public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
Date: Tue, 06 Feb 2018 21:09:36 +0100	[thread overview]
Message-ID: <1517947776-23744-1-git-send-email-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 4993 bytes --]

Update script for OpenVPNs CRL cause OpenVPN refactors the CRL handling since v.2.4.0 .
    Script checks the next update field from the CRL and executes an update before it expires.
    Script is placed under fcron.daily for daily checks.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/ovpn/openvpn-crl-updater | 88 +++++++++++++++++++++++++++++++++++++++++
 config/rootfiles/common/openvpn |  1 +
 lfs/openvpn                     |  6 +++
 3 files changed, 95 insertions(+)
 create mode 100644 config/ovpn/openvpn-crl-updater

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
new file mode 100644
index 0000000..9063b04
--- /dev/null
+++ b/config/ovpn/openvpn-crl-updater
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#########################################################################################
+#											#
+# This file is part of the IPFire Firewall.						#
+#											#
+# IPFire is free software: you can redistribute it and/or modify			#
+# it under the terms of the GNU General Public License as published by			#
+# the Free Software Foundation, either version 3 of the License, or 			#
+# (at your option) any later version.							#
+#											#
+# IPFire is distributed in the hope that it will be useful,				#
+# but WITHOUT ANY WARRANTY; without even the implied warranty of 			#
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 			#
+# GNU General Public License for more details. 						#
+#											#
+# You should have received a copy of the GNU General Public License 			#
+# along with IPFire.  If not, see <http://www.gnu.org/licenses/>. 			#
+#											#
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.					#
+#											#
+#########################################################################################
+#											#
+# Script Name: openvpn-crl-updater 							#
+# Description: This script checks the "Next Update:" field of the CRL			#
+#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.		#
+#   With OpenVPN 2.4.x the CRL handling has been refactored, 				#
+#   whereby the verification logic has been removed from ssl_verify_<backend>.c . 	#
+#   For more infos:									#
+#   https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 	#
+#											#
+# Run Information: If OpenVPNs CRL is presant, 						#
+#   this script provides a cronjob which checks daily if an update of the CRL 		#
+#   is needed.	If the expiring date reaches the value					#
+#   (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl	# 
+#   command will be executed to renew the CRL.						#
+#   Script execution will be logged into /var/log/messages.				#
+# 											#
+# Author: Erik Kapfer 									#
+#											#
+# Date: 06.02.2018									#
+#											#
+#########################################################################################
+
+# Check if OpenVPN is active or if the CRL is presant
+if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
+	exit 0;
+fi
+
+## Paths
+OVPN="/var/ipfire/ovpn"
+CRL="${OVPN}/crls/cacrl.pem"
+CAKEY="${OVPN}/ca/cakey.pem"
+CACERT="${OVPN}/ca/cacert.pem"
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+
+## Values
+# CRL check for the 'Next Update:' in seconds
+EXPIRINGDATEINSEC="$((
+$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \
+    /bin/grep -oP 'Next Update: *\K.*')" +%s) - \
+    $(/bin/date +%s) \
+))"
+
+# Day in seconds to calculate
+DAYINSEC="86400"
+
+# Convert seconds to days
+NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"
+
+# Update of the CRL in days before CRL expiring date
+UPDATE="14"
+
+
+# Check if OpenVPNs CRL needs to be renewed
+if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
+    if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+	logger -t openvpn "CRL has been updated"
+    else
+	logger -t openvpn "error: Could not update CRL"
+    fi
+fi
+
+exit 0
+
+
+# EOF
+
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index 2b63424..131d798 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,4 @@
+etc/fcron.daily/openvpn-crl-updater
 #usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
diff --git a/lfs/openvpn b/lfs/openvpn
index 3913f02..1ecc18c 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	# Add crl updater
+	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
+	chown root:root /etc/fcron.daily/openvpn-crl-updater
+	chmod 750 /etc/fcron.daily/openvpn-crl-updater
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
+
-- 
2.7.4


  parent reply	other threads:[~2018-02-06 20:09 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-30 16:38 [PATCH] OpenVPN: Update to version 2.4.4 Erik Kapfer
2018-01-30 20:00 ` Michael Tremer
2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
2018-02-02 10:51   ` Michael Tremer
2018-02-02 19:19     ` ummeegge
2018-02-03 20:20       ` ummeegge
2018-02-06  0:44         ` Michael Tremer
2018-02-06  9:24           ` ummeegge
2018-02-06 16:34             ` Michael Tremer
2018-02-06 20:09   ` Erik Kapfer [this message]
2018-02-06 21:45     ` [PATCH v2] CRL updater: Update script for OpenVPNs CRL Michael Tremer
2018-02-07 17:31   ` Erik Kapfer
2018-02-11 22:25     ` Michael Tremer
2018-02-13  6:02       ` ummeegge
2018-02-13  6:07         ` Horace Michael
2018-02-13 10:00           ` ummeegge
2018-02-13 14:21             ` Horace Michael
2018-02-14 14:09               ` ummeegge
2018-02-13 13:13         ` ummeegge
2018-02-14 12:22         ` Michael Tremer
2018-02-14 13:24           ` ummeegge
2018-02-14 20:27             ` Michael Tremer
2018-02-15  6:18               ` ummeegge
2018-02-15 11:05                 ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1517947776-23744-1-git-send-email-erik.kapfer@ipfire.org \
    --to=erik.kapfer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox