Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks,
as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific
SHA256 certificate hash are taken from Cloudflare's DoT configuration guide
published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/.
Note that the certificate is valid to March 25th 2020, 13:00 CET, which
provides ample time for issuance of a backup pin to support future key
rollover.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Retain the upstream value since privacy is usually the key user motivation
for using DNS-over-TLS, and simply note that those encountering sub-optimal
routing may consider disabling the setting.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The config file /etc/stubby/stubby.yml is not registered properly and any
local changes are being overwritten on upgrade or reinstall.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
- The original copy process is to delete all routing tables first,
then add new routing table. This process is too slow and very dirty.
- We use grep to identify the changes and apply them.
- ignore ipv6 unreachable routes
- update version number
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
This adds a metapakcge for acme luci ap without uhttpd dependency and adds entities and check to stop handle nginx server and modify the certificate set automatically.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Should be faster.
Rearranged Makefile slightly for consistency with other packages.
Version 3.5.6 and above are relicensed to GPL-2.0.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix the init script to allow access from IPv6 subnets of the interface
specified in allow section in /etc/config/chrony.
Fixes issue #7039.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
- adjust a few UCI translations to coordinate with upstream defaults
- remove OpenSSL < 1.1.0 API log error patch which is included upstream
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* if <keyutils.h> is found krb5 pulls in the lib, which than fails to link because of a missing -fPic in libkeyutils.so
* keyutils 1.5.11 will depend on krb5, so we disable it in krb5 to avoid circular dependency
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
* update to 4.9.0
* move vfs_xattr_tdb to defaults
* add vfs_audit, vfs_extd_audit, vfs_full_audit to AD-DC variant
* disable jansson, libarchive by default, enabled for AD-DC variant
* update waf answers
Noteable smb.conf changes:
* store dos attributes Default changed yes
* ea support Default changed yes
Fixes: Timemachine "The identity of the Backup disk ... has changed since the previous backup."
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Commit 6cd8fcabe added ipsec hotplug script support by calling "exec
/sbin/hotplug-call ipsec".
Using the exec call breaks the insertion of iptables rules by the _updown.in
script as hotplug-call just replaces the current shell meaning the commands
following exec do not run since the shell is replaced and as a result lead to
connectivity issues.
Fix this by removing the exec command in front of /sbin/hotplug-call.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
libbsd may compile before nfs-kernel-server, it will make
nfs-kernel-server depends libbsd.so.0, that is not we want to see. so
gave option to 'configure' to disable libbsd detect and tell it we have
no libbsd
Signed-off-by: Guo Li <uxgood.org@gmail.com>
* enable avahi by default, so Linux/Mac Clients can see samba shares
* enable timemachine config support
* fix invalid --builtin-libraries
* default to 'mdns name = mdns' in template
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Tony Ambardar