public inbox for development@lists.ipfire.org
* [PATCH] OpenVPN: Update to version 2.4.4
@ 2018-01-30 16:38 Erik Kapfer
  2018-01-30 20:00 ` Michael Tremer
  2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
  0 siblings, 2 replies; 24+ messages in thread
From: Erik Kapfer @ 2018-01-30 16:38 UTC (permalink / raw)
  To: development


Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.

Added CRL updater script to LFS.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/rootfiles/common/openvpn |  5 ++++-
 lfs/openvpn                     | 11 ++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index b58e30c..cbfd03e 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,5 @@
+etc/fcron.daily/ovpn_crl_updater.sh
+#usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
 #usr/lib/openvpn/plugins
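Review bot: the rootfile entry `etc/fcron.daily/ovpn_crl_updater.sh` added at the top of this hunk names a file that no part of this patch creates (the diffstat lists only the rootfile and lfs/openvpn), so the package would claim a script that is not in the tree; either drop the entry until the script itself is submitted or include `config/ovpn/ovpn_crl_updater.sh` in the same patch. The commented `#usr/include/openvpn-msg.h` line is fine as a build-only header.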
@@ -10,11 +12,12 @@ usr/sbin/openvpn
 #usr/share/doc/openvpn
 #usr/share/doc/openvpn/COPYING
 #usr/share/doc/openvpn/COPYRIGHT.GPL
+#usr/share/doc/openvpn/Changes.rst
 #usr/share/doc/openvpn/README
 #usr/share/doc/openvpn/README.IPv6
 #usr/share/doc/openvpn/README.auth-pam
 #usr/share/doc/openvpn/README.down-root
-#usr/share/doc/openvpn/README.polarssl
+#usr/share/doc/openvpn/README.mbedtls
 #usr/share/doc/openvpn/management-notes.txt
 #usr/share/man/man8/openvpn.8
 var/ipfire/ovpn/ca
diff --git a/lfs/openvpn b/lfs/openvpn
index 8307d01..e7f9bc2 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                          #
+# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                          #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.3.18
+VER        = 2.4.4
 
 THISAPP    = openvpn-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
+$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
 
 install : $(TARGET)
 
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
+	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
+	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
+
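Review bot: `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` will fail and stop make, because nothing in this patch places that script under /var/ipfire/ovpn; also the final `+` line after `@$(POSTBUILD)` adds a trailing empty line to the file and should be dropped. The `chown root:root` / `chmod 750` pair is appropriate since fcron runs the job as root.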
-- 
2.7.4



* Re: [PATCH] OpenVPN: Update to version 2.4.4
  2018-01-30 16:38 [PATCH] OpenVPN: Update to version 2.4.4 Erik Kapfer
@ 2018-01-30 20:00 ` Michael Tremer
  2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
  1 sibling, 0 replies; 24+ messages in thread
From: Michael Tremer @ 2018-01-30 20:00 UTC (permalink / raw)
  To: development


Hello,

this patch is much better because it is smaller, but the script is actually
missing.

Could you modify the patch so that it doesn't appear in the LFS file and
rootfile and we just have the plain update of the package? Then I could merge
that into the OpenSSL branch which will then build and then we can move on to
the rest.

Best,
-Michael

On Tue, 2018-01-30 at 17:38 +0100, Erik Kapfer wrote:
> Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
> 
> Added CRL updater script to LFS.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/rootfiles/common/openvpn |  5 ++++-
>  lfs/openvpn                     | 11 ++++++++---
>  2 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index b58e30c..cbfd03e 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,5 @@
> +etc/fcron.daily/ovpn_crl_updater.sh
> +#usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
>  #usr/lib/openvpn/plugins
> @@ -10,11 +12,12 @@ usr/sbin/openvpn
>  #usr/share/doc/openvpn
>  #usr/share/doc/openvpn/COPYING
>  #usr/share/doc/openvpn/COPYRIGHT.GPL
> +#usr/share/doc/openvpn/Changes.rst
>  #usr/share/doc/openvpn/README
>  #usr/share/doc/openvpn/README.IPv6
>  #usr/share/doc/openvpn/README.auth-pam
>  #usr/share/doc/openvpn/README.down-root
> -#usr/share/doc/openvpn/README.polarssl
> +#usr/share/doc/openvpn/README.mbedtls
>  #usr/share/doc/openvpn/management-notes.txt
>  #usr/share/man/man8/openvpn.8
>  var/ipfire/ovpn/ca
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 8307d01..e7f9bc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -1,7 +1,7 @@
>  #############################################################################
> ##
>  #                                                                            
>  #
>  # IPFire.org - A linux based
> firewall                                         #
> -# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                         
>  #
> +# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                         
>  #
>  #                                                                            
>  #
>  # This program is free software: you can redistribute it and/or
> modify        #
>  # it under the terms of the GNU General Public License as published
> by        #
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 2.3.18
> +VER        = 2.4.4
>  
>  THISAPP    = openvpn-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
>  
>  install : $(TARGET)
>  
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
> +



* [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-01-30 16:38 [PATCH] OpenVPN: Update to version 2.4.4 Erik Kapfer
  2018-01-30 20:00 ` Michael Tremer
@ 2018-02-02  6:34 ` Erik Kapfer
  2018-02-02 10:51   ` Michael Tremer
                     ` (2 more replies)
  1 sibling, 3 replies; 24+ messages in thread
From: Erik Kapfer @ 2018-02-02  6:34 UTC (permalink / raw)
  To: development


Update script for OpenVPN's CRL has been integrated because OpenVPN refactored the CRL handling since v2.4.0.
Script checks the next update field from the CRL and executes an update two days before it expires.
Script is placed under fcron.daily for daily checks.
OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh

diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
new file mode 100644
index 0000000..309edc2
--- /dev/null
+++ b/config/ovpn/ovpn_crl_updater.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+#
+# Script Name: ovpn_crl_updater.sh
+# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
+#     which prevents the expiration of OpenVPNs CRL.
+#     With OpenVPN 2.4.x the CRL handling has been refactored,
+#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
+#     See for more infos:
+#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
+#
+# Run Information: If OpenVPNs CRL is presant, 
+#     this script provides a cronjob which checks daily if an update of the CRL is needed.
+#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
+#     before the CRL expiration, an openssl command will be executed to renew the CRL.
+#     The renewing of the CRL will be logged into /var/log/messages.
+# 
+# Author: Erik Kapfer
+#
+# Date: 17.01.2018
+#
+###############################################################################################
+
+# Check if OpenVPN is active or if the CRL is presant
+if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
+	exit 0;
+fi
+
+## Paths
+OVPN="/var/ipfire/ovpn";
+CRL="${OVPN}/crls/cacrl.pem";
+CAKEY="${OVPN}/ca/cakey.pem";
+CACERT="${OVPN}/ca/cacert.pem";
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
+## Values
+# CRL check for the the 'Next Update:' in seconds
+EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
+# Day in seconds to calculate
+DAYINSEC="86400";
+# Convert seconds to days
+NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
+# Update of the CRL in days before CRL expiring date
+UPDATE="2";
+
+# Check if OpenVPNs CRL needs to be renewed
+if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
+	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
+	logger -t openssl "OpenVPN CRL has been renewed";
+fi
+
+exit 0
+
+# EOF
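Review bot: in the renewal branch the exit status of `openssl ca -gencrl ...` is never checked, so a failed regeneration (unreadable key, bad config) is still logged as "OpenVPN CRL has been renewed"; wrap it as `if openssl ca -gencrl ...; then logger -t openvpn "... renewed"; else logger -t openvpn "... failed"; exit 1; fi`. Minor: "presant" in the header comments should read "present", and with UPDATE=2 on a daily job a single missed run leaves only one day of margin before the CRL expires.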
diff --git a/lfs/openvpn b/lfs/openvpn
index a925f78..1e1ddc2 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	# Add crl updater
+	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
+	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
+	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
 
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
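Review bot: this hunk installs the script into /etc/fcron.daily, but the diffstat shows no change to config/rootfiles/common/openvpn, so `etc/fcron.daily/ovpn_crl_updater.sh` will not be shipped in the image; add the rootfile entry in the same patch.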
-- 
2.7.4



* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
@ 2018-02-02 10:51   ` Michael Tremer
  2018-02-02 19:19     ` ummeegge
  2018-02-06 20:09   ` [PATCH v2] CRL updater: Update script for OpenVPNs CRL Erik Kapfer
  2018-02-07 17:31   ` Erik Kapfer
  2 siblings, 1 reply; 24+ messages in thread
From: Michael Tremer @ 2018-02-02 10:51 UTC (permalink / raw)
  To: development


Hi,

thanks for working on this.

On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
> Update script for OpenVPNs CRL has been integrated cause OpenVPN refactors the CRL handling since v.2.4.0 .
>     Script checks the next update field from the CRL and executes an update two days before it expires.
>     Script is placed under fcron.daily for daily checks.
>     OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
>  lfs/openvpn                     |  4 ++++
>  2 files changed, 57 insertions(+)
>  create mode 100644 config/ovpn/ovpn_crl_updater.sh
> 
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash

The file needs a GPL header here or whatever license you choose this
will be.

> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
> +#     which prevents the expiration of OpenVPNs CRL.
> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
> +#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
> +#     See for more infos:
> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant, 
> +#     this script provides a cronjob which checks daily if an update of the CRL is needed.
> +#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
> +#     before the CRL expiration, an openssl command will be executed to renew the CRL.
> +#     The renewing of the CRL will be logged into /var/log/messages.
> +# 
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +###############################################################################################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> +	exit 0;
> +fi
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn";
> +CRL="${OVPN}/crls/cacrl.pem";
> +CAKEY="${OVPN}/ca/cakey.pem";
> +CACERT="${OVPN}/ca/cacert.pem";
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";

You may use some empty lines here to make the code easier to read.

> +## Values
> +# CRL check for the the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
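Review bot: if `openssl crl -text` fails or the `Next Update:` line is missing, grep prints nothing and `date -d ""` does not fail but resolves to the start of today, so EXPIRINGDATEINSEC silently becomes a small negative number and the script regenerates the CRL as if it were about to expire; capture the grep result in its own variable, test it with `[ -n "$nextupdate" ]`, and log and exit non-zero when it is empty.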

Complicated command. Can we break this down a little bit? Code doesn't
necessarily run faster when everything is just one line, but it will be
way easier to understand.

> +# Day in seconds to calculate
> +DAYINSEC="86400";

No ; needed here and everywhere else...

It's shell, not C.

> +# Convert seconds to days
> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="2";

I think we should update every 14 days if the usual expiry time is 30.
Therefore we will never get too close by accident.

> +# Check if OpenVPNs CRL needs to be renewed
> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
> +	logger -t openssl "OpenVPN CRL has been renewed";
> +fi

You don't need the quotes around the integer comparison.

Should we catch any errors of the openssl command?

I think the logging tag should rather be openvpn instead of openssl.

> +
> +exit 0
> +
> +# EOF
> diff --git a/lfs/openvpn b/lfs/openvpn
> index a925f78..1e1ddc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	# Add crl updater
> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh

Can we rename the script to openvpn-crl-updater?
>  
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)

Apart from that this looks good. Just minor stuff.

Best,
-Michael



* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-02 10:51   ` Michael Tremer
@ 2018-02-02 19:19     ` ummeegge
  2018-02-03 20:20       ` ummeegge
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-02 19:19 UTC (permalink / raw)
  To: development


Hi Michael,
thanks for your feedback.

Am 02.02.2018 um 11:51 schrieb Michael Tremer:

> Hi,
> 
> thanks for working on this.
> 
> On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
>> Update script for OpenVPNs CRL has been integrated cause OpenVPN refactors the CRL handling since v.2.4.0 .
>>    Script checks the next update field from the CRL and executes an update two days before it expires.
>>    Script is placed under fcron.daily for daily checks.
>>    OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .
>> 
>> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>> ---
>> config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
>> lfs/openvpn                     |  4 ++++
>> 2 files changed, 57 insertions(+)
>> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>> 
>> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
>> new file mode 100644
>> index 0000000..309edc2
>> --- /dev/null
>> +++ b/config/ovpn/ovpn_crl_updater.sh
>> @@ -0,0 +1,53 @@
>> +#!/bin/bash
> 
> The file needs a GPL header here or what ever license you choose this
> will be.

OK, I think I would then use GPL 3 like IPFire.

> 
>> +
>> +#
>> +# Script Name: ovpn_crl_updater.sh
>> +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
>> +#     which prevents the expiration of OpenVPNs CRL.
>> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
>> +#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
>> +#     See for more infos:
>> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
>> +#
>> +# Run Information: If OpenVPNs CRL is presant, 
>> +#     this script provides a cronjob which checks daily if an update of the CRL is needed.
>> +#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
>> +#     before the CRL expiration, an openssl command will be executed to renew the CRL.
>> +#     The renewing of the CRL will be logged into /var/log/messages.
>> +# 
>> +# Author: Erik Kapfer
>> +#
>> +# Date: 17.01.2018
>> +#
>> +###############################################################################################
>> +
>> +# Check if OpenVPN is active or if the CRL is presant
>> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
>> +	exit 0;
>> +fi
>> +
>> +## Paths
>> +OVPN="/var/ipfire/ovpn";
>> +CRL="${OVPN}/crls/cacrl.pem";
>> +CAKEY="${OVPN}/ca/cakey.pem";
>> +CACERT="${OVPN}/ca/cacert.pem";
>> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
> 
> You may use some empty lines here to make the coder easier to read.

Done.

> 
>> +## Values
>> +# CRL check for the the 'Next Update:' in seconds
>> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
> 
> Complicated command. Can we break this down a little bit? Code doesn't
> necessarily run faster when everything is just one line, but it will be
> way easier to understand.

Done.

> 
>> +# Day in seconds to calculate
>> +DAYINSEC="86400";
> 
> No ; needed here and everywhere else...
> 
> It's shell, not C.

OK :-) done 

> 
>> +# Convert seconds to days
>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>> +# Update of the CRL in days before CRL expiring date
>> +UPDATE="2";
> 
> I think we should update every 14 days if the usual expiry time is 30.
> Therefore we will never get too close by accident.

So I would then need an fcrontab entry and another location for the script, since the fcron directories provide only daily, weekly and monthly.
Another possibility might be a weekly check so we can use the fcron directories?

> 
>> +# Check if OpenVPNs CRL needs to be renewed
>> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
>> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
>> +	logger -t openssl "OpenVPN CRL has been renewed";
>> +fi
> 
> You don't need the quotes around the integer comparison.

Done

> 
> Should we catch any errors of the openssl command?

OK, I would then maybe use a '2>&1 | logger -i -t openvpn' instead so we get the OpenSSL command output in messages if the CRL has been renewed.

> 
> I think the logging tag should rather be openvpn instead of openssl.

Done.

> 
>> +
>> +exit 0
>> +
>> +# EOF
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index a925f78..1e1ddc2 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>> 	chown root:root /usr/lib/openvpn/verify
>> 	chmod 755 /usr/lib/openvpn/verify
>> +	# Add crl updater
>> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
>> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
>> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> 
> Can we rename the script to openvpn-crl-updater?

Done.

>> 
>> 	@rm -rf $(DIR_APP)
>> 	@$(POSTBUILD)
> 
> Apart from that this looks good. Just minor stuff.

Great that you looked over it.

> 
> Best,
> -Michael

Greetings,

Erik



* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-02 19:19     ` ummeegge
@ 2018-02-03 20:20       ` ummeegge
  2018-02-06  0:44         ` Michael Tremer
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-03 20:20 UTC (permalink / raw)
  To: development


Hello Michael,
some thoughts concerning two of the questioned points


>>> +# Convert seconds to days
>>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>>> +# Update of the CRL in days before CRL expiring date
>>> +UPDATE="2";
>> 
>> I think we should update every 14 days if the usual expiry time is 30.
>> Therefore we will never get too close by accident.
> 
> So i would need then an frcontab entry and another location for the script since the fcron directories provides only daily, weekly and monthly.
> Another possibility might  be a weekly check so we can use the fcron directories ?

In case machines are off while the script performs its weekly check (not 24/7), the next check will be made one or two weeks later, which might be a long time if you do not know where the problem is.
I would rather make a daily check there and would also set UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be covered even if the check should be a fast one.


>> Should we catch any errors of the openssl command?
> 
> OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an OpenSSL command output in messages if the CRL has been renewed.

I have two possibilities here.

1)
in error case:
Feb  3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory

if successful:
Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf

which equals the OpenSSL command output ( 2>&1 | logger ).

or 2)

in error case:
Feb  2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed

if successful:
Feb  2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated

an if/else query echoes a defined message, so a search string like 'failed' or 'updated' can also be logged?


Otherwise all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-) .

Greetings,

Erik


* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-03 20:20       ` ummeegge
@ 2018-02-06  0:44         ` Michael Tremer
  2018-02-06  9:24           ` ummeegge
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Tremer @ 2018-02-06  0:44 UTC (permalink / raw)
  To: development


Hi,

On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote:
> Hello Michael,
> some thoughts causing two quested points
> 
> 
> > > > +# Convert seconds to days
> > > > +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> > > > +# Update of the CRL in days before CRL expiring date
> > > > +UPDATE="2";
> > > 
> > > I think we should update every 14 days if the usual expiry time is 30.
> > > Therefore we will never get too close by accident.
> > 
> > So i would need then an frcontab entry and another location for the script
> > since the fcron directories provides only daily, weekly and monthly.
> > Another possibility might  be a weekly check so we can use the fcron
> > directories ?
> 
> In case machines are off while the script performs his weekly check (no
> 24/7er) the next check will be made one/two week(s) later which might be a
> long time if you do not know where the problem is.
> I would do make there possibly a daily check and would also set the UPDATE to
> a week or 5 days instead of the current 2 before expiration date so more days
> can be grabbed even the check should be a fast one.

Cron will take care of this. It will automatically perform the cron jobs a
little while after the system has been booted and when the cron jobs should have
been executed while it was shut down.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a243239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13

It's the "bootrun" argument there.

> 
> 
> > > Should we catch any errors of the openssl command?
> > 
> > OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an
> > OpenSSL command output in messages if the CRL has been renewed.
> 
> Have here two possibilities. 
> 
> 1)
> in error case:
> Feb  3 17:56:03 ipfire-server crl_updater[18986]:
> /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file
> or directory

Don't put the path in. Calling "openssl" should be fine.

> if successful:
> Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> /var/ipfire/ovpn/openssl/ovpn.cnf
> 
> which equals to the OpenSSL command output ( 2>&1 | logger ). 

Do we need to log the output of OpenSSL? A line that says something like "Could
not update the OpenVPN CA CRL" should do, shouldn't it? People should run the
script themselves then and see what is going wrong.

> 
> or 2)
> 
> in error case:
> Feb  2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL update failed
> 
> if successful:
> Feb  2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh -
> CRL has been updated
> 
> if else query echo´s a defined message so search string like failed or updated
> can also be logged ?
> 
> 
> Otherwise all other quested changes has been made and are ready so far, might
> be nice to push the remaining CGI changes soon i think :-) .

Cool.

Let me know if I can be of any more help.

Best,
-Michael

> 
> Greetings,
> 
> Erik



* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-06  0:44         ` Michael Tremer
@ 2018-02-06  9:24           ` ummeegge
  2018-02-06 16:34             ` Michael Tremer
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-06  9:24 UTC (permalink / raw)
  To: development


Hello,

>> In case machines are off while the script performs his weekly check (no
>> 24/7er) the next check will be made one/two week(s) later which might be a
>> long time if you do not know where the problem is.
>> I would do make there possibly a daily check and would also set the UPDATE to
>> a week or 5 days instead of the current 2 before expiration date so more days
>> can be grabbed even the check should be a fast one.
> 
> Cron will take care of this. It will automatically perform the cron jobs a
> little while after the system has been booted and when the cron jobs should have
> been executed while it was shut down.
> 
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a2
> 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
> 
> It's the "bootrun" argument there.

Thanks for the clarification, I haven't had that in mind. Will then deliver the updater to 'fcron.weekly'. Will also set the update-before-expiration interval to 10 days; 8 might also be OK for a weekly cronjob, but possibly better to have 2 days + ?!

>> if successful:
>> Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
>> /var/ipfire/ovpn/openssl/ovpn.cnf
>> 
>> which equals to the OpenSSL command output ( 2>&1 | logger ). 
> 
> Do we need to log the output of OpenSSL? A line that says something like "Could
> not update the OpenVPN CA CRL" should do, shouldn't it? People should run the
> script themselves then and see what is going wrong.

No, I don't think so; lines in messages look even better then. Did that now like you suggested.

>> Otherwise all other quested changes has been made and are ready so far, might
>> be nice to push the remaining CGI changes soon i think :-) .
> 
> Cool.
> 
> Let me know if I can be of any more help.

Great, thanks for your offer and your help. If there is no veto on the above changes, I will deliver the patch today in the evening.

I have also fetched the current openssl-11 branch with all needed changes, thanks for keeping this up to date :-) .

All the best,

Erik



* Re: [PATCH] CRL updater: Update script for OpenVPN CRL
  2018-02-06  9:24           ` ummeegge
@ 2018-02-06 16:34             ` Michael Tremer
  0 siblings, 0 replies; 24+ messages in thread
From: Michael Tremer @ 2018-02-06 16:34 UTC (permalink / raw)
  To: development


Hi,

On Tue, 2018-02-06 at 10:24 +0100, ummeegge wrote:
> Hello,
> 
> > > In case machines are off while the script performs his weekly check (no
> > > 24/7er) the next check will be made one/two week(s) later which might be a
> > > long time if you do not know where the problem is.
> > > I would do make there possibly a daily check and would also set the UPDATE
> > > to
> > > a week or 5 days instead of the current 2 before expiration date so more
> > > days
> > > can be grabbed even the check should be a fast one.
> > 
> > Cron will take care of this. It will automatically perform the cron jobs a
> > little while after the system has been booted and when the cron jobs should
> > have
> > been executed while it was shut down.
> > 
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561
> > f4a2
> > 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
> > 
> > It's the "bootrun" argument there.
> 
> Thanks for clarification haven´t had that in mind. Will deliver the updater
> then to 'frcon.weekly'. Will also set the update before expiration interval to
> 10 days before, 8 might be also OK for a weekly cronjob but possibly better to
> have 2 days + ?!

I think daily is better. That makes things more predictable and it does not hurt
to renew every 14 days to never get close to the expiration date.

> 
> > > if successful:
> > > Feb  3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from
> > > /var/ipfire/ovpn/openssl/ovpn.cnf
> > > 
> > > which equals the OpenSSL command output ( 2>&1 | logger ).
> > 
> > Do we need to log the output of OpenSSL? A line that says something like
> > "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should
> > run the script themselves then and see what is going wrong.
> 
> No, I don't think so; lines in messages look even better then. Did that now
> like you suggested.
> 
> > > Otherwise all other requested changes have been made and are ready so far,
> > > might be nice to push the remaining CGI changes soon I think :-) .
> > 
> > Cool.
> > 
> > Let me know if I can be of any more help.
> 
> Great, thanks for your offer and your help. If there is no veto for the above
> changes I will deliver the patch today in the evening.
> 
> Have also fetched the actual openssl-11 branch with all needed changes, thanks
> for keeping this up to date :-) .
> 
> All the best,
> 
> Erik
> 

-Michael



* [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
  2018-02-02 10:51   ` Michael Tremer
@ 2018-02-06 20:09   ` Erik Kapfer
  2018-02-06 21:45     ` Michael Tremer
  2018-02-07 17:31   ` Erik Kapfer
  2 siblings, 1 reply; 24+ messages in thread
From: Erik Kapfer @ 2018-02-06 20:09 UTC (permalink / raw)
  To: development


Update script for OpenVPN's CRL because OpenVPN has refactored the CRL handling since v.2.4.0.
    The script checks the next update field from the CRL and executes an update before it expires.
    The script is placed under fcron.daily for daily checks.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/ovpn/openvpn-crl-updater | 88 +++++++++++++++++++++++++++++++++++++++++
 config/rootfiles/common/openvpn |  1 +
 lfs/openvpn                     |  6 +++
 3 files changed, 95 insertions(+)
 create mode 100644 config/ovpn/openvpn-crl-updater

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
new file mode 100644
index 0000000..9063b04
--- /dev/null
+++ b/config/ovpn/openvpn-crl-updater
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#########################################################################################
+#											#
+# This file is part of the IPFire Firewall.						#
+#											#
+# IPFire is free software: you can redistribute it and/or modify			#
+# it under the terms of the GNU General Public License as published by			#
+# the Free Software Foundation, either version 3 of the License, or 			#
+# (at your option) any later version.							#
+#											#
+# IPFire is distributed in the hope that it will be useful,				#
+# but WITHOUT ANY WARRANTY; without even the implied warranty of 			#
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 			#
+# GNU General Public License for more details. 						#
+#											#
+# You should have received a copy of the GNU General Public License 			#
+# along with IPFire.  If not, see <http://www.gnu.org/licenses/>. 			#
+#											#
+# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.					#
+#											#
+#########################################################################################
+#											#
+# Script Name: openvpn-crl-updater 							#
+# Description: This script checks the "Next Update:" field of the CRL			#
+#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.		#
+#   With OpenVPN 2.4.x the CRL handling has been refactored, 				#
+#   whereby the verification logic has been removed from ssl_verify_<backend>.c . 	#
+#   For more infos:									#
+#   https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 	#
+#											#
+# Run Information: If OpenVPNs CRL is presant, 						#
+#   this script provides a cronjob which checks daily if an update of the CRL 		#
+#   is needed.	If the expiring date reaches the value					#
+#   (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl	# 
+#   command will be executed to renew the CRL.						#
+#   Script execution will be logged into /var/log/messages.				#
+# 											#
+# Author: Erik Kapfer 									#
+#											#
+# Date: 06.02.2018									#
+#											#
+#########################################################################################
+
+# Check if OpenVPN is active or if the CRL is presant
+if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
+	exit 0;
+fi
+
+## Paths
+OVPN="/var/ipfire/ovpn"
+CRL="${OVPN}/crls/cacrl.pem"
+CAKEY="${OVPN}/ca/cakey.pem"
+CACERT="${OVPN}/ca/cacert.pem"
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+
+## Values
+# CRL check for the 'Next Update:' in seconds
+EXPIRINGDATEINSEC="$((
+$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \
+    /bin/grep -oP 'Next Update: *\K.*')" +%s) - \
+    $(/bin/date +%s) \
+))"
+
+# Day in seconds to calculate
+DAYINSEC="86400"
+
+# Convert seconds to days
+NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"
+
+# Update of the CRL in days before CRL expiring date
+UPDATE="14"
+
+
+# Check if OpenVPNs CRL needs to be renewed
+if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
+    if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+	logger -t openvpn "CRL has been updated"
+    else
+	logger -t openvpn "error: Could not update CRL"
+    fi
+fi
+
+exit 0
+
+
+# EOF
+
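Review bot: the existence check at the top runs before the path variables are defined and nothing guards the "Next Update:" extraction: if `openssl crl -in "${CRL}" -text` fails or the `grep` matches nothing, `date -d ""` does not fail but yields midnight of the current day, so `EXPIRINGDATEINSEC` becomes a meaningless (negative) number and `[ ${NEXTUPDATE} -le ${UPDATE} ]` triggers a renewal on garbage. Move the check below the `## Paths` block, test `${CRL}` and `${CAKEY}` there, store the grep result in its own variable and bail out with a `logger -t openvpn "error: ..."` and a non-zero exit when it is empty; quoting `"${NEXTUPDATE}"` and `"${UPDATE}"` in the test also turns an empty value into a clean error instead of a `[: integer expression expected` failure. Minor: a file created in 2018 carries `Copyright (C) 2007` in its header, and the trailing `# EOF` plus two blank lines add nothing.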
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index 2b63424..131d798 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,4 @@
+etc/fcron.daily/openvpn-crl-updater
 #usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
diff --git a/lfs/openvpn b/lfs/openvpn
index 3913f02..1ecc18c 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	# Add crl updater
+	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
+	chown root:root /etc/fcron.daily/openvpn-crl-updater
+	chmod 750 /etc/fcron.daily/openvpn-crl-updater
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
+
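Review bot: the last `+` line of this hunk, after `@$(POSTBUILD)`, appends a stray empty line to the end of lfs/openvpn; drop it so the file ends with the `$(POSTBUILD)` line as before.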
-- 
2.7.4



* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-06 20:09   ` [PATCH v2] CRL updater: Update script for OpenVPNs CRL Erik Kapfer
@ 2018-02-06 21:45     ` Michael Tremer
  0 siblings, 0 replies; 24+ messages in thread
From: Michael Tremer @ 2018-02-06 21:45 UTC (permalink / raw)
  To: development


Hi,

On Tue, 2018-02-06 at 21:09 +0100, Erik Kapfer wrote:
> Update script for OpenVPN's CRL because OpenVPN has refactored the CRL handling
> since v.2.4.0.
>     The script checks the next update field from the CRL and executes an update
> before it expires.
>     The script is placed under fcron.daily for daily checks.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/ovpn/openvpn-crl-updater | 88
> +++++++++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/openvpn |  1 +
>  lfs/openvpn                     |  6 +++
>  3 files changed, 95 insertions(+)
>  create mode 100644 config/ovpn/openvpn-crl-updater
> 
> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
> new file mode 100644
> index 0000000..9063b04
> --- /dev/null
> +++ b/config/ovpn/openvpn-crl-updater
> @@ -0,0 +1,88 @@
> +#!/bin/bash
> +
> +#############################################################################
> ############

There is an extra empty line before the header and an extra hash in the first
line of the header.

> +#										
> 	#
> +# This file is part of the IPFire Firewall.					
> 	#
> +#										
> 	#
> +# IPFire is free software: you can redistribute it and/or modify		
> 	#
> +# it under the terms of the GNU General Public License as published by	
> 		#
> +# the Free Software Foundation, either version 3 of the License, or 		
> 	#
> +# (at your option) any later version.						
> 	#
> +#										
> 	#
> +# IPFire is distributed in the hope that it will be useful,			
> 	#
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of 		
> 	#
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 		
> 	#
> +# GNU General Public License for more details. 				
> 		#
> +#										
> 	#
> +# You should have received a copy of the GNU General Public License 		
> 	#
> +# along with IPFire.  If not, see <http://www.gnu.org/licenses/>. 		
> 	#
> +#										
> 	#
> +# Copyright (C) 2007 IPFire-Team <info(a)ipfire.org>.				
> 	#
> +#										
> 	#
> +#############################################################################
> ############
> +#										
> 	#
> +# Script Name: openvpn-crl-updater 						
> 	#
> +# Description: This script checks the "Next Update:" field of the CRL		
> 	#
> +#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.	
> 	#
> +#   With OpenVPN 2.4.x the CRL handling has been refactored, 			
> 	#
> +#   whereby the verification logic has been removed from
> ssl_verify_<backend>.c . 	#
> +#   For more infos:								
> 	#
> +#   https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e
> 07016a336 	#
> +#										
> 	#
> +# Run Information: If OpenVPNs CRL is presant, 				

*present*

> 		#
> +#   this script provides a cronjob which checks daily if an update of the
> CRL 		#
> +#   is needed.	If the expiring date reaches the value			
> 		#
> +#   (defined in the 'UPDATE' variable in days) before the CRL expiration, an
> openssl	# 
> +#   command will be executed to renew the CRL.				
> 		#
> +#   Script execution will be logged into /var/log/messages.			
> 	#
> +# 										
> 	#
> +# Author: Erik Kapfer 							
> 		#
> +#										
> 	#
> +# Date: 06.02.2018								

Dates are not required. Git does this for us.

> 	#
> +#										
> 	#
> +#############################################################################
> ############
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> +	exit 0;
> +fi

You got a hardcoded path here. Variables are set after this. It probably makes
sense to move the check after the initialisation block and then check things
and/or exit.

> +## Paths
> +OVPN="/var/ipfire/ovpn"
> +CRL="${OVPN}/crls/cacrl.pem"
> +CAKEY="${OVPN}/ca/cakey.pem"
> +CACERT="${OVPN}/ca/cacert.pem"
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
> +
> +## Values
> +# CRL check for the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC="$((
> +$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \
> +    /bin/grep -oP 'Next Update: *\K.*')" +%s) - \
> +    $(/bin/date +%s) \
> +))"

You never need to use "/bin" or so before a command. The shell will find it.
Just use date, grep, and (further down) openssl.

And I didn't mean just breaking the lines. I meant splitting this into smaller
chunks that are easy to understand and modify if we need to. Like:

NOW="$(date "+%s")"
EXPIRES_AT="$(openssl ... | grep ...)"

# Convert into seconds from epoch
EXPIRES_AT="$(date -d "${EXPIRES_AT}" "+%s")"

EXPIRINGDATEINSEC=$(( EXPIRES_AT - NOW ))

I find this way easier to read and audit and it will execute in the same amount
of time.

> +# Day in seconds to calculate
> +DAYINSEC="86400"
> +
> +# Convert seconds to days
> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"

Here this is super easy to read and understand. Way better.

> +# Update of the CRL in days before CRL expiring date
> +UPDATE="14"
> +
> +
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
> +    if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
> "${CRL}" -config "${OPENSSLCONF}"; then
> +	logger -t openvpn "CRL has been updated"
> +    else
> +	logger -t openvpn "error: Could not update CRL"
> +    fi
> +fi
> +
> +exit 0
> +
> +
> +# EOF
> +
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 2b63424..131d798 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,4 @@
> +etc/fcron.daily/openvpn-crl-updater
>  #usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 3913f02..1ecc18c 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	# Add crl updater
> +	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/openvpn-crl-updater
> +	chmod 750 /etc/fcron.daily/openvpn-crl-updater
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
> +

There is an extra empty line at the end of the LFS file.

Best,
-Michael
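The check discussed in this review, split into the small steps Michael asks for, as an added example that is neither IPFire's nor the patch author's code: it takes the `openssl crl -text` output and the current time as parameters (so it runs on the constructed sample below without openssl or a real CRL), and it reports an unreadable "Next Update:" field instead of turning it into a renewal decision. It assumes GNU `date -d` and uses `sed` in place of `grep -P` for portability.

```bash
#!/bin/bash
# Added example, not IPFire's code: the CRL "Next Update" check from the
# patch, split into small functions so that a failed parse is reported
# instead of being turned into a renewal decision. Assumes GNU date.

# Read `openssl crl -text` output on stdin and print the value of the
# "Next Update:" field (e.g. "Feb 20 18:00:00 2018 GMT"); prints nothing
# if the field is absent. sed is used instead of grep -P for portability.
crl_next_update_field() {
    sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# Print the whole days between the epoch timestamp $2 and the CRL date $1.
# Returns 1 (and prints nothing) when $1 is empty or not a parseable date,
# so callers cannot mistake a failed parse for "0 days left".
crl_days_left() {
    local next_update="$1" now="$2" expires_at
    [ -n "${next_update}" ] || return 1
    expires_at="$(date -u -d "${next_update}" +%s 2>/dev/null)" || return 1
    echo $(( (expires_at - now) / 86400 ))
}

# Decide whether the CRL has to be regenerated.
#   $1: `openssl crl -text` output   $2: now (epoch seconds)
#   $3: renew when this many days or fewer remain (the patch uses 14)
# Exit status: 0 = renew now, 1 = nothing to do, 2 = Next Update unreadable.
crl_needs_renewal() {
    local text="$1" now="$2" threshold="${3:-14}" field days
    field="$(printf '%s\n' "${text}" | crl_next_update_field)"
    days="$(crl_days_left "${field}" "${now}")" || return 2
    [ "${days}" -le "${threshold}" ]
}

# Constructed sample of `openssl crl -text` output (not a real CRL).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = XX, O = IPFire, CN = IPFire CA
        Last Update: Feb  6 18:00:00 2018 GMT
        Next Update: Feb 20 18:00:00 2018 GMT
No Revoked Certificates.'

# Stand-alone demonstration: the same CRL checked one day before and on the
# day the 14-day threshold is reached, plus a parse failure. The messages
# mirror what the fcron script would hand to logger for each outcome.
main() {
    local now rc
    for now in 1517853600 1517940000; do   # 2018-02-05 and 2018-02-06, 18:00 UTC
        rc=0
        crl_needs_renewal "${SAMPLE_CRL_TEXT}" "${now}" 14 || rc=$?
        case ${rc} in
            0) echo "now=${now}: renew CRL (would run: openssl ca -gencrl ...)" ;;
            1) echo "now=${now}: CRL still valid long enough, nothing to do" ;;
            2) echo "now=${now}: error: Could not read CRL Next Update" ;;
        esac
    done
    rc=0
    crl_needs_renewal "no Next Update line here" "${now}" 14 || rc=$?
    echo "unreadable CRL text: exit status ${rc}"
}

main "$@"
```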



* [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-02  6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
  2018-02-02 10:51   ` Michael Tremer
  2018-02-06 20:09   ` [PATCH v2] CRL updater: Update script for OpenVPNs CRL Erik Kapfer
@ 2018-02-07 17:31   ` Erik Kapfer
  2018-02-11 22:25     ` Michael Tremer
  2 siblings, 1 reply; 24+ messages in thread
From: Erik Kapfer @ 2018-02-07 17:31 UTC (permalink / raw)
  To: development


Update script for OpenVPN's CRL because OpenVPN has refactored the CRL handling since v.2.4.0.
    The script checks the next update field from the CRL and executes an update before it expires.
    The script is placed under fcron.daily for daily checks.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++
 config/rootfiles/common/openvpn |  1 +
 lfs/openvpn                     |  5 +++
 3 files changed, 96 insertions(+)
 create mode 100644 config/ovpn/openvpn-crl-updater

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
new file mode 100644
index 0000000..5fbe210
--- /dev/null
+++ b/config/ovpn/openvpn-crl-updater
@@ -0,0 +1,90 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2018  IPFire Team  <erik.kapfer(a)ipfire.org>                   #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+#                                                                             #
+# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
+#                                                                             #
+# Description: This script checks the "Next Update:" field of the CRL         #
+#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.   #
+#   With OpenVPN 2.4.x the CRL handling has been refactored,                  #
+#   whereby the verification logic has been removed                           #
+#   from ssl_verify_<backend>.c .                                             #
+#                                                                             #
+# Run Information: If OpenVPNs CRL is present,                                #
+#   this script provides a cronjob which checks daily if an update            #
+#   of the CRL is needed. If the expiring date reaches the value              #
+#   (defined in the 'UPDATE' variable in days) before the CRL expiration,     #
+#   an openssl command will be executed to renew the CRL.                     #
+#   Script execution will be logged into /var/log/messages.                   #
+#                                                                             #
+###############################################################################
+
+## Paths
+OVPN="/var/ipfire/ovpn"
+CRL="${OVPN}/crls/cacrl.pem"
+CAKEY="${OVPN}/ca/cakey.pem"
+CACERT="${OVPN}/ca/cacert.pem"
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+
+# Check if CRL is presant or if OpenVPN is active
+if [ ! -e "${CAKEY}" ]; then
+	exit 0;
+fi
+
+## Values
+# Actual time in epoch format
+NOW="$(date +%s)"
+
+# Investigate CRLs 'Next Update' date
+EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
+
+# Convert 'Next Update:' date from epoch to seconds
+EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
+
+# Seconds left until CRL expires
+EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
+
+# Day in seconds to calculate
+DAYINSEC="86400"
+
+# Convert seconds to days
+NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
+
+# Update of the CRL in days before CRL expiring date
+UPDATE="14"
+
+
+## Mainpart
+# Check if OpenVPNs CRL needs to be renewed
+if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+		logger -t openvpn "CRL has been updated"
+    else
+		logger -t openvpn "error: Could not update CRL"
+    fi
+fi
+
+exit 0
+
+
+# EOF
+
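Review bot: the guard `if [ ! -e "${CAKEY}" ]` tests the CA key, while its comment ("Check if CRL is presant") and the rest of the script are about the CRL: with a CA key present and `${CRL}` missing, `openssl crl -in "${CRL}" -text` fails, `EXPIRES_CRL` is empty, `date -d ""` yields midnight of the current day and the script goes on to regenerate on that bogus value. Test `${CRL}` (and `${CAKEY}`) explicitly, and after the `grep` add `[ -n "${EXPIRES_CRL}" ] || { logger -t openvpn "error: Could not read CRL Next Update"; exit 1; }` so an unreadable CRL is logged rather than acted on; quoting `"${NEXTUPDATE}"` and `"${UPDATE}"` in the final test has the same defensive effect. Two smaller points: the comment "Convert 'Next Update:' date from epoch to seconds" is inverted (the `date -d ... "+%s"` call converts the date string to epoch seconds), and "presant" is still misspelled in the guard's comment.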
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index 2b63424..131d798 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,4 @@
+etc/fcron.daily/openvpn-crl-updater
 #usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
diff --git a/lfs/openvpn b/lfs/openvpn
index 3913f02..ef25c25 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	# Add crl updater
+	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
+	chown root:root /etc/fcron.daily/openvpn-crl-updater
+	chmod 750 /etc/fcron.daily/openvpn-crl-updater
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.7.4



* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-07 17:31   ` Erik Kapfer
@ 2018-02-11 22:25     ` Michael Tremer
  2018-02-13  6:02       ` ummeegge
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Tremer @ 2018-02-11 22:25 UTC (permalink / raw)
  To: development


Hello,

I merged this patch into the openssl-11 branch and rebased the branch.

What other steps are urgently necessary that we can roll out OpenVPN
2.4? Are the CGI changes necessary or new features?

Best,
-Michael

On Wed, 2018-02-07 at 18:31 +0100, Erik Kapfer wrote:
> Update script for OpenVPN's CRL because OpenVPN has refactored the CRL handling since v.2.4.0.
>     The script checks the next update field from the CRL and executes an update before it expires.
>     The script is placed under fcron.daily for daily checks.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/openvpn |  1 +
>  lfs/openvpn                     |  5 +++
>  3 files changed, 96 insertions(+)
>  create mode 100644 config/ovpn/openvpn-crl-updater
> 
> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
> new file mode 100644
> index 0000000..5fbe210
> --- /dev/null
> +++ b/config/ovpn/openvpn-crl-updater
> @@ -0,0 +1,90 @@
> +#!/bin/bash
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2018  IPFire Team  <erik.kapfer(a)ipfire.org>                   #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
> +
> +###############################################################################
> +#                                                                             #
> +# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
> +#                                                                             #
> +# Description: This script checks the "Next Update:" field of the CRL         #
> +#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.   #
> +#   With OpenVPN 2.4.x the CRL handling has been refactored,                  #
> +#   whereby the verification logic has been removed                           #
> +#   from ssl_verify_<backend>.c .                                             #
> +#                                                                             #
> +# Run Information: If OpenVPNs CRL is present,                                #
> +#   this script provides a cronjob which checks daily if an update            #
> +#   of the CRL is needed. If the expiring date reaches the value              #
> +#   (defined in the 'UPDATE' variable in days) before the CRL expiration,     #
> +#   an openssl command will be executed to renew the CRL.                     #
> +#   Script execution will be logged into /var/log/messages.                   #
> +#                                                                             #
> +###############################################################################
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn"
> +CRL="${OVPN}/crls/cacrl.pem"
> +CAKEY="${OVPN}/ca/cakey.pem"
> +CACERT="${OVPN}/ca/cacert.pem"
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
> +
> +# Check if CRL is presant or if OpenVPN is active
> +if [ ! -e "${CAKEY}" ]; then
> +	exit 0;
> +fi
> +
> +## Values
> +# Actual time in epoch format
> +NOW="$(date +%s)"
> +
> +# Investigate CRLs 'Next Update' date
> +EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
> +
> +# Convert 'Next Update:' date from epoch to seconds
> +EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
> +
> +# Seconds left until CRL expires
> +EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
> +
> +# Day in seconds to calculate
> +DAYINSEC="86400"
> +
> +# Convert seconds to days
> +NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
> +
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="14"
> +
> +
> +## Mainpart
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
> +		logger -t openvpn "CRL has been updated"
> +    else
> +		logger -t openvpn "error: Could not update CRL"
> +    fi
> +fi
> +
> +exit 0
> +
> +
> +# EOF
> +
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 2b63424..131d798 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,4 @@
> +etc/fcron.daily/openvpn-crl-updater
>  #usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 3913f02..ef25c25 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	# Add crl updater
> +	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/openvpn-crl-updater
> +	chmod 750 /etc/fcron.daily/openvpn-crl-updater
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-11 22:25     ` Michael Tremer
@ 2018-02-13  6:02       ` ummeegge
  2018-02-13  6:07         ` Horace Michael
                           ` (2 more replies)
  0 siblings, 3 replies; 24+ messages in thread
From: ummeegge @ 2018-02-13  6:02 UTC (permalink / raw)
  To: development


Hi Michael,
thanks for merging.


On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> Hello,
> 
> I merged this patch into the openssl-11 branch and rebased the
> branch.
> 
> What other steps are urgently necessary that we can roll out OpenVPN
> 2.4? Are the CGI changes necessary or new features?

there is the need to make the changes for '--script-security' and to
add '--ncp-disable' in ovpnmain.cgi.

Also the integration of the directives via update.sh for the core
update needs to be made, since a server stop|start does not include the
changes in server.conf.

So there are two steps left for a roll out of a 2.4 minimum version.
Should I send this in two patches or better in one?

In which core update should this be delivered?

Greetings,

Erik


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13  6:02       ` ummeegge
@ 2018-02-13  6:07         ` Horace Michael
  2018-02-13 10:00           ` ummeegge
  2018-02-13 13:13         ` ummeegge
  2018-02-14 12:22         ` Michael Tremer
  2 siblings, 1 reply; 24+ messages in thread
From: Horace Michael @ 2018-02-13  6:07 UTC (permalink / raw)
  To: development


Hi all,

On February 13, 2018 8:02:57 AM GMT+02:00, ummeegge <ummeegge(a)ipfire.org> wrote:
>Hi Michael,
>thanks for merging.
>
>
>On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
>> Hello,
>> 
>> I merged this patch into the openssl-11 branch and rebased the
>> branch.
>> 
>> What other steps are urgently necessary that we can roll out OpenVPN
>> 2.4? Are the CGI changes necessary or new features?
>
>there is the need to make the changes for '--script-security' and to
>add '--ncp-disable' in ovpnmain.cgi. 
>

Please consider adding auth-nocache as well, in order to get rid of the warnings about caching credentials.


>Also the integration of the directives via update.sh for the core
>update needs to be made, since a server stop|start does not include the
>changes in server.conf.
>
>So there are two steps left for a roll out of a 2.4 minimum version.
>Should I send this in two patches or better in one?
>
>In which core update should this be delivered ?
>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
 Please excuse my typos and brevity. Sent from a Smartphone. 


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13  6:07         ` Horace Michael
@ 2018-02-13 10:00           ` ummeegge
  2018-02-13 14:21             ` Horace Michael
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-13 10:00 UTC (permalink / raw)
  To: development


Hi Michael,

On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
> 
> Please consider adding auth-nocache as well, in order to get rid of the
> warnings about caching credentials.

just to bear in mind, if we set auth-nocache and a user/password
authentication has been configured manually by the user (IPFire does not
provide this currently), there is the need to authenticate again after
a session key has expired.

With OpenVPN-2.3.13 and above the rekeying is managed by
'--reneg-bytes 64000000' (after 64 MB data transfer) if 64 bit block
ciphers are used, which IPFire does provide at this time.

So by the usage of an old deprecated configuration (old ciphers) and a
faster and heavily loaded connection there is the need to authenticate
every few minutes.

This warning does not look so nice, but in regular configurations, which
have been made via the WUI, it is useless since there is no user/password
authentication currently available.

If someone has configured it manually (in most cases via
server{client}.conf.local I think), is it there also possible to set
'--auth-nocache' for each configuration individually if needed?

Just some thoughts from here.


Greetings,

Erik


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13  6:02       ` ummeegge
  2018-02-13  6:07         ` Horace Michael
@ 2018-02-13 13:13         ` ummeegge
  2018-02-14 12:22         ` Michael Tremer
  2 siblings, 0 replies; 24+ messages in thread
From: ummeegge @ 2018-02-13 13:13 UTC (permalink / raw)
  To: development


Have forgotten one more thing,
we should also add the new AES-GCM cipher for N2N and RWs. Would push
this one maybe before the directive changes?

Will track all that to openssl-11 branch.

Greetings,

Erik


On Tuesday, 13.02.2018, 07:02 +0100, ummeegge wrote:
> Hi Michael,
> thanks for merging.
> 
> 
> On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> > 
> > Hello,
> > 
> > I merged this patch into the openssl-11 branch and rebased the
> > branch.
> > 
> > What other steps are urgently necessary that we can roll out
> > OpenVPN
> > 2.4? Are the CGI changes necessary or new features?
> there is the need to make the changes for '--script-security' and to
> add '--ncp-disable' in ovpnmain.cgi.
> 
> Also the integration of the directives via update.sh for the core
> update needs to be made, since a server stop|start does not include the
> changes in server.conf.
> 
> So there are two steps left for a roll out of a 2.4 minimum version.
> Should I send this in two patches or better in one?
> 
> In which core update should this be delivered?
> 
> Greetings,
> 
> Erik


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13 10:00           ` ummeegge
@ 2018-02-13 14:21             ` Horace Michael
  2018-02-14 14:09               ` ummeegge
  0 siblings, 1 reply; 24+ messages in thread
From: Horace Michael @ 2018-02-13 14:21 UTC (permalink / raw)
  To: development


Hi Erik,

On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge(a)ipfire.org> wrote:
>Hi Michael,
>
>On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
>> 
>> Please consider to add auth-nocache also in order to get rid of the
>> warnings for caching credentials.
>
>Just to bear in mind, if we set auth-nocache and a user/password
>authentication has been configured manually by the user (IPFire does not
>provide this currently), there is the need to authenticate again after
>a session key has expired.

If an IPFire user manually changed the standard configuration of OpenVPN and added passwd authentication, then he/she should also assume the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.

>
>With OpenVPN-2.3.13 and above the rekeying is managed by
>'--reneg-bytes 64000000' (after 64 MB of data transfer) if 64-bit block
>ciphers are used, which IPFire does provide at this time.
>
>So with an old, deprecated configuration (old ciphers) and a fast,
>heavily loaded connection there is the need to authenticate every few
>minutes.
>
>This warning does not look nice, but in regular configurations, which
>have been made via the WUI, it is useless since there is no user/password
>authentication currently available.
>

Indeed, it is just a warning, no problem for the tunnel being established. But it is a warning that might be wrongly understood: who knows what "credentials" the user will think of, and the user's overall image of IPFire security will be poor...
>If someone has configured it manually (in most cases via
>server{client}.conf.local, I think), it is also possible there to set
>'--auth-nocache' for each configuration individually if needed?
>
>Just some thoughts from here.
>

>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
 Please excuse my typos and brevity. Sent from a Smartphone. 


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13  6:02       ` ummeegge
  2018-02-13  6:07         ` Horace Michael
  2018-02-13 13:13         ` ummeegge
@ 2018-02-14 12:22         ` Michael Tremer
  2018-02-14 13:24           ` ummeegge
  2 siblings, 1 reply; 24+ messages in thread
From: Michael Tremer @ 2018-02-14 12:22 UTC (permalink / raw)
  To: development


Hi,

On Tue, 2018-02-13 at 07:02 +0100, ummeegge wrote:
> Hi Michael,
> thanks for merging.
> 
> 
> On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> > Hello,
> > 
> > I merged this patch into the openssl-11 branch and rebased the
> > branch.
> > 
> > What other steps are urgently necessary that we can roll out OpenVPN
> > 2.4? Are the CGI changes necessary or new features?
> 
> There is the need to make the changes for '--script-security' and to
> add '--ncp-disable' in ovpnmain.cgi.

Okay. I will wait with merging OpenSSL until we have this sorted.

> Also the integration of the directives via update.sh for the core
> update needs to be made, since a server stop|start does not include the
> changes in server.conf.

And this, too.

> So there are two steps left for a roll out of a 2.4 minimum version.
> Should I send this in two patches or better in one?

Please try this in two patches.

> In which core update should this be delivered ?

I am not sure, yet. 119 would have been good, but we already have a lot in there
and I think we should not delay this too much. But 120 at the latest.

It is really important that we get the latest OpenSSL out there as soon as
possible.

Best,
-Michael

> 
> Greetings,
> 
> Erik


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-14 12:22         ` Michael Tremer
@ 2018-02-14 13:24           ` ummeegge
  2018-02-14 20:27             ` Michael Tremer
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-14 13:24 UTC (permalink / raw)
  To: development


Hi Michael,

On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:

> > > What other steps are urgently necessary that we can roll out
> > > OpenVPN
> > > 2.4? Are the CGI changes necessary or new features?
> > There is the need to make the changes for '--script-security' and
> > to add '--ncp-disable' in ovpnmain.cgi.
> Okay. I will wait with merging OpenSSL until we have this sorted.

Have sent the forgotten AES-GCM patch -->
https://lists.ipfire.org/pipermail/development/2018-February/004063.html
Would you merge it into openssl-11 if the review is OK? I would pull the
changes then and prepare/send the last ovpnmain.cgi patch.

> 
> > 
> > Also the integration of the directives via update.sh for the core
> > update needs to be made, since a server stop|start does not include
> > the changes in server.conf.
> And this, too.

Since there is currently no config/rootfiles/core/config/rootfiles/core
directory for openssl-11, should I make one for core 119 (or 120?) and
add the commands there in update.sh?

> 
> > 
> > So there are two steps left for a roll out of a 2.4 minimum
> > version.
> > Should i send this in two patches or better in one ?
> Please try this in two patches.

No problem if I am clear about the question above.

> 
> > 
> > In which core update should this be delivered ?
> I am not sure, yet. 119 would have been good, but we already have a
> lot in there
> and I think we should not delay this too much. But 120 at the latest.
> 
> It is really important that we get the latest OpenSSL out there as
> soon as
> possible.

Have successfully installed yesterday an IPFire ISO with OpenSSL-1.1.0g;
I think the last changes from commit
59d77d2eae265304887408b1d36074269f6075a4
did it :D. Great work, Michael. Two more commits and from the OpenVPN
side all should be OK for the first. After that I would step into
testing mode...

Greetings,

Erik
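
The update.sh question above is about getting new directives into an existing server.conf when the core update lands, since a plain server stop|start does not rewrite the file. The following is an added example of such a migration step, written for this page; it is not IPFire's update.sh nor any project code. It sets a directive in place when the file already carries it, appends it otherwise, keeps a one-time backup, and can be run as often as needed without duplicating lines. The directives (script-security, ncp-disable) come from the thread; the value 2 for script-security is an assumption taken from the later discussion of lowering it, and the real IPFire path /var/ipfire/ovpn/server.conf is only mentioned in a comment, the demo works on a constructed temporary file.

```shell
#!/bin/sh
# Added example, not IPFire's update.sh: idempotently set OpenVPN directives in
# an existing server.conf the way a core-update or stand-alone migration script
# would. Assumes one directive per line with "#"/";" comments. The real file on
# IPFire would be /var/ipfire/ovpn/server.conf (assumption); the demo below only
# touches a temporary constructed file.

# Set directive $2 (with optional arguments $3...) in file $1: replace the first
# uncommented line carrying it, otherwise append. Running it twice is a no-op.
ensure_directive() {
    conf="$1"; name="$2"; shift 2
    line="$name"
    if [ $# -gt 0 ]; then line="$name $*"; fi
    if grep -Eq "^[[:space:]]*$name([[:space:]]|\$)" "$conf"; then
        # awk's $1 is the first whitespace-separated field, so a commented
        # "#name" line never matches; only the first hit is rewritten.
        awk -v n="$name" -v l="$line" '
            !done && $1 == n { print l; done = 1; next }
            { print }
        ' "$conf" > "$conf.tmp" \
            && cat "$conf.tmp" > "$conf" \
            && rm -f "$conf.tmp"   # cat keeps the inode, owner and mode of the original
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Number of uncommented lines carrying directive $2 in file $1 (0 if absent).
directive_count() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|\$)" "$1" || true
}

# The OpenVPN 2.4 migration step discussed in the thread (values assumed).
migrate_ovpn_24() {
    conf="$1"
    # one-time backup of the pre-migration file; a second run must not overwrite it
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak"
    ensure_directive "$conf" script-security 2
    ensure_directive "$conf" ncp-disable
}

# Stand-alone demonstration on a constructed config (not a real IPFire file).
tmpconf="$(mktemp)"
cat > "$tmpconf" <<'EOF'
# constructed sample of a pre-2.4 server.conf
proto udp
port 1194
dev tun
cipher AES-256-CBC
script-security 3
EOF
migrate_ovpn_24 "$tmpconf"
migrate_ovpn_24 "$tmpconf"    # second run changes nothing
echo "script-security lines: $(directive_count "$tmpconf" script-security)"
cat "$tmpconf"
rm -f "$tmpconf" "$tmpconf.bak"
```

The replace-in-place branch keeps the directive where the admin put it, so the file stays readable after several updates, and the backup lets a failed roll-out be reverted by hand.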


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-13 14:21             ` Horace Michael
@ 2018-02-14 14:09               ` ummeegge
  0 siblings, 0 replies; 24+ messages in thread
From: ummeegge @ 2018-02-14 14:09 UTC (permalink / raw)
  To: development


Hi Michael,

On Tuesday, 13.02.2018, 16:21 +0200, Horace Michael wrote:
> Hi Erik,
> 
> On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge(a)ipfire.org>
> wrote:
> > 
> > Hi Michael,
> > 
> > On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
> > > 
> > >  
> > > Please consider to add auth-nocache also in order to get rid of
> > > the
> > > warnings for caching credentials.
> > Just to bear in mind, if we set auth-nocache and a user/password
> > authentication has been configured manually by the user (IPFire does
> > not provide this currently), there is the need to authenticate again
> > after a session key has expired.
> If an IPFire user manually changed the standard configuration of
> OpenVPN and added passwd authentication, then he/she should also assume
> the impact: entering the credentials on key renewal, or changing the
> config and removing the --auth-nocache directive.
> 
The removal is kind of impractical: if we hardcode --auth-nocache, it can
indeed be manually deleted in ovpnmain.cgi, but it won't be consistent
for coming updates.
If someone uses user/pwd auth via manual configuration, it might be
easier for the first to also add --auth-nocache into the local configs
if wanted? In some cases this might also be a problem, e.g. for every
kind of automation (such as larger backups), whereby processes will
be stopped if no user interaction is made.

In my opinion there should be a checkbox available for this, but this
also kind of contradicts the current usability goal of keeping it as easy
as possible, even though this option is useless for a default IPFire
configuration.

But these are only my two cents on this topic. If this is wanted from
the core developer side, this should be done very quickly, but I would
do/discuss this in its own topic and also after we have finished the
OpenVPN-2.4 update.
There is also the need to think about a lowered --script-security level
(from 3 to 2), which I think also matches this topic, and also some other
possible (and already fixed) warnings -->
https://bugzilla.ipfire.org/show_bug.cgi?id=11364 like e.g. the MTU
warning, which should also be thought about but also better tested...

Nevertheless it might be nice if you stay tuned on this topic.

Greetings,

Erik
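
The messages above weigh three settings against each other: --auth-nocache for manually configured user/password auth, the forced 64 MB rekeying for 64-bit block ciphers, and the --script-security level. As an added example that is not part of the thread or of IPFire's code, here is a small POSIX shell lint that reports these conditions in an OpenVPN config file from a defender's point of view. The list of 64-bit block ciphers, BF-CBC as the default when --cipher is unset, and the reading of script-security 3 (passwords may be handed to scripts through the environment) follow OpenVPN's own documentation; the sample config is constructed and no real IPFire file is read.

```shell
#!/bin/sh
# Added example, not IPFire or OpenVPN project code: lint an OpenVPN 2.4
# server/client config for the points raised in the thread. Assumes one
# directive per line and "#"/";" comments; the file path is passed explicitly.

# True if directive $2 appears (with or without arguments) in file $1.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# First argument of the first occurrence of directive $2 in file $1, or nothing.
directive_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | sed 's/[#;].*$//' | awk '{print $2}'
}

# True for ciphers with a 64-bit block: OpenVPN >= 2.3.13 forces
# "--reneg-bytes 64000000" for these, so a busy tunnel rekeys every 64 MB.
is_64bit_block_cipher() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        BF-*|DES*|CAST5-*|RC2-*|IDEA-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one "WARN:" line per finding for config file $1; always returns 0.
ovpn_lint() {
    conf="$1"
    cipher="$(directive_value "$conf" cipher)"
    if [ -z "$cipher" ]; then
        cipher="BF-CBC"   # OpenVPN 2.4 default when --cipher is unset (NCP aside)
    fi
    if is_64bit_block_cipher "$cipher"; then
        echo "WARN: cipher $cipher has a 64-bit block; rekey every 64 MB (reneg-bytes 64000000), prefer AES-256-GCM"
    fi
    if has_directive "$conf" auth-user-pass && ! has_directive "$conf" auth-nocache; then
        echo "WARN: auth-user-pass without auth-nocache; credentials stay cached in memory across rekeys"
    fi
    level="$(directive_value "$conf" script-security)"
    if [ -n "$level" ] && [ "$level" -ge 3 ]; then
        echo "WARN: script-security $level may pass passwords to scripts via the environment; 2 suffices for up/down scripts"
    fi
    return 0
}

# Number of findings as a plain integer on stdout.
ovpn_lint_count() {
    ovpn_lint "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on a constructed config (not a real IPFire file).
tmpconf="$(mktemp)"
cat > "$tmpconf" <<'EOF'
# constructed sample: an old-style configuration of the kind discussed above
proto udp
port 1194
cipher BF-CBC
auth SHA1
auth-user-pass /etc/openvpn/creds.txt   ; added manually by the admin
script-security 3
EOF
ovpn_lint "$tmpconf"
echo "findings: $(ovpn_lint_count "$tmpconf")"
rm -f "$tmpconf"
```

Run against the sample it reports all three conditions; a config with an AES-GCM cipher, auth-nocache next to auth-user-pass and script-security 2 reports none. The auth-nocache check only fires when user/password auth is actually configured, which matches the thread's point that the directive is meaningless for the default WUI setup.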


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-14 13:24           ` ummeegge
@ 2018-02-14 20:27             ` Michael Tremer
  2018-02-15  6:18               ` ummeegge
  0 siblings, 1 reply; 24+ messages in thread
From: Michael Tremer @ 2018-02-14 20:27 UTC (permalink / raw)
  To: development


Hi,

On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> Hi Michael,
> 
> On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> 
> > > > What other steps are urgently necessary that we can roll out
> > > > OpenVPN
> > > > 2.4? Are the CGI changes necessary or new features?
> > > 
> > > There is the need to make the changes for '--script-security' and
> > > to add '--ncp-disable' in ovpnmain.cgi.
> > 
> > Okay. I will wait with merging OpenSSL until we have this sorted.
> 
> Have sent the forgotten AES-GCM patch -->
> https://lists.ipfire.org/pipermail/development/2018-February/004063.html
> Would you merge it into openssl-11 if the review is OK? I would pull the
> changes then and prepare/send the last ovpnmain.cgi patch.

You can work on the other patches independently from this one.

> > 
> > > 
> > > Also the integration of the directives via update.sh for the core
> > > update needs to be made, since a server stop|start does not include
> > > the changes in server.conf.
> > 
> > And this, too.
> 
> Since there is currently no config/rootfiles/core/config/rootfiles/core
> directory for openssl-11, should I make one for core 119 (or 120?) and
> add the commands there in update.sh?

Please provide that in an extra script. I do not know when this will land in a
Core Update.

> > 
> > > 
> > > So there are two steps left for a roll out of a 2.4 minimum
> > > version.
> > > Should i send this in two patches or better in one ?
> > 
> > Please try this in two patches.
> 
> No problem if I am clear about the question above.
> 
> > 
> > > 
> > > In which core update should this be delivered ?
> > 
> > I am not sure, yet. 119 would have been good, but we already have a
> > lot in there
> > and I think we should not delay this too much. But 120 at the latest.
> > 
> > It is really important that we get the latest OpenSSL out there as
> > soon as
> > possible.
> 
> Have successfully installed yesterday an IPFire ISO with OpenSSL-1.1.0g;
> I think the last changes from commit
> 59d77d2eae265304887408b1d36074269f6075a4
> did it :D. Great work, Michael. Two more commits and from the OpenVPN
> side all should be OK for the first. After that I would step into
> testing mode...
> 
> Greetings,
> 
> Erik


* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-14 20:27             ` Michael Tremer
@ 2018-02-15  6:18               ` ummeegge
  2018-02-15 11:05                 ` Michael Tremer
  0 siblings, 1 reply; 24+ messages in thread
From: ummeegge @ 2018-02-15  6:18 UTC (permalink / raw)
  To: development


Hello,


On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
> Hi,
> 
> On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> > 
> > Hi Michael,
> > 
> > On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> > 
> > > 
> > > > 
> > > > > 
> > > > > What other steps are urgently necessary that we can roll out
> > > > > OpenVPN
> > > > > 2.4? Are the CGI changes necessary or new features?
> > > > There is the need to make the changes for '--script-security'
> > > > and to add '--ncp-disable' in ovpnmain.cgi.
> > > Okay. I will wait with merging OpenSSL until we have this sorted.
> > Have sent the forgotten AES-GCM patch -->
> > https://lists.ipfire.org/pipermail/development/2018-February/004063.html
> > Would you merge it into openssl-11 if the review is OK? I would pull
> > the changes then and prepare/send the last ovpnmain.cgi patch.
> You can work on the other patches independently from this one.

If we leave the AES-GCM patch behind for the first, there is not much more to do in ovpnmain.cgi.
These directives https://lists.ipfire.org/pipermail/development/2018-February/004085.html should bring
OpenVPN-2.4 to life again.

> 
> > 
> > > 
> > > 
> > > > 
> > > > 
> > > > Also the integration of the directives via update.sh for the
> > > > core update needs to be made, since a server stop|start does not
> > > > include the changes in server.conf.
> > > And this, too.
> > Since there is currently no
> > config/rootfiles/core/config/rootfiles/core
> > directory for openssl-11, should I make one for core 119 (or 120?)
> > and add the commands there in update.sh?
> Please provide that in an extra script. I do not know when this will
> land in a
> Core Update.

OK, where is a good place for this until then ?

Greetings,

Erik





* Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
  2018-02-15  6:18               ` ummeegge
@ 2018-02-15 11:05                 ` Michael Tremer
  0 siblings, 0 replies; 24+ messages in thread
From: Michael Tremer @ 2018-02-15 11:05 UTC (permalink / raw)
  To: development


On Thu, 2018-02-15 at 07:18 +0100, ummeegge wrote:
> Hello,
> 
> 
> On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
> > Hi,
> > 
> > On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> > > 
> > > Hi Michael,
> > > 
> > > On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> > > 
> > > > 
> > > > > 
> > > > > > 
> > > > > > What other steps are urgently necessary that we can roll out
> > > > > > OpenVPN
> > > > > > 2.4? Are the CGI changes necessary or new features?
> > > > > 
> > > > > There is the need to make the changes for '--script-security'
> > > > > and to add '--ncp-disable' in ovpnmain.cgi.
> > > > 
> > > > Okay. I will wait with merging OpenSSL until we have this sorted.
> > > 
> > > Have sent the forgotten AES-GCM patch -->
> > > https://lists.ipfire.org/pipermail/development/2018-February/004063.html
> > > Would you merge it into openssl-11 if the review is OK? I would pull
> > > the changes then and prepare/send the last ovpnmain.cgi patch.
> > 
> > You can work on the other patches independently from this one.
> 
> If we leave the AES-GCM patch behind for the first, there is not much more to
> do in ovpnmain.cgi.
> These directives https://lists.ipfire.org/pipermail/development/2018-February/004085.html
> should bring OpenVPN-2.4 to life again.
> 
> > 
> > > 
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Also the integration of the directives via update.sh for the
> > > > > core update needs to be made, since a server stop|start does not
> > > > > include the changes in server.conf.
> > > > 
> > > > And this, too.
> > > 
> > > Since there is currently no
> > > config/rootfiles/core/config/rootfiles/core
> > > directory for openssl-11, should I make one for core 119 (or 120?)
> > > and add the commands there in update.sh?
> > 
> > Please provide that in an extra script. I do not know when this will
> > land in a
> > Core Update.
> 
> OK, where is a good place for this until then ?

Just by email for now as you did.

This isn't too great for many of these things, but I cannot think of an easier
way for this one time.

-Michael

> 
> Greetings,
> 
> Erik
> 
> 
> 

