From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] OpenVPN: Clarify fundamental crypto errors but also warnings in WUI Date: Thu, 21 Jun 2018 11:46:36 +0200 Message-ID: <1529574397-30471-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5276112585358551030==" List-Id: --===============5276112585358551030== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should = help the users for better understanding of errors in the cryptography. It includes also potential warnings for upcoming changes and needed adjustmen= ts in the system. This can also be extended in the future for upcoming configuration changes. Signed-off-by: Erik Kapfer
---
html/cgi-bin/ovpnmain.cgi | 53 +++++++++++++++++++++++++++++++++++++++++++++= +- langs/de/cgi-bin/de.pl | 5 +++++ langs/en/cgi-bin/en.pl | 5 +++++ 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 4bc3473..c9d36d7 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -64,6 +64,8 @@ my %cahash=3D();
 my %selected=3D();
 my $warnmessage =3D '';
 my $errormessage =3D '';
+my $cryptoerror =3D '';
+my $cryptowarning =3D '';
 my %settings=3D();
 my $routes_push_file =3D '';
 my $confighost=3D"${General::swroot}/fwhosts/customhosts";
@@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{= 'NAME'}"){mkdir "${General
 close(CLIENTCONF);
 =20
 }
- =20
+
+###
+### Check for cryptography problems
+###
+
+# Warning if DH parameter is 1024 bit
+if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
+ my $dhlenght =3D `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovp= n/ca/dh1024.pem`;
+ if ($dhlenght =3D~ /1024 bit/) {
+ $cryptoerror =3D "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
+}
+
+# Warning if md5 is in usage
+if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $signature =3D `/usr/bin/openssl x509 -noout -text -in ${General::swroot= }/ovpn/certs/servercert.pem`;
+ if ($signature =3D~ /md5WithRSAEncryption/) {
+ $cryptoerror =3D "$Lang::tr{'ovpn error md5'}";
+ goto CRYPTO_ERROR;
+ }
+}
+
+CRYPTO_ERROR:
+
+# Warning if certificate is not compliant to RFC3280 TLS rules
+if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
+ my $extendkeyusage =3D `/usr/bin/openssl x509 -noout -text -in ${General::s= wroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage =3D~ /TLS Web Server Authentication/) {
+ $cryptowarning =3D "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+}
+
+CRYPTO_WARNING:
+
 ###
 ### Save main settings
 ###
@@ -5135,6 +5172,20 @@ END
 &Header::closebox();
 }
 =20
+ if ($cryptoerror) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+ print "$cryptoerror";
+ print " ";
+ &Header::closebox();
+ }
+
+ if ($cryptowarning) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+ print "$cryptowarning";
+ print " ";
+ &Header::closebox();
+ }
+
 if ($warnmessage) {
 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
 print "$warnmessage
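Review bot: The RFC3280 block guards on `ovpn/openssl/ovpn.cnf` but the backticks read `ovpn/certs/servercert.pem`, so when the server certificate is absent openssl fails, its error message goes to stderr rather than the page and `$extendkeyusage` is empty; the guard should test the file actually read, `if (-f "${General::swroot}/ovpn/certs/servercert.pem") {`, as the MD5 block already does. The match also looks inverted: `TLS Web Server Authentication` is the extendedKeyUsage that OpenVPN's `--remote-cert-tls server` check requires, so as written the warning fires for certificates that already comply; presumably `if ($extendkeyusage !~ /TLS Web Server Authentication/) {` is intended. `goto CRYPTO_ERROR` in the MD5 block and `goto CRYPTO_WARNING` both jump to the statement that follows anyway, and the DH block's `goto` only skips the MD5 check, so an `elsif` on the MD5 check (or a helper returning the first message found) expresses the DH-before-MD5 precedence without `goto` or labels. Note also that all three checks fork openssl on every request to ovpnmain.cgi and inspect only servercert.pem, so an MD5-signed cacert.pem or client certificate goes unreported. `$dhlenght` should be spelt `$dhlength`.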
";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 630d9b2..e1e9c97 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -661,6 +661,8 @@
 'credits' =3D> 'Credits',
 'crl' =3D> 'Certificate Revocation List',
 'cron server' =3D> 'Cron-Server',
+'crypto error' =3D> 'Kryptografiefehler',
+'crypto warning' =3D> 'Kryptografiewarnungen',
 'current' =3D> 'Aktuell',
 'current aliases' =3D> 'Aktuelle Alias-Adresse',
 'current class' =3D> 'Aktuelle Klasse',
@@ -1817,6 +1819,8 @@
 'ovpn engines' =3D> 'Krypto Engine',
 'ovpn errmsg green already pushed' =3D> 'Route f=C3=BCr gr=C3=BCnes Netzwerk= wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' =3D> 'Ung=C3=BCltige Netzwerk-Adresse oder = Subnetzmaske',
+'ovpn error dh' =3D> 'Der Diffie-Hellman Parameter muss mindestens 2048 bit = lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochl= aden, dies kann unten =C3=BCber den Bereich "Diffie-Hellman-Parameter Optione= n" gemacht werden.
',
+'ovpn error md5' =3D> 'Das Host Zertifikat nutzt einen MD5 Algorithmus welch= er nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updat= en und generieren sie ein neues Root und Host Zertifikate.

Es m=C3=BC= ssen dann alle OpenVPN clients erneuert werden!
',
 'ovpn generating the root and host certificates' =3D> 'Die Erzeugung der Roo= t- und Host-Zertifikate kann lange Zeit dauern.',
 'ovpn ha' =3D> 'Hash-Algorithmus',
 'ovpn hmac' =3D> 'HMAC-Optionen',
@@ -1841,6 +1845,7 @@
 'ovpn subnet' =3D> 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.',
 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ',
+'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
',
 'ovpn_fastio' =3D> 'Fast-IO',
 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse',
 'ovpn_mssfix' =3D> 'MSSFIX-Gr=C3=B6sse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 8ec5bf4..d3847c9 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -682,6 +682,8 @@
 'credits' =3D> 'Credits',
 'crl' =3D> 'Certificate Revocation List',
 'cron server' =3D> 'CRON Server',
+'crypto error' =3D> 'Cryptographic error',
+'crypto warning' =3D> 'Cryptographic warning',
 'current' =3D> 'Current',
 'current aliases' =3D> 'Current aliases',
 'current class' =3D> 'Current class',
@@ -1850,6 +1852,8 @@
 'ovpn engines' =3D> 'Crypto engine',
 'ovpn errmsg green already pushed' =3D> 'Route for green network is always s= et',
 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ',
+'ovpn error dh' =3D> 'The Diffie-Hellman parameter needs to be in minimum 20= 48 bit!
Please generate or upload a new Diffie-Hellman parameter, this ca= n be made below in the section "Diffie-Hellman parameters options".
', +'ovpn error md5' =3D> 'You host certificate uses MD5 for the signature which= is not accepted anymore.
Please update to the latest IPFire version and = generate a new root and host certificate.

All OpenVPN clients needs t= hen to be renewed!
',
 'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certifictae can take a long time.',
 'ovpn ha' =3D> 'Hash algorithm',
 'ovpn hmac' =3D> 'HMAC options',
@@ -1874,6 +1878,7 @@
 'ovpn subnet' =3D> 'OpenVPN subnet:',
 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ',
+'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
',
 'ovpn_fastio' =3D> 'Fast-IO',
 'ovpn_mssfix' =3D> 'MSSFIX Size',
 'ovpn_mtudisc' =3D> 'MTU-Discovery',
--=20 2.7.4 --===============5276112585358551030==--