From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Introduce Negotiable Crypto Parameters for roadwarriors
Date: Mon, 06 Aug 2018 09:25:54 +0200
Message-ID: <1533540354-4387-1-git-send-email-erik.kapfer@ipfire.org>
The ncp-ciphers differs from the OpenVPN default value and has been adapted from Fedora.
Please see explanations in https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN.
---
html/cgi-bin/ovpnmain.cgi | 38 +++++++++++++++++++++++++++-----------
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
3 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 976300f..dc22ba5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -321,8 +321,13 @@ sub writeserverconf {
}
print CONF "status-version 1\n";
print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
+ # Enable Negotiable Crypto Parameters
+ if ($sovpnsettings{'NCP'} eq 'on') {
+ print CONF "ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC\n";
+ } else {
+ print CONF "ncp-disable\n";
+ }
if ($sovpnsettings{'DAUTH'} eq '') {
print CONF "";
} else {
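Review bot: the added `ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC` line keeps `BF-CBC` as an acceptable negotiated cipher. Blowfish has a 64-bit block, which is what makes long-lived tunnels subject to SWEET32-style birthday attacks, and OpenVPN 2.4's own default list is `AES-256-GCM:AES-128-GCM`. Suggest dropping `BF-CBC` from the negotiated list so that switching the option on can only move a client to an AES cipher; the unconditional `cipher $sovpnsettings{DCIPHER}` line above it already keeps clients that do not negotiate working, and the commit message should say why the longer Fedora list was chosen over the upstream default. A smaller point: the list is a literal inside `writeserverconf`, so any later adjustment needs a code release; a settings key next to `DCIPHER` would let it be changed with the rest of the crypto options.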
@@ -789,6 +794,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
+ $vpnsettings{'NCP'} = $cgiparams{'NCP'};
my @temp=();
if ($cgiparams{'FRAGMENT'} eq '') {
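Review bot: `$vpnsettings{'NCP'} = $cgiparams{'NCP'};` stores the raw form value, and `writeserverconf` later tests it with `eq 'on'`, so anything other than the literal `on` (including the absent value an unchecked box submits) silently falls back to `ncp-disable`. That fallback is the safe direction, but it would be clearer to normalise to `'on'`/`'off'` here before the value reaches the settings file, which is also what the `$checked{'NCP'}{'off'}`/`{'on'}` keys in the next hunk expect; an empty entry in the settings file otherwise reads as "unset" rather than "disabled" to anyone inspecting it later.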
@@ -2685,6 +2691,9 @@ ADV_ERROR:
$checked{'TLSAUTH'}{'off'} = '';
$checked{'TLSAUTH'}{'on'} = '';
$checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
+ $checked{'NCP'}{'off'} = '';
+ $checked{'NCP'}{'on'} = '';
+ $checked{'NCP'}{$cgiparams{'NCP'}} = 'CHECKED';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'status ovpn'}, 1, '');
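Review bot: `$checked{'NCP'}{$cgiparams{'NCP'}} = 'CHECKED';` copies the TLSAUTH idiom above it, but if `NCP` has never been saved the value is undefined, which under `use warnings` emits an uninitialized-value warning and creates an empty-string key in `%checked`. The box still renders unchecked, so this is cosmetic, but a `$cgiparams{'NCP'} = 'off' unless defined $cgiparams{'NCP'};` ahead of this line would make the first-load state explicit and keep the logs clean.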
@@ -2818,6 +2827,22 @@ print <<END;
<tr>
<td class'base'><b>$Lang::tr{'ovpn crypt options'}</b></td>
</tr>
+
+<table width='100%'>
+ <tr>
+ <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
+ </tr>
+
+ <tr>
+ <td class='base'>$Lang::tr{'ovpn ncp'}</td>
+ <td><input type='checkbox' name='NCP' $checked{'NCP'}{'on'} /></td>
+ </tr>
+
+ <tr>
+ <td class='base'>HMAC tls-auth</td>
+ <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
+ </tr>
+
<tr>
<td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
</tr>
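Review bot: the new `<table width='100%'>` is opened straight after a `</tr>` context line, that is inside the table the `$Lang::tr{'ovpn crypt options'}` row belongs to, and nothing in this hunk closes it; the `</table>` that follows in the next hunk now closes this inner table and the outer one is left open. The widths row added with it (`20%/15%/15%/15%/35%`) also contradicts the `20%/30%/25%/25%` widths row that immediately follows. Suggest dropping the `<table>` open and its widths row and adding only the two `<tr>` rows to the existing table. While this block is being edited, the context line `<td class'base'>` above is missing the `=` in `class='base'`.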
@@ -2833,17 +2858,8 @@ print <<END;
<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
</tr>
</table>
+<hr size='1'>
-<table width='100%'>
- <tr>
- <td width='20%'></td> <td width='15%'> </td><td width='15%'> </td><td width='15%'></td><td width='35%'></td>
- </tr>
-
- <tr>
- <td class='base'>HMAC tls-auth</td>
- <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
- </tr>
- </table><hr>
END
if ( -e "/var/run/openvpn.pid"){
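Review bot: removing `</table><hr>` at the end of this hunk takes away the only `</table>` that would have balanced the `<table>` opened in the previous hunk, so with both hunks applied the page has one more opening than closing table tag. Either keep a `</table>` in front of the new `<hr size='1'>` or, better, do not open the inner table at all. Minor: the `<hr>` being removed carries no attributes; `size` is obsolete in HTML5 and a plain `<hr>` would match the rest of the file.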
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 6e3dba4..9f0de6b 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1833,6 +1833,7 @@
'ovpn mtu-disc off' => 'Deaktiviert',
'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery kann nicht gemeinsam mit mssfix oder fragment verwendet werden.',
'ovpn mtu-disc yes' => 'Forciert',
+'ovpn ncp' => 'Verschlüsselung aushandeln',
'ovpn no connections' => 'Keine aktiven OpenVPN Verbindungen',
'ovpn on blue' => 'OpenVPN auf BLAU:',
'ovpn on orange' => 'OpenVPN auf ORANGE:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 3ec5af5..5cd47b1 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1866,6 +1866,7 @@
'ovpn mtu-disc off' => 'Disabled',
'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.',
'ovpn mtu-disc yes' => 'Forced',
+'ovpn ncp' => 'Negotiate encryption',
'ovpn no connections' => 'No active OpenVPN connections',
'ovpn on blue' => 'OpenVPN on BLUE:',
'ovpn on orange' => 'OpenVPN on ORANGE:',
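Review bot: `'ovpn ncp' => 'Negotiate encryption'` names the checkbox but tells the admin nothing about what gets negotiated, and the offered list is fixed in `writeserverconf` where it cannot be seen from the web interface. Suggest a short help string in both language files that lists the ciphers offered (`AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC` as submitted) and notes that the static cipher setting still applies to clients that do not negotiate, so the effect of the option is documented where it is switched on.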
--
2.7.4