Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
735 Commits
5 Branches
2 Tags
10 MiB
fix/14704
dependabot/pip/ansible-9.4.0
master
dependabot/github_actions/actions/setup-python-5.1.0
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a8b4a47a88'
${ noResults }
Commit Graph

120 Commits (a8b4a47a884cc0c357205f80ae790d7613218a5d)

Author SHA1 Message Date
Micah R Ledbetter e944ee993a Embed certs into Windows deployment scripts (#840) 
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
  directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store

As part of this work, rewrite the windows_client.ps1.j2 deployment
script template

- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
  installed the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables,
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
 7 years ago
Micah R Ledbetter 4b0aea8f5a Document iptables rules (#854) 
* Remove firewall rule related to the old proxy role

* Remove proxy conditionals from mobileconfig template

* Add comments explaining firewall rules
 7 years ago
Jack Ivanov 78830d96aa Android: add the CA and set the ciphers explicitly (#837) 7 years ago
Jack Ivanov 4e4440a318 Exclude CA from P12 (#835) 7 years ago
adamluk b30f6db079 Update rules.v6.j2 (#818) 
Updated to use -m conntrack for consistency as per the other IPv6 rules.
 7 years ago
Jack Ivanov 02427910de Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) 
* Move to ansible-2.4.3

* Add Lightsail support #623

* Fixing the EC2 deployment

* Scaleway integration #623

* OpenStack cloud provider (DreamCompute optimised) #623

* Remove the security role

* Enable unattended-upgrades for clouds

* New requirements to make Azure and GCE work
 7 years ago
Jack Ivanov f18c1a0d67 Certificate revocation fix (#719) 7 years ago
Julie Bernosky dc4dff040e Add StrongSwan log level config option to ipsec.conf template (#700) 7 years ago
Jack Ivanov ee7264f26e Ask users to enter the p12 password manually (#697) 7 years ago
Jack Ivanov 6b803e069f LibreSSL fix #625 (#685) 7 years ago
Jack Ivanov 9d8e39f63d Move back to the Xenial repo (#606) 7 years ago
Jack Ivanov f0283856ad fix revocation (#586) 7 years ago
Jack Ivanov 26c202ded5 Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the section. (#580) 7 years ago
Jack Ivanov ba7859ba5f Revoke non-existing users fix 7 years ago
Jack Ivanov 0131505195 Enhance PS1 script (#510) 
update docs

Update README.md

update readme
 7 years ago
Jack Ivanov ee6db37428 Change the P12 and SSH passwords only for new users (#550) 7 years ago
Jack Ivanov 40e0363b18 Add html helper for Android (#554) 
* add html helper #280

move to the new local schema

fix a typo

* Update client-android.md
 7 years ago
Ruben Jongejan e9e6c6e383 cleaner syntax for local actions (#536) 
* refactored local actions to cleaner syntax

* openssl commands folded

* removed unnecessary local_action's
 7 years ago
tetov ac6db06a19 grammar edit (#540) 
* grammar edit

* Update openssl.yml
 8 years ago
Jack Ivanov 58d5a06e87 delete tasks and move to roles (#519) 8 years ago
Ruben Jongejan 07ddb5863b improved readability with native yaml (#530) 8 years ago
Jack Ivanov 9f698fdd68 Get strongswan from the Zesty repo on Xenial (#515) 8 years ago
Jack Ivanov bd348af9c2 Implementing blocks and additional fail hints #487 (#497) 
change the troubleshooting url
 8 years ago
Jack Ivanov 2f5c050fd2 dpdaction to clear (#498) 8 years ago
Jack Ivanov 0ed68b6c30 Properly configure ICMP restrictions (#492) 8 years ago
Ryan Kasper 0cb43650cb Windows 10 -PfsGroup None --> -PfsGroup ECP256 (#493) 
* Windows 10 -PfsGroup None --> -PfsGroup ECP256

Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)

* Update Windows Client PfsGroup Commandline
 8 years ago
Jack Ivanov 540c761d3b Disable RSA in the mobileconfigs. Fixes #486 8 years ago
Jack Ivanov 451394100d Some enhances in the compat ciphers (#464) 
raise the IntegrityCheckMethod to SHA384

Move Windows to ECDSA

Increase IntegrityCheckMethod
 8 years ago
Jack Ivanov c3fcfe5d0d Let users choose the distro version #449 (#466) 
Make dpdaction great again

add 1704 to travis

Make EC2 image name more convenient

modify apparmor profile
 8 years ago
Andy Boutte 76cdc69548 CF tested and working for EC2 deployment (#431) 
* AWS CloudFormation #132

* IPv6 EC2 draft

* CF tested and working for EC2 deployment

* IPv6 Implementation, EC2, Cloudformation

* Fixed ipv6 networking

* adding ip6tables rule for DHCP on AWS
 8 years ago
Jack Ivanov a7b06058cb remove the proxy role #440 (#457) 
* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks
 8 years ago
Dan Guido 0b05ea19bc Windows needs SHA2-256. Closes #453. (#456) 8 years ago
Dan Guido 8173b84ff8 Change uniqueids back to never (#448) 
We need this to allow multiple connections with the same id/certificate
 8 years ago
Dan Guido f9f7be7b0d Fix a typo from #439 8 years ago
Dan Guido 1778cb1f45 disable dpd #430 (#437) 
Closes #430
 8 years ago
Dan Guido 8e5e6d5088 remove extraneous integrity algos from AEAD ciphers (#439) 
In reference to
https://github.com/trailofbits/algo/issues/9#issuecomment-294370560
 8 years ago
Jack Ivanov fa5a956193 Add URLStringProbe (#428) 
* Add URLStringProbe

* switch to Apple's hotspot-detect.html
 8 years ago
Jack Ivanov ea5976f49b write logs to file if BSD only 8 years ago
MiWCryptAnalytics 04b61ca3d2 Increase CA key entropy to 128bit (#415) 
Changes the default CA key size from 48 bit to 128bit with OpenSSL usermode CSPRNG with hex encoding
 8 years ago
Jack Ivanov 02f363d825 change the order of ciphers 8 years ago
mathew19 ae43ed6f81 Update client_ipsec.secrets.j2 (#414) 
Fix filename in client ipsec_user.secrets
 8 years ago
mathew19 5e56996f5c Fix name (#411) 8 years ago
Jack Ivanov c61a07fb60 Escaping Special Characters #388 (#403) 8 years ago
Jack Ivanov 56a72e5af2 New ciphers implementing #247 (#352) 
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
 8 years ago
Dan Guido e55ce03906 URLStringProbe with this URL does not work as intended 8 years ago
Dan Guido 5e22b79033 Add configuration for URL probes to Apple profile 
Chrome and Android both request a known URL that generates HTTP 204 No Content responses to determine if they have internet connectivity. In Apple profiles, we can use the same URL to determine whether the VPN needs to connect. Using this feature will help save battery life for lots of users.
 8 years ago
Jack Ivanov 47515154bb add mtu in the sswan profile 8 years ago
brad2014 09e5d87c7b Minor name and documentation edits (#327) 8 years ago
Dan Guido 655a917dd2 iptables filter table fix (#285) 8 years ago
Jack Ivanov 6facb6cb4f FreeBSD / HardenedBSD (#262) 
* FreeBSD draft

ifconfig fix

Pre-tasks fixes

fix hardcoded IP

some refactoring

disable system-based tags

disable freebsd tags

FreeBSD vpn role

add defaults

ssh role freebsd

default fix

dns_adblocking freebsd

ubuntu dict fix

* HardenedBSD

update-users BSD

* Rebuild the kernel

docs changing
 8 years ago