Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
11 days | fw-addr-lists: spamhaus.org returned to 'GTS Root R4' | Christian Hesse | 1 | -2/+2 | |
2024-10-23 | fw-addr-lists: spamhaus.org requires 'ISRG Root X1' now | Christian Hesse | 1 | -2/+2 | |
2024-09-11 | fw-addr-lists: use lists in JSON format for spamhaus.org | Christian Hesse | 1 | -1/+3 | |
2024-08-28 | fw-addr-lists: drop edrop.txt, which does no longer exist | Christian Hesse | 1 | -2/+0 | |
2024-08-28 | fw-addr-lists: spamhaus.org requires 'GTS Root R4' now | Christian Hesse | 1 | -2/+2 | |
Fixes: https://github.com/eworm-de/routeros-scripts/issues/78 | |||||
2024-06-21 | certs: Cloudflare Inc ECC CA-3 -> Baltimore CyberTrust Root | Christian Hesse | 1 | -2/+2 | |
2024-06-21 | certs: Certum Domain Validation CA SHA2 -> Certum Trusted Network CA | Christian Hesse | 1 | -1/+1 | |
2024-06-21 | certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 -> GlobalSign | Christian Hesse | 1 | -2/+2 | |
2024-06-21 | certs: R3 / R10 -> ISRG Root X1 | Christian Hesse | 1 | -1/+1 | |
2024-06-21 | certs: E1 / E5 -> ISRG Root X2 | Christian Hesse | 1 | -3/+3 | |
In the beginning of Let's Encrypt their root certificate ISRG Root X1 was not widely trusted, at least some older and/or mobile platforms were missing that certificate in their root certificate store. At that time Let's Encrypt was using an alternative chain of trust, where a certificate was cross-signed with DST Root CA X3. To make sure a valid chain of trust is available under all circumstances a set of all certificates had to be supplied: both root vertificates ISRG Root X1 & DST Root CA X3, and an intermediate certificate. This was still true after DST Root CA X3 expired, as it could still be used as a root anchor and was shipped by Let's Encrypt when requested. 🤪 This time is finally over, and we have a clean chain for trust ending in ISRG Root X1 (or ISRG Root X2). Well, actually it is the other way round... Let's Encrypt signs with different tantamount intermediate certificates. There is not only E5, but also E6 - and we can not know beforehand which one is used on renew. So let's jetzt drop the intermediate certificates now, and rely on root certificates only. We are perfectly fine with this these days. Follow-up commits will do the same for *all* certificates. The certificate is downloaded with: curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem | |||||
2024-06-19 | Let's Encrypt changed their intermediate certificates | Christian Hesse | 1 | -3/+3 | |
https://letsencrypt.org/2024/03/19/new-intermediate-certificates https://letsencrypt.org/certificates/ But let's keep the old ones around for now, as some sites are still using the old intermediate. | |||||
2024-05-23 | backup-partition: support copy before feature update | Christian Hesse | 1 | -0/+2 | |
2024-05-14 | fw-addr-lists: add 'strongips' list from blocklist.dechange-128 | Christian Hesse | 1 | -0/+2 | |
2024-04-15 | mod/notification-ntfy: support basic authchange-127 | Christian Hesse | 1 | -0/+2 | |
Closes #59 | |||||
2024-03-20 | global-config: put example fw-addr-lists into repository | Christian Hesse | 1 | -3/+3 | |
2024-03-18 | global-config: prepare a (commented) address-list for Mikrotik | Christian Hesse | 1 | -0/+4 | |
This is AS51894: https://bgp.he.net/AS51894 | |||||
2024-03-12 | global-config: merge loading overlay and snippets | Christian Hesse | 1 | -10/+4 | |
2024-03-12 | global-config: support loading snippetschange-122 | Christian Hesse | 1 | -0/+10 | |
This adds support for loading snippets, which need a name starting with "global-config-overlay.d/". This allows to split off configuration if desired. | |||||
2024-01-30 | packages-update: support deferred reboot on auto-updatechange-117 | Christian Hesse | 1 | -0/+3 | |
Closes #56 | |||||
2024-01-01 | update copyright for 2024 | Christian Hesse | 1 | -1/+1 | |
2023-11-30 | fw-addr-lists: support timeout per list | Christian Hesse | 1 | -1/+1 | |
This works with something like this: :global FwAddrLists { "allow"={ { url="https://eworm.de/ros/fw-addr-lists/allow"; cert="E1"; timeout=1w }; }; ... } All urls for one named list should have the same timeout! With different timeout values and identical addresses the behavior is besically undefined, depending on order. | |||||
2023-10-26 | global: switch eworm.de to new certificate chain (E1 / ISRG Root X2) | Christian Hesse | 1 | -2/+2 | |
old chain: R3 / ISRG Root X1 new chain: E1 / ISRG Root X2 No user interaction or migration is required for existing installations as we install 'E1' and 'ISRG Root X2' for some time already. | |||||
2023-10-17 | global-functions: $ScriptInstallUpdate: drop support for scripts from storagechange-110 | Christian Hesse | 1 | -2/+1 | |
Nobody ever used that, no? (Well, except me - just before I implemented fetching. 😜) | |||||
2023-10-17 | introduce mod/notification-ntfy...change-109 | Christian Hesse | 1 | -3/+9 | |
... for sending notifications via Ntfy (https://ntfy.sh/). TODO: use proper formatting once supported in Android app: https://github.com/binwiederhier/ntfy/issues/889 | |||||
2023-10-17 | log-forward: add 'packet' in default filter... | Christian Hesse | 1 | -1/+1 | |
... which is used when logging raw packets from dns and ssh, and possibly others. | |||||
2023-10-16 | mod/notification-telegram: drop support for non-fixed width fontchange-107 | Christian Hesse | 1 | -2/+0 | |
2023-10-05 | log-forward: add 'raw' in default filter... | Christian Hesse | 1 | -1/+1 | |
... which is used when logging raw packets or commands. | |||||
2023-08-31 | check-routeros-update: support update from specific neighbor(s)change-105 | Christian Hesse | 1 | -0/+1 | |
... by matching the identity property. | |||||
2023-06-27 | global-config: escaping question mark is no longer required | Christian Hesse | 1 | -1/+1 | |
2023-06-13 | fw-addr-lists: prepare lists from spamhaus.org in config | Christian Hesse | 1 | -0/+4 | |
2023-06-13 | fw-addr-lists: add lists from abuse.ch in config | Christian Hesse | 1 | -0/+4 | |
2023-06-13 | introduce fw-addr-listschange-101 | Christian Hesse | 1 | -0/+15 | |
2023-05-31 | global-config: end all (array) variables with a semicolon | Christian Hesse | 1 | -4/+4 | |
2023-04-26 | global-config: restore variables still used in ipsec-to-dns (for now) | Christian Hesse | 1 | -0/+4 | |
2023-04-26 | global-config: be more verbose about domain | Christian Hesse | 1 | -1/+2 | |
2023-04-24 | dhcp-to-dns: get domain from dhcp server's network definitionchange-99 | Christian Hesse | 1 | -3/+0 | |
2023-03-07 | rename scripts and add file extension ".rsc"change-95 | Christian Hesse | 1 | -0/+220 | |
No functional change for the user... The migration is done automatically. |