1 <!DOCTYPE html> 2 <html> 3 <head> 4 <meta charset="utf-8"> 5 <link rel="stylesheet" href="onc_spec.css" > 6 <script src="onc_spec.js"></script> 7 <title>Open Network Configuration Format</title> 8 </head> 9 <body> 10 11 <section id="root" class="not_in_toc"> 12 <h1>Open Network Configuration Format</h1> 13 14 <section class="not_in_toc"> 15 <h1>Outline</h1> 16 <div id="outline"></div> 17 </section> 18 19 <section> 20 <h1>Objective</h1> 21 <p> 22 We would like to create a simple, open, but complete format to describe 23 multiple network configurations for Wi-Fi, Ethernet, Cellular, 24 Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order 25 to simplify and automate network configuration for users. 26 </p> 27 </section> 28 29 <section> 30 <h1>Background</h1> 31 <p> 32 Configuring networks is a painful and error-prone experience for users. It 33 is a problem shared across desktop, laptop, tablet, and phone users of all 34 operating system types. It is exacerbated in business and schools which 35 often have complex network configurations (VPNs and 802.1X networking) that 36 change often and have many connected devices. Configuration of Wi-Fi is 37 still done manually, often by administrators physically standing next to 38 users working on devices. Certificate distribution is particularly painful 39 which often results in admins instead using passphrases to protect networks 40 or using protocols without client certificates that instead use LDAP 41 passwords for authentication. Even after networks are configured, updates to 42 the network configuration require another round of manual changes, and 43 accidental changes by a user or malicious changes by an attacker can break 44 connectivity or make connections less private or secure. 45 </p> 46 47 <section> 48 <h1>Overview</h1> 49 <p> 50 We propose a single-file format for network configuration that is 51 human-readable, can describe all of the common kinds of network 52 configurations, supports integrity checking, certificate and key 53 provisioning, and updating. The file can be encrypted with a single 54 passphrase so that upon entering the passphrase the entire configuration is 55 loaded. The format can be described as an open format to enable multiple OS 56 vendors to interoperate and share configuration editors. 57 </p> 58 59 <p> 60 This format neither supports configuring browser settings nor allows setting 61 other types of system policies. 62 </p> 63 </section> 64 65 <section> 66 <h1>Infrastructure</h1> 67 <p> 68 A standalone configuration editor will be created, downloadable as a Chrome 69 app. This editor will allow creating, modifying, and encrypting an open 70 network configuration file in a way that is intuitive for a system 71 administrator. 72 </p> 73 74 <p> 75 This file format may be delivered to a user and manually imported into a 76 device. 77 </p> 78 79 <p> 80 This file format may be created by an administrator, stored in a policy 81 repository, and automatically pushed to a device. 82 </p> 83 </section> 84 85 </section> 86 87 <section> 88 <h1>Detailed Design</h1> 89 <p> 90 We use JSON format for the files. The fields in a JSON file are always 91 case-sensitive, so the exact case of the fields in this section must be 92 matched. In addition, the values that are called out as explicit constants 93 must also match the case specified (e.g. WiFi must not be written as wifi, 94 etc.). This document describes a minimum set of required fields and optional 95 fields. Other fields may be created, however, see the 96 implementation-specific fields for guidelines for these fields. 97 </p> 98 99 <p> 100 The JSON consists of a top level dictionary containing 101 a <span class="field">Type</span> field which must have either the 102 value <span class="value">EncryptedConfiguration</span> 103 or <span class="value">UnencryptedConfiguration</span>. 104 </p> 105 106 <p> 107 For a description of the <span class="type">EncryptedConfiguration</span> 108 type, see the section on Encrypted Configuration 109 below. The <span class="type">EncryptedConfiguration</span> format encrypts 110 an unencrypted JSON object. 111 </p> 112 113 <section> 114 <h1>GUIDs and Updating</h1> 115 <p> 116 This format allows for importing updated network configurations and 117 certificates by providing GUIDs to each network configuration and 118 certificate so they can be modified or even removed in future updates. 119 </p> 120 121 <p> 122 GUIDs are non-empty strings that are meant to be stable and unique. When 123 they refer to the same entity, they should be the same between ONC files. No 124 two different networks or certificates should have the same GUID, similarly 125 a network and certificate should not have the same GUID. A single ONC file 126 should not contain the same entity twice (with the same GUID). Failing any 127 of these tests indicates the ONC file is not valid. 128 </p> 129 130 <p> 131 Any GUID referred to in an ONC file must be present in the same ONC file. In 132 particular, it is an error to create a certificate in one ONC file and refer 133 to it in a NetworkConfiguration in another ONC file and not define it there, 134 even if the previous ONC file has been imported. 135 </p> 136 </section> 137 138 <section> 139 <h1>Implementation-specific fields</h1> 140 <p> 141 As there are many different kinds of connections and some that are not yet 142 anticipated may require new fields. This format allows arbitrary other 143 fields to be added. 144 </p> 145 146 <p> 147 Fields and values should follow these general guidelines: 148 </p> 149 150 <ul> 151 <li> 152 Certificates (with and without keys) should always be placed in the 153 certificate section - specifically certificate contents should not be 154 placed in fields directly. Referring to certificates should be done using 155 a field whose name ends in Ref and whose value is the GUID of the 156 certificate, or if the certificate is not contained in this file, its 157 pattern can be described using a field ending in Pattern of 158 <span class="type">CertificatePattern</span> type. 159 </li> 160 <li> 161 Fields should exist in the most-specific object in the hierarchy and 162 should be named CamelCase style. 163 </li> 164 <li> 165 Booleans and integers should be used directly instead of using a 166 stringified version of the type. 167 </li> 168 </ul> 169 170 <p> 171 Any editor of network configuration information should allows the user to 172 modify any fields that are implementation-specific. It may not be present 173 directly in the UI but it should be able to import files with such settings 174 and leave preserve these settings on export. 175 </p> 176 </section> 177 178 <section> 179 <h1>Unencrypted Configuration</h1> 180 <p> 181 When the top level <span class="field">Type</span> field 182 is <span class="value">UnencryptedConfiguration</span>, the top level JSON 183 has the <span class="type">UnencryptedConfiguration</span> 184 type. <span class="type">UnencryptedConfiguration</span> type contains the 185 following: 186 </p> 187 188 <dl class="field_list"> 189 <dt class="field">Type</dt> 190 <dd> 191 <span class="field_meta"> 192 (required) 193 <span class="type">string</span> 194 </span> 195 Must be <span class="value">UnencryptedConfiguration</span>. 196 </dd> 197 198 <dt class="field">NetworkConfigurations</dt> 199 <dd> 200 <span class="field_meta"> 201 (optional) 202 <span class="type">array of NetworkConfiguration</span> 203 </span> 204 Describes Wi-Fi, Ethernet, VPN, and wireless connections. 205 </dd> 206 207 <dt class="field">Certificates</dt> 208 <dd> 209 <span class="field_meta"> 210 (optional) 211 <span class="type">array of Certificate</span> 212 </span> 213 Contains certificates stored in X.509 or PKCS#12 format. 214 </dd> 215 </dl> 216 217 <p class="rule"> 218 <span class="rule_id"></span> 219 At least one array (either <span class="field">NetworkConfigurations</span> 220 and/or <span class="field">Certificates</span>) must be present. 221 </p> 222 223 <section> 224 <h1>Network Configuration</h1> 225 <p> 226 Field <span class="field">NetworkConfigurations</span> is an array 227 of <span class="type">NetworkConfiguration</span> typed 228 objects. The <span class="type">NetworkConfiguration</span> type contains 229 the following: 230 </p> 231 232 <dl class="field_list"> 233 <dt class="field">Ethernet</dt> 234 <dd> 235 <span class="field_meta"> 236 (required if <span class="field">Type</span> is 237 <span class="value">Ethernet</span>, otherwise ignored) 238 <span class="type">Ethernet</span> 239 </span> 240 Ethernet settings. 241 </dd> 242 243 <dt class="field">GUID</dt> 244 <dd> 245 <span class="field_meta"> 246 (required) 247 <span class="type">string</span> 248 </span> 249 A unique identifier for this network connection, which exists to make it 250 possible to update previously imported configurations. Must be a non-empty 251 string. 252 </dd> 253 254 <dt class="field">IPConfigs</dt> 255 <dd> 256 <span class="field_meta"> 257 (optional if <span class="field">Remove</span> is 258 <span class="value">false</span>, otherwise ignored) 259 <span class="type">array of IPConfig</span> 260 </span> 261 Static IPv4 or IPv6 parameters to associate with this connection. 262 </dd> 263 264 <dt class="field">Name</dt> 265 <dd> 266 <span class="field_meta"> 267 (required if <span class="field">Remove</span> is 268 <span class="value">false</span>, otherwise ignored) 269 <span class="type">string</span> 270 </span> 271 A user-friendly description of this connection. This name will not be used 272 for referencing and may not be unique. Instead it may be used for 273 describing the network to the user. 274 </dd> 275 276 <dt class="field">Remove</dt> 277 <dd> 278 <span class="field_meta"> 279 (optional, defaults to <span class="value">false</span>) 280 <span class="type">boolean</span> 281 </span> 282 If set, remove this network configuration (only GUID should be set). 283 </dd> 284 285 <dt class="field">ProxySettings</dt> 286 <dd> 287 <span class="field_meta"> 288 (optional if <span class="field">Remove</span> is 289 <span class="value">false</span>, otherwise ignored) 290 <span class="type">ProxySettings</span> 291 </span> 292 Proxy settings for this network 293 </dd> 294 295 <dt class="field">NameServers</dt> 296 <dd> 297 <span class="field_meta"> 298 (optional if <span class="field">Remove</span> is 299 <span class="value">false</span>, otherwise ignored) 300 <span class="type">array of string</span> 301 </span> 302 Array of addresses to use for name servers. If not specified, DHCP values 303 will be used. 304 </dd> 305 306 <dt class="field">SearchDomains</dt> 307 <dd> 308 <span class="field_meta"> 309 (optional if <span class="field">Remove</span> is 310 <span class="value">false</span>, otherwise ignored) 311 <span class="type">array of string</span> 312 </span> 313 Array of strings to append to names for resolution. Items in this array 314 should not start with a dot. Example: 315 <span class="snippet">["corp.acme.org", "acme.org"]</span>. If not 316 specified, DHCP values will be used. 317 </dd> 318 319 <dt class="field">VPN</dt> 320 <dd> 321 <span class="field_meta"> 322 (required if <span class="field">Type</span> is 323 <span class="value">VPN</span>, otherwise ignored) 324 <span class="type">VPN</span> 325 </span> 326 VPN settings. 327 </dd> 328 329 <dt class="field">WiFi</dt> 330 <dd> 331 <span class="field_meta"> 332 (required if <span class="field">Type</span> is 333 <span class="value">WiFi</span>, otherwise ignored) 334 <span class="type">WiFi</span> 335 </span> 336 Wi-Fi settings. 337 </dd> 338 339 <dt class="field">Type</dt> 340 <dd> 341 <span class="field_meta"> 342 (required if <span class="field">Remove</span> is 343 <span class="value">false</span>, otherwise ignored) 344 <span class="type">string</span> 345 </span> 346 <span class="rule"> 347 <span class="rule_id"></span> 348 Allowed values are <span class="value">Cellular</span>, 349 <span class="value">Ethernet</span>, <span class="value">WiFi</span>, 350 and <span class="value">VPN</span>. 351 </span> 352 Indicates which kind of connection this is. 353 </dd> 354 </dl> 355 356 <section> 357 <h1>Ethernet networks</h1> 358 <p> 359 For Ethernet connections, <span class="field">Type</span> must be set to 360 <span class="value">Ethernet</span> and the 361 field <span class="field">Ethernet</span> must be set to an object of 362 type <span class="type">Ethernet</span> containing the following fields: 363 </p> 364 365 <dl class="field_list"> 366 <dt class="field">Authentication</dt> 367 <dd> 368 <span class="field_meta"> 369 (optional) 370 <span class="type">string</span> 371 </span> 372 <span class="rule"> 373 <span class="rule_id"></span> 374 Allowed values are <span class="value">None</span> and 375 <span class="value">8021X</span>. 376 </span> 377 </dd> 378 379 <dt class="field">EAP</dt> 380 <dd> 381 <span class="field_meta"> 382 (required if <span class="field">Authentication</span> is 383 <span class="value">8021X</span>, otherwise ignored) 384 <span class="type">EAP</span> 385 </span> 386 EAP settings. 387 </dd> 388 </dl> 389 </section> 390 391 <section> 392 <h1>IP Config</h1> 393 <p> 394 Field <span class="field">IPConfigs</span> is an array 395 of <span class="type">IPConfig</span> 396 objects. Each <span class="type">IPConfig</span> object describes a 397 particular static IP configuration and contains the following fields: 398 </p> 399 400 <dl class="field_list"> 401 <dt class="field">Type</dt> 402 <dd> 403 <span class="field_meta"> 404 (required) 405 <span class="type">string</span> 406 </span> 407 <span class="rule"> 408 <span class="rule_id"></span> 409 Allowed values are <span class="value">IPv4</span> 410 and <span class="value">IPv6</span> 411 </span> 412 Describes the type of configuration this is. 413 </dd> 414 415 <dt class="field">IPAddress</dt> 416 <dd> 417 <span class="field_meta"> 418 (required) 419 <span class="type">string</span> 420 </span> 421 Describes the IPv4 or IPv6 address of a connection, depending on the value 422 of <span class="field">Type</span> field. It should not contain the 423 routing prefix (i.e. should not end in something like /64). 424 </dd> 425 426 <dt class="field">RoutingPrefix</dt> 427 <dd> 428 <span class="field_meta"> 429 (required) 430 <span class="type">integer</span> 431 </span> 432 <span class="rule"> 433 <span class="rule_id"></span> 434 Must be a number in the range [1, 32] for IPv4 and [1, 128] for IPv6 435 addresses. 436 </span> 437 Describes the routing prefix. 438 </dd> 439 440 <dt class="field">Gateway</dt> 441 <dd> 442 <span class="field_meta"> 443 (optional) 444 <span class="type">string</span> 445 </span> 446 Describes the gateway address to use for the configuration. Must match 447 address type specified in <span class="field">Type</span> field. If not 448 specified, DHCP values will be used. 449 </dd> 450 451 <dt class="field">NameServers</dt> 452 <dd> 453 <span class="field_meta"> 454 (optional) 455 <span class="type">array of string</span> 456 </span> 457 Array of addresses to use for name servers. Address format must match that 458 specified in the <span class="field">Type</span> field. Overrides values 459 in the top level NameServers field for this configuration. If not 460 specified, top level values will be used. 461 </dd> 462 463 <dt class="field">SearchDomains</dt> 464 <dd> 465 <span class="field_meta"> 466 (optional) 467 <span class="type">array of string</span> 468 </span> 469 Array of strings to append to names for resolution. Items in this array 470 should not start with a dot. Example: <span class="snippet">[ 471 "corp.acme.org", "acme.org" ]</span>. Overrides values in the top level 472 SearchDomains field for this configuration. If not specified, top level 473 values will be used. 474 </dd> 475 </dl> 476 </section> 477 478 <section> 479 <h1>Wi-Fi networks</h1> 480 <p> 481 For Wi-Fi connections, <span class="field">Type</span> must be set to 482 <span class="value">WiFi</span> and the 483 field <span class="field">WiFi</span> must be set to an object of 484 type <span class="type">WiFi</span> containing the following fields: 485 </p> 486 487 <dl class="field_list"> 488 <dt class="field">AutoConnect</dt> 489 <dd> 490 <span class="field_meta"> 491 (optional, defaults to <span class="value">false</span>) 492 <span class="type">boolean</span> 493 </span> 494 Indicating that the network should be connected to automatically when in 495 range. 496 </dd> 497 498 <dt class="field">EAP</dt> 499 <dd> 500 <span class="field_meta"> 501 (required if <span class="field">Security</span> is 502 <span class="value">WEP-8021X</span> or 503 <span class="value">WPA-EAP</span>, otherwise ignored) 504 <span class="type">EAP</span> 505 </span> 506 EAP settings. 507 </dd> 508 509 <dt class="field">HiddenSSID</dt> 510 <dd> 511 <span class="field_meta"> 512 (optional, defaults to <span class="value">false</span>) 513 <span class="type">boolean</span> 514 </span> 515 Indicating if the SSID will be broadcast. 516 </dd> 517 518 <dt class="field">Passphrase</dt> 519 <dd> 520 <span class="field_meta"> 521 (required if <span class="field">Security</span> is 522 <span class="value">WEP-PSK</span> or 523 <span class="value">WPA-PSK</span>, otherwise ignored) 524 <span class="type">string</span> 525 </span> 526 Describes the passphrase for WEP/WPA/WPA2 527 connections. If <span class="value">WEP-PSK</span> is used, the passphrase 528 must be of the format 0x<hex-number>, where <hex-number> is 529 40, 104, 128, or 232 bits. 530 </dd> 531 532 <dt class="field">Security</dt> 533 <dd> 534 <span class="field_meta"> 535 (required) 536 <span class="type">string</span> 537 </span> 538 <span class="rule"> 539 <span class="rule_id"></span> 540 Allowed values are <span class="value">None</span>, 541 <span class="value">WEP-PSK</span>, 542 <span class="value">WEP-8021X</span>, 543 <span class="value">WPA-PSK</span>, and 544 <span class="value">WPA-EAP</span>. 545 </span> 546 </dd> 547 548 <dt class="field">SSID</dt> 549 <dd> 550 <span class="field_meta"> 551 (required) 552 <span class="type">string</span> 553 </span> 554 SSID of the network. 555 </dd> 556 </dl> 557 </section> 558 559 <section> 560 <h1>VPN networks</h1> 561 <p> 562 There are many kinds of VPNs with widely varying configuration options. We 563 offer standard configuration options for a few common configurations at this 564 time, and may add more later. For all others, implementation specific fields 565 should be used. 566 </p> 567 568 <p> 569 For VPN connections, <span class="field">Type</span> must be set 570 to <span class="value">VPN</span> and the 571 field <span class="field">VPN</span> must be set to an object of 572 type <span class="type">VPN</span> containing the following fields: 573 </p> 574 575 <dl class="field_list"> 576 <dt class="field">AutoConnect</dt> 577 <dd> 578 <span class="field_meta"> 579 (optional, defaults to <span class="value">false</span>) 580 <span class="type">boolean</span> 581 </span> 582 Indicating that the network should be connected to automatically. 583 </dd> 584 585 <dt class="field">Host</dt> 586 <dd> 587 <span class="field_meta"> 588 (optional) 589 <span class="type">string</span> 590 </span> 591 Host name or IP address of server to connect to. The only scenario that 592 does not require a host is a VPN that encrypts but does not tunnel 593 traffic. Standalone IPsec (v1 or v2, cert or PSK based -- this is not the 594 same as L2TP over IPsec) is one such setup. For all other types of VPN, 595 the <span class="field">Host</span> field is required. 596 </dd> 597 598 <dt class="field">IPsec</dt> 599 <dd> 600 <span class="field_meta"> 601 (required if <span class="field">Type</span> is 602 <span class="value">IPsec</span> or 603 <span class="value">L2TP-IPsec</span>, otherwise ignored) 604 <span class="type">IPsec</span> 605 </span> 606 IPsec layer settings. 607 </dd> 608 609 <dt class="field">L2TP</dt> 610 <dd> 611 <span class="field_meta"> 612 (required if <span class="field">Type</span> is 613 <span class="value">L2TP-IPsec</span>, otherwise ignored) 614 <span class="type">L2TP</span> 615 </span> 616 L2TP layer settings. 617 </dd> 618 619 <dt class="field">OpenVPN</dt> 620 <dd> 621 <span class="field_meta"> 622 (required if <span class="field">Type</span> is 623 <span class="value">OpenVPN</span>, otherwise ignored) 624 <span class="type">OpenVPN</span> 625 </span> 626 OpenVPN settings. 627 </dd> 628 629 <dt class="field">Type</dt> 630 <dd> 631 <span class="field_meta"> 632 (required) 633 <span class="type">string</span> 634 </span> 635 <span class="rule"> 636 <span class="rule_id"></span> 637 Allowed values are <span class="value">IPsec</span>, 638 <span class="value">L2TP-IPsec</span>, and 639 <span class="value">OpenVPN</span>. 640 </span> 641 Type of the VPN. 642 </dd> 643 </dl> 644 645 <section> 646 <h1>IPsec-based VPN types</h1> 647 <p> 648 The <span class="type">IPsec</span> type contains the following: 649 </p> 650 651 <dl class="field_list"> 652 <dt class="field">AuthenticationType</dt> 653 <dd> 654 <span class="field_meta"> 655 (required) 656 <span class="type">string</span> 657 </span> 658 <span class="rule"> 659 <span class="rule_id"></span> 660 Allowed values are <span class="value">PSK</span> and 661 <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set. 662 </span> 663 </dd> 664 665 <dt class="field">ClientCertPattern</dt> 666 <dd> 667 <span class="field_meta"> 668 (required if <span class="field">ClientCertType</span> 669 is <span class="value">Pattern</span>, otherwise ignored) 670 <span class="type">CertificatePattern</span> 671 </span> 672 Pattern describing the client certificate. 673 </dd> 674 675 <dt class="field">ClientCertRef</dt> 676 <dd> 677 <span class="field_meta"> 678 (required if <span class="field">ClientCertType</span> 679 is <span class="value">Ref</span>, otherwise ignored) 680 <span class="type">string</span> 681 </span> 682 Reference to client certificate stored in certificate section. 683 </dd> 684 685 <dt class="field">ClientCertType</dt> 686 <dd> 687 <span class="field_meta"> 688 (required if <span class="field">AuthenticationType</span> 689 is <span class="value">Cert</span>, otherwise ignored) 690 <span class="type">string</span> 691 </span> 692 <span class="rule"> 693 <span class="rule_id"></span> 694 Allowed values are <span class="value">Ref</span> and 695 <span class="value">Pattern</span> 696 </span> 697 </dd> 698 699 <dt class="field">EAP</dt> 700 <dd> 701 <span class="field_meta"> 702 (optional if <span class="field">IKEVersion</span> is 2, otherwise 703 ignored) 704 <span class="type">EAP</span> 705 </span> 706 Indicating that EAP authentication should be used with the provided 707 parameters. 708 </dd> 709 710 <dt class="field">Group</dt> 711 <dd> 712 <span class="field_meta"> 713 (optional if <span class="field">IKEVersion</span> is 1, otherwise 714 ignored) 715 <span class="type">string</span> 716 </span> 717 Group name used for machine authentication. 718 </dd> 719 720 <dt class="field">IKEVersion</dt> 721 <dd> 722 <span class="field_meta"> 723 (required) 724 <span class="type">integer</span> 725 </span> 726 Version of IKE protocol to use. 727 </dd> 728 729 <dt class="field">PSK</dt> 730 <dd> 731 <span class="field_meta"> 732 (optional if <span class="field">AuthenticationType</span> 733 is <span class="value">PSK</span>, otherwise ignored) 734 <span class="type">string</span> 735 </span> 736 Pre-Shared Key. If not specified, user is prompted at time of 737 connection. 738 </dd> 739 740 <dt class="field">SaveCredentials</dt> 741 <dd> 742 <span class="field_meta"> 743 (optional if <span class="field">AuthenticationType</span> 744 is <span class="value">PSK</span>, otherwise ignored, defaults 745 to <span class="value">false</span>) 746 <span class="type">boolean</span> 747 </span> 748 If <span class="value">false</span>, require user to enter credentials 749 (PSK) each time they connect. 750 </dd> 751 752 <dt class="field">ServerCARefs</dt> 753 <dd> 754 <span class="field_meta"> 755 (optional if <span class="field">AuthenticationType</span> 756 is <span class="value">Cert</span>, otherwise rejected) 757 <span class="type">array of string</span> 758 </span> 759 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. 760 </dd> 761 762 <dt class="field">ServerCARef</dt> 763 <dd> 764 <span class="field_meta"> 765 (optional if <span class="field">AuthenticationType</span> 766 is <span class="value">Cert</span>, otherwise rejected) 767 <span class="type">string</span> 768 </span> 769 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> 770 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset. 771 </dd> 772 773 <dt class="field">XAUTH</dt> 774 <dd> 775 <span class="field_meta"> 776 (optional if <span class="field">IKEVersion</span> is 1, otherwise 777 ignored) 778 <span class="type">XAUTH</span> 779 </span> 780 Describing XAUTH credentials. XAUTH is not used if this object is not 781 present. 782 </dd> 783 </dl> 784 785 <p class="rule"> 786 <span class="rule_id"></span> 787 If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set. 788 </p> 789 790 <p class="rule"> 791 <span class="rule_id"></span> 792 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. 793 </p> 794 795 <p> 796 <span class="type">L2TP</span> type contains the following: 797 </p> 798 799 <dl class="field_list"> 800 <dt class="field">Password</dt> 801 <dd> 802 <span class="field_meta"> 803 (optional) 804 <span class="type">string</span> 805 </span> 806 User authentication password. If not specified, user is prompted at time 807 of connection. 808 </dd> 809 810 <dt class="field">SaveCredentials</dt> 811 <dd> 812 <span class="field_meta"> 813 (optional, defaults to <span class="value">false</span>) 814 <span class="type">boolean</span> 815 </span> 816 If <span class="value">false</span>, require user to enter credentials 817 each time they connect. 818 </dd> 819 820 <dt class="field">Username</dt> 821 <dd> 822 <span class="field_meta"> 823 (optional) 824 <span class="type">string</span> 825 </span> 826 User identity. This value is subject to string expansions. If not 827 specified, user is prompted at time of connection. 828 </dd> 829 </dl> 830 831 <p> 832 <span class="type">XAUTH</span> type contains the following: 833 </p> 834 835 <dl class="field_list"> 836 <dt class="field">Password</dt> 837 <dd> 838 <span class="field_meta"> 839 (optional) 840 <span class="type">string</span> 841 </span> 842 XAUTH password. If not specified, user is prompted at time of 843 connection. 844 </dd> 845 846 <dt class="field">SaveCredentials</dt> 847 <dd> 848 <span class="field_meta"> 849 (optional, defaults to <span class="value">false</span>) 850 <span class="type">boolean</span> 851 </span> 852 If <span class="value">false</span>, require user to enter credentials 853 each time they connect. 854 </dd> 855 856 <dt class="field">Username</dt> 857 <dd> 858 <span class="field_meta"> 859 (optional) 860 <span class="type">string</span> 861 </span> 862 XAUTH user name. This value is subject to string expansions. If not 863 specified, user is prompted at time of connection. 864 </dd> 865 </dl> 866 867 <section> 868 <h1>IPsec IKE v1 VPN connections</h1> 869 <p> 870 <span class="field">VPN.Type</span> must 871 be <span class="value">IPsec</span>, <span class="field">IKEVersion</span> 872 must be 1. Do not use this for L2TP over IPsec. This may be used for 873 machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See 874 the <span class="type">IPsec</span> type described below. 875 </p> 876 </section> 877 878 <section> 879 <h1>IPsec IKE v2 VPN connections</h1> 880 <p> 881 <span class="field">VPN.Type</span> must 882 be <span class="value">IPsec</span>, <span class="field">IKEVersion</span> 883 must be 2. This may be used with EAP-based user authentication. 884 </p> 885 </section> 886 887 <section> 888 <h1>L2TP over IPsec VPN connections</h1> 889 <p> 890 There are two major configurations L2TP over IPsec which depend on how IPsec 891 is authenticated. In either case <span class="field">Type</span> must be 892 <span class="value">L2TP-IPsec</span>. They are described below. 893 </p> 894 895 <p> 896 L2TP over IPsec with pre-shared key: 897 </p> 898 899 <ul> 900 <li>The field <span class="field">IPsec</span> must be present and have the 901 following settings: 902 <ul> 903 <li><span class="field">IKEVersion</span> must be 1.</li> 904 <li><span class="field">AuthenticationType</span> must be PSK.</li> 905 <li><span class="field">XAUTH</span> must not be set.</li> 906 </ul> 907 </li> 908 <li>The field <span class="field">L2TP</span> must be present.</li> 909 </ul> 910 </section> 911 912 </section> 913 914 <section> 915 <h1>OpenVPN connections and types</h1> 916 <p> 917 <span class="field">VPN.Type</span> must be 918 <span class="value">OpenVPN</span>. 919 </p> 920 921 <p> 922 <span class="type">OpenVPN</span> type contains the following: 923 </p> 924 925 <dl class="field_list"> 926 <dt class="field">Auth</dt> 927 <dd> 928 <span class="field_meta"> 929 (optional, defaults to <span class="value">SHA1</span>) 930 <span class="type">string</span> 931 </span> 932 </dd> 933 934 <dt class="field">AuthRetry</dt> 935 <dd> 936 <span class="field_meta"> 937 (optional, defaults to <span class="value">none</span>) 938 <span class="type">string</span> 939 </span> 940 <span class="rule"> 941 <span class="rule_id"></span> 942 Allowed values are <span class="value">none</span>, 943 <span class="value">nointeract</span>, and 944 <span class="value">interact</span>. 945 </span> 946 Controls how OpenVPN responds to username/password verification 947 errors:<br> Either fail with error on retry 948 (<span class="value">none</span>), retry without asking for authentication 949 (<span class="value">nointeract</span>), or ask again for authentication 950 each time (<span class="value">interact</span>). 951 </dd> 952 953 <dt class="field">AuthNoCache</dt> 954 <dd> 955 <span class="field_meta"> 956 (optional, defaults to <span class="value">false</span>) 957 <span class="type">boolean</span> 958 </span> 959 Disable caching of credentials in memory. 960 </dd> 961 962 <dt class="field">Cipher</dt> 963 <dd> 964 <span class="field_meta"> 965 (optional, defaults to <span class="value">BF-CBC</span>) 966 <span class="type">string</span> 967 </span> 968 Cipher to use. 969 </dd> 970 971 <dt class="field">ClientCertRef</dt> 972 <dd> 973 <span class="field_meta"> 974 (required if <span class="field">ClientCertType</span> is 975 <span class="value">Ref</span>, otherwise ignored) 976 <span class="type">string</span> 977 </span> 978 Reference to client certificate stored in certificate section. 979 </dd> 980 981 <dt class="field">ClientCertPattern</dt> 982 <dd> 983 <span class="field_meta"> 984 (required if <span class="field">ClientCertType</span> is 985 <span class="value">Pattern</span>, otherwise ignored) 986 <span class="type">CertificatePattern</span> 987 </span> 988 Pattern to use to find the client certificate. 989 </dd> 990 991 <dt class="field">ClientCertType</dt> 992 <dd> 993 <span class="field_meta"> 994 (required) 995 <span class="type">string</span> 996 </span> 997 <span class="rule"> 998 <span class="rule_id"></span> 999 Allowed values are <span class="value">Ref</span>, 1000 <span class="value">Pattern</span>, and <span class="value">None</span>. 1001 </span> 1002 <span class="value">None</span> implies that the server is configured to 1003 not require client certificates. 1004 </dd> 1005 1006 <dt class="field">CompLZO</dt> 1007 <dd> 1008 <span class="field_meta"> 1009 (optional, defaults to <span class="value">adaptive</span>) 1010 <span class="type">string</span> 1011 </span> 1012 Decides to fast LZO compression with <span class="value">true</span> 1013 and <span class="value">false</span> as other values. 1014 </dd> 1015 1016 <dt class="field">CompNoAdapt</dt> 1017 <dd> 1018 <span class="field_meta"> 1019 (optional, defaults to <span class="value">false</span>) 1020 <span class="type">boolean</span> 1021 </span> 1022 Disables adaptive compression. 1023 </dd> 1024 1025 <dt class="field">KeyDirection</dt> 1026 <dd> 1027 <span class="field_meta"> 1028 (optional) 1029 <span class="type">string</span> 1030 </span> 1031 Passed as --key-direction. 1032 </dd> 1033 1034 <dt class="field">NsCertType</dt> 1035 <dd> 1036 <span class="field_meta"> 1037 (optional) 1038 <span class="type">string</span> 1039 </span> 1040 If set, checks peer certificate type. Should only be set 1041 to <span class="value">server</span> if set. 1042 </dd> 1043 1044 <dt class="field">Password</dt> 1045 <dd> 1046 <span class="field_meta"> 1047 (optional) 1048 <span class="type">string</span> 1049 </span> 1050 XAUTH password. If not specified, user is prompted at time of connection. 1051 </dd> 1052 1053 <dt class="field">Port</dt> 1054 <dd> 1055 <span class="field_meta"> 1056 (optional, defaults to <span class="value">1194</span>) 1057 <span class="type">integer</span> 1058 </span> 1059 Port for connecting to server. 1060 </dd> 1061 1062 <dt class="field">Proto</dt> 1063 <dd> 1064 <span class="field_meta"> 1065 (optional, defaults to <span class="value">udp</span>) 1066 <span class="type">string</span> 1067 </span> 1068 Protocol for communicating with server. 1069 </dd> 1070 1071 <dt class="field">PushPeerInfo</dt> 1072 <dd> 1073 <span class="field_meta"> 1074 (optional, defaults to <span class="value">false</span>) 1075 <span class="type">boolean</span> 1076 </span> 1077 </dd> 1078 1079 <dt class="field">RemoteCertEKU</dt> 1080 <dd> 1081 <span class="field_meta"> 1082 (optional) 1083 <span class="type">string</span> 1084 </span> 1085 Require that the peer certificate was signed with this explicit extended 1086 key usage in oid notation. 1087 </dd> 1088 1089 <dt class="field">RemoteCertKU</dt> 1090 <dd> 1091 <span class="field_meta"> 1092 (optional, defaults to []) 1093 <span class="type">array of string</span> 1094 </span> 1095 Require the given array of key usage numbers. These are strings that are 1096 hex encoded numbers. 1097 </dd> 1098 1099 <dt class="field">RemoteCertTLS</dt> 1100 <dd> 1101 <span class="field_meta"> 1102 (optional, defaults to <span class="value">server</span>) 1103 <span class="type">string</span> 1104 </span> 1105 <span class="rule"> 1106 <span class="rule_id"></span> 1107 Allowed values are <span class="value">none</span> and 1108 <span class="value">server</span>. 1109 </span> 1110 Require peer certificate signing based on RFC3280 TLS rules. 1111 </dd> 1112 1113 <dt class="field">RenegSec</dt> 1114 <dd> 1115 <span class="field_meta"> 1116 (optional, defaults to <span class="value">3600</span>) 1117 <span class="type">integer</span> 1118 </span> 1119 Renegotiate data channel key after this number of seconds. 1120 </dd> 1121 1122 <dt class="field">SaveCredentials</dt> 1123 <dd> 1124 <span class="field_meta"> 1125 (optional, defaults to <span class="value">false</span>) 1126 <span class="type">boolean</span> 1127 </span> 1128 If <span class="value">false</span>, require user to enter credentials 1129 each time they connect. 1130 </dd> 1131 1132 <dt class="field">ServerCARefs</dt> 1133 <dd> 1134 <span class="field_meta"> 1135 (optional) 1136 <span class="type">array of string</span> 1137 </span> 1138 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset. 1139 </dd> 1140 1141 <dt class="field">ServerCARef</dt> 1142 <dd> 1143 <span class="field_meta"> 1144 (optional) 1145 <span class="type">string</span> 1146 </span> 1147 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> 1148 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset. 1149 </dd> 1150 1151 <dt class="field">ServerCertRef</dt> 1152 <dd> 1153 <span class="field_meta"> 1154 (optional) 1155 <span class="type">string</span> 1156 </span> 1157 Reference to a certificate. Peer's signed certificate. 1158 </dd> 1159 1160 <dt class="field">ServerPollTimeout</dt> 1161 <dd> 1162 <span class="field_meta"> 1163 (optional) 1164 <span class="type">integer</span> 1165 </span> 1166 Spend no more than this number of seconds before trying the next server. 1167 </dd> 1168 1169 <dt class="field">Shaper</dt> 1170 <dd> 1171 <span class="field_meta"> 1172 (optional) 1173 <span class="type">integer</span> 1174 </span> 1175 If not specified no bandwidth limiting, otherwise limit bandwidth of 1176 outgoing tunnel data to this number of bytes per second. 1177 </dd> 1178 1179 <dt class="field">StaticChallenge</dt> 1180 <dd> 1181 <span class="field_meta"> 1182 (optional) 1183 <span class="type">string</span> 1184 </span> 1185 String is used in static challenge response. Note that echoing is always 1186 done. 1187 </dd> 1188 1189 <dt class="field">TLSAuthContents</dt> 1190 <dd> 1191 <span class="field_meta"> 1192 (optional) 1193 <span class="type">string</span> 1194 </span> 1195 If not set, tls auth is not used. If set, this is the TLS Auth key 1196 contents (usually starts with "-----BEGIN OpenVPN Static Key..." 1197 </dd> 1198 1199 <dt class="field">TLSRemote</dt> 1200 <dd> 1201 <span class="field_meta"> 1202 (optional) 1203 <span class="type">string</span> 1204 </span> 1205 If set, only allow connections to server hosts with X509 name or common 1206 name equal to this string. 1207 </dd> 1208 1209 <dt class="field">Username</dt> 1210 <dd> 1211 <span class="field_meta"> 1212 (optional) 1213 <span class="type">string</span> 1214 </span> 1215 OpenVPN user name. This value is subject to string expansions. If not 1216 specified, user is prompted at time of connection. 1217 </dd> 1218 1219 <dt class="field">Verb</dt> 1220 <dd> 1221 <span class="field_meta"> 1222 (optional) 1223 <span class="type">string</span> 1224 </span> 1225 Verbosity level, defaults to OpenVpn's default if not specified. 1226 </dd> 1227 1228 <dt class="field">VerifyHash</dt> 1229 <dd> 1230 <span class="field_meta"> 1231 (optional) 1232 <span class="type">string</span> 1233 </span> 1234 If set, this value is passed as the "--verify-hash" argument to OpenVPN, 1235 which specifies the SHA1 fingerprint for the level-1 certificate. 1236 </dd> 1237 1238 <dt class="field">VerifyX509</dt> 1239 <dd> 1240 <span class="field_meta"> 1241 (optional) 1242 <span class="type">VerifyX509</span> 1243 </span> 1244 If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object and only connections will be accepted if a host's X.509 name is equal to the given name. 1245 </dd> 1246 </dl> 1247 1248 <p class="rule"> 1249 <span class="rule_id"></span> 1250 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. 1251 </p> 1252 1253 <p> 1254 <span class="type">VerifyX509</span> type contains the following: 1255 </p> 1256 <dl class="field_list"> 1257 <dt class="field">Name</dt> 1258 <dd> 1259 <span class="field_meta"> 1260 (required) 1261 <span class="type">string</span> 1262 </span> 1263 The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>. 1264 </dd> 1265 1266 <dt class="field">Type</dt> 1267 <dd> 1268 <span class="field_meta"> 1269 (optional) 1270 <span class="type">string</span> 1271 </span> 1272 Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value. Defaults to OpenVPN's default if not specified. 1273 </dd> 1274 </dl> 1275 1276 </section> 1277 1278 </section> 1279 1280 <section> 1281 <h1>Client certificate patterns</h1> 1282 <p> 1283 In order to allow clients to securely key their private keys and request 1284 certificates through PKCS#10 format or through a web flow, we provide 1285 alternative CertificatePattern types. The 1286 <span class="type">CertificatePattern</span> type contains the following: 1287 </p> 1288 1289 <dl class="field_list"> 1290 <dt class="field">IssuerCARef</dt> 1291 <dd> 1292 <span class="field_meta"> 1293 (optional) 1294 <span class="type">array of string</span> 1295 </span> 1296 Array of references to certificates. At least one must have signed the 1297 client certificate. 1298 </dd> 1299 1300 <dt class="field">Issuer</dt> 1301 <dd> 1302 <span class="field_meta"> 1303 (optional) 1304 <span class="type">IssuerSubjectPattern</span> 1305 </span> 1306 Pattern to match the issuer X.509 settings against. If not specified, the 1307 only checks done will be a signature check against 1308 the <span class="field">IssuerCARef</span> field. Issuer of the 1309 certificate must match this field exactly to match the pattern. 1310 </dd> 1311 1312 <dt class="field">Subject</dt> 1313 <dd> 1314 <span class="field_meta"> 1315 (optional) 1316 <span class="type">IssuerSubjectPattern</span> 1317 </span> 1318 Pattern to match the subject X.509 settings against. If not specified, the 1319 subject settings are not checked and any certificate matches. Subject of 1320 the certificate must match this field exactly to match the pattern. 1321 </dd> 1322 1323 <dt class="field">EnrollmentURI</dt> 1324 <dd> 1325 <span class="field_meta"> 1326 (optional) 1327 <span class="type">array of string</span> 1328 </span> 1329 If no certificate matches this CertificatePattern, the first URI from this 1330 array with a recognized scheme is navigated to, with the intention this 1331 informs the user how to either get the certificate or gets the certificate 1332 for the user. For instance, the array may be [ 1333 "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html", 1334 "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a 1335 Chrome app or extension is shown to the user, but for other browsers, a 1336 web URL is shown. 1337 </dd> 1338 </dl> 1339 1340 <p> 1341 The <span class="type">IssuerSubjectPattern</span> type contains the 1342 following: 1343 </p> 1344 1345 <dl class="field_list"> 1346 <dt class="field">CommonName</dt> 1347 <dd> 1348 <span class="field_meta"> 1349 (optional) 1350 <span class="type">string</span> 1351 </span> 1352 Certificate subject's commonName must match this string if present. 1353 </dd> 1354 1355 <dt class="field">Locality</dt> 1356 <dd> 1357 <span class="field_meta"> 1358 (optional) 1359 <span class="type">string</span> 1360 </span> 1361 Certificate subject's location must match this string if present. 1362 </dd> 1363 1364 <dt class="field">Organization</dt> 1365 <dd> 1366 <span class="field_meta"> 1367 (optional) 1368 <span class="type">string</span> 1369 </span> 1370 At least one of certificate subject's organizations must match this string 1371 if present. 1372 </dd> 1373 1374 <dt class="field">OrganizationalUnit</dt> 1375 <dd> 1376 <span class="field_meta"> 1377 (optional) 1378 <span class="type">string</span> 1379 </span> 1380 At least one of certificate subject's organizational units must match this 1381 string if present. 1382 </dd> 1383 </dl> 1384 1385 <p class="rule"> 1386 <span class="rule_id"></span> 1387 One field in <span class="field">Subject</span>, 1388 <span class="field">Issuer</span>, or <span class="field">IssuerCARef</span> 1389 must be given for a <span class="type">CertificatePattern</span> typed field 1390 to be valid. 1391 </p> 1392 1393 <p> 1394 For a certificate to be considered matching, it must match all 1395 the fields in the certificate pattern. If multiple certificates match, the 1396 certificate with the latest issue date that is still in the past, and hence 1397 valid, will be used. 1398 </p> 1399 1400 <p> 1401 If <span class="field">EnrollmentURI</span> is not given and no match is 1402 found to this pattern, the importing tool may show an error to the user. 1403 </p> 1404 </section> 1405 1406 <section> 1407 <h1>Proxy settings</h1> 1408 <p> 1409 Every network can be configured to use a 1410 proxy. The <span class="type">ProxySettings</span> type contains the 1411 following: 1412 </p> 1413 1414 <dl class="field_list"> 1415 <dt class="field">Type</dt> 1416 <dd> 1417 <span class="field_meta"> 1418 (required) 1419 <span class="type">string</span> 1420 </span> 1421 <span class="rule"> 1422 <span class="rule_id"></span> 1423 Allowed values are <span class="value">Direct</span>, 1424 <span class="value">Manual</span>, <span class="value">PAC</span>, and 1425 <span class="value">WPAD</span>. 1426 </span> 1427 <span class="value">PAC</span> indicates Proxy Auto-Configuration. 1428 <span class="value">WPAD</span> indicates Web Proxy Autodiscovery. 1429 </dd> 1430 1431 <dt class="field">Manual</dt> 1432 <dd> 1433 <span class="field_meta"> 1434 (required if <span class="field">Type</span> 1435 is <span class="value">Manual</span>, otherwise ignored) 1436 <span class="type">ManualProxySettings</span> 1437 </span> 1438 Manual proxy settings. 1439 </dd> 1440 1441 <dt class="field">ExcludeDomains</dt> 1442 <dd> 1443 <span class="field_meta"> 1444 (optional if <span class="field">Type</span> 1445 is <span class="value">Manual</span>, otherwise ignored) 1446 <span class="type">array of string</span> 1447 </span> 1448 Domains and hosts for which to exclude proxy settings. 1449 </dd> 1450 1451 <dt class="field">PAC</dt> 1452 <dd> 1453 <span class="field_meta"> 1454 (required if <span class="field">Type</span> is 1455 <span class="value">PAC</span>, otherwise ignored) 1456 <span class="type">string</span> 1457 </span> 1458 URL of proxy auto-config file. 1459 </dd> 1460 </dl> 1461 1462 <p> 1463 The <span class="type">ManualProxySettings</span> type contains the 1464 following: 1465 </p> 1466 1467 <dl class="field_list"> 1468 <dt class="field">HTTPProxy</dt> 1469 <dd> 1470 <span class="field_meta"> 1471 (optional) 1472 <span class="type">ProxyLocation</span> 1473 </span> 1474 settings for HTTP proxy. 1475 </dd> 1476 1477 <dt class="field">SecureHTTPProxy</dt> 1478 <dd> 1479 <span class="field_meta"> 1480 (optional) 1481 <span class="type">ProxyLocation</span> 1482 </span> 1483 settings for secure HTTP proxy. 1484 </dd> 1485 1486 <dt class="field">FTPProxy</dt> 1487 <dd> 1488 <span class="field_meta"> 1489 (optional) 1490 <span class="type">ProxyLocation</span> 1491 </span> 1492 settings for FTP proxy 1493 </dd> 1494 1495 <dt class="field">SOCKS</dt> 1496 <dd> 1497 <span class="field_meta"> 1498 (optional) 1499 <span class="type">ProxyLocation</span> 1500 </span> 1501 settings for SOCKS proxy. 1502 </dd> 1503 </dl> 1504 1505 <p> 1506 The <span class="type">ProxyLocation</span> type contains the following: 1507 </p> 1508 1509 <dl class="field_list"> 1510 <dt class="field">Host</dt> 1511 <dd> 1512 <span class="field_meta"> 1513 (required) 1514 <span class="type">string</span> 1515 </span> 1516 Host (or IP address) to use for proxy 1517 </dd> 1518 1519 <dt class="field">Port</dt> 1520 <dd> 1521 <span class="field_meta"> 1522 (required) 1523 <span class="type">integer</span> 1524 </span> 1525 Port to use for proxy 1526 </dd> 1527 </dl> 1528 </section> 1529 1530 <section> 1531 <h1>EAP configurations</h1> 1532 <p> 1533 For networks with 802.1X authentication, an <span class="type">EAP</span> 1534 type exists to configure the 1535 authentication. The <span class="type">EAP</span> type contains the 1536 following: 1537 </p> 1538 1539 <dl class="field_list"> 1540 <dt class="field">AnonymousIdentity</dt> 1541 <dd> 1542 <span class="field_meta"> 1543 (optional if <span class="field">Outer</span> is 1544 <span class="value">PEAP</span> or <span class="value">EAP-TTLS</span>, 1545 otherwise ignored) 1546 <span class="type">string</span> 1547 </span> 1548 For tunnelling protocols only, this indicates the identity of the user 1549 presented to the outer protocol. This value is subject to string 1550 expansions. If not specified, use empty string. 1551 </dd> 1552 1553 <dt class="field">ClientCertPattern</dt> 1554 <dd> 1555 <span class="field_meta"> 1556 (required if <span class="field">ClientCertType</span> is 1557 <span class="value">Pattern</span>, otherwise ignored) 1558 <span class="type">CertificatePattern</span> 1559 </span> 1560 Pattern to use to find the client certificate. 1561 </dd> 1562 1563 <dt class="field">ClientCertRef</dt> 1564 <dd> 1565 <span class="field_meta"> 1566 (required if <span class="field">ClientCertType</span> is 1567 <span class="value">Ref</span>, otherwise ignored) 1568 <span class="type">string</span> 1569 </span> 1570 Reference to client certificate stored in certificate section. 1571 </dd> 1572 1573 <dt class="field">ClientCertType</dt> 1574 <dd> 1575 <span class="field_meta"> 1576 (optional) <span class="type">string</span> 1577 </span> 1578 <span class="rule"> 1579 <span class="rule_id"></span> 1580 Allowed values are <span class="value">Ref</span>, and 1581 <span class="value">Pattern</span>. 1582 </span> 1583 </dd> 1584 1585 <dt class="field">Identity</dt> 1586 <dd> 1587 <span class="field_meta"> 1588 (optional) 1589 <span class="type">string</span> 1590 </span> 1591 Identity of user. For tunneling outer protocols 1592 (<span class="value">PEAP</span>, <span class="value">EAP-TTLS</span>, and 1593 <span class="value">EAP-FAST</span>), this is used to authenticate inside 1594 the tunnel, and <span class="field">AnonymousIdentity</span> is used for 1595 the EAP identity outside the tunnel. For non-tunneling outer protocols, 1596 this is used for the EAP identity. This value is subject to string 1597 expansions. 1598 </dd> 1599 1600 <dt class="field">Inner</dt> 1601 <dd> 1602 <span class="field_meta"> 1603 (optional if <span class="field">Outer</span> is 1604 <span class="value">EAP-FAST</span>, <span class="value">EAP-TTLS</span> 1605 or <span class="value">PEAP</span>, otherwise ignored, defaults to 1606 <span class="value">Automatic</span>) 1607 <span class="type">string</span> 1608 </span> 1609 <span class="rule"> 1610 <span class="rule_id"></span> 1611 Allowed values are <span class="value">Automatic</span>, 1612 <span class="value">MD5</span>, <span class="value">MSCHAPv2</span>, 1613 <span class="value">EAP-MSCHAPv2</span>, and 1614 <span class="value">PAP</span>. 1615 </span> 1616 For tunneling outer protocols. 1617 </dd> 1618 1619 <dt class="field">Outer</dt> 1620 <dd> 1621 <span class="field_meta"> 1622 (required) 1623 <span class="type">string</span> 1624 </span> 1625 <span class="rule"> 1626 <span class="rule_id"></span> 1627 Allowed values are <span class="value">LEAP</span>, 1628 <span class="value">EAP-AKA</span>, <span class="value">EAP-FAST</span>, 1629 <span class="value">EAP-TLS</span>, <span class="value">EAP-TTLS</span>, 1630 <span class="value">EAP-SIM</span> and <span class="value">PEAP</span>. 1631 </span> 1632 </dd> 1633 1634 <dt class="field">Password</dt> 1635 <dd> 1636 <span class="field_meta"> 1637 (optional) 1638 <span class="type">string</span> 1639 </span> 1640 Password of user. If not specified, defaults to prompting the user. 1641 </dd> 1642 1643 <dt class="field">SaveCredentials</dt> 1644 <dd> 1645 <span class="field_meta"> 1646 (optional, defaults to <span class="value">false</span>) 1647 <span class="type">boolean</span> 1648 </span> 1649 If <span class="value">false</span>, require user to enter credentials 1650 each time they connect. Specifying <span class="field">Identity</span> 1651 and/or <span class="field">Password</span> when 1652 <span class="field">SaveCredentials</span> is 1653 <span class="value">false</span> is not allowed. 1654 </dd> 1655 1656 <dt class="field">ServerCARefs</dt> 1657 <dd> 1658 <span class="field_meta"> 1659 (optional) 1660 <span class="type">array of string</span> 1661 </span> 1662 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this. 1663 </dd> 1664 1665 <dt class="field">ServerCARef</dt> 1666 <dd> 1667 <span class="field_meta"> 1668 (optional) 1669 <span class="type">string</span> 1670 </span> 1671 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/> 1672 Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this. 1673 </dd> 1674 1675 <dt class="field">UseSystemCAs</dt> 1676 <dd> 1677 <span class="field_meta"> 1678 (optional, defaults to <span class="value">true</span>) 1679 <span class="type">boolean</span> 1680 </span> 1681 Required server certificate to be signed by "system default certificate 1682 authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>) 1683 and <span class="field">UseSystemCAs</span> are supplied, a server 1684 certificate will be allowed if it either has a chain of trust to a system 1685 CA or to one of the given CA certificates. If <span class="field">UseSystemCAs</span> 1686 is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate 1687 must be a self signed certificate, and no CA signature is required. 1688 </dd> 1689 </dl> 1690 1691 <p class="rule"> 1692 <span class="rule_id"></span> 1693 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set. 1694 </p> 1695 </section> 1696 1697 <section> 1698 <h1>Cellular Networks</h1> 1699 <p> 1700 This format will eventually also cover configuration of cellular network 1701 technologies, however they are currently not supported. 1702 </p> 1703 </section> 1704 1705 <section> 1706 <h1>Bluetooth / WiFi Direct Networks</h1> 1707 <p> 1708 This format will eventually also cover configuration of Bluetooth and Wi-Fi 1709 Direct network technologies, however they are currently not supported. 1710 </p> 1711 </section> 1712 1713 </section> 1714 1715 <section> 1716 <h1>Certificates</h1> 1717 <p> 1718 Certificate data is stored in a separate section. Each certificate may be 1719 referenced from within the NetworkConfigurations array using a certificate 1720 reference. A certificate reference is its GUID. 1721 </p> 1722 1723 <p> 1724 The top-level field <span class="field">Certificates</span> is an array of 1725 objects of <span class="type">Certificate</span> type. 1726 </p> 1727 1728 <p> 1729 The <span class="type">Certificate</span> type contains the following: 1730 </p> 1731 1732 <dl class="field_list"> 1733 <dt class="field">GUID</dt> 1734 <dd> 1735 <span class="field_meta"> 1736 (required) 1737 <span class="type">string</span> 1738 </span> 1739 A unique identifier for this certificate. Must be a non-empty string. 1740 </dd> 1741 1742 <dt class="field">PKCS12</dt> 1743 <dd> 1744 <span class="field_meta"> 1745 (required if <span class="field">Type</span> is 1746 <span class="value">Client</span>, otherwise ignored) 1747 <span class="type">string</span> 1748 </span> For certificates with 1749 private keys, this is the base64 encoding of the a PKCS#12 file. 1750 </dd> 1751 1752 <dt class="field">Remove</dt> 1753 <dd> 1754 <span class="field_meta"> 1755 (optional, defaults to <span class="value">false</span>) 1756 <span class="type">boolean</span> 1757 </span> 1758 If <span class="value">true</span>, remove this certificate (only GUID 1759 should be set). 1760 </dd> 1761 1762 <dt class="field">TrustBits</dt> 1763 <dd> 1764 <span class="field_meta"> 1765 (optional if <span class="field">Type</span> 1766 is <span class="value">Server</span> 1767 or <span class="value">Authority</span>, otherwise ignored, defaults to 1768 []) 1769 <span class="type">array of string</span> 1770 </span> 1771 An array of trust flags. Clients should ignore unknown flags. For 1772 backwards compatibility, each flag should only increase the trust and 1773 never restrict. The trust flag <span class="value">Web</span> implies that 1774 the certificate is to be trusted for HTTPS SSL identification. A typical 1775 web certificate authority would have <span class="field">Type</span> set 1776 to <span class="value">Authority</span> and 1777 <span class="field">TrustBits</span> set to 1778 <span class="snippet">["Web"]</span>. 1779 </dd> 1780 1781 <dt class="field">Type</dt> 1782 <dd> 1783 <span class="field_meta"> 1784 (required if <span class="field">Remove</span> is 1785 <span class="value">false</span>, otherwise ignored) 1786 <span class="type">string</span> 1787 </span> 1788 <span class="rule"> 1789 <span class="rule_id"></span> 1790 Allowed values are <span class="value">Client</span>, 1791 <span class="value">Server</span>, and 1792 <span class="value">Authority</span>. 1793 </span> 1794 <span class="value">Client</span> indicates the certificate is for 1795 identifying the user or device over HTTPS or for 1796 VPN/802.1X. <span class="value">Server</span> indicates the certificate 1797 identifies an HTTPS or VPN/802.1X peer. 1798 <span class="value">Authority</span> indicates the certificate is a 1799 certificate authority and any certificates it issues should be 1800 trusted. Note that if <span class="field">Type</span> disagrees with the 1801 x509 v3 basic constraints or key usage attributes, the 1802 <span class="field">Type</span> field should be honored. 1803 </dd> 1804 1805 <dt class="field">X509</dt> 1806 <dd> 1807 <span class="field_meta"> 1808 (required if <span class="field">Type</span> is 1809 <span class="value">Server</span> or 1810 <span class="value">Authority</span>, otherwise ignored) 1811 <span class="type">string</span> 1812 </span> For certificate 1813 without private keys, this is the X509 certificate in PEM format. 1814 </dd> 1815 </dl> 1816 1817 <p> 1818 The passphrase of the PKCS#12 encoding must be empty. Encryption of key data 1819 should be handled at the level of the entire file, or the transport of the 1820 file. 1821 </p> 1822 1823 <p> 1824 If a global-scoped network connection refers to a user-scoped certificate, 1825 results are undefined, so this configuration should be prohibited by the 1826 configuration editor. 1827 </p> 1828 </section> 1829 1830 </section> 1831 1832 <section> 1833 <h1>Encrypted Configuration</h1> 1834 <p> 1835 We assume that when this format is imported as part of policy that 1836 file-level encryption will not be necessary because the policy transport is 1837 already encrypted, but when it is imported as a standalone file, it is 1838 desirable to encrypt it. Since this file has private information (user 1839 names) and secrets (passphrases and private keys) in it, and we want it to 1840 be usable as a manual way to distribute network configuration, we must 1841 support encryption. 1842 </p> 1843 1844 <p> 1845 For this standalone export, the entire file will be encrypted in a symmetric 1846 fashion with a passphrase stretched using salted PBKDF2 using at least 20000 1847 iterations, and encrypted using an AES-256 CBC mode cipher with an SHA-1 1848 HMAC on the ciphertext. 1849 </p> 1850 1851 <p> 1852 An encrypted ONC file's top level object will have the 1853 <span class="type">EncryptedConfiguration</span> 1854 type. <span class="type">EncryptedConfiguration</span> type contains the 1855 following: 1856 </p> 1857 1858 <dl class="field_list"> 1859 <dt class="field">Cipher</dt> 1860 <dd> 1861 <span class="field_meta"> 1862 (required) 1863 <span class="type">string</span> 1864 </span> 1865 The type of cipher used. Currently only <span class="value">AES256</span> 1866 is supported. 1867 </dd> 1868 1869 <dt class="field">Ciphertext</dt> 1870 <dd> 1871 <span class="field_meta"> 1872 (required) 1873 <span class="type">string</span> 1874 </span> 1875 The raw ciphertext of the encrypted ONC file, base64 encoded. 1876 </dd> 1877 1878 <dt class="field">HMAC</dt> 1879 <dd> 1880 <span class="field_meta"> 1881 (required) 1882 <span class="type">string</span> 1883 </span> 1884 The HMAC for the ciphertext, base64 encoded. 1885 </dd> 1886 1887 <dt class="field">HMACMethod</dt> 1888 <dd> 1889 <span class="field_meta"> 1890 (required) 1891 <span class="type">string</span> 1892 </span> 1893 The method used to compute the Hash-based Message Authentication Code 1894 (HMAC). Currently only <span class="value">SHA1</span> is supported. 1895 </dd> 1896 1897 <dt class="field">Salt</dt> 1898 <dd> 1899 <span class="field_meta"> 1900 (required) 1901 <span class="type">string</span> 1902 </span> 1903 The salt value used during key stretching. 1904 </dd> 1905 1906 <dt class="field">Stretch</dt> 1907 <dd> 1908 <span class="field_meta"> 1909 (required) 1910 <span class="type">string</span> 1911 </span> 1912 The key stretching algorithm used. Currently 1913 only <span class="value">PBKDF2</span> is supported. 1914 </dd> 1915 1916 <dt class="field">Iterations</dt> 1917 <dd> 1918 <span class="field_meta"> 1919 (required) 1920 <span class="type">integer</span> 1921 </span> 1922 The number of iterations to use during key stretching. 1923 </dd> 1924 1925 <dt class="field">IV</dt> 1926 <dd> 1927 <span class="field_meta"> 1928 (required) 1929 <span class="type">string</span> 1930 </span> 1931 The initial vector (IV) used for Cyclic Block Cipher (CBC) mode, base64 1932 encoded. 1933 </dd> 1934 1935 <dt class="field">Type</dt> 1936 <dd> 1937 <span class="field_meta"> 1938 (required) 1939 <span class="type">string</span> 1940 </span> 1941 The type of the ONC file, which must be set 1942 to <span class="value">EncryptedConfiguration</span>. 1943 </dd> 1944 </dl> 1945 1946 <p class="rule"> 1947 <span class="rule_id"></span> 1948 When decrypted, the ciphertext must contain a JSON object of 1949 type <span class="type">UnencryptedConfiguration</span>. 1950 </p> 1951 </section> 1952 1953 <section> 1954 <h1>String Expansions</h1> 1955 <p> 1956 The values of some fields, such 1957 as <span class="field">WiFi.EAP.Identity</span> 1958 and <span class="field">VPN.*.Username</span>, are subject to string 1959 expansions. These allow one ONC to have basic user-specific variations. 1960 </p> 1961 1962 <p> 1963 The expansions are: 1964 </p> 1965 1966 <ul> 1967 <li> 1968 ${LOGIN_ID} - expands to the email address of the user, but before the 1969 '@'. 1970 </li> 1971 <li> 1972 ${LOGIN_EMAIL} - expands to the email address of the user. 1973 </li> 1974 </ul> 1975 1976 <p> 1977 The following SED would properly handle resolution. 1978 </p> 1979 1980 <ul> 1981 <li> 1982 s/\$\{LOGIN_ID\}/bobquail$1/g 1983 </li> 1984 <li> 1985 s/\$\{LOGIN_EMAIL\}/bobquail (a] example.com$1/g 1986 </li> 1987 </ul> 1988 1989 <p> 1990 Example expansions, assuming the user was bobquail (a] example.com: 1991 </p> 1992 1993 <ul> 1994 <li> 1995 "${LOGIN_ID}" -> "bobquail" 1996 </li> 1997 <li> 1998 "${LOGIN_ID}@corp.example.com" -> "bobquail (a] corp.example.com" 1999 </li> 2000 <li> 2001 "${LOGIN_EMAIL}" -> "bobquail (a] example.com" 2002 </li> 2003 <li> 2004 "${LOGIN_ID}X" -> "bobquailX" 2005 </li> 2006 <li> 2007 "${LOGIN_IDX}" -> "${LOGIN_IDX}" 2008 </li> 2009 <li> 2010 "X${LOGIN_ID}" -> "Xbobquail" 2011 </li> 2012 </ul> 2013 </section> 2014 2015 <section> 2016 <h1>Detection</h1> 2017 <p> 2018 This format should be sent in files ending in the .onc extension. When 2019 transmitted with a MIME type, the MIME type should be 2020 application/x-onc. These two methods make detection of data to be handled in 2021 this format, especially when encryption is used and the payload itself is 2022 not detectable. 2023 </p> 2024 </section> 2025 2026 </section> 2027 2028 <section> 2029 <h1>Alternatives considered</h1> 2030 <p> 2031 For the overall format, we considered XML, ASN.1, and protobufs. JSON and 2032 ASN.1 seem more widely known than protobufs. Since administrators are 2033 likely to want to tweak settings that will not exist in common UIs, we 2034 should provide a format that is well known and human modifiable. ASN.1 is 2035 not human modifiable. Protobufs formats are known by open source developers 2036 but seem less likely to be known by administrators. JSON serialization 2037 seems to have good support across languages. 2038 </p> 2039 2040 <p> 2041 We considered sending the exact connection manager configuration format of 2042 an open source connection manager like connman. There are a few issues 2043 here, for instance, referencing certificates by identifiers not tied to a 2044 particular PKCS#11 token, and tying to one OS's connection manager. 2045 </p> 2046 </section> 2047 2048 <section> 2049 <h1>Detection</h1> 2050 <p> 2051 This format should be sent in files ending in the .onc extension. When 2052 transmitted with a MIME type, the MIME type should be 2053 application/x-onc. These two methods make detection of data to be handled in 2054 this format, especially when encryption is used and the payload itself is 2055 not detectable. 2056 </p> 2057 </section> 2058 2059 <section> 2060 <h1>Mocks</h1> 2061 2062 <section> 2063 <h1>Simple format example: PEAP/MSCHAPv2 network (per device)</h1> 2064 2065 <pre> 2066 { 2067 "Type": "UnencryptedConfiguration", 2068 "NetworkConfigurations": [ 2069 { 2070 "GUID": "{f2c17903-b0e1-8593-b3ca74f977236bd7}", 2071 "Name": "MySSID", 2072 "Type": "WiFi", 2073 "WiFi": { 2074 "AutoConnect": true, 2075 "EAP": { 2076 "Outer": "PEAP", 2077 "UseSystemCAs": true 2078 }, 2079 "HiddenSSID": false, 2080 "SSID": "MySSID", 2081 "Security": "WPA-EAP" 2082 } 2083 } 2084 ], 2085 "Certificates": [] 2086 } 2087 </pre> 2088 2089 <p> 2090 Notice that in this case, we do not provide a username and password - we set 2091 SaveCredentials to <span class="value">false</span> so we are prompted every 2092 time. We could have passed in username and password - but such a file should 2093 be encrypted. 2094 </p> 2095 </section> 2096 2097 <section> 2098 <h1>Complex format example: TLS network with client certs (per device)</h1> 2099 2100 <pre> 2101 { 2102 "Type": "UnencryptedConfiguration", 2103 "NetworkConfigurations": [ 2104 { 2105 "GUID": "{00f79111-51e0-e6e0-76b3b55450d80a1b}", 2106 "Name": "MyTTLSNetwork", 2107 "Type": "WiFi", 2108 "WiFi": { 2109 "AutoConnect": false, 2110 "EAP": { 2111 "ClientCertPattern": { 2112 "EnrollmentURI": [ 2113 "http://fetch-my-certificate.com" 2114 ], 2115 "IssuerCARef": [ 2116 "{6ed8dce9-64c8-d568-d225d7e467e37828}" 2117 ] 2118 }, 2119 "ClientCertType": "Pattern", 2120 "Outer": "EAP-TLS", 2121 "ServerCARef": "{6ed8dce9-64c8-d568-d225d7e467e37828}", 2122 "UseSystemCAs": true 2123 }, 2124 "HiddenSSID": false, 2125 "SSID": "MyTTLSNetwork", 2126 "Security": "WPA-EAP" 2127 } 2128 } 2129 ], 2130 "Certificates": [ 2131 { 2132 "GUID": "{6ed8dce9-64c8-d568-d225d7e467e37828}", 2133 "Type": "Authority", 2134 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw==" 2135 } 2136 ] 2137 } 2138 </pre> 2139 2140 <p> 2141 In this example, the client certificate is not sent in the ONC format, but 2142 rather we send a certificate authority which we know will have signed the 2143 client certificate that is needed, along with an enrollment URI to navigate 2144 to if the required certificate is not yet available on the client. 2145 </p> 2146 </section> 2147 2148 <section> 2149 <h1>Simple format example: HTTPS Certificate Authority</h1> 2150 2151 <p> 2152 In this example a new certificate authority is added to be trusted for HTTPS 2153 server authentication. 2154 </p> 2155 2156 <pre> 2157 { 2158 "Type": "UnencryptedConfiguration", 2159 "NetworkConfigurations": [], 2160 "Certificates": [ 2161 { 2162 "GUID": "{f31f2110-9f5f-61a7-a8bd7c00b94237af}", 2163 "TrustBits": [ "Web" ], 2164 "Type": "Authority", 2165 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw==" 2166 } 2167 ] 2168 } 2169 </pre> 2170 </section> 2171 2172 <section> 2173 <h1>Encrypted format example</h1> 2174 2175 <p> 2176 In this example a simple wireless network is added, but the file is encrypted 2177 with the passphrase "test0000". 2178 </p> 2179 2180 <pre> 2181 { 2182 "Cipher": "AES256", 2183 "Ciphertext": "eQ9/r6v29/83M745aa0JllEj4lklt3Nfy4kPPvXgjBt1eTByxXB+FnsdvL6Uca5JBU5aROxfiol2+ZZOkxPmUNNIFZj70pkdqOGVe09ncf0aVBDsAa27veGIG8rG/VQTTbAo7d8QaxdNNbZvwQVkdsAXawzPCu7zSh4NF/hDnDbYjbN/JEm1NzvWgEjeOfqnnw3PnGUYCArIaRsKq9uD0a1NccU+16ZSzyDhX724JNrJjsuxohotk5YXsCK0lP7ZXuXj+nSR0aRIETSQ+eqGhrew2octLXq8cXK05s6ZuVAc0mFKPkntSI/fzBACuPi4ZaGd3YEYiKzNOgKJ+qEwgoE39xp0EXMZOZyjMOAtA6e1ZZDQGWG7vKdTLmLKNztHGrXvlZkyEf1RDs10YgkwwLgUhm0yBJ+eqbxO/RiBXz7O2/UVOkkkVcmeI6yh3BdL6HIYsMMygnZa5WRkd/2/EudoqEnjcqUyGsL+YUqV6KRTC0PH+z7zSwvFs2KygrSM7SIAZM2yiQHTQACkA/YCJDwACkkQOBFnRWTWiX0xmN55WMbgrs/wqJ4zGC9LgdAInOBlc3P+76+i7QLaNjMovQ==", 2184 "HMAC": "3ylRy5InlhVzFGakJ/9lvGSyVH0=", 2185 "HMACMethod": "SHA1", 2186 "Iterations": 20000, 2187 "IV": "hcm6OENfqG6C/TVO6p5a8g==", 2188 "Salt": "/3O73QadCzA=", 2189 "Stretch": "PBKDF2", 2190 "Type": "EncryptedConfiguration" 2191 } 2192 </pre> 2193 </section> 2194 2195 </section> 2196 2197 <section> 2198 <h1>Standalone editor</h1> 2199 2200 <p> 2201 The source code for a Chrome packaged app to generate ONC configuration can 2202 be found here: 2203 <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">"https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree"</a> 2204 </p> 2205 </section> 2206 2207 <section> 2208 <h1>Internationalization and Localization</h1> 2209 2210 <p> 2211 UIs will need to have internationalization and localizations - the file 2212 format will remain in English. 2213 </p> 2214 </section> 2215 2216 <section> 2217 <h1>Security Considerations</h1> 2218 2219 <p> 2220 Data stored inside of open network configuration files is highly sensitive 2221 to users and enterprises. The file format itself provides adequate 2222 encryption options to allow standalone use-cases to be secure. For automatic 2223 updates sent by policy, the policy transport should be made secure. The file 2224 should not be stored unencrypted on disk as part of policy fetching and 2225 should be cleared from memory after use. 2226 </p> 2227 </section> 2228 2229 <section> 2230 <h1>Privacy Considerations</h1> 2231 2232 <p> 2233 Similarly to the security considerations, user names will be present in 2234 these files for certain kinds of connections, so any places where the file 2235 is transmitted or saved to disk should be secure. On client device, when 2236 user names for connections that are user-specific are persisted to disk, 2237 they should be stored in a location that is encrypted. Users can also opt in 2238 these cases to not save their user credentials in the config file and will 2239 instead be prompted when they are needed. 2240 </p> 2241 </section> 2242 </section> 2243 </body> 2244 </html> 2245
