We use cryptography verification, but it's relatively new.
For compatibility, we fall back to fingerprint only.
This is pretty bad when inflicted on unsuspecting users on autosign, so skip autosign if cert validation would break.
Rather than treat both as the same, since untethered has everything up front anyway, go ahead and extract the filesystem.
This makes the mount look more straightforward and makes it so deletion of files from the image also frees RAM.
For one, apply more rules from CA/B forum. This includes including KU and EKU extensions, marking basicConstraints critical, and randomized serial numbers.
Also make the backdate and end date configurable, to allow for the BMC certs to have a more palatable validity interval.
Begin expanding certutil to sign other certificates from external CSRs more easily.
Have certutil make the CA constraint critical.
Have the fingerprint based validator have a mechanism to check for a properly signed certificate in lieu of exact match, and update the stored fingerprint on match.
Provide a means to request a custom subject when evaluating a target.
Change redfish plugin to set that subject in the verifier.
The changes for getinstalldisk assumed functionality in ESXi9. Target older functional level for our purposes.
Also expand the fallback to cover cases where the disk interrogation fails.
Surprisingly frequently, the firmware stacks split right after the \x1b byte in
sending data down. Defer a dangling partial sequence until more data
comes in that should make it complete.
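
The deferral described above, sketched as an added Python example (not the project's own code). The class name, the 64-byte hold cap and the restriction to a bare ESC or an unfinished CSI sequence are assumptions, and the sample chunks are constructed.

```python
import re

# Trailing bare ESC, or ESC [ followed only by CSI parameter (0x30-0x3f) and
# intermediate (0x20-0x2f) bytes, i.e. a CSI sequence still missing its final byte.
# \Z rather than $ so that ESC followed by a newline is not mistaken for a partial.
_PARTIAL = re.compile(rb'\x1b(\[[\x30-\x3f]*[\x20-\x2f]*)?\Z')


class EscapeDeferrer:
    """Hold back a dangling partial escape sequence until the next read."""

    MAX_HELD = 64  # assumed cap so malformed input cannot stall output

    def __init__(self):
        self._held = b''

    def feed(self, chunk):
        """Return the bytes that are safe to forward to the terminal now."""
        data = self._held + chunk
        self._held = b''
        match = _PARTIAL.search(data)
        if match and len(data) - match.start() <= self.MAX_HELD:
            self._held = data[match.start():]
            data = data[:match.start()]
        return data

    def flush(self):
        """Release whatever is held, e.g. on session close or idle timeout."""
        data, self._held = self._held, b''
        return data


def replay(chunks):
    """Feed constructed chunks through a deferrer; return what each call emits."""
    deferrer = EscapeDeferrer()
    return [deferrer.feed(c) for c in chunks]


if __name__ == '__main__':
    # Constructed sample: one SGR sequence split right after ESC and mid-parameters.
    for out in replay([b'Boot\x1b', b'[1;37', b';47mSetup']):
        print(out)
```
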
In the interest of interfering with terminal behavior as little as possible,
only apply the forced intensity if the background and foreground color are
identical and would make it otherwise literally impossible to read
when working as designed.
Terminals seem to expect 'bold or intensity' to imply intense color.
There are certain terminals that steadfastly refuse to do bold and intense. So implement the logic on behalf of the remote terminal.
Commonly, UEFI setup menus request bold white text on white background. This fixes such menus to be readable by explicitly requesting intense white foreground rather than normal background. For example, the kitty terminal has no 'intense on bold' feature.
For nodemedia, nodelicense, and nodefirmware, support for expressions in filenames was fouled when pass by filehandle was added.
Restore this by adding all the files matching an expression.
The stock Ubuntu approach was inadequate. It would DHCP out every nic and take the fastest result, and no going back.
Now the CDC nic can frequently win that race.
First, rmmod cdc_ether, as a scenario that is completely right out.
But beyond that, let Ubuntu have one shot at multi-nic bringup. Beyond that, maintain a list of all link-up devices.
If the check should fail, then start doing one nic at a time, cycling through them.
Also, the openssl s_client timeout is painfully slow; use subshell and kill to speed things up.
When network configuration is applied, wait until we can reach the deployment server again before exiting.
This should make us more robust against various potential delays after changing the nature of network interfaces.