From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings Date: Thu, 10 Dec 2020 16:59:23 +0000 Message-ID: <20201210165925.25037-5-erik.kapfer@ipfire.org> In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1521518035932367434==" List-Id: --===============1521518035932367434== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - The --tls-ciphers for the control channel TLSv2 crypto can now be combined for negotiation. - The --tls-ciphersuite crypto does the same but with TLSv3 and can also be combined for negotiation. There are no defaults for both and this feature is inactive unless the user decides to use them. - The --tls-ciphersuite directive will only be printed into client.ovpn if the client is >=3D2.5.0 ready. Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 106 ++++++++++++++++++++++++++++++++++++++ langs/de/cgi-bin/de.pl | 3 ++ langs/en/cgi-bin/en.pl | 3 ++ langs/es/cgi-bin/es.pl | 3 ++ langs/fr/cgi-bin/fr.pl | 3 ++ langs/it/cgi-bin/it.pl | 3 ++ langs/nl/cgi-bin/nl.pl | 3 ++ langs/pl/cgi-bin/pl.pl | 3 ++ langs/ru/cgi-bin/ru.pl | 3 ++ langs/tr/cgi-bin/tr.pl | 3 ++ 10 files changed, 133 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 71cba6d88..e248b3cbb 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} =3D ''; $cgiparams{'DAUTH'} =3D ''; $cgiparams{'TLSAUTH'} =3D ''; $cgiparams{'DATACIPHERS'} =3D ''; +$cgiparams{'CHANNELCIPHERS'} =3D ''; +$cgiparams{'NCHANNELCIPHERS'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; 
@@ -351,6 +353,20 @@ sub writeserverconf { print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; } =20 + # Control channel encryption TLSv2 needs own line cause directive name diff= ers + if ($sovpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar =3D ($sovpnsettings{'CHANNELCIPHERS'} =3D~ s/\|/:/g); + print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n"; + } + + # Control channel encryption >=3D TLSv3 + if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar =3D ($sovpnsettings{'NCHANNELCIPHERS'} =3D~ s/\|/:/g); + print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -951,6 +967,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'= }) { goto ADV_ENC_ERROR; } =20 + # If no value for --tls-cipher has been set, delete setting + if ($cgiparams{'CHANNELCIPHERS'} eq '') { + delete $vpnsettings{'CHANNELCIPHERS'}; + } else { + $vpnsettings{'CHANNELCIPHERS'} =3D $cgiparams{'CHANNELCIPHERS'}; + } + + # If no value for --tls-ciphersuites has been set, delete setting + if ($cgiparams{'NCHANNELCIPHERS'} eq '') { + delete $vpnsettings{'NCHANNELCIPHERS'}; + } else { + $vpnsettings{'NCHANNELCIPHERS'} =3D $cgiparams{'NCHANNELCIPHERS'}; + } + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf(); } 
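Review bot: Once the save path below has done `delete $vpnsettings{'CHANNELCIPHERS'}`, the key is absent from the settings file and `$sovpnsettings{'CHANNELCIPHERS'} ne ''` compares undef, which logs an uninitialized-value warning on every server-config write under `use warnings`; the same holds for `NCHANNELCIPHERS`, so guard both as `if (defined $sovpnsettings{'CHANNELCIPHERS'} && $sovpnsettings{'CHANNELCIPHERS'} ne '')`. The `@advcipherchar = (... =~ s/\|/:/g)` lines store the substitution count in an array nothing in the hunk reads, while the real effect is an in-place edit of `%sovpnsettings`; `(my $tls_cipher = $sovpnsettings{'CHANNELCIPHERS'}) =~ s/\|/:/g;` followed by `print CONF "tls-cipher $tls_cipher\n";` shows the intent and leaves the hash untouched (the client.ovpn hunk at -2402 has the same pattern). The comments and the new labels say `TLSv2`/`TLSv3`, but the protocol versions are TLS 1.2 and TLS 1.3, which the `tls-version-min 1.2` line right below already spells out; `--tls-cipher` covers TLS 1.2 and below and `--tls-ciphersuites` TLS 1.3, so the comments should read `# Control-channel ciphers for TLS 1.2 and below (--tls-cipher)` and `# Control-channel ciphersuites for TLS 1.3 (--tls-ciphersuites)`. writeserverconf's body continues on both sides of the hunk.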
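Review bot: The new assignments store `$cgiparams{'CHANNELCIPHERS'}` and `$cgiparams{'NCHANNELCIPHERS'}` exactly as submitted, and the writeserverconf and client.ovpn hunks interpolate them unquoted into `tls-cipher` / `tls-ciphersuites` lines, so any value that is not one of the cipher names the form offers (the keys set on `$checked{'CHANNELCIPHERS'}` and `$checked{'NCHANNELCIPHERS'}` in the -2967 hunk) lands verbatim in the server configuration and in every exported client file. The checks just above this hunk already abort with `goto ADV_ENC_ERROR`; the same should happen here for any `|`-separated token outside the known set, before the delete/assign block runs. A sketch follows; the error-message variable this page uses is not visible in the hunk, so that line is left as a comment. The enclosing `if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'})` block starts outside the hunk.
```perl
	# Accept only the control-channel cipher names the form offers; anything
	# else must not reach the server config or client.ovpn.
	my %valid_tls_cipher = map { $_ => 1 } qw(
		TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
		TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
		TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
		TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
		TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
		TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
		TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
	);
	my %valid_tls_ciphersuite = map { $_ => 1 } qw(
		TLS_AES_256_GCM_SHA384
		TLS_CHACHA20_POLY1305_SHA256
		TLS_AES_128_GCM_SHA256
	);
	for my $cipher (split /\|/, $cgiparams{'CHANNELCIPHERS'}) {
		next if $valid_tls_cipher{$cipher};
		# set the page's error message here, as the checks above do
		goto ADV_ENC_ERROR;
	}
	for my $suite (split /\|/, $cgiparams{'NCHANNELCIPHERS'}) {
		next if $valid_tls_ciphersuite{$suite};
		# set the page's error message here, as the checks above do
		goto ADV_ENC_ERROR;
	}
	# … unchanged: delete/assign of CHANNELCIPHERS and NCHANNELCIPHERS, writehash, writeserverconf …
```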
@@ -2402,6 +2432,23 @@ else print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; } =20 + # Set --tls-cipher TLSv2 in client.ovpn if configured + if ($vpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar =3D ($vpnsettings{'CHANNELCIPHERS'} =3D~ s/\|/:/g); + print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n"; + } + + # Print new tls-ciphersuites TLSv3 in client.ovpn only if client is >=3D2.5= .0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set --tls-ciphersuites TLSv3 if configured + if ($vpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar =3D ($vpnsettings{'NCHANNELCIPHERS'} =3D~ s/\|/:/g); + print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n"; + } + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; =20 if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2934,6 +2981,8 @@ END } $confighash{$key}[40] =3D $cgiparams{'DCIPHER'}; $confighash{$key}[42] =3D $cgiparams{'DATACIPHERS'}; + $confighash{$key}[43] =3D $cgiparams{'CHANNELCIPHERS'}; + $confighash{$key}[44] =3D $cgiparams{'NCHANNELCIPHERS'}; =20 ADV_ENC_ERROR: =20 
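Review bot: The `tls-ciphersuites` line is gated on `$confighash{$cgiparams{'KEY'}}[45] eq 'on'`, but nothing in this patch assigns index 45 (the -2934 hunk only sets 43 and 44), so it presumably depends on another patch of the series; a comment such as `# [45]: client marked as OpenVPN >= 2.5.0 capable — TODO confirm where this flag is set` would save the next reader the search, and the series should be ordered so the flag exists before this code reads it. Entries 43 and 44, on the other hand, are written here and in the -2967 hunk but read nowhere in the patch: client.ovpn takes the ciphers from the global `%vpnsettings`, which mirrors the existing DATACIPHERS/[42] handling but leaves the per-client copy as dead data unless a later change uses it. The `s/\|/:/g` lines also rewrite `%vpnsettings` in place; if that hash is written back anywhere after this point (not visible here) the stored separator becomes `:` and the `split('\|', ...)` in the form stops splitting, so substitute into a local copy such as `(my $tls_cipher = $vpnsettings{'CHANNELCIPHERS'}) =~ s/\|/:/g;` instead. The enclosing `else` block starts before the hunk.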
@@ -2967,13 +3016,37 @@ ADV_ENC_ERROR: @temp =3D split('\|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} =3D "selected=3D'sel= ected'"; } =20 + # No default settings for --tls-cipher so OpenVPN makes his own choice + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} =3D '= '; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}= =3D ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} =3D '= '; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} =3D ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = =3D ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} =3D ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} =3D ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} =3D= ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} =3D ''; + @temp =3D split('\|', $cgiparams{'CHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} =3D "selected=3D'= selected'"; } + + # No default settings for --tls-ciphersuites so OpenVPN makes his own choice + $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} =3D ''; + $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} =3D ''; + $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} =3D ''; + @temp =3D split('\|', $cgiparams{'NCHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} =3D "selected=3D= 'selected'"; } + # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[40] =3D $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] =3D $cgiparams{'DATACIPHERS'}; + $confighash{$cgiparams{'KEY'}}[43] =3D $cgiparams{'CHANNELCIPHERS'}; + $confighash{$cgiparams{'KEY'}}[44] =3D $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DCIPHER'} =3D 
$vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} =3D $vpnsettings{'DATACIPHERS'}; + $cgiparams{'CHANNELCIPHERS'} =3D $vpnsettings{'CHANNELCIPHERS'}; + $cgiparams{'NCHANNELCIPHERS'} =3D $vpnsettings{'NCHANNELCIPHERS'}; } =20 ADV_ENC_ERROR: @@ -3040,8 +3113,41 @@ ADV_ENC_ERROR: =20 + + + $Lang::tr{'ovpn control channel v3'} + $Lang::tr{'ovpn control channel v2'} + + + + $Lang::tr{'ovpn channel encryption'= } + + + + + + + + + +
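Review bot: The `selected='selected'` marks for `CHANNELCIPHERS` and `NCHANNELCIPHERS` are computed from `%cgiparams` before the `else` branch copies the stored `%vpnsettings` values into `%cgiparams`, so on a plain page view (no save action) a stored choice would not be preselected unless an earlier assignment outside this hunk already does that copy; DATACIPHERS follows the same order, so this is worth confirming rather than assuming. When the key was deleted by the save path, that `else` copy also puts undef into `$cgiparams{'CHANNELCIPHERS'}`; `$cgiparams{'CHANNELCIPHERS'} = defined $vpnsettings{'CHANNELCIPHERS'} ? $vpnsettings{'CHANNELCIPHERS'} : '';` keeps the later form code warning-free. The two new comments should read `its own choice` rather than `his own choice`, and the split is clearer as `split /\|/, $cgiparams{'CHANNELCIPHERS'}` than as a string pattern. The surrounding code starts before the hunk's first `@temp` line.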

+
END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ae05d5e55..cadf4b141 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1908,6 +1908,9 @@ 'ovpn config' =3D> 'OVPN-Konfiguration', 'ovpn connection name' =3D> 'Verbindungs-Name', 'ovpn crypt options' =3D> 'Kryptografieoptionen', +'ovpn channel encryption' =3D> 'Kontroll-Kanal Verschl=C3=BCsselung', +'ovpn control channel v2' =3D> 'Kontroll-Kanal TLSv2', +'ovpn control channel v3' =3D> 'Kontroll-Kanal TLSv3', 'ovpn data encryption' =3D> 'Daten-Kanal Verschl=C3=BCsselung', 'ovpn data channel' =3D> 'Daten-Kanal', 'ovpn data channel fallback' =3D> 'Daten-Kanal Fallback', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 321503d67..4b667f881 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1940,6 +1940,9 @@ 'ovpn config' =3D> 'OVPN-Config', 'ovpn connection name' =3D> 'Connection Name', 'ovpn crypt options' =3D> 'Cryptographic options', +'ovpn channel encryption' =3D> 'Control-Channel encryption', +'ovpn control channel v2' =3D> 'Control-Channel TLSv2', +'ovpn control channel v3' =3D> 'Control-Channel TLSv3', 'ovpn data encryption' =3D> 'Data-Channel encryption', 'ovpn data channel' =3D> 'Data-Channel', 'ovpn data channel fallback' =3D> 'Data-Channel fallback', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 752093552..65505706c 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1333,6 +1333,9 @@ 'ovpn' =3D> 'OpenVPN', 'ovpn con stat' =3D> 'Estadisticas de conexi=C3=B3n OpenVPN', 'ovpn config' =3D> 'Configruaci=C3=B3n de OVPN', +'ovpn channel encryption' =3D> 'Encriptaci=C3=B3n Canal-Control', +'ovpn control channel v2' =3D> 'Canal-Control TLSv2', +'ovpn control channel v3' =3D> 'Canal-Control TLSv3', 'ovpn data encryption' =3D> 'Encriptaci=C3=B3n Data-Channel', 'ovpn data channel' =3D> 'Canal-Datos', 'ovpn data channel fallback' =3D> 'Retroceso Canal-Datos', 
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index f931bc70e..cda133e5d 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1941,6 +1941,9 @@ 'ovpn config' =3D> 'Config OVPN', 'ovpn connection name' =3D> 'Nom de la connexion ', 'ovpn crypt options' =3D> 'Options cryptographiques', +'ovpn channel encryption' =3D> 'Chiffrage du canal de contr=C3=B4le', +'ovpn control channel v2' =3D> 'Canal de contr=C3=B4le TLSv2', +'ovpn control channel v3' =3D> 'Canal de contr=C3=B4le TLSv3', 'ovpn data encryption' =3D> 'Chiffrage du canal de donn=C3=A9es', 'ovpn data channel' =3D> 'Canal de donn=C3=A9es', 'ovpn data channel fallback' =3D> 'Canal de donn=C3=A9es de repli', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 3779de3f6..22ce7cd4d 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -1701,6 +1701,9 @@ 'ovpn con stat' =3D> 'OpenVPN Connection Statistics', 'ovpn config' =3D> 'OVPN-Config', 'ovpn crypt options' =3D> 'Cryptographic options', +'ovpn channel encryption' =3D> 'Crittografia del canale di controllo', +'ovpn control channel v2' =3D> 'Canale di controllo TLSv2', +'ovpn control channel v3' =3D> 'Canale di controllo TLSv3', 'ovpn device' =3D> 'OpenVPN device:', 'ovpn dh' =3D> 'Diffie-Hellman parameters length', 'ovpn dh new key' =3D> 'Generate new Diffie-Hellman parameters', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index dc9ea350f..15482b7c7 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1660,6 +1660,9 @@ 'ovpn' =3D> 'OpenVPN', 'ovpn con stat' =3D> 'OpenVPN connectiestatistieken', 'ovpn config' =3D> 'OVPN-Configuratie', +'ovpn channel encryption' =3D> 'Control-kanaal versleuteling', +'ovpn control channel v2' =3D> 'Controle-Kanaal TLSv2', +'ovpn control channel v3' =3D> 'Controle-Kanaal TLSv3', 'ovpn data encryption' =3D> 'Datakanaalversleuteling', 'ovpn data channel' =3D> 'Data-kanaal', 'ovpn data channel fallback' =3D> 'Data-Kanaal terugval', 
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 96e9a95ae..a5bde2044 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -1345,6 +1345,9 @@ 'ovpn' =3D> 'OpenVPN', 'ovpn con stat' =3D> 'Statystyki po=C5=82=C4=85cze=C5=84 OpenVPN', 'ovpn config' =3D> 'OVPN-Konfig', +'ovpn channel encryption' =3D> 'Szyfrowanie Control-Channel', +'ovpn control channel v2' =3D> 'Kana=C5=82-Kontrolny TLSv2', +'ovpn control channel v3' =3D> 'Kana=C5=82-Kontrolny TLSv3', 'ovpn data encryption' =3D> 'Szyfrowanie Kana=C5=82u-Danych', 'ovpn data channel' =3D> 'Kana=C5=82-Danych', 'ovpn data channel fallback' =3D> 'Awaria Kana=C5=82u-Danych', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 5ba44ce29..17666de80 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl 
@@ -1336,6 +1336,9 @@ 'ovpn' =3D> 'OpenVPN', 'ovpn con stat' =3D> '=D0=A1=D1=82=D0=B0=D1=82=D0=B8=D1=81=D1=82=D0=B8=D0=BA= =D0=B0 =D0=BF=D0=BE=D0=B4=D0=BA=D0=BB=D1=8E=D1=87=D0=B5=D0=BD=D0=B8=D0=B9 Ope= nVPN', 'ovpn config' =3D> '=D0=9D=D0=B0=D1=81=D1=82=D1=80=D0=BE=D0=B9=D0=BA=D0=B8 O= VPN', +'ovpn channel encryption' =3D> '=D0=A8=D0=B8=D1=84=D1=80=D0=BE=D0=B2=D0=B0= =D0=BD=D0=B8=D0=B5 =D0=BA=D0=B0=D0=BD=D0=B0=D0=BB=D0=BE=D0=B2 =D1=83=D0=BF=D1= =80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F', +'ovpn control channel v2' =3D> '=D0=9A=D0=B0=D0=BD=D0=B0=D0=BB-=D1=83=D0=BF= =D1=80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F TLSv2', +'ovpn control channel v3' =3D> '=D0=9A=D0=B0=D0=BD=D0=B0=D0=BB-=D1=83=D0=BF= =D1=80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F TLSv3', 'ovpn data encryption' =3D> '=D1=88=D0=B8=D1=84=D1=80=D0=BE=D0=B2=D0=B0=D0= =BD=D0=B8=D0=B5-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB=D0=BE=D0=B2 =D0=B4=D0=B0=D0=BD= =D0=BD=D1=8B=D1=85', 'ovpn data channel' =3D> '=D0=98=D0=BD=D1=84=D0=BE=D1=80=D0=BC=D0=B0=D1=86= =D0=B8=D0=BE=D0=BD=D0=BD=D1=8B=D0=B9-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB', 'ovpn data channel fallback' =3D> '=D0=98=D0=BD=D1=84=D0=BE=D1=80=D0=BC=D0= =B0=D1=86=D0=B8=D0=BE=D0=BD=D0=BD=D1=8B=D0=B9-=D0=BA=D0=B0=D0=BD=D0=B0=D0=BB = =D0=BE=D1=82=D1=81=D1=82=D1=83=D0=BF=D0=BB=D0=B5=D0=BD=D0=B8=D0=B5', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index b459401c9..7df486bc8 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl 
@@ -1843,6 +1843,9 @@ 'ovpn con stat' =3D> 'OpenVPN Ba=C4=9Flant=C4=B1 =C4=B0statisti=C4=9Fi', 'ovpn config' =3D> 'OVPN-Yap=C4=B1land=C4=B1rmas=C4=B1', 'ovpn crypt options' =3D> '=C5=9Eifreleme se=C3=A7enekleri', +'ovpn channel encryption' =3D> 'Kontrol-Kanal=C4=B1 =C5=9Fifreleme', +'ovpn control channel v2' =3D> 'Kontrol-Kanal=C4=B1 TLSv2', +'ovpn control channel v3' =3D> 'Kontrol-Kanal=C4=B1 TLSv3', 'ovpn data channel' =3D> 'Veri-Kanal=C4=B1', 'ovpn data channel fallback' =3D> 'Veri-Kanal=C4=B1 geri d=C3=B6n=C3=BC=C5= =9F=C3=BC', 'ovpn data encryption' =3D> 'Veri-Kanal=C4=B1 =C5=9Fifreleme', --=20 2.20.1 --===============1521518035932367434==--