path: root/usr.sbin/ikectl
Age  Author  Commit message
2015-11-10  Jonathan Gray
With ikectl now requiring ca specific sections not present in the
general openssl cnf files install the ikeca.cnf file. ok sthen@ requested by reyk@
2015-11-06  Jonathan Gray
Use pledge in ikectl. For now one request for sending imsgs to iked
another request for the ca portion. ok deraadt@
2015-11-02  Jonathan Gray
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files. Requested by and ok reyk@ who also tested this against ios9 with iked.
2015-11-02  Jonathan Gray
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server. This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections. Requested by and ok reyk@
2015-11-02  Jonathan Gray
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server. This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections. Requested by and ok reyk@
2015-11-02  Jonathan Gray
Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing. Requested by and ok reyk@
2015-09-07  Igor Sobrado
append a slash immediately after a file system path that is a directory;
uppercase the description of /var/run/iked.sock (found by jmc@); add missing full stop. ok jmc@
2015-08-19  Reyk Floeter
ca_hier() and ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
2015-08-19  Reyk Floeter
spacing
2015-08-19  Reyk Floeter
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
2015-08-19  Reyk Floeter
Use C99 integer types in ikectl(8).
OK jsg@
2015-08-19  Reyk Floeter
Support for overwriting $ENV:: variables in OpenSSL .cnf files from
the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command. Reported and tested by Jona Joachim (thanks!) OK jsg@
2015-08-15  Sebastien Marie
correct mode_t 644 to 0644
ok sthen@
2015-08-15  Sebastien Marie
corrects three err() to errx() calls
- an if condition doesn't set errno
- strlcpy(3) doesn't set errno (no mention in man page)
- ca_readpass() already manages the errno error message with warn(3)
ok sthen@
2015-07-27  Igor Sobrado
use file system path (.Pa) semantic markup macros where appropriate.
ok jmc@
2015-06-11  Reyk Floeter
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring OK mikeb@ millert@
2015-02-28  Anthony J. Bentley
Reduce usage of predefined strings in manpages.
Predefined strings are not very portable across troff implementations, and they make the source much harder to read. Usually the intended character can be written directly. No output changes, except for two instances where the incorrect escape was used in the first place. tweaks + ok schwarze@
2015-01-16  Theo de Raadt
Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2014-11-22  Theo de Raadt
/dev/random has created the same effect as /dev/arandom (and /dev/urandom)
for quite some time. Mop up the last few, by using /dev/random where we actually want it, or not even mentioning arandom where it is irrelevant.
2014-08-26  Joel Sing
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not
a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl. ok deraadt@ miod@
2014-08-25  Doug Hogan
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
2014-07-20  Philip Guenther
Make sure the correct errno is reported by warn* or err* and not
the errno of an intervening cleanup operation like close/unlink/etc. Diff from Doug Hogan (doug (at) acyclic.org)
2014-04-18  Ted Unangst
round up some enemy sympathizers found calling RAND_seed().
ok beck reyk
2014-01-18  Martynas Venckus
Remove -Wbounded: it is now the compiler default.
2013-11-14  Theo de Raadt
cope with the EAGAIN API change for msgbuf_write()
ok benno
2013-08-16  Philip Guenther
Use %lld and cast to (long long) when printing time_t values
otto@ millert@ lteo@ mikeb@ deraadt@
2013-07-16  Ingo Schwarze
use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
2013-01-08  Reyk Floeter
Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".
2012-12-08  Mike Belopuhov
don't forget to include a path separator after an SSLDIR;
reported by david hill
2012-11-01  Reyk Floeter
Remove dead code that was a leftover from the initial code which was
based on snmpctl. Found and committed from the plane in 10km (35.000 feet). No functional change and this diff doesn't touch any crypto code so the current country below me cannot blame me for importing / exporting any crypto. ok benno@
2012-10-25  Reyk Floeter
Remove support email address from the example that is intended for
customers for an existing company.
2012-10-23  Reyk Floeter
Allow to overwrite a few more definitions like file paths from the
Makefile. No functional change.
2012-09-18  Reyk Floeter
update email addresses to match reality.
sure jsg@ mikeb@
2012-07-08  Theo de Raadt
if you use nitems() in userland, you must define it yourself
discussed with guenther
2012-05-02  Gleydson Soares
s/snmpd/iked/ in comment
ok henning@
2011-05-27  Reyk Floeter
spacing
2011-01-20  Jason McIntyre
more double word removal;
2010-10-11  Stuart Henderson
and another one... s/10.4.5.6/10.3.4.5/, also from jy-p.
2010-10-11  Stuart Henderson
typo, s/10.1.2.3/10.2.3.4/, from jy-p
2010-10-08  Reyk Floeter
set the client/server certificate options with all the common keyusage
and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd. ok phessler@
2010-10-08  Jonathan Gray
check if a directory exists before trying to create it in the export
case as well, spotted by mikeb
2010-10-08  Jonathan Gray
tweak for nroff
2010-10-08  Jonathan Gray
if non absolute paths are specified in install commands assume they
are relative to /etc
2010-10-08  Jonathan Gray
allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.
2010-10-08  Reyk Floeter
Allow to show certificate details (show ca x cert [y]).
2010-10-07  Jonathan Gray
only try to setup a passfile when creating a CA
2010-10-07  Reyk Floeter
Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
2010-10-07  Jason McIntyre
sync usage();
2010-10-07  Reyk Floeter
nroff doesn't like long argument lists that work fine with mandoc.
split them into Xo/Xc blocks to make nroff happy again.
2010-10-07  Reyk Floeter
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also make it scriptable.
- allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@