From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH 2/3] ovpn_reorganize_encryption: Added tls-auth into global section Date: Sat, 27 Apr 2019 16:05:50 +0200 Message-ID: <20190427140551.10647-2-ummeegge@ipfire.org> In-Reply-To: <20190427140551.10647-1-ummeegge@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3213349956323555043==" List-Id: --===============3213349956323555043== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - Since HMAC selection is already in global section, it makes sense to keep t= he encryption togehter. - Given tls-auth better understandable name. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 35 +++++++++++++++++++---------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 80190dc34..d7895e600 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -790,7 +790,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}= ) { $vpnsettings{'DHCP_DNS'} =3D $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} =3D $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} =3D $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'}; my @temp=3D(); =20 if ($cgiparams{'FRAGMENT'} eq '') { @@ -1201,6 +1200,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgipa= rams{'TYPE'} eq '' && $cg $vpnsettings{'DCOMPLZO'} =3D $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} =3D $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'}; #wrtie enable =20 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swro= ot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ov= pn/enable_blue 2>/dev/null");} 
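Review bot: The new `$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};` in the `save` handler stores the submitted value without checking it, and a form control that is not ticked typically sends no parameter at all, so the setting can be persisted as an empty string rather than 'off'; the 'off' default introduced further down (the hunk at 5079) appears to run only on the form-display path, as far as the visible context shows. Normalising at save time, `$vpnsettings{'TLSAUTH'} = ($cgiparams{'TLSAUTH'} eq 'on') ? 'on' : 'off';`, keeps the settings file to the two values the rest of the code tests for and avoids a later `eq 'on'` comparison against an empty or unexpected value. The neighbouring DCOMPLZO, DCIPHER and DAUTH lines may already be validated elsewhere in this handler; if so, TLSAUTH should go through the same check. The enclosing `save` handler starts and ends outside the hunk.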
@@ -2673,9 +2673,6 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} =3D ''; $selected{'LOG_VERB'}{'11'} =3D ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} =3D 'SELECTED'; - $checked{'TLSAUTH'}{'off'} =3D ''; - $checked{'TLSAUTH'}{'on'} =3D ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; =20 &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2805,17 +2802,6 @@ print < =20
- - - - - - - - - -
HMAC tls-auth<= /td> -

END =20 if ( -e "/var/run/openvpn.pid"){ @@ -3492,7 +3478,7 @@ foreach my $dkey (keys %confighash) { Fragment:$configh= ash{$key}[24] $Lang::tr{'MTU'}$= confighash{$key}[31] Management Port $= confighash{$key}[22] - $Lang::tr{'ovpn hmac'}:<= td>$confighash{$key}[39] + $Lang::tr{'ovpn tls auth'}:$confighash{$key}[39] $Lang::tr{'cipher'}<= b>$confighash{$key}[40]   =09 @@ -4533,6 +4519,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA256'} =3D ''; $selected{'DAUTH'}{'SHA1'} =3D ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; + $checked{'TLSAUTH'}{'off'} =3D ''; + $checked{'TLSAUTH'}{'on'} =3D ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; =20 if (1) { &Header::showhttpheaders(); @@ -5079,6 +5068,9 @@ END } } } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} =3D 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} =3D '10.' . int(rand(256)) . '.' . int(rand(256= )) . '.0/255.255.255.0'; } @@ -5121,6 +5113,10 @@ END $selected{'DAUTH'}{'SHA1'} =3D ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; =20 + $checked{'TLSAUTH'}{'off'} =3D ''; + $checked{'TLSAUTH'}{'on'} =3D ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} =3D ''; $checked{'DCOMPLZO'}{'on'} =3D ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} =3D 'CHECKED'; @@ -5255,6 +5251,13 @@ END $Lang::tr{'comp-lzo'} + +
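Review bot: The default added in the hunk at 5079, `$cgiparams{'TLSAUTH'} = 'off';` for an empty parameter, makes the tls-auth control-channel protection opt-in for a freshly initialised form, and nothing in the hunk says whether that is deliberate; a short comment above it stating the reason (presumably compatibility with existing client configurations that were built without it) would stop the next reader from treating it as an oversight. The same three `$checked{'TLSAUTH'}` lines are now duplicated verbatim in the hunks at 4519 and 5113, which is a maintenance cost and would be tidier as one small helper or a loop over the on/off keys shared with DCOMPLZO. In both places `$checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';` autovivifies a hash key for whatever value arrives, as the moved block at 2673 did before; restricting the lookup to 'on'/'off' first keeps the hash to known keys. The enclosing blocks for these hunks start and end outside the visible hunk lines.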
+ + $Lang::tr{'ovpn tls auth'} + = + +

END ; =20 diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index bea89fde3..eac4ed667 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1877,6 +1877,7 @@ 'ovpn subnet' =3D> 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.', 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ', +'ovpn tls auth' =3D> 'TLS-Kanal Absicherung:', 'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 449370a89..e853477dc 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1916,6 +1916,7 @@ 'ovpn subnet' =3D> 'OpenVPN subnet:', 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ', +'ovpn tls auth' =3D> 'TLS-Channel Protection:', 'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_mssfix' =3D> 'MSSFIX Size', --=20 2.12.2 --===============3213349956323555043==--