85 lines
2.6 KiB
Plaintext
Todo-List for charon
--------------------

+ = done, / = partial, - = todo, ordered by priority

+ private key loading: DER, without passphrase
+ load all private keys from ipsec.d/private/ in stroke.c
+ handle leftcert and rightcert in starterstroke.c/stroke.c
+ load specified certs in stroke.c
+ extract public keys from certs
+ public key authentication
+ release for Andreas

+ stroke loglevels
+ stroke up
+ ike_sa_manager checkout_by_hosts
+ stroke down
+ stroke output redirection
+ stroke status

+ libx509
+ new charon build - libstrong?
+ transforms
+ utils (plus host)
+ logger_manager instance in lib
+ leak detective usable for charon and pluto and anything else
+ integrate asn1 parser/oid (asn1/oid)
+ integrate basic PEM loading
+ port x509 stuff

+ doxygen cleanup (charon/lib)
+ new build environment (autotools?)

+ usable certificate support
+ more ID types (use atodn from pluto)
+ rewrite certificate storage the clean way
+ further subjectAltName support
+ certificate validation/chaining
+ certificate exchange

+ Apply -W's from Makefile.program to charon
+ do ipsec status via starter

+ stroke status should show configured connections
+ stroke loglevel update
+ stroke argument parsing via getopts/gperf?

+ ipsec.secrets parsing

+ trapping
+ proper delete messages
+ notifies on connection setup failure
+ create child sa message/rekeying
+ IKE_SA rekeying
+ handle all simultaneous rekeying/delete/create cases

+ replace state machine with something more transaction oriented
+ find existing IKE_SA on CHILD_SA initiation

+ use dpdaction/dpddelay parameters from ipsec.conf
+ add firewall script support
+ do not link unneeded libraries in bins
+ include only a minimum of NAT-D payloads
+ implement 3DES to load encrypted PEM files
+ implement an "event bus" mechanism
+ add more output to up/down, somehow...
- detach console after first keyingtry
- proper handling of CTRL+C console detach (SIGPIPE)
- configure flag which allows omitting the vendor ID in pluto
- ikelifetime should optionally enforce reauthentication
- cookies/DDoS prevention
- implement a mechanism against thread exhaustion
  when a blocked IKE_SA receives a lot of messages
- add a CRL fetch mechanism which synchronizes concurrent fetches of the same CRL
- add support for CERTREQs
- proper handling of multiple certificate payloads (import order)
- add a Rekey-Counter for SAs in "statusall"
- ipsec status:
  + on one line: IP, ID, SPI
  + no key age, rekey for IKE
  - byte count
- retry transaction on failure while keyingtries > 1
- reduce printf handler count to 10, as uClibc does not support more
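The "cookies/DDoS prevention" item above refers to the stateless cookie exchange of IKEv2 (RFC 4306, section 2.6): a responder that has too many half-open IKE_SAs answers IKE_SA_INIT with a COOKIE notify instead of allocating state, and only accepts the request once the initiator resends it with that cookie. The sketch below is an added illustration of that mechanism and is not charon's code; the class and function names, the half-open threshold, the HMAC-SHA256 construction with a version byte and two kept secret versions, and the sample nonce, address and SPI are all assumptions made for the example.

```python
"""Stateless IKE_SA_INIT cookie check in the style of RFC 4306 section 2.6.

Added example, not charon's implementation; names and thresholds are assumed.
"""
import hashlib
import hmac
import ipaddress
import os

COOKIE_NOTIFY = 16390        # IKEv2 notify message type COOKIE (RFC 4306)
COOKIE_LEN = 1 + 16          # secret version byte + truncated HMAC-SHA256
KEPT_SECRET_VERSIONS = 2     # current secret plus the previous one


class CookieResponder:
    """Responder side: issues and verifies cookies without allocating an IKE_SA."""

    def __init__(self, half_open_limit=50):
        self.half_open_limit = half_open_limit   # assumed threshold, not charon's
        self.half_open = 0                       # half-open IKE_SAs currently held
        self.version = 0                         # current secret version (one byte)
        self.secrets = {self.version: os.urandom(32)}

    def rotate_secret(self):
        """Start a new secret; cookies older than KEPT_SECRET_VERSIONS stop verifying.

        Rotating periodically bounds how long a captured cookie stays usable.
        """
        self.version = (self.version + 1) & 0xFF
        self.secrets[self.version] = os.urandom(32)
        for old in list(self.secrets):
            if (self.version - old) % 256 >= KEPT_SECRET_VERSIONS:
                del self.secrets[old]

    def _mac(self, version, ni, peer_ip, spi_i):
        # Cookie = HMAC(secret, Ni | IPi | SPIi); binding to all three means a
        # cookie cannot be replayed from another address or for another SPI.
        data = ni + ipaddress.ip_address(peer_ip).packed + spi_i
        return hmac.new(self.secrets[version], data, hashlib.sha256).digest()[:16]

    def make_cookie(self, ni, peer_ip, spi_i):
        return bytes([self.version]) + self._mac(self.version, ni, peer_ip, spi_i)

    def check_cookie(self, cookie, ni, peer_ip, spi_i):
        if len(cookie) != COOKIE_LEN or cookie[0] not in self.secrets:
            return False
        expected = self._mac(cookie[0], ni, peer_ip, spi_i)
        return hmac.compare_digest(cookie[1:], expected)   # constant-time compare

    def under_attack(self):
        return self.half_open >= self.half_open_limit

    def handle_ike_sa_init(self, ni, peer_ip, spi_i, cookie=None):
        """Return ('COOKIE', cookie) to answer with N(COOKIE) and keep no state,
        or ('ACCEPT', None) once a valid cookie is presented (or there is no attack)."""
        if self.under_attack():
            if cookie is None or not self.check_cookie(cookie, ni, peer_ip, spi_i):
                return ('COOKIE', self.make_cookie(ni, peer_ip, spi_i))
        self.half_open += 1          # only now is state allocated
        return ('ACCEPT', None)


def initiate(responder, ni, my_ip, spi_i, max_retries=1):
    """Initiator side: on a COOKIE notify, resend IKE_SA_INIT with the cookie echoed."""
    cookie = None
    for _ in range(max_retries + 1):
        status, reply_cookie = responder.handle_ike_sa_init(ni, my_ip, spi_i, cookie)
        if status == 'ACCEPT':
            return True
        cookie = reply_cookie        # N(COOKIE) becomes the first payload of the retry
    return False


if __name__ == '__main__':
    # Constructed sample values; a limit of 0 forces cookie mode for the demo.
    responder = CookieResponder(half_open_limit=0)
    ni, spi_i = b'\x11' * 32, b'\x22' * 8
    print('accepted after cookie round trip:', initiate(responder, ni, '192.0.2.10', spi_i))
    print('accepted without retry:', initiate(responder, ni, '192.0.2.10', spi_i, max_retries=0))
```

The responder does no allocation and no lookup before the cookie verifies, which is the whole point: the cost of a flood of spoofed IKE_SA_INIT requests is one HMAC per packet, and a cookie taken from one source cannot be reused from another address, for another SPI, or after two secret rotations.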