Page MenuHomeVyOS Platform

chenxiaolong (Andrew Gunnerson)
User

Projects

User does not belong to any projects.

User Details

User Since
Nov 11 2017, 8:13 PM (368 w, 2 d)

Recent Activity

Apr 13 2024

chenxiaolong added a comment to T6163: kea-dhcp4-server crashes due to incorrect lease file permissions after 1.5-rolling-202403120022 -> 1.5-rolling-202403230018 upgrade.

Thanks for the quick fix! I intentionally messed with the file ownership and can confirm that VyOS 1.5-rolling-202404130016 will correct them to the proper values.

Apr 13 2024, 6:06 PM · VyOS 1.5 Circinus

Mar 23 2024

chenxiaolong updated the task description for T6163: kea-dhcp4-server crashes due to incorrect lease file permissions after 1.5-rolling-202403120022 -> 1.5-rolling-202403230018 upgrade.
Mar 23 2024, 5:30 PM · VyOS 1.5 Circinus
chenxiaolong created T6163: kea-dhcp4-server crashes due to incorrect lease file permissions after 1.5-rolling-202403120022 -> 1.5-rolling-202403230018 upgrade.
Mar 23 2024, 5:28 PM · VyOS 1.5 Circinus

Jan 20 2024

chenxiaolong added a comment to T5948: pdns-recursor crashes on restart if hostfile-update is enabled and dhcp client sends hostname with trailing dot.

Tested https://github.com/vyos/vyos-1x/pull/2857 and confirmed that it works properly now. Thanks for the quick fix!

Jan 20 2024, 4:27 AM · VyOS 1.5 Circinus

Jan 17 2024

chenxiaolong added a comment to T5948: pdns-recursor crashes on restart if hostfile-update is enabled and dhcp client sends hostname with trailing dot.

Sure. I did some further testing and it looks like this is triggered if the client sends DHCP option 81 (FQDN). To reproduce:

Jan 17 2024, 4:15 PM · VyOS 1.5 Circinus

Jan 16 2024

chenxiaolong updated the task description for T5948: pdns-recursor crashes on restart if hostfile-update is enabled and dhcp client sends hostname with trailing dot.
Jan 16 2024, 3:49 AM · VyOS 1.5 Circinus
chenxiaolong created T5948: pdns-recursor crashes on restart if hostfile-update is enabled and dhcp client sends hostname with trailing dot.
Jan 16 2024, 3:46 AM · VyOS 1.5 Circinus

Jan 8 2024

chenxiaolong added a comment to T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6).

The issue with the missing domain name in /etc/hosts with hostfile-update, as mentioned above, seems to trigger another problem. The hostname requested by the client seems to be added to /etc/hosts verbatim and some clients (eg. some Windows machines and printers) request a fully qualified name with a trailing dot. Since pdns-recursor unconditionally appends a dot, there are now two trailing dots, causing pdns-recursor to crash if it restarts.

Jan 8 2024, 12:38 AM · VyOS 1.5 Circinus

Apr 10 2023

chenxiaolong closed T5151: EAP-TLS TLSv1.0/1.1 regression after T5003 as Resolved.
Apr 10 2023, 8:46 PM · VyOS 1.4 Sagitta
chenxiaolong committed rVYOSONEX8eb85739c965: hostapd: T5151: Override ConditionFileNotEmpty.
Apr 10 2023, 7:34 PM
chenxiaolong added a comment to T5151: EAP-TLS TLSv1.0/1.1 regression after T5003.

I found the issue. This was caused by bumping the debian packaging scripts from debian/2%2.10-10 to debian/2%2.10-12, which includes https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c. This is not compatible with vyos because vyos uses a config path in /run.

Apr 10 2023, 5:10 PM · VyOS 1.4 Sagitta
chenxiaolong added a comment to T5151: EAP-TLS TLSv1.0/1.1 regression after T5003.

Thanks, I ran the ethernet smoke tests, but not the wireless ones. I'll investigate right away.

Apr 10 2023, 3:52 PM · VyOS 1.4 Sagitta
chenxiaolong closed T5151: EAP-TLS TLSv1.0/1.1 regression after T5003 as Resolved.

Closing as resolved because the PRs were merged (thanks for the quick review!)

Apr 10 2023, 12:48 AM · VyOS 1.4 Sagitta

Apr 9 2023

chenxiaolong committed rVYOSONEXc53d73cd8958: eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS.
Apr 9 2023, 7:13 PM
chenxiaolong added a comment to T4782: Allow multiple CA certificates (on e.g. EAPoL).

For eapol specifically, if your use case involves only a single chain (1 root CA + 1 or more intermediate CAs), then my fix from T4245 should do the trick. You can add each root/intermediate CA to the PKI and then set eapol to the leaf intermediate CA. When the wpa_supplicant configuration is generated, vyos will add the intermediate CA and all of its parents to the .crt file.

Apr 9 2023, 5:02 PM · VyOS 1.4 Sagitta
chenxiaolong added a comment to T5151: EAP-TLS TLSv1.0/1.1 regression after T5003.

Submitted PRs:

Apr 9 2023, 4:55 PM · VyOS 1.4 Sagitta
chenxiaolong created T5151: EAP-TLS TLSv1.0/1.1 regression after T5003.
Apr 9 2023, 4:41 PM · VyOS 1.4 Sagitta

Sep 2 2022

chenxiaolong added a comment to T4127: Upgrading from pre-certstore image to certstore image does not handle CA files with multiple certs.

In case anyone comes across this bug report, I submitted a couple PRs to fix this earlier this year: https://phabricator.vyos.net/T4245

Sep 2 2022, 10:52 PM · Bugs, VyOS 1.4 Sagitta (1.4.0-GA)
chenxiaolong added a project to T4666: EAP-TLS no longer allows TLSv1.0 after T4537, T4584: VyOS 1.4 Sagitta.
Sep 2 2022, 10:36 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta, wpa
chenxiaolong added a comment to T4666: EAP-TLS no longer allows TLSv1.0 after T4537, T4584.

I've submitted a PR to reintroduce the patch: https://github.com/vyos/vyos-build/pull/259

Sep 2 2022, 10:35 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta, wpa

Sep 1 2022

chenxiaolong created T4666: EAP-TLS no longer allows TLSv1.0 after T4537, T4584.
Sep 1 2022, 2:58 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta, wpa

Feb 20 2022

chenxiaolong closed T4245: eapol: Support for specifying the full CA chain of trust for both client and server as Resolved.

Closing this as resolved since both PRs have been merged.

Feb 20 2022, 9:20 PM

Feb 19 2022

chenxiaolong committed rVYOSONEX3d1b34bf715e: pki: eapol: T4245: Add full CA and client cert chains to wpa_supplicant PEM….
Feb 19 2022, 9:36 AM

Feb 18 2022

chenxiaolong closed T4244: eapol: commit fails with KeyError when PKI certificate name differs from the CA name as Resolved.
Feb 18 2022, 8:21 PM
chenxiaolong added a comment to T4245: eapol: Support for specifying the full CA chain of trust for both client and server.

PR for documentation: https://github.com/vyos/vyos-documentation/pull/719

Feb 18 2022, 12:33 AM
chenxiaolong added a comment to T4245: eapol: Support for specifying the full CA chain of trust for both client and server.

I've submitted a PR here: https://github.com/vyos/vyos-1x/pull/1227

Feb 18 2022, 12:03 AM

Feb 17 2022

chenxiaolong renamed T4245: eapol: Support for specifying the full CA chain of trust for both client and server from eapol: Support for multiple CA certificates (eg. intermediate + root) to eapol: Support for specifying the full CA chain of trust for both client and server.
Feb 17 2022, 7:38 AM
chenxiaolong added a comment to T4245: eapol: Support for specifying the full CA chain of trust for both client and server.

After further testing, it looks like it's not necessary to have <iface>_ca.pem contain both the server and client chains of trust.

Feb 17 2022, 7:32 AM
chenxiaolong added a comment to T4245: eapol: Support for specifying the full CA chain of trust for both client and server.

I started working on implementing my "alternative" idea. It's a little bit more complicated than I first thought because we have to consider both the server and client chain of trust.

Feb 17 2022, 7:16 AM
chenxiaolong created T4252: `show configuration json` (op mode) and `show | json` (conf mode) represent multi-value nodes differently.
Feb 17 2022, 5:39 AM · VyOS Rolling, Restricted Project

Feb 15 2022

chenxiaolong committed rVYOSONEXe00edb0072ce: pki: eapol: T4244: Fix KeyError when CA cert name differs from client cert name.
Feb 15 2022, 5:14 AM

Feb 14 2022

chenxiaolong added a comment to T4245: eapol: Support for specifying the full CA chain of trust for both client and server.

Alternatively, since the pki code seems to already recognize parents/issuers:

Feb 14 2022, 10:35 PM
chenxiaolong created T4245: eapol: Support for specifying the full CA chain of trust for both client and server.
Feb 14 2022, 10:31 PM
chenxiaolong added a comment to T4244: eapol: commit fails with KeyError when PKI certificate name differs from the CA name.

I've submitted a PR to fix this here: https://github.com/vyos/vyos-1x/pull/1220

Feb 14 2022, 10:11 PM
chenxiaolong created T4244: eapol: commit fails with KeyError when PKI certificate name differs from the CA name.
Feb 14 2022, 10:06 PM