Development discussion of WireGuard
From: ben edmunds <tigger2014g@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Certain private keys being mangled by wg on FreeBSD
Date: Mon, 7 Jun 2021 20:17:58 +0100
Message-ID: <e8baa2e1-78e4-1b02-940a-b8058f86a6cc@gmail.com>
In-Reply-To: <CAHmME9o6RhPmojbA4nTRA4GqFXVstEsmmfUj8SqmaJSvGsmmWQ@mail.gmail.com>

The issue here for pfSense is that the private key will be viewable just 
like it is within native wireguard clients in the peer config options 
and needs to be viewable here for admin and debug purposes.


With regard to clamping and hiding this from users, it's tricky as it 
leads to red herring issues as people debug the tunnels via showcase, for 
example, and will see a different key from the one they entered in the UI. So 
the only logical option is to:

1) inform the admin that the key has been clamped

2) show the admin the clamped key which they can see whilst debugging.


By not showing this to the user to avoid confusion, we would actually 
create confusion in this scenario, as the kernel module is performing the 
clamping but the user would have no knowledge of this, which leads to 
issues being opened that are a non-issue. The aim is not to show the 
users anything about clamping unless the key needs to be clamped because it 
was not clamped already.

I believe it is key to remember that pfSense is not an end-user 
application/tool and is designed to be used by admins & network engineers, 
who should be considered power users capable of being exposed to 
more information.


Regards

Tigger2014
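The two options above (tell the admin the key was clamped, and show the clamped key they will see while debugging) amount to a small check a UI can run on the key the admin typed in. The following is an added example, not code from this thread, pfSense or the WireGuard project, and it is written in Python for illustration rather than pfSense's PHP. It applies the standard Curve25519 private-key clamping (clear the low three bits of byte 0, clear bit 7 and set bit 6 of byte 31), which is what the WireGuard kernel implementations apply to a private key before use, and reports whether the key as entered already had that form. The function names, the dictionary layout and the two sample keys are constructed for this example.

```python
import base64


def clamp_private_key(raw: bytes) -> bytes:
    """Return the Curve25519-clamped form of a 32-byte private key.

    The kernel performs exactly this transformation before using the key,
    so this is the value an admin will see when inspecting the live tunnel.
    """
    if len(raw) != 32:
        raise ValueError("WireGuard private key must be exactly 32 bytes")
    k = bytearray(raw)
    k[0] &= 248      # clear the low 3 bits of the first byte
    k[31] &= 127     # clear the top bit of the last byte
    k[31] |= 64      # set bit 6 of the last byte
    return bytes(k)


def decode_key(key_b64: str) -> bytes:
    """Strictly decode a base64 key as entered in a UI field.

    Rejects non-base64 input and wrong-length keys before anything is
    handed to the kernel, so a typo cannot silently become a different key.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("private key is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError("decoded private key is not 32 bytes")
    return raw


def check_admin_key(key_b64: str) -> dict:
    """Compare the entered key with the form the kernel will actually use."""
    raw = decode_key(key_b64)
    clamped = clamp_private_key(raw)
    return {
        "entered": key_b64,
        "effective": base64.b64encode(clamped).decode(),
        "was_clamped": clamped != raw,
    }


def clamping_notice(key_b64: str):
    """Return the admin-facing notice, or None when no notice is needed.

    This mirrors the policy in the message above: say nothing unless the
    key really was changed, and when it was, show the clamped key so it
    matches what the admin sees while debugging the tunnel.
    """
    result = check_admin_key(key_b64)
    if not result["was_clamped"]:
        return None
    return (
        "The private key you entered was clamped by the kernel; "
        "the effective key in use is " + result["effective"]
    )


# Constructed sample keys (not real keys): the first has the low bits of
# byte 0 and the top bit of byte 31 set, so clamping changes it; the
# second is already in clamped form.
UNCLAMPED_KEY = base64.b64encode(bytes([0x07]) + bytes(30) + bytes([0x80])).decode()
ALREADY_CLAMPED_KEY = base64.b64encode(bytes(31) + bytes([0x40])).decode()


if __name__ == "__main__":
    for key in (UNCLAMPED_KEY, ALREADY_CLAMPED_KEY):
        notice = clamping_notice(key)
        print(key, "->", notice if notice else "no clamping needed")
```

Running `check_admin_key` on a key at save time, and surfacing `clamping_notice` only when it returns a value, keeps the UI silent for keys generated by `wg genkey` (which are already clamped) while still explaining the difference the admin would otherwise discover on their own.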



Thread overview: 8+ messages
2021-06-06 14:27 Christian McDonald
2021-06-06 15:09 ` Jason A. Donenfeld
2021-06-06 15:59   ` Christian McDonald
2021-06-06 16:21     ` Jason A. Donenfeld
2021-06-07 11:05       ` Christian McDonald
2021-06-07 12:52         ` Jason A. Donenfeld
2021-06-07 19:17           ` ben edmunds [this message]
2021-06-08 13:20             ` Jason A. Donenfeld
