From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Add tls-version-min for TLSv1.2
Date: Sat, 15 Aug 2020 17:08:45 +0200
Message-ID: <20200815150845.5077-1-ummeegge@ipfire.org>

ovpnmain.cgi now delivers 'tls-version-min 1.2' for Roadwarrior and N2N.

Since the server needs it only on the server side, this patch does not include it for Roadwarrior clients.

N2N does not use push options, therefore this directive will be included on both sides.

To integrate the new directive into an actual working OpenVPN server environment, the following commands should be executed via update.sh.

Code block start:

if test -f "/var/ipfire/ovpn/server.conf"; then
	# Add tls-version-min to the OpenVPN server config if it is not already there
	if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
		# Stop the server before appending the line
		/usr/local/bin/openvpnctrl -k
		# Append the new directive (string first, then the redirection to the file)
		echo "tls-version-min 1.2" >> /var/ipfire/ovpn/server.conf
		# Make sure server.conf has the correct permissions to prevent a case such as
		# --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
		chown nobody:nobody /var/ipfire/ovpn/server.conf
		# Start the server again
		/usr/local/bin/openvpnctrl -s
	fi
fi

Code block end

Signed-off-by: Erik Kapfer
---
 html/cgi-bin/ovpnmain.cgi | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 457ebcf1f..dc80cbf70 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -333,6 +333,8 @@ sub writeserverconf { print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; + # Set TLSv2 as minimum + print CONF "tls-version-min 1.2\n"; =20 if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; @@ -996,6 +998,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NA= ME'}"){mkdir "${General print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } =20 + # Set TLSv1.2 as minimum + print SERVERCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1098,6 +1103,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'= NAME'}"){mkdir "${General print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } =20 + # Set TLSv1.2 as minimum + print CLIENTCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; --=20 2.12.2 --===============4718633256553496720==--
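Review bot: the comment added in writeserverconf reads `# Set TLSv2 as minimum` while the line written is `tls-version-min 1.2`; the two N2N hunks say `# Set TLSv1.2 as minimum`, so this one should be corrected to match, otherwise anyone grepping the file for TLS 1.2 handling misses the Roadwarrior server path.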
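Review bot: the N2N server config written at line ~998 now always carries `tls-version-min 1.2`, but the update.sh snippet in the commit message only touches /var/ipfire/ovpn/server.conf; N2N configs generated under ${General::swroot}/ovpn/n2nconf/ before this change keep running without the TLS floor until the connection is recreated. Either extend the update snippet to walk those existing N2N configs as well, or state in the commit message that existing N2N connections must be regenerated to pick up the directive.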
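As an added audit check, not part of this patch or of the IPFire code base: a POSIX sh script that walks a directory of OpenVPN configs and reports any that do not pin tls-version-min to 1.2 or newer, which is the gap between the server.conf-only update snippet above and the N2N configs this patch also changes. The sample tree it builds is constructed for the demo; on IPFire the real directory would be /var/ipfire/ovpn.

```shell
#!/bin/sh
# Added example (not from the patch): audit OpenVPN configs for a TLS floor.

# Return 0 if the file pins TLS 1.2 or 1.3 as minimum (also accepts the
# "or-highest" suffix OpenVPN allows), 1 otherwise.
has_tls_min() {
    grep -Eq '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]([[:space:]]|$)' "$1"
}

# Print every *.conf below the given directory that lacks the directive.
list_missing() {
    find "$1" -type f -name '*.conf' | while read -r f; do
        has_tls_min "$f" || printf '%s\n' "$f"
    done
}

# Number of offending files, as a bare integer on stdout.
count_missing() {
    list_missing "$1" | wc -l | tr -d ' '
}

# Constructed sample tree mimicking /var/ipfire/ovpn: server.conf already
# carries the directive, one N2N config generated before the patch does not.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/n2nconf/branch"
    printf 'proto udp\ncipher AES-256-GCM\ntls-version-min 1.2\n' > "$d/server.conf"
    printf 'proto udp\ncipher AES-256-GCM\ncomp-lzo\n' > "$d/n2nconf/branch/branch.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed tree and print what is missing.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample)
    list_missing "$sample"
    rm -rf "$sample"
fi
```

Run with `sh audit.sh demo` for the constructed tree, or call `list_missing /var/ipfire/ovpn` on a real box.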