From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] CRL updater: Update script for OpenVPN CRL
Date: Fri, 02 Feb 2018 10:51:49 +0000
Message-ID: <1517568709.2804.18.camel@ipfire.org>
In-Reply-To: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org>

Hi,

thanks for working on this.

On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
> Update script for OpenVPN's CRL has been integrated because OpenVPN refactors the CRL handling since v.2.4.0.
> Script checks the next update field from the CRL and executes an update two days before it expires.
> Script is placed under fcron.daily for daily checks.
> OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
>
> Signed-off-by: Erik Kapfer
> ---
> config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
> lfs/openvpn | 4 ++++
> 2 files changed, 57 insertions(+)
> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@ > +#!/bin/bash
The file needs a GPL header here or whatever license you choose this will be.
> + > +# > +# Script Name: ovpn_crl_updater.sh > +# Description: This script checks the "Next Update:" field of the CRL and = renews it if needed, > +# which prevents the expiration of OpenVPNs CRL. > +# With OpenVPN 2.4.x the CRL handling has been refactored, > +# whereby the verification logic has been removed from ssl_verify_.c . > +# See for more infos: > +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345= 2929e07016a336 > +# > +# Run Information: If OpenVPNs CRL is presant,=20 > +# this script provides a cronjob which checks daily if an update of th= e CRL is needed. > +# If the expiring date reaches the value (defined in the 'UPDATE' vari= able in days) > +# before the CRL expiration, an openssl command will be executed to re= new the CRL. > +# The renewing of the CRL will be logged into /var/log/messages. > +#=20 > +# Author: Erik Kapfer > +# > +# Date: 17.01.2018 > +# > +##########################################################################= ##################### > + > +# Check if OpenVPN is active or if the CRL is presant > +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then > + exit 0; > +fi > + > +## Paths > +OVPN=3D"/var/ipfire/ovpn"; > +CRL=3D"${OVPN}/crls/cacrl.pem"; > +CAKEY=3D"${OVPN}/ca/cakey.pem"; > +CACERT=3D"${OVPN}/ca/cacert.pem"; > +OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf";
You may use some empty lines here to make the code easier to read.
> +## Values > +# CRL check for the the 'Next Update:' in seconds > +EXPIRINGDATEINSEC=3D"$(( $(date -d "$(openssl crl -in "${CRL}" -text | gre= p -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
Complicated command. Can we break this down a little bit? Code doesn't necessarily run faster when everything is just one line, but it will be way easier to understand.
> +# Day in seconds to calculate > +DAYINSEC=3D"86400";
No ; needed here and everywhere else... It's shell, not C.
> +# Convert seconds to days > +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))"; > +# Update of the CRL in days before CRL expiring date > +UPDATE=3D"2";
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
> +# Check if OpenVPNs CRL needs to be renewed > +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then > + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -c= onfig "${OPENSSLCONF}"; > + logger -t openssl "OpenVPN CRL has been renewed"; > +fi
You don't need the quotes around the integer comparison. Should we catch any errors of the openssl command? I think the logging tag should rather be openvpn instead of openssl.
> + > +exit 0 > + > +# EOF
> diff --git a/lfs/openvpn b/lfs/openvpn
> index a925f78..1e1ddc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify > chown root:root /usr/lib/openvpn/verify > chmod 755 /usr/lib/openvpn/verify > + # Add crl updater > + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily > + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh > + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
Can we rename the script to openvpn-crl-updater?
> =20 > @rm -rf $(DIR_APP) > @$(POSTBUILD)
Apart from that this looks good. Just minor stuff.

Best,
-Michael
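Review bot: in the renewal block of ovpn_crl_updater.sh, `openssl ca -gencrl ... -out "${CRL}"` writes straight into the live cacrl.pem and its exit status is never checked, so a failing run can leave the CRL empty or truncated while the next line still logs "OpenVPN CRL has been renewed". Generate into a temporary file, move it over `${CRL}` only when openssl returned 0, and log the failure branch with its own message. The `EXPIRINGDATEINSEC` line has the same gap: when `openssl crl -text` or the `grep -oP` produce no output, `date -d` runs on an empty string and the later `-le` comparison is made against a meaningless number; check that the extracted "Next Update:" value is non-empty and that `date -d` succeeded before doing any arithmetic, and exit non-zero with a log line otherwise.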
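Review bot: in the lfs/openvpn hunk, `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` gives the destination as a directory rather than a file path; if /etc/fcron.daily does not exist in the build root at that point, mv silently creates a regular file of that name and the following `chown` and `chmod` on `/etc/fcron.daily/ovpn_crl_updater.sh` fail. Spell out the full target path, or replace the three lines with `install -v -m 750 -o root -g root /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily/openvpn-crl-updater`, which sets owner and mode in one step and absorbs the rename asked for above.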
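The broken-down expiry check that the review asks for, written here as an added example; it is not part of Erik's patch or of IPFire's own code. It splits the one-line EXPIRINGDATEINSEC calculation into small functions with error handling, uses the 14-day threshold suggested in the review, renews into a temporary file so a failed openssl run never truncates the live CRL, and logs under the openvpn tag. The paths are those from the patch; the function names, the constructed sample of `openssl crl -text -noout` output and the fixed reference time are assumptions for this example, and `date -d` requires GNU date, as the patch itself does.

```shell
#!/bin/bash
# Added example, not code from the patch or from IPFire: the CRL expiry check
# split into small, testable steps. Assumes GNU date (date -d) and openssl.

OVPN="/var/ipfire/ovpn"            # paths as in the patch
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
DAYINSEC=86400
UPDATE=14                          # renew when 14 days or fewer remain (value suggested in the review)

# Step 1: pull the "Next Update:" value out of `openssl crl -text` output read from stdin.
# Prints nothing when the field is missing; the caller must treat that as an error.
crl_next_update() {
    sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# Step 2: whole days between "now" ($2, epoch seconds, defaults to the current time)
# and the given Next Update timestamp. Fails on empty or unparsable input instead
# of silently feeding garbage into the comparison.
days_until() {
    next_update="$1"
    now="${2:-$(date +%s)}"
    [ -n "${next_update}" ] || return 1
    expiry="$(date -d "${next_update}" +%s 2>/dev/null)" || return 1
    echo $(( (expiry - now) / DAYINSEC ))
}

# Step 3: renewal is due when the remaining days are at or below the threshold.
renewal_due() {
    [ "$1" -le "${2:-$UPDATE}" ]
}

# Step 4: regenerate into a temporary file next to the CRL and move it into place
# only on success, so a failed openssl run never leaves an empty or truncated CRL.
# mktemp creates the file mode 0600; copy the old file's mode first if OpenVPN
# reads the CRL as a non-root user on your system.
renew_crl() {
    tmp="$(mktemp "${CRL}.XXXXXX")" || return 1
    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" \
            -config "${OPENSSLCONF}" -out "${tmp}"; then
        mv -f "${tmp}" "${CRL}" && logger -t openvpn "OpenVPN CRL has been renewed"
    else
        rm -f "${tmp}"
        logger -t openvpn "OpenVPN CRL renewal failed"
        return 1
    fi
}

# Glue for the daily cron run: read the live CRL, decide, renew. Returns 0 when
# nothing needed doing or the renewal succeeded, 1 on any parsing or openssl failure.
check_and_renew() {
    [ -e "${CRL}" ] || return 0     # no CRL means OpenVPN is not set up: nothing to do
    next="$(openssl crl -in "${CRL}" -text -noout | crl_next_update)"
    left="$(days_until "${next}")" || {
        logger -t openvpn "Cannot read Next Update from ${CRL}"
        return 1
    }
    renewal_due "${left}" || return 0
    renew_crl
}

# Constructed sample of `openssl crl -text -noout` output, so the parsing and the
# day arithmetic can be exercised without a real CA.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=DE/O=IPFire/CN=IPFire CA
        Last Update: Jan 17 10:00:00 2018 GMT
        Next Update: Feb 16 10:00:00 2018 GMT'

# Stand-alone demonstration against the sample and a fixed reference time.
sample_next="$(printf '%s\n' "${SAMPLE_CRL_TEXT}" | crl_next_update)"
sample_now="$(date -u -d '2018-02-01 10:00:00 UTC' +%s)"
echo "Next Update: ${sample_next}; days left on 2018-02-01: $(days_until "${sample_next}" "${sample_now}")"
```

The cron entry would call `check_and_renew` instead of the demonstration at the bottom. Each step can now be read and tested on its own, and the script exits non-zero with a log line whenever the CRL cannot be parsed or regenerated, rather than reporting success unconditionally.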