From: Tobias Brunner Date: Thu, 29 Jun 2017 12:52:28 +0000 (+0200) Subject: android: Make sending certificate requests configurable in the GUI X-Git-Tag: 5.6.0dr1~22^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ae7f8b7a2ef67bc9b56b52398d93907cf95c67d;p=thirdparty%2Fstrongswan.git android: Make sending certificate requests configurable in the GUI --- diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java b/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java index 1b1494be8f..8bf5fd2b21 100644 --- a/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java +++ b/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java @@ -53,6 +53,7 @@ import android.widget.EditText; import android.widget.MultiAutoCompleteTextView; import android.widget.RelativeLayout; import android.widget.Spinner; +import android.widget.Switch; import android.widget.TextView; import org.strongswan.android.R; @@ -113,6 +114,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity private TextInputLayoutHelper mMTUWrap; private EditText mPort; private TextInputLayoutHelper mPortWrap; + private Switch mCertReq; private EditText mNATKeepalive; private TextInputLayoutHelper mNATKeepaliveWrap; private EditText mIncludedSubnets; @@ -167,6 +169,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity mPortWrap = (TextInputLayoutHelper) findViewById(R.id.port_wrap); mNATKeepalive = (EditText)findViewById(R.id.nat_keepalive); mNATKeepaliveWrap = (TextInputLayoutHelper) findViewById(R.id.nat_keepalive_wrap); + mCertReq = (Switch)findViewById(R.id.cert_req); mIncludedSubnets = (EditText)findViewById(R.id.included_subnets); mIncludedSubnetsWrap = (TextInputLayoutHelper)findViewById(R.id.included_subnets_wrap); mExcludedSubnets = (EditText)findViewById(R.id.excluded_subnets); 
@@ -530,9 +533,10 @@ public class VpnProfileDetailActivity extends AppCompatActivity boolean show = mShowAdvanced.isChecked(); if (!show && mProfile != null) { - Integer st = mProfile.getSplitTunneling(); + Integer st = mProfile.getSplitTunneling(), flags = mProfile.getFlags(); show = mProfile.getRemoteId() != null || mProfile.getMTU() != null || - mProfile.getPort() != null || mProfile.getNATKeepAlive() != null || (st != null && st != 0) || + mProfile.getPort() != null || mProfile.getNATKeepAlive() != null || + (flags != null && flags != 0) || (st != null && st != 0) || mProfile.getIncludedSubnets() != null || mProfile.getExcludedSubnets() != null || mProfile.getSelectedAppsHandling() != SelectedAppsHandling.SELECTED_APPS_DISABLE; } @@ -661,6 +665,9 @@ public class VpnProfileDetailActivity extends AppCompatActivity mProfile.setMTU(getInteger(mMTU)); mProfile.setPort(getInteger(mPort)); mProfile.setNATKeepAlive(getInteger(mNATKeepalive)); + int flags = 0; + flags |= !mCertReq.isChecked() ? VpnProfile.FLAGS_SUPPRESS_CERT_REQS : 0; + mProfile.setFlags(flags); String included = mIncludedSubnets.getText().toString().trim(); mProfile.setIncludedSubnets(included.isEmpty() ? null : included); String excluded = mExcludedSubnets.getText().toString().trim(); @@ -681,6 +688,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity private void loadProfileData(Bundle savedInstanceState) { String useralias = null, local_id = null, alias = null; + Integer flags = null; getSupportActionBar().setTitle(R.string.add_profile); if (mId != null && mId != 0) 
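Review bot: In the save path (hunk `@@ -661`), `mProfile.setFlags(flags)` stores only the one bit this screen knows about, so any other flag bit a profile might carry — set by an import path or by a flag added later — would be cleared every time the profile is edited here; if VpnProfile holds or will hold more than FLAGS_SUPPRESS_CERT_REQS, preserve the rest by starting from the stored value, e.g. `Integer stored = mProfile.getFlags(); int flags = (stored == null ? 0 : stored) & ~VpnProfile.FLAGS_SUPPRESS_CERT_REQS;` followed by `if (!mCertReq.isChecked()) flags |= VpnProfile.FLAGS_SUPPRESS_CERT_REQS;`. The guarded `|=` also reads more naturally than `flags |= cond ? X : 0`. Storing 0 rather than null when the switch is on is consistent with the `flags != null && flags != 0` test in the first hunk and the `flags == null ||` check in loadProfileData, so that part is fine. The method containing the save code starts and ends outside this hunk.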
@@ -703,6 +711,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity mBlockIPv6.setChecked(mProfile.getSplitTunneling() != null && (mProfile.getSplitTunneling() & VpnProfile.SPLIT_TUNNELING_BLOCK_IPV6) != 0); mSelectedAppsHandling = mProfile.getSelectedAppsHandling(); mSelectedApps = mProfile.getSelectedAppsSet(); + flags = mProfile.getFlags(); useralias = mProfile.getUserCertificateAlias(); local_id = mProfile.getLocalId(); alias = mProfile.getCertificateAlias(); @@ -717,6 +726,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity } mSelectVpnType.setSelection(mVpnType.ordinal()); + mCertReq.setChecked(flags == null || (flags & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0); /* check if the user selected a user certificate previously */ useralias = savedInstanceState == null ? useralias : savedInstanceState.getString(VpnProfileDataSource.KEY_USER_CERTIFICATE); diff --git a/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml b/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml index 472efbc83a..199a7dfeeb 100644 --- a/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml +++ b/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml 
@@ -260,6 +260,23 @@ + + + + UDP-Port zu dem verbunden wird, falls dieser vom Standard-Port abweicht NAT-T Keepalive Intervall Kleine Pakete werden gesendet, um Mappings auf NAT-Routern am Leben zu erhalten, wenn sonst nichts gesendet wird. Um Energie zu sparen, ist das Standardintervall auf 45 Sekunden gesetzt. Hinter NAT-Routern die Mappings früh entfernen, ist dies möglicherweise zu hoch. 20 Sekunden oder weniger können in diesem Fall helfen. + Zertifikatsanforderungen senden + Zertifikatsanforderungen werden für alle oder ausgewählte CA-Zertifikate gesendet. Um die Grösse der IKE_AUTH Nachricht zu reduzieren, kann dies deaktiviert werden. Allerdings funktioniert dies nur, falls der Server sein Zertifikat auch sendet, wenn er zuvor keine Zertifikatsanforderungen erhalten hat. Split-Tunneling Standardmässig leitet der Client allen Netzwerkverkehr durch den VPN Tunnel, ausser der Server schränkt die Subnetze beim Verbindungsaufbau ein, in welchem Fall nur der Verkehr via VPN geleitet wird, den der Server erlaubt (der Rest wird standardmässig behandelt, als ob kein VPN vorhanden wäre). Blockiere IPv4 Verkehr der nicht für das VPN bestimmt ist diff --git a/src/frontends/android/app/src/main/res/values-pl/strings.xml b/src/frontends/android/app/src/main/res/values-pl/strings.xml index d551909945..a87381aa1e 100644 --- a/src/frontends/android/app/src/main/res/values-pl/strings.xml +++ b/src/frontends/android/app/src/main/res/values-pl/strings.xml 
@@ -81,6 +81,8 @@ UDP port to connect to, if different from the default NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. Split tunneling By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). Block IPv4 traffic not destined for the VPN diff --git a/src/frontends/android/app/src/main/res/values-ru/strings.xml b/src/frontends/android/app/src/main/res/values-ru/strings.xml index 666e5be083..0ce54e56e2 100644 --- a/src/frontends/android/app/src/main/res/values-ru/strings.xml +++ b/src/frontends/android/app/src/main/res/values-ru/strings.xml 
@@ -78,6 +78,8 @@ UDP port to connect to, if different from the default NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. Split tunneling By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). Block IPv4 traffic not destined for the VPN diff --git a/src/frontends/android/app/src/main/res/values-ua/strings.xml b/src/frontends/android/app/src/main/res/values-ua/strings.xml index 2ba7ef8641..5b769b7870 100644 --- a/src/frontends/android/app/src/main/res/values-ua/strings.xml +++ b/src/frontends/android/app/src/main/res/values-ua/strings.xml 
@@ -79,6 +79,8 @@ UDP port to connect to, if different from the default NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. Split tunneling By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). Block IPv4 traffic not destined for the VPN diff --git a/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml b/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml index b8fccadadf..4202c5f846 100644 --- a/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml +++ b/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml 
@@ -78,6 +78,8 @@ 如不同于默认值,则所需连接的UDP端口 NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. 拆分隧道 By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). 屏蔽不通过VPN的IPV4流量 diff --git a/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml b/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml index 2108a8b304..6c0e104b53 100644 --- a/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml +++ b/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml 
@@ -78,6 +78,8 @@ 如果和預設值不同,則需要連接的UDP Port NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. 拆分隧道 By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). 屏蔽不通过VPN的IPV4流量 diff --git a/src/frontends/android/app/src/main/res/values/strings.xml b/src/frontends/android/app/src/main/res/values/strings.xml index 0f22cc8cf9..f99f7dea5a 100644 --- a/src/frontends/android/app/src/main/res/values/strings.xml +++ b/src/frontends/android/app/src/main/res/values/strings.xml 
@@ -81,6 +81,8 @@ UDP port to connect to, if different from the default NAT-T keepalive interval Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case. + Send certificate requests + Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests. Split tunneling By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN). Block IPv4 traffic not destined for the VPN
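Review bot: The new help text for `Send certificate requests` explains the message-size trade-off but leaves unanswered the question a security-conscious user will ask: whether turning the switch off relaxes how the server's certificate is checked. From what this change shows, the flag only suppresses the CERTREQ payloads the client sends (hints to the server about which CAs the client accepts), so the server certificate is presumably still validated against the selected CA certificates as before — but that is inferred from the flag name rather than visible here, so confirm it on the daemon side before wording it. If it holds, append one sentence to the description: `Disabling this does not change how the server's certificate is verified; it only omits the hint about which CA certificates the client trusts.` The same sentence should then be carried into the translated copies, which currently repeat the English text verbatim.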