Subject: Re: [PATCH] ovpnmain.cgi: Apply default settings when necessary
From: Michael Tremer
Date: Tue, 26 Aug 2025 11:45:10 +0100
To: Adolf Belka
Cc: Stefan Schantl, "IPFire: Development-List"
Message-Id: <179609FF-E0E3-4FCB-85F9-474C3566A224@ipfire.org>
In-Reply-To: <68d888b8-e445-4555-bd29-e9d604adece6@ipfire.org>
References: <118761f0-24cd-4a62-b064-8d87dffc6b89@ipfire.org> <20250819183916.5083-1-stefan.schantl@ipfire.org> <68d888b8-e445-4555-bd29-e9d604adece6@ipfire.org>

Hello Adolf,

Hmm, maybe Stefan's patch is not providing the full solution.

I created a new function some time ago which is called "set_defaults" and the idea is that it would populate any fields that have not been initialized. That way, if we add anything new, there should always be a good default.

I understand why Stefan is turning off that initialisation, but this does seem to create some more consequences.

We should never have any server configurations left with ncp-disable, because that will not work any more. I thought regenerating the configuration files through the CGI should take care of this.

Maybe we need to rethink how we can make set_defaults() work so that we don't have to add more and more hacks?!

Best,
-Michael

> On 25 Aug 2025, at 09:51, Adolf Belka wrote:
> 
> Hi Stefan,
> 
> On 23/08/2025 14:55, Adolf Belka wrote:
>> Hi Stefan,
>> I tried out the CU197 Testing update with this patch in place. It works fine for a new install, where there is no existing settings file, but for updates or when a restore from an old backup is being done then a settings file already exists and then the default settings are not applied and this results in the settings file having no CIPHERS entry but having a fallback DCIPHER entry.
>> In the update where the OpenVPN RW server is stopped before updating and started again afterwards this causes the server to fail to start as there is no CIPHER entry. When a restore from backup is done then the same thing happens with no CIPHERS entry, just a DCIPHER one, but as the server is running when the restore is done, it stays running with the old settings but if the Save button is pressed then it stops because the settings file now has no CIPHERS entry.
>> Not sure how to fix this at the moment. Maybe it needs to be if the settings file exists and it contains a CIPHERS entry but I am not sure that is the right approach or not.
> 
> Figured out how to fix this. Your patch in ovpnmain.cgi stays the same. I just needed to add in some additional lines into backup.pl and the CU197 update.sh file.
> 
> I just check if ncp-disable is present in server.conf and if it is then delete it and then add in the default DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305 into the settings file.
> 
> If ncp-disable is in the server.conf then the restore is from prior to openvpn-2.6 and there will be no DATACIPHERS entry.
> 
> I have tested this out with the backup.pl changes and your patch in place and everything works correctly again. I will submit patches for these additional changes.
> 
> Regards,
> 
> Adolf.
> 
> 
>> Regards,
>> Adolf.
>> On 19/08/2025 20:39, Stefan Schantl wrote:
>>> Only apply the default settings in case nothing has been configured yet,
>>> otherwise existing settings may get overwritten.
>>> 
>>> Signed-off-by: Stefan Schantl
>>> ---
>>> html/cgi-bin/ovpnmain.cgi | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>> index 83f9fdc02..a2f95dc9a 100644
>>> --- a/html/cgi-bin/ovpnmain.cgi
>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>> @@ -132,7 +132,7 @@ my $col="";
>>> "MAX_CLIENTS" => 100,
>>> "MSSFIX" => "off",
>>> "TLSAUTH" => "on",
>>> -});
>>> +}) unless (%vpnsettings);
>>> # Load CGI parameters
>>> &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
> 
> 
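Review bot: the `unless (%vpnsettings)` guard on the closing `})` skips the whole default block as soon as any setting has been loaded, so a settings file written by an older release never receives a default for a key added later; the missing CIPHERS/DATACIPHERS entry reported in the thread is exactly that case. Consider applying defaults per key instead, only assigning a value where `$vpnsettings{$key}` is not yet defined, so existing values are preserved while newly introduced keys are still populated.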
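The migration Adolf describes (drop the legacy `ncp-disable` line and add the `DATACIPHERS` default when it is missing), written here as an added shell example that is not IPFire's backup.pl or update.sh; the file paths are arguments and the sample server.conf and settings contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not IPFire project code. Migrates a pre-OpenVPN-2.6
# roadwarrior configuration: removes the deprecated "ncp-disable" option
# and ensures the settings file carries a DATACIPHERS default.
# Usage: migrate_ovpn_datacipher SERVER_CONF SETTINGS_FILE
# Prints "migrated" when the legacy option was found, "unchanged" otherwise.
migrate_ovpn_datacipher() {
    conf="$1"
    settings="$2"
    # Default taken from the thread.
    default_dataciphers="DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305"

    # Nothing to do unless the legacy option is present.
    if ! grep -q '^ncp-disable' "$conf" 2>/dev/null; then
        echo "unchanged"
        return 0
    fi

    # Strip the deprecated line (portable, no sed -i). grep -v exits 1 when
    # nothing remains, which is still a valid result here.
    grep -v '^ncp-disable' "$conf" > "$conf.tmp" || true
    mv "$conf.tmp" "$conf"

    # Add the default only once so re-running the migration is idempotent
    # and never overwrites an administrator's own DATACIPHERS choice.
    if ! grep -q '^DATACIPHERS=' "$settings" 2>/dev/null; then
        printf '%s\n' "$default_dataciphers" >> "$settings"
    fi
    echo "migrated"
}

# Constructed sample input (not real IPFire files) for a stand-alone run.
write_samples() {
    dir="$1"
    printf 'dev tun\nproto udp\nncp-disable\ncipher AES-256-CBC\n' > "$dir/server.conf"
    printf 'ENABLED=on\nDCIPHER=AES-256-CBC\n' > "$dir/settings"
}

# Demo: migrate the samples and show the result.
workdir=$(mktemp -d)
write_samples "$workdir"
migrate_ovpn_datacipher "$workdir/server.conf" "$workdir/settings"
cat "$workdir/server.conf" "$workdir/settings"
rm -rf "$workdir"
```

Running it a second time on the same files prints "unchanged" and leaves a single DATACIPHERS line, which is the behaviour a backup restore or update step needs.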