From mboxrd@z Thu Jan 1 00:00:00 1970
From: ummeegge
To: development@lists.ipfire.org
Subject: [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection
Date: Thu, 03 Dec 2020 12:08:07 +0000
Message-ID: <20201203120807.20694-3-erik.kapfer@ipfire.org>
In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7958245985637273651=="
List-Id:
--===============7958245985637273651==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
- The --auth directive has been enhanced with the Keccak (SHA3) family but also BLAKE2 has been integrated.
- The TLS authentication has been enhanced with --tls-crypt and with OpenVPN version 2.5.0 new introduced --tls-crypt-v2 .
- New keys will be shown and can partly be downloaded over the "Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up from encryption settings which follows the IPSec WUI style.
Signed-off-by: ummeegge
---
html/cgi-bin/ovpnmain.cgi | 367 +++++++++++++++++++++++++++++---------
langs/de/cgi-bin/de.pl | 10 +-
langs/en/cgi-bin/en.pl | 12 +-
3 files changed, 298 insertions(+), 91 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f2b8b79da..455b0a8a4 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -357,9 +357,19 @@ sub writeserverconf {
 # Set TLSv2 as minimum
 print CONF "tls-version-min 1.2\n";
=20
- if ($sovpnsettings{'TLSAUTH'} eq 'on') {
- print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
- }
+ # TLS control channel authentication
+ if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+ if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+ print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+ }
+ if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n= ";
+ }
+ }
+
 if ($sovpnsettings{DCOMPLZO} eq 'on') {
 print CONF "comp-lzo\n";
 }
@@ -944,6 +954,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}= ) {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
=20
+ $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'};
+ $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'};
 $vpnsettings{'DCIPHER'} =3D $cgiparams{'DCIPHER'};
 $vpnsettings{'DATACIPHERS'} =3D $cgiparams{'DATACIPHERS'};
=20
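Review bot: In `writeserverconf` the outer `ne 'off'` test followed by three independent `eq` tests means that any TLSAUTH value other than the four known ones (a stale or tampered settings entry) emits no `tls-auth`/`tls-crypt` directive at all, and the server silently comes up without control-channel protection. Write it as an `if`/`elsif`/`elsif` chain and give it a final branch that refuses to write a half-protected config, e.g. `else { die "unsupported TLSAUTH value '$sovpnsettings{'TLSAUTH'}'\n"; }`, which also makes the outer `ne 'off'` test unnecessary. The value should additionally be validated where it enters the settings file, which is the `save-enc-options` handler in the second hunk on this line. `writeserverconf` starts and ends outside this hunk.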
@@ -967,6 +979,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'= }) {
 $vpnsettings{'NCHANNELCIPHERS'} =3D $cgiparams{'NCHANNELCIPHERS'};
 }
=20
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/o= vpn/certs/ta.key");
+ if ($?) {
+ $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc.key for tls-crypt if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/= ovpn/certs/tc.key");
+ if ($?) {
+ $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
+ # Create tc-v2-server.key for tls-crypt-v2 server if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General= ::swroot}/ovpn/certs/tc-v2-server.key");
+ if ($?) {
+ $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?";
+ goto ADV_ENC_ERROR;
+ }
+ }
+ }
+
 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 &writeserverconf();
 }
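Review bot: `$cgiparams{'TLSAUTH'}` and `$cgiparams{'DAUTH'}` are copied into `%vpnsettings` (the `@@ -944` hunk) and acted on here without being checked against the values the form offers; since `writeserverconf` only emits a directive for `on`, `tls-crypt` and `tls-crypt-v2`, a hand-crafted request carrying any other value is stored and leaves the control channel without protection, with no error shown. Validate before any key is generated, e.g. `unless ($cgiparams{'TLSAUTH'} =~ /\A(?:off|on|tls-crypt|tls-crypt-v2)\z/) { $errormessage = $Lang::tr{'invalid input'}; goto ADV_ENC_ERROR; }`, and check DAUTH against the digest list the `@@ -2964` hunk builds. The three key-generation blocks differ only in file name and `--genkey` type, which a table captures, as sketched below with the original argument order kept. The reused error text `'openssl produced an error'` names the wrong tool, and `$?` is the raw wait status; `$? >> 8` is the exit code. The enclosing `save-enc-options` handler starts outside this hunk.
```perl
# openvpn --genkey type and key file for each TLS control channel mode
my %tls_key_of = (
    'on'           => [ '--secret',            'ta.key' ],
    'tls-crypt'    => [ 'tls-crypt',           'tc.key' ],
    'tls-crypt-v2' => [ 'tls-crypt-v2-server', 'tc-v2-server.key' ],
);
my $tlsauth = $cgiparams{'TLSAUTH'};
unless ($tlsauth eq 'off' || exists $tls_key_of{$tlsauth}) {
    $errormessage = $Lang::tr{'invalid input'};
    goto ADV_ENC_ERROR;
}
if ($tlsauth ne 'off') {
    my ($genkey_type, $keyfile) = @{ $tls_key_of{$tlsauth} };
    my $keypath = "${General::swroot}/ovpn/certs/$keyfile";
    # Create the key only once: issued client packages carry a copy of it
    if (! -e $keypath) {
        system('/usr/sbin/openvpn', '--genkey', $genkey_type, $keypath);
        if ($?) {
            $errormessage = "$Lang::tr{'openssl produced an error'}: " . ($? >> 8);
            goto ADV_ENC_ERROR;
        }
    }
}
# … unchanged: writehash and writeserverconf …
```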
@@ -1257,17 +1302,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgip= arams{'TYPE'} eq '' && $cg
 goto SETTINGS_ERROR;
 }
=20
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/o= vpn/certs/ta.key");
- if ($?) {
- $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?";
- goto SETTINGS_ERROR;
- }
- }
- }
-
 $vpnsettings{'ENABLED_BLUE'} =3D $cgiparams{'ENABLED_BLUE'};
 $vpnsettings{'ENABLED_ORANGE'} =3D$cgiparams{'ENABLED_ORANGE'};
 $vpnsettings{'ENABLED'} =3D $cgiparams{'ENABLED'};
@@ -1278,8 +1312,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgipa= rams{'TYPE'} eq '' && $cg
 $vpnsettings{'DDEST_PORT'} =3D $cgiparams{'DDEST_PORT'};
 $vpnsettings{'DMTU'} =3D $cgiparams{'DMTU'};
 $vpnsettings{'DCOMPLZO'} =3D $cgiparams{'DCOMPLZO'};
- $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'};
- $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'};
 #wrtie enable
=20
 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swro= ot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ov= pn/enable_blue 2>/dev/null");}
@@ -1708,14 +1740,36 @@ END
 ###
 ### Download tls-auth key
 ###
-}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
- print "Content-Type: application/octet-stream\r\n";
- print "Content-Disposition: filename=3Dta.key\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
- exit(0);
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=3Dta.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+ exit(0);
 }
=20
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=3Dtc.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ exit(0);
+ }
+
+###
+### Download tls-crypt-v2 key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) {
+ if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=3Dtc-v2-server.key\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ exit(0);
+ }
+
 ###
 ### Form for generating a root certificate
 ###
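Review bot: Each of the two new download branches streams the key with `` print `/bin/cat …` `` and never checks that the read succeeded, so a read failure hands the browser an empty download with a 200 status; the preceding `-f` test does not cover that case. Reading the file directly, `open(my $keyfh, '<', $keypath) or die "Can't open $keypath: $!\n"; print <$keyfh>;`, drops the shell round-trip and gives a diagnosable failure. The `Content-Disposition` header for all three keys lacks `attachment;`, so some browsers will render the key inline rather than save it, which the existing ta.key branch also does. Whether the tls-crypt-v2 server key should be downloadable at all deserves a second look: clients only ever receive the per-client wrapped key, so this download can only serve as a backup path for a server-only secret. Unrelated to the logic but visible in the de.pl hunk: a second `'download tls-auth key'` entry is added while the old one stays in the context line, and with duplicate hash keys the later (old) text wins.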
@@ -2443,6 +2497,29 @@ else
 print CLIENTCONF "tls-auth ta.key\r\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "C= an't add file ta.key\n";
 }
+
+ # Add tls-crypt to client ovpn
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt tc.key\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "= Can't add file tc.key\n";
+ }
+
+ # Add client specific tls-crypt-v2 key to client.ovpn
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
+ print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}= [1].key\r\n";
+ # Generate individual tls-crypt-v2 client key
+ my $cryptfile =3D "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1]= .key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/cer= ts/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ # Add individual tls-crypt-v2 client key to client package
+ $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[= 1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[= 1].key\n";
+ }
+
 if ($vpnsettings{DCOMPLZO} eq 'on') {
 print CLIENTCONF "comp-lzo\r\n";
 }
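Review bot: The `system('/usr/sbin/openvpn', … 'tls-crypt-v2-client', "$cryptfile")` call that mints the per-client key is not followed by a `$?` check, and the `tls-crypt-v2 tc-v2-client-….key` directive has already been written to CLIENTCONF by then; when generation fails the only symptom is the later `addFile … or die "Can't add file …"`, which reports the symptom rather than the cause. Add directly after the system call `if ($?) { die "Can't generate tls-crypt-v2 client key $cryptfile: " . ($? >> 8) . "\n"; }`, or route it through `$errormessage` the way the save handler does. The same unchecked call is repeated in the next hunk for the inline client.conf variant. As a design note rather than a defect in this hunk: every package download mints a fresh client key, and as far as I understand tls-crypt-v2 the server accepts any client key wrapped with its server key, so earlier packages for the same connection stay valid until the server key is rotated; that is worth stating in the WUI text. The enclosing client-package branch starts and ends outside this hunk.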
@@ -2499,6 +2576,20 @@ else
 print CLIENTCONF "\r\n\r\n";
 close(FILE);
=20
+ # Create individual tls-crypt-v2 client key and print it to client.conf
+ if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+ my $cryptfile =3D "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1]= .key";
+ system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/cer= ts/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+ open(FILE, "<$cryptfile");
+ print CLIENTCONF "\r\n";
+ while () {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "\r\n\r\n";
+ close(FILE);
+ }
+
 # TLS auth
 if ($vpnsettings{'TLSAUTH'} eq 'on') {
 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
@@ -2680,7 +2771,7 @@ else
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
 &Header::openbigbox('100%', 'LEFT', '', '');
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}");
 my $output =3D `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
 $output =3D &Header::cleanhtml($output,"y");
 print "
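Review bot: `open(FILE, "<$cryptfile");` is the two-argument form on a bareword handle with no error check; if the key was not produced (the preceding `system` is unchecked here as well), the loop reads nothing and the client.conf is emitted without its tls-crypt-v2 key section, with no error anywhere. Use the three-argument form and fail loudly: `open(my $keyfh, '<', $cryptfile) or die "Can't open $cryptfile: $!\n";` and iterate with `while (my $line = <$keyfh>)`. The `while () {` condition as rendered here looks like a `<FILE>` readline whose angle brackets were lost in extraction; if it really is empty in the patch it is an endless loop. The connection name from `$confighash{…}[1]` becomes part of a path under `$tempdir`, which is fine as long as names are validated when a connection is created, which is outside this hunk. The enclosing client-package branch starts and ends outside this hunk.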
$output
\n";
@@ -2691,6 +2782,50 @@ else
 exit(0);
 }
=20
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+ $errormessage =3D $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+ my $output =3D `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+ $output =3D &Header::cleanhtml($output,"y");
+ print "
$output
\n";
+ &Header::closebox();
+ print "
$Lang::tr{'= back'}
";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
+###
+### Display tls-crypt-v2 server key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) {
+
+ if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+ $errormessage =3D $Lang::tr{'not present'};
+ } else {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ovpn'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}");
+ my $output =3D `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+ $output =3D &Header::cleanhtml($output,"y");
+ print "
$output
\n";
+ &Header::closebox();
+ print "
$Lang::tr{'= back'}
";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
 ###
 ### Display Certificate Revoke List
 ###
@@ -2743,9 +2878,6 @@ ADV_ERROR:
 if ($cgiparams{'LOG_VERB'} eq '') {
 $cgiparams{'LOG_VERB'} =3D '3';
 }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} =3D 'off';
- }
 $checked{'CLIENT2CLIENT'}{'off'} =3D '';
 $checked{'CLIENT2CLIENT'}{'on'} =3D '';
 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} =3D 'CHECKED';
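Review bot: The two new show-key branches are copies of the existing ta.key branch with only the title and path changed, and all three read the secret through `` `/bin/cat …` `` and then escape it with `&Header::cleanhtml`; a small helper keeps that escaping in one place, which is the property worth protecting as more key types are added, and replaces the shell round-trip with a checked `open`. The `$errormessage = $Lang::tr{'not present'}` assignment in the missing-key case falls through to the rest of the page rather than returning, which matches the existing branch but is easy to misread. The helper would live next to `writeserverconf`, not inside the `if`/`elsif` chain, which starts and ends outside this hunk.
```perl
# Emit a page showing one TLS key file (HTML-escaped) and exit; $title is the box heading.
sub show_key_page {
    my ($title, $keypath) = @_;
    open(my $keyfh, '<', $keypath) or die "Can't open $keypath: $!\n";
    my $output = do { local $/; <$keyfh> };
    close($keyfh);
    $output = &Header::cleanhtml($output, "y");
    &Header::showhttpheaders();
    &Header::openpage($Lang::tr{'ovpn'}, 1, '');
    &Header::openbigbox('100%', 'LEFT', '', '');
    &Header::openbox('100%', 'LEFT', $title);
    # … unchanged: the <pre> output and back-link prints, closebox/closebigbox/closepage …
    exit(0);
}

} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
    if (! -e "${General::swroot}/ovpn/certs/tc.key") {
        $errormessage = $Lang::tr{'not present'};
    } else {
        &show_key_page($Lang::tr{'tc key'}, "${General::swroot}/ovpn/certs/tc.key");
    }
# … unchanged: the tls-crypt-v2 branch calls the same helper with $Lang::tr{'tc v2 key'} and tc-v2-server.key …
```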
@@ -2964,13 +3096,43 @@ END
 $key =3D &General::findhasharraykey (\%confighash);
 foreach my $i (39.. 45) { $confighash{$key}[$i] =3D ""; }
 }
+ $confighash{$key}[39] =3D $cgiparams{'DAUTH'};
 $confighash{$key}[40] =3D $cgiparams{'DCIPHER'};
+ $confighash{$key}[41] =3D $cgiparams{'TLSAUTH'};
 $confighash{$key}[42] =3D $cgiparams{'DATACIPHERS'};
 $confighash{$key}[43] =3D $cgiparams{'CHANNELCIPHERS'};
 $confighash{$key}[44] =3D $cgiparams{'NCHANNELCIPHERS'};
=20
 ADV_ENC_ERROR:
=20
+ # Set default for hash message authentication code
+ if ($cgiparams{'DAUTH'} eq '') {
+ $cgiparams{'DAUTH'} =3D 'SHA512'; #[39];
+ }
+ $checked{'DAUTH'}{'BLAKE2b512'} =3D '';
+ $checked{'DAUTH'}{'BLAKE2s256'} =3D '';
+ $checked{'DAUTH'}{'SHA3-512'} =3D '';
+ $checked{'DAUTH'}{'SHA3-384'} =3D '';
+ $checked{'DAUTH'}{'SHA3-256'} =3D '';
+ $checked{'DAUTH'}{'SHA512'} =3D '';
+ $checked{'DAUTH'}{'SHA384'} =3D '';
+ $checked{'DAUTH'}{'SHA256'} =3D '';
+ $checked{'DAUTH'}{'whirlpool'} =3D '';
+ $checked{'DAUTH'}{'SHA1'} =3D '';
+ @temp =3D split('\|', $cgiparams{'DAUTH'});
+ foreach my $key (@temp) {$checked{'DAUTH'}{$key} =3D "selected=3D'selected'= "; }
+
+ # Set default for TLS control authentication
+ if ($cgiparams{'TLSAUTH'} eq '') {
+ $cgiparams{'TLSAUTH'} =3D 'tls-crypt'; #[41]
+ }
+ $checked{'TLSAUTH'}{'on'} =3D '';
+ $checked{'TLSAUTH'}{'off'} =3D '';
+ $checked{'TLSAUTH'}{'tls-crypt'} =3D '';
+ $checked{'TLSAUTH'}{'tls-crypt-v2'} =3D '';
+ @temp =3D split('\|', $cgiparams{'TLSAUTH'});
+ foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} =3D "selected=3D'selecte= d'"; }
+
 # Set default for data-cipher-fallback (the old --cipher directive)
 if ($cgiparams{'DCIPHER'} eq '') {
 $cgiparams{'DCIPHER'} =3D 'AES-256-CBC'; #[40]
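Review bot: The ten `$checked{'DAUTH'}{…} = ''` assignments and the four for TLSAUTH read better as lists, and the same lists can serve as the whitelist the save handler currently lacks: `my @hmac_algos = qw(BLAKE2b512 BLAKE2s256 SHA3-512 SHA3-384 SHA3-256 SHA512 SHA384 SHA256 whirlpool SHA1);` and `$checked{'DAUTH'}{$_} = '' for @hmac_algos;`. The two `foreach my $key (@temp)` loops reuse the name of the outer `$key` that `findhasharraykey` assigned a few lines earlier; `$algo` would avoid the shadowing. SHA1 stays selectable for `--auth`, and while the SHA512 default is right, marking SHA1 as legacy in the select label would help operators. Separately, this hunk stores `$confighash{$key}[41] = TLSAUTH` per connection while the `@@ -3906` hunk on L29 removes the only read-back of `[41]` visible in this patch, and the client-package code in the `@@ -2443` hunk consults `$vpnsettings{'TLSAUTH'}`; if the per-connection copy is no longer meant to be used, storing it is misleading.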
@@ -3023,12 +3185,16 @@ ADV_ENC_ERROR:
=20
 # Save settings and display default if not configured
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+ $confighash{$cgiparams{'KEY'}}[39] =3D $cgiparams{'DAUTH'};
 $confighash{$cgiparams{'KEY'}}[40] =3D $cgiparams{'DCIPHER'};
+ $confighash{$cgiparams{'KEY'}}[41] =3D $cgiparams{'TLSAUTH'};
 $confighash{$cgiparams{'KEY'}}[42] =3D $cgiparams{'DATACIPHERS'};
 $confighash{$cgiparams{'KEY'}}[43] =3D $cgiparams{'CHANNELCIPHERS'};
 $confighash{$cgiparams{'KEY'}}[44] =3D $cgiparams{'NCHANNELCIPHERS'};
 } else {
+ $cgiparams{'DAUTH'} =3D $vpnsettings{'DAUTH'};
 $cgiparams{'DCIPHER'} =3D $vpnsettings{'DCIPHER'};
+ $cgiparams{'TLSAUTH'} =3D $vpnsettings{'TLSAUTH'};
 $cgiparams{'DATACIPHERS'} =3D $vpnsettings{'DATACIPHERS'};
 $cgiparams{'CHANNELCIPHERS'} =3D $vpnsettings{'CHANNELCIPHERS'};
 $cgiparams{'NCHANNELCIPHERS'} =3D $vpnsettings{'NCHANNELCIPHERS'};
@@ -3132,6 +3298,44 @@ ADV_ENC_ERROR:
=20

=20 +

$Lang::tr{'ovpn crypt options'}:

+ + + + + + + + + + + + + + + +
$Lang::tr{'ovpn ha'}$Lang::tr{'ovpn tls auth'}
$Lang::tr{'ovpn data channel authentication'} + + + + +

END
;
@@ -3906,7 +4110,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
 $cgiparams{'CCD_WINS'} =3D $confighash{$cgiparams{'KEY'}}[37];
 $cgiparams{'DAUTH'} =3D $confighash{$cgiparams{'KEY'}}[39];
 $cgiparams{'DCIPHER'} =3D $confighash{$cgiparams{'KEY'}}[40];
- $cgiparams{'TLSAUTH'} =3D $confighash{$cgiparams{'KEY'}}[41];
 # Index from [39] to [44] has been reserved by advanced encryption
 $cgiparams{'CLIENTVERSION'} =3D $confighash{$cgiparams{'KEY'}}[45];
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
@@ -4824,16 +5027,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
 $checked{'MSSFIX'}{'on'} =3D '';
 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} =3D 'CHECKED';
=20
- $selected{'DAUTH'}{'whirlpool'} =3D '';
- $selected{'DAUTH'}{'SHA512'} =3D '';
- $selected{'DAUTH'}{'SHA384'} =3D '';
- $selected{'DAUTH'}{'SHA256'} =3D '';
- $selected{'DAUTH'}{'SHA1'} =3D '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED';
- $checked{'TLSAUTH'}{'off'} =3D '';
- $checked{'TLSAUTH'}{'on'} =3D '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED';
-
 if (1) {
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
@@ -5378,21 +5571,6 @@ END
 if ($cgiparams{'MSSFIX'} eq '') {
 $cgiparams{'MSSFIX'} =3D 'off';
 }
- if ($cgiparams{'DAUTH'} eq '') {
- if (-z "${General::swroot}/ovpn/ovpnconfig") {
- $cgiparams{'DAUTH'} =3D 'SHA512';
- }
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[3] ne 'host') {
- $cgiparams{'DAUTH'} =3D 'SHA512';
- } else {
- $cgiparams{'DAUTH'} =3D 'SHA1';
- }
- }
- }
- if ($cgiparams{'TLSAUTH'} eq '') {
- $cgiparams{'TLSAUTH'} =3D 'off';
- }
 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 $cgiparams{'DOVPN_SUBNET'} =3D '10.' . int(rand(256)) . '.' . int(rand(256= )) . '.0/255.255.255.0';
 }
@@ -5410,17 +5588,6 @@ END
 $selected{'DPROTOCOL'}{'tcp'} =3D '';
 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} =3D 'SELECTED';
=20
- $selected{'DAUTH'}{'whirlpool'} =3D '';
- $selected{'DAUTH'}{'SHA512'} =3D '';
- $selected{'DAUTH'}{'SHA384'} =3D '';
- $selected{'DAUTH'}{'SHA256'} =3D '';
- $selected{'DAUTH'}{'SHA1'} =3D '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED';
-
- $checked{'TLSAUTH'}{'off'} =3D '';
- $checked{'TLSAUTH'}{'on'} =3D '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED';
-
 $checked{'DCOMPLZO'}{'off'} =3D '';
 $checked{'DCOMPLZO'}{'on'} =3D '';
 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} =3D 'CHECKED';
@@ -5523,30 +5690,6 @@ END
=20
-
- - $Lang::tr{'ovpn crypt options'}: - -
- - - $Lang::tr{'ovpn ha'} - - - - -
- - $Lang::tr{'ovpn tls auth'} - = - -

END ; =20 @@ -5845,6 +5988,10 @@ END my $col3=3D"bgcolor=3D'$color{'color22'}'"; # ta.key line my $col4=3D"bgcolor=3D'$color{'color20'}'"; + # tc-v2.key line + my $col5=3D"bgcolor=3D'$color{'color22'}'"; + # tc.key + my $col6=3D"bgcolor=3D'$color{'color20'}'"; =20 if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject =3D `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn= /ca/cacert.pem`; @@ -5974,7 +6121,7 @@ END # Nothing print < - $Lang::tr{'ta key'}: + $Lang::tr{'ta key'} $Lang::tr{'not present'}   @@ -5982,6 +6129,52 @@ END ; } =20 + # Adding tc-v2.key to chart + if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") { + my $tcvsubject =3D `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.ke= y`; + $tcvsubject =3D~ /-----BEGIN (.*)-----[\n]/; + $tcvsubject =3D $1; + print < + $Lang::tr{'tc v2 key'} + $tcvsubject +
+ + +
+
+   + +END +; + } + + # Adding tc.key to chart + if (-f "${General::swroot}/ovpn/certs/tc.key") { + my $tcsubject =3D `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $tcsubject =3D~ /# (.*)[\n]/; + $tcsubject =3D $1; + print < + $Lang::tr{'tc key'} + $tcsubject + + + + +
+ + +
+   + +END +; + } + + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { print "
= "; print "";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cc7755018..9ffbbf432 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -894,6 +894,9 @@
 'download new ruleset' =3D> 'Neuen Regelsatz herunterladen',
 'download pkcs12 file' =3D> 'PKCS12-Datei herunterladen',
 'download root certificate' =3D> 'Root-Zertifikat herunterladen',
+'download tls-auth key' =3D> 'TLS-Auth Schl=C3=BCssel herunterladen',
+'download tls-crypt key' =3D> 'TLS-Crypt Schl=C3=BCssel herunterladen',
+'download tls-crypt-v2 key' =3D> 'TLS-Crypt-v2 Schl=C3=BCssel herunterladen',
 'download tls-auth key' =3D> 'tls-auth Key herunterladen',
 'dpd action' =3D> 'Aktion f=C3=BCr Erkennung toter Gegenstellen (Dead Peer D= etection)',
 'dpd delay' =3D> 'Verz=C3=B6gerung',
@@ -1951,7 +1954,7 @@
 'ovpn subnet' =3D> 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.',
 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ',
-'ovpn tls auth' =3D> 'TLS-Kanalabsicherung:',
+'ovpn tls auth' =3D> 'TLS-Kanalabsicherung',
 'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
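Review bot: `$tcvsubject = $1;` after the unconditional `$tcvsubject =~ /-----BEGIN (.*)-----[\n]/;` uses the capture without checking that the match succeeded; when the file does not match, `$1` still holds the previous successful capture (or is undef) and that stale text is printed into the table. The `tc.key` block below does the same with `/# (.*)[\n]/`. Capture in list context and default the result instead: `my ($tcvsubject) = $tcvcontent =~ /-----BEGIN (.*)-----\n/;` followed by `$tcvsubject = '' unless defined $tcvsubject;`, where `$tcvcontent` holds the file text. Both values are interpolated into HTML unescaped; the file is generated locally, but passing them through `&Header::cleanhtml` as the show-key handlers do costs nothing, and reading only the first line would avoid pulling the whole secret into a variable just to extract a label. The enclosing chart-building block starts and ends outside this hunk.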
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
',
 'ovpn_fastio' =3D> 'Fast-IO',
 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse',
@@ -2224,6 +2227,9 @@
 'show last x lines' =3D> 'die letzten x Zeilen anzeigen',
 'show root certificate' =3D> 'Root-Zertifikat anzeigen',
 'show share options' =3D> 'Anzeige der Freigabeeinstellungen',
+'show tls-auth key' =3D> 'TLS-Auth Schl=C3=BCssel anzeigen',
+'show tls-crypt key' =3D> 'TLS-Crypt Schl=C3=BCssel anzeigen',
+'show tls-crypt-v2 key' =3D> 'TLS-Crypt-v2 Schl=C3=BCssel anzeigen',
 'shuffle' =3D> 'Zufall',
 'shutdown' =3D> 'Herunterfahren',
 'shutdown ask' =3D> 'Herunterfahren?',
@@ -2350,6 +2356,8 @@
 'system logs' =3D> 'Systemprotokolldateien',
 'system status information' =3D> 'System-Statusinformationen',
 'ta key' =3D> 'TLS-Authentifizierungsschl=C3=BCssel',
+'tc key' =3D> 'TLS-Kryptografie-Schl=C3=BCssel',
+'tc v2 key' =3D> 'TLS-Kryptografie-Schl=C3=BCssel-Version2',
 'taa zombieload2' =3D> 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' =3D> 'TCP (zuverl=C3=A4ssiger)',
 'telephone not set' =3D> 'Telefonnummer nicht angegeben.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 3dcb8d46e..6707a3a71 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -918,7 +918,9 @@
 'download new ruleset' =3D> 'Download new ruleset',
 'download pkcs12 file' =3D> 'Download PKCS12 file',
 'download root certificate' =3D> 'Download root certificate',
-'download tls-auth key' =3D> 'Download tls-auth key',
+'download tls-auth key' =3D> 'Download TLS-Auth key',
+'download tls-crypt key' =3D> 'Download TLS-Crypt key',
+'download tls-crypt-v2 key' =3D> 'Download TLS-Crypt-v2 server key',
 'dpd action' =3D> 'Action',
 'dpd delay' =3D> 'Delay',
 'dpd timeout' =3D> 'Timeout',
@@ -1983,7 +1985,7 @@
 'ovpn subnet' =3D> 'OpenVPN subnet:',
 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ',
-'ovpn tls auth' =3D> 'TLS Channel Protection:',
+'ovpn tls auth' =3D> 'TLS Channel Protection',
 'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
',
 'ovpn_fastio' =3D> 'Fast-IO',
 'ovpn_mssfix' =3D> 'MSSFIX Size',
@@ -2260,7 +2262,9 @@
 'show lines' =3D> 'Show lines',
 'show root certificate' =3D> 'Show root certificate',
 'show share options' =3D> 'Show shares options',
-'show tls-auth key' =3D> 'Show tls-auth key',
+'show tls-auth key' =3D> 'Show TLS-Auth key',
+'show tls-crypt key' =3D> 'Show TLS-Crypt key',
+'show tls-crypt-v2 key' =3D> 'Show TLS-Crypt-v2 key',
 'shuffle' =3D> 'Shuffle',
 'shutdown' =3D> 'Shutdown',
 'shutdown ask' =3D> 'Shutdown?',
@@ -2388,6 +2392,8 @@
 'system logs' =3D> 'System Logs',
 'system status information' =3D> 'System Status Information',
 'ta key' =3D> 'TLS-Authentification-Key',
+'tc key' =3D> 'TLS-Cryptografic-Key',
+'tc v2 key' =3D> 'TLS-Cryptografic-Key-version2',
 'taa zombieload2' =3D> 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' =3D> 'TCP (more reliable)',
 'telephone not set' =3D> 'Telephone not set.',
--=20
2.20.1
--===============7958245985637273651==--