BREACH attack: see http://breachattack.com), and SPDY
version 3 is vulnerable to the CRIME attack when compression is
on
. Switch the cipher suites to match
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
these reasons:
. Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
implementations support this, and there are no known attacks).
. Prefer AES128 to AES256 because the key schedule in
AES256 is considered weaker, and maybe AES128 is more
resistant to timing attacks
. Prefer AES to RC4. BEAST attacks on AES are mitigated in
>=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
likely to become more dangerous
. RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
|
|
because the DNS lookup is either impossible (.local domain), or
incorrect (certain openstack/amazon/piston cloud configurations create
this setup when the relayhost is in the same cluster as the satellite).
Fixes #5225
Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
|
|
|