From mboxrd@z Thu Jan 1 00:00:00 1970
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] CRL updater: Update script for OpenVPN CRL
Date: Fri, 02 Feb 2018 07:34:11 +0100
Message-ID: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org>
In-Reply-To: <1517330336-18550-1-git-send-email-erik.kapfer@ipfire.org>

An update script for OpenVPN's CRL has been integrated because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the "Next Update" field of the CRL and executes an update two days before it expires. The script is placed under fcron.daily for daily checks. The OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336

Signed-off-by: Erik Kapfer
---
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh

diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh new file mode 100644 index 0000000..309edc2 --- /dev/null +++ b/config/ovpn/ovpn_crl_updater.sh
@@ -0,0 +1,53 @@ +#!/bin/bash + +# +# Script Name: ovpn_crl_updater.sh +# Description: This script checks the "Next Update:" field of the CRL and re= news it if needed, +# which prevents the expiration of OpenVPNs CRL. +# With OpenVPN 2.4.x the CRL handling has been refactored, +# whereby the verification logic has been removed from ssl_verify_.c . +# See for more infos: +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c03234529= 29e07016a336 +# +# Run Information: If OpenVPNs CRL is presant,=20 +# this script provides a cronjob which checks daily if an update of the = CRL is needed. +# If the expiring date reaches the value (defined in the 'UPDATE' variab= le in days) +# before the CRL expiration, an openssl command will be executed to rene= w the CRL. +# The renewing of the CRL will be logged into /var/log/messages. +#=20 +# Author: Erik Kapfer +# +# Date: 17.01.2018 +# +############################################################################= ################### + +# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then + exit 0; +fi + +## Paths +OVPN=3D"/var/ipfire/ovpn"; +CRL=3D"${OVPN}/crls/cacrl.pem"; +CAKEY=3D"${OVPN}/ca/cakey.pem"; +CACERT=3D"${OVPN}/ca/cacert.pem"; +OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf"; +## Values +# CRL check for the the 'Next Update:' in seconds +EXPIRINGDATEINSEC=3D"$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep = -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; +# Day in seconds to calculate +DAYINSEC=3D"86400"; +# Convert seconds to days +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE=3D"2"; + +# Check if OpenVPNs CRL needs to be renewed +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -con= fig "${OPENSSLCONF}"; + logger -t openssl "OpenVPN CRL has been renewed"; +fi + +exit 0 + +# EOF 
diff --git a/lfs/openvpn b/lfs/openvpn index a925f78..1e1ddc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh =20 @rm -rf $(DIR_APP) @$(POSTBUILD) --=20 2.7.4 --===============3686841499981401767==--
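Review bot: in the ovpn_crl_updater.sh hunk, `openssl ca -gencrl ... -out "${CRL}"` writes straight over the live CRL and its exit status is never checked, so a failure there (unreadable cakey.pem, a problem in ovpn.cnf) can leave cacrl.pem empty or truncated while `logger -t openssl "OpenVPN CRL has been renewed"` still reports success. Generate into a temporary file and only `mv` it over "${CRL}" when openssl returns 0, and log the failure case on its own. The "Next Update:" extraction has the same shape of problem: if `openssl crl -in "${CRL}" -text` fails or the grep matches nothing, GNU date treats the empty `-d` argument as the start of today, EXPIRINGDATEINSEC becomes negative and the `-le "${UPDATE}"` test regenerates the CRL on every daily run; `openssl crl -in "${CRL}" -noout -nextupdate` returns the field directly and its exit status can be tested before the comparison. Minor: "presant" and "the the" in the header comments.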
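Review bot: in the lfs/openvpn hunk, the three added lines only install the file into /etc/fcron.daily (mirroring how `verify` is moved two lines above, so the source location is consistent); nothing runs the check once at install time, so on a system whose CRL has already passed its "Next Update:" when this lands, renewal waits for the next fcron.daily run, during which OpenVPN 2.4 keeps seeing an expired CRL. If that window matters, invoke /etc/fcron.daily/ovpn_crl_updater.sh once after installation as well. The `chown root:root` and `chmod 750` are appropriate for a script that reads cakey.pem.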