public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Introduce Negotiable Crypto Parameters for roadwarriors
Date: Mon, 06 Aug 2018 09:25:54 +0200	[thread overview]
Message-ID: <1533540354-4387-1-git-send-email-erik.kapfer@ipfire.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 4271 bytes --]

The ncp-ciphers differs to the OpenVPN default value and has been adapted from Fedora.
Please see explanations in https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN .
---
 html/cgi-bin/ovpnmain.cgi | 38 +++++++++++++++++++++++++++-----------
 langs/de/cgi-bin/de.pl    |  1 +
 langs/en/cgi-bin/en.pl    |  1 +
 3 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 976300f..dc22ba5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -321,8 +321,13 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
+    # Enable Negotiable Crypto Parameters
+    if ($sovpnsettings{'NCP'} eq 'on') {
+         print CONF "ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC\n";
+    } else {
+        print CONF "ncp-disable\n";
+    }
     if ($sovpnsettings{'DAUTH'} eq '') {
         print CONF "";
     } else {
@@ -789,6 +794,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
     $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
+    $vpnsettings{'NCP'} = $cgiparams{'NCP'};
     my @temp=();
     
     if ($cgiparams{'FRAGMENT'} eq '') {
@@ -2685,6 +2691,9 @@ ADV_ERROR:
     $checked{'TLSAUTH'}{'off'} = '';
     $checked{'TLSAUTH'}{'on'} = '';
     $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
+    $checked{'NCP'}{'off'} = '';
+    $checked{'NCP'}{'on'} = '';
+    $checked{'NCP'}{$cgiparams{'NCP'}} = 'CHECKED';
    
     &Header::showhttpheaders();
     &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
@@ -2818,6 +2827,22 @@ print <<END;
     <tr>
 		<td class'base'><b>$Lang::tr{'ovpn crypt options'}</b></td>
 	</tr>
+
+<table width='100%'>
+    <tr>
+    <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
+    </tr>
+
+    <tr>
+         <td class='base'>$Lang::tr{'ovpn ncp'}</td>
+         <td><input type='checkbox' name='NCP' $checked{'NCP'}{'on'} /></td>
+    </tr>
+
+    <tr>
+         <td class='base'>HMAC tls-auth</td>
+         <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
+    </tr>
+
 	<tr>
 		<td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
     </tr>	
@@ -2833,17 +2858,8 @@ print <<END;
 		<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
     </tr>
 </table>
+<hr size='1'>
 
-<table width='100%'>
-    <tr>
-	<td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
-    </tr>
-
-    <tr>
-	<td class='base'>HMAC tls-auth</td>
-	<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
-    </tr>
-    </table><hr>
 END
 
 if ( -e "/var/run/openvpn.pid"){
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 6e3dba4..9f0de6b 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1833,6 +1833,7 @@
 'ovpn mtu-disc off' => 'Deaktiviert',
 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery kann nicht gemeinsam mit mssfix oder fragment verwendet werden.',
 'ovpn mtu-disc yes' => 'Forciert',
+'ovpn ncp' => 'Verschlüsselung aushandeln',
 'ovpn no connections' => 'Keine aktiven OpenVPN Verbindungen',
 'ovpn on blue' => 'OpenVPN auf BLAU:',
 'ovpn on orange' => 'OpenVPN auf ORANGE:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 3ec5af5..5cd47b1 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1866,6 +1866,7 @@
 'ovpn mtu-disc off' => 'Disabled',
 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.',
 'ovpn mtu-disc yes' => 'Forced',
+'ovpn ncp' => 'Negotiate encryption',
 'ovpn no connections' => 'No active OpenVPN connections',
 'ovpn on blue' => 'OpenVPN on BLUE:',
 'ovpn on orange' => 'OpenVPN on ORANGE:',
-- 
2.7.4


             reply	other threads:[~2018-08-06  7:25 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-06  7:25 Erik Kapfer [this message]
2018-08-07 13:10 ` Michael Tremer
2018-08-07 16:19   ` ummeegge
2018-08-08  7:55     ` Michael Tremer
2018-08-08 10:32       ` ummeegge
2018-08-14 11:11         ` ummeegge
2018-08-14 11:21           ` Michael Tremer
2018-08-27  7:20         ` Michael Tremer
2018-08-27 16:21           ` ummeegge
2018-08-28 10:21             ` Michael Tremer
2018-08-28 19:35               ` ummeegge
2018-08-29 10:33                 ` Michael Tremer
2018-08-29 21:49                   ` ummeegge
2018-08-30  7:35                     ` Michael Tremer
2018-08-30 10:31                       ` ummeegge
2018-08-30 11:59                         ` Michael Tremer
2018-08-30 14:02                           ` ummeegge
2018-08-30 14:08                             ` Michael Tremer
2018-09-05 15:22                               ` Kienker, Fred
2018-09-09 12:46                                 ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1533540354-4387-1-git-send-email-erik.kapfer@ipfire.org \
    --to=erik.kapfer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox