Update the update check logic to be uniform with pfSense-upgrade
This change aligns the update check logic with pfSense-upgrade. This
improves consistency and reduces redundant package checks. The relevant
function has also been updated for better readability.
Change display of cert DN/Subject to be Identity. Implements #16657
Certs may have an empty Subject if they contain SANs, so if the subject is empty, use the SANs to form an Identity to show in the GUI.
Treat config.xml as XML 1 when parsing its contents. Fix #16661
The flag ENT_XML1 was not available when the xmlparser functions were
originally written, nor when the parsing later changed to use
htmlentities() instead of htmlspecialchars(). Over time the default flags
used by this (and related) functions have changed. This commit specifies
the flags for consistency and changes the default-inherited ENT_HTML401
flag to ENT_XML1.
Refresh alias cache before updating static routes. Fix #16407
The code which updates static routes relies on a global alias variable to
determine what changes are needed. Once an alias is updated the global
variable must be refreshed so route changes reflect the latest config.
Also include "network" aliases when detecting static route aliases.
Certificate auto-renewal. Implements #16607
- Option for certificates to auto-renew, only available for certificates using internal CAs and self-signed certificates.
- Auto-renew always uses strict security options to ensure smooth transitions to higher security standards (e.g. lower cert lifetimes, stronger minimum size for keys)
- Indicates auto-renew status in certificate list by the name
- Behavior is opt-in except for new self-signed certificates which have the option forced on
- On upgrade it activates auto-renew for the GUI cert if it is capable of being renewed locally
- Detects weak or expired GUI certs on upgrade and handle them as needed to ensure the GUI will start
DDNS: set appropriate log priority for "no change" message
While there update the message for errors 8 and 9 since they are used by
multiple DDNS services and actually log them.
Correct static route checks when saving. Fix #16625
Fix input validation checks for route overlaps when re-saving routes.
Also add missing checks for pending system route changes when clearing
the staticroutes subsystem. While there also avoid clobbering $route.
Don't send duplicate logs to remote syslog servers. Fix #16376
Move the remote server config lines to their appropriate sections with
the appropriate program/message specifications. This avoids the need to
re-declare the specifications for the remote server config lines. Also
add validation checks to prevent enabling specific remote logging
categories when "Everything" is already selected.
Mitigate config access races during post-upgrade package reinstall
This change avoids false-positive config cache hits while the config is
being written. Additionally the config modification during package
installation is now more precise by targeting the specific package path
rather than overwriting all packages.
Introduce a way for packages to keep RAM disk data. Implement #16624
Packages that maintain their own databases need to recreate the db after
each boot when the RAM Disk feature is enabled. With this change packages
can specify a directory at /var/db/<name> which will be included in the
RAM disk backup and restore scripts.
Update cert expiration warnings. Implements #16605
To accommodate short-lived certificates, change the warning threshold to
be the *lesser* of 1/3 the lifetime (minus one day) or the configured
max warning days. This avoids warning too early/too often for certs with
short lifetimes.
