public inbox for development@lists.ipfire.org
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 3/7] OpenVPN: Warning for broken algorithms
Date: Thu, 10 Dec 2020 16:59:21 +0000	[thread overview]
Message-ID: <20201210165925.25037-3-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>


The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1
since those algorithms will "soon be removed".

Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++
 langs/de/cgi-bin/de.pl    |  2 ++
 langs/en/cgi-bin/en.pl    |  2 ++
 langs/es/cgi-bin/es.pl    |  4 ++++
 langs/fr/cgi-bin/fr.pl    |  2 ++
 langs/it/cgi-bin/it.pl    |  4 ++++
 langs/nl/cgi-bin/nl.pl    |  5 +++++
 langs/pl/cgi-bin/pl.pl    |  4 ++++
 langs/ru/cgi-bin/ru.pl    |  4 ++++
 langs/tr/cgi-bin/tr.pl    |  4 ++++
 10 files changed, 48 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dbf8a8d2e..7a2f8a5a3 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -250,6 +250,20 @@ sub pkiconfigcheck
 		}
 	}
 
+	# Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage
+	if (-f "${General::swroot}/ovpn/server.conf") {
+		my $oldciphers = "${General::swroot}/ovpn/server.conf";
+		open(FH, $oldciphers);
+		while(my $cipherstring = <FH>) {
+			if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+				my @tempcipherstring = split(" ", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+				goto CRYPTO_WARNING;
+			}
+		}
+		close(FH);
+	}
+
 	CRYPTO_WARNING:
 }
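Review bot: the `goto CRYPTO_WARNING` inside the `while` loop jumps past `close(FH)`, and the result of `open(FH, $oldciphers)` is never checked, so an unreadable server.conf silently yields no warning. Use a lexical, three-argument open with an error path (`open(my $fh, '<', $oldciphers) or return;`), break out with `last` and keep the `close` after the loop. The match is also fragile: `/BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/` is unanchored and case-sensitive, so a hand-edited `cipher bf-cbc` passes, a commented-out line fires, and a line such as `data-ciphers AES-256-GCM:BF-CBC` fires and then prints the whole colon-separated list as `$tempcipherstring[1]`. Matching the directive first (`^\s*(cipher|data-ciphers|data-ciphers-fallback|auth)\s+(\S+)`) and testing the value with `/i` is more robust. Finally, `SHA1` is the HMAC digest, not a 64-bit block cipher, yet it triggers `$Lang::tr{'ovpn warning 64 bit block cipher'}`; a separate string for the weak-HMAC case, or a neutrally named key, keeps the message accurate.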
 
@@ -5242,6 +5256,9 @@ END
 
     my @status = `/bin/cat /var/run/ovpnserver.log`;
 
+	# Perform crypto and configration test to display warnings or errors
+	&pkiconfigcheck;
+
     if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 		if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 		    my $ipaddr = <IPADDR>;
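Review bot: `&pkiconfigcheck;` with the leading `&` and no parentheses passes the caller's `@_` through to the sub; call it as `pkiconfigcheck();`. The comment above it has a typo (`configration`), and the two added lines are tab-indented while the surrounding context in this block uses four spaces.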
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 08827b08a..ae05d5e55 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1948,6 +1948,8 @@
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
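Review bot: typo in the German string: `Diser Algorithmus` should read `Dieser Algorithmus`.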
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 880cae5f7..321503d67 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1980,6 +1980,8 @@
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
 'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>',
+'ovpn warning algorithm' => 'You configured the algorithm',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
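Review bot: "This encryption algorithm is broken and will soon be removed" is also what the user sees when the match was `auth SHA1`, where SHA1 is the HMAC digest rather than an encryption algorithm and is deprecated rather than broken in that role; a second string for the HMAC case, or wording such as "This algorithm is deprecated and will soon be removed", avoids a misleading message. Also `</br>` is not a valid closing tag, since `<br>` is a void element; a plain `<br>` is enough.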
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index c86580e81..752093552 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -552,6 +552,8 @@
 'credits' => 'Creditos',
 'crl' => 'Lista de revocación de certificados',
 'cron server' => 'Servidor CRON',
+'crypto error' => 'Error de criptografía',
+'crypto warning' => 'Advertencias sobre la criptografía',
 'current' => 'Actual',
 'current aliases' => 'Alias actuales',
 'current class' => 'Clase actual',
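Review bot: the `'crypto error'` and `'crypto warning'` keys added here (and in the it, nl, pl, ru and tr files below) are not referenced by the ovpnmain.cgi hunk of this patch, which only uses `'ovpn warning algorithm'` and `'ovpn warning 64 bit block cipher'`. If they belong to the advanced encryption section from 1/7 they should move into that patch; otherwise the commit message should say why they are introduced here.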
@@ -1345,6 +1347,8 @@
 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0',
 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.',
 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:',
+'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del  está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>',
+'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Tamaño de Fragmento',
 'ovpn_mssfix' => 'Tamaño MSSFIX',
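Review bot: the Spanish string has a stray `del` and a doubled space (`cifrado del  está roto`); it should read `Este algoritmo de cifrado está roto y pronto se eliminará.`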
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index 1a1f37cbe..f931bc70e 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1981,6 +1981,8 @@
 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.',
 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ',
 'ovpn tls auth' => 'Protection du canal TLS :',
+'ovpn warning 64 bit block cipher' => 'Ce L\'algorithme de chiffage du n\'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>',
+'ovpn warning algorithm' => 'L\'algorithme suivant a été configuré',
 'ovpn warning rfc3280' => 'Votre certificat d\'hôte n\'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d\'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Taille du fragment',
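Review bot: the French string is garbled: `Ce L\'algorithme de chiffage du n\'est plus sûr` mixes two sentence starts, leaves a dangling `du` and misspells `chiffrement`. Suggested: `Cet algorithme de chiffrement n\'est plus sûr et sera bientôt supprimé.`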
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 2c1dc9559..3779de3f6 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -622,6 +622,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'CRON Server',
+'crypto error' => 'Errore di crittografia',
+'crypto warning' => 'Avvertenze di crittografia',
 'current' => 'Current',
 'current aliases' => 'Current aliases',
 'current class' => 'Current class',
@@ -1733,6 +1735,8 @@
 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning 64 bit block cipher' => 'L\'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>',
+'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
 'ovpn_mtudisc' => 'MTU-Discovery',
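Review bot: `verrà presto disinstallato` means "will soon be uninstalled"; the English source says removed, so `verrà presto rimosso` matches better. There is also no space before `<br>`, unlike the other language strings.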
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 635cbd3b8..dc9ea350f 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -616,6 +616,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificaatintrekkingslijst',
 'cron server' => 'CRON Server',
+'crypto error' => 'Cryptografische fout',
+'crypto warning' => 'Cryptografie waarschuwingen',
 'current' => 'Huidig',
 'current aliases' => 'Huidige aliassen:',
 'current class' => 'Huidige klasse',
@@ -1686,6 +1688,9 @@
 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.',
 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ',
+'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>',
+'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd',
+'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrootte',
 'ovpn_mssfix' => 'MSSFIX-grootte',
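Review bot: `verbroken` means severed (a connection or promise); for a broken algorithm `onveilig` or `gebroken` is the right word. The `'ovpn warning rfc3280'` line added here is outside the scope of this patch (de, en and fr already carry it and are not touched by this change) and contains the English remnant `Please-update`, which should be `Werk bij`; either drop it from this patch or fix the text.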
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 4ceaeef8a..96e9a95ae 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -553,6 +553,8 @@
 'credits' => 'Credits',
 'crl' => 'Lista odwołań certyfikatów',
 'cron server' => 'Serwer CRON',
+'crypto error' => 'Błąd kryptograficzny',
+'crypto warning' => 'Ostrzeżenia kryptograficzne',
 'current' => 'Aktualne',
 'current aliases' => 'Aktualne alias:',
 'current class' => 'Aktualna klasa',
@@ -1357,6 +1359,8 @@
 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.',
 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ',
+'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>',
+'ovpn warning algorithm' => 'Skonfigurowałeś algorytm',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Rozmiar fragmentu',
 'ovpn_mssfix' => 'MSSFIX Size',
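Review bot: the Polish string does not translate the English one: `Szyfr danych wymaga co najmniej jednego szyfru.` means "The data cipher requires at least one cipher." It should say that the algorithm is broken and will be removed, e.g. `Ten algorytm szyfrowania jest niebezpieczny i wkrótce zostanie usunięty.`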
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 1d81eb62c..5ba44ce29 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -551,6 +551,8 @@
 'credits' => 'О Проекте',
 'crl' => 'Список отозванных сертификатов',
 'cron server' => 'CRON Сервер',
+'crypto error' => 'Ошибка криптографии',
+'crypto warning' => 'крипто-предупреждение',
 'current' => 'Current',
 'current aliases' => 'Действующие псевдонимы:',
 'current class' => 'Текущий класс',
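Review bot: `'крипто-предупреждение'` is lower-case and singular while every other language renders this key as a capitalised plural ("Cryptography warnings"); `'Криптографические предупреждения'` is consistent with the `'crypto error'` entry above it.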
@@ -1352,6 +1354,8 @@
 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.',
 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ',
+'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>',
+'ovpn warning algorithm' => 'Вы настроили алгоритм',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentsize',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 5fbd9f3d3..b459401c9 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -682,6 +682,8 @@
 'credits' => 'Yazarlar',
 'crl' => 'Sertifika İptal Listesi',
 'cron server' => 'CRON Sunucusu',
+'crypto error' => 'Kriptografi hatası',
+'crypto warning' => 'Kriptografi uyarıları',
 'current' => 'Geçerli',
 'current aliases' => 'Geçerli takma adlar:',
 'current class' => 'Geçerli sınıflar',
@@ -1878,6 +1880,8 @@
 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.',
 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ',
+'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>',
+'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın',
 'ovpn_fastio' => 'Hızlı-IO',
 'ovpn_mssfix' => 'MSSFIX Boyutu',
 'ovpn_mtudisc' => 'MTU-Keşfi',
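Review bot: `Algoritmayı sen yapılandırdın` uses the informal singular `sen`, whereas the surrounding Turkish strings address the user formally; `Şu algoritmayı yapılandırdınız` (or the impersonal `Yapılandırılan algoritma`) fits the register. There is also a stray space after `<br>` in the first string.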
-- 
2.20.1
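A standalone checker for the behaviour this patch describes, written here as an added example in Python; it is not code from ovpnmain.cgi or any other IPFire file. It reads a server.conf, looks at the directive before the value, checks each entry of a colon-separated `data-ciphers` list on its own, ignores commented-out lines and compares names case-insensitively. The sample configuration is constructed. The family-prefix rule, which flags every mode of BF, CAST5 and DES rather than only the CBC names the patch greps for, is an assumption that goes beyond the patch.

```python
"""Scan an OpenVPN server.conf for the 64-bit-block ciphers and the SHA1 HMAC
that the patch warns about.  Added example, not IPFire code."""
import sys
from typing import List, Tuple

# Directives whose value is a cipher name, or a ':'-separated list of them.
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback", "ncp-ciphers"}
# Directive carrying the HMAC digest.
HMAC_DIRECTIVES = {"auth"}

# Exactly the names the patch greps for (compared case-insensitively here).
WEAK_CIPHERS = {"BF-CBC", "CAST5-CBC", "DESX-CBC", "DES-EDE-CBC", "DES-EDE3-CBC"}
# Assumption beyond the patch: other modes of the same 64-bit-block families
# (e.g. BF-CFB, DES-EDE3-CFB) share the block size, so flag them by prefix.
WEAK_CIPHER_FAMILIES = ("BF-", "CAST5-", "DES-", "DESX-")
WEAK_HMACS = {"SHA1"}

Finding = Tuple[int, str, str]  # (line number, directive, offending value)


def is_weak_cipher(name: str) -> bool:
    """True for any cipher the patch lists or any other mode of those families."""
    upper = name.upper()
    return upper in WEAK_CIPHERS or upper.startswith(WEAK_CIPHER_FAMILIES)


def find_weak_algorithms(conf_text: str) -> List[Finding]:
    """Return every weak cipher or HMAC actually configured, in file order.

    Unlike a bare regex over each line, this inspects the directive first, so
    commented-out lines (leading '#' or ';') never fire, each entry of a
    'data-ciphers' list is checked on its own, and letter case is irrelevant.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0][0] in "#;":
            continue
        directive, value = tokens[0].lower(), tokens[1]
        if directive in CIPHER_DIRECTIVES:
            findings.extend(
                (lineno, directive, name)
                for name in value.split(":")
                if is_weak_cipher(name)
            )
        elif directive in HMAC_DIRECTIVES and value.upper() in WEAK_HMACS:
            findings.append((lineno, directive, value))
    return findings


def format_warnings(findings: List[Finding]) -> str:
    """Plain-text counterpart of the WUI warning: one line per offending entry."""
    return "\n".join(
        f"line {ln}: '{directive} {value}' uses a broken algorithm; "
        "change it as soon as possible"
        for ln, directive, value in findings
    )


# Constructed sample; not a real IPFire server.conf.
SAMPLE_CONF = """\
# constructed sample
port 1194
proto udp
dev tun
cipher bf-cbc
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
data-ciphers-fallback AES-256-CBC
auth SHA1
;cipher DES-EDE3-CBC
tls-auth /var/ipfire/ovpn/certs/ta.key 0
"""

if __name__ == "__main__":
    # Pass a path to check a real file; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(format_warnings(find_weak_algorithms(text)) or "no weak algorithms configured")
```

On the sample this reports the lower-case `cipher bf-cbc`, the `BF-CBC` entry inside the `data-ciphers` list and `auth SHA1`, and stays silent on the commented-out `DES-EDE3-CBC` line; the directive-first parse is what makes the difference from a substring match over every line.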


Thread overview: 17+ messages
2020-12-03 12:08 [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-03 12:08 ` [PATCH 2/3] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-03 12:08 ` [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection ummeegge
2020-12-08 17:28 ` [PATCH 1/3] OpenVPN: Introduce advanced encryption section ummeegge
2020-12-29 10:29   ` Michael Tremer
2020-12-10 16:59 ` [PATCH v2 1/7] " ummeegge
2020-12-10 16:59   ` [PATCH v2 2/7] OpenVPN: Substitute --cipher with --data-cipher-fallback ummeegge
2020-12-10 16:59   ` ummeegge [this message]
2020-12-10 16:59   ` [PATCH v2 4/7] OpenVPN: New ciphers and HMACs for N2N ummeegge
2020-12-10 16:59   ` [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings ummeegge
2020-12-10 16:59   ` [PATCH v2 6/7] OpenVPN: Moved HMAC to advanced crypto section ummeegge
2020-12-10 16:59   ` [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section ummeegge
2020-12-14 13:03     ` ummeegge
2020-12-14 13:43       ` Michael Tremer
2020-12-14 15:12         ` ummeegge
2020-12-15 11:58           ` Michael Tremer
2020-12-14 13:44       ` Paul Simmons
