From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] openvpn: Warning for broken algorithms . Date: Mon, 21 Nov 2022 11:22:21 +0100 Message-ID: <20221121102221.13486-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2442942604163142426==" List-Id: --===============2442942604163142426== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs chang= elog for version 2.5.8 gives hints to get rid of BF-CBC for default configuations, a warning will be displayed in the WUI if the user is running BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change as soon as possible to another more secure algorithm. The call of the pkiconfigcheck function is now located in the status page sec= tion. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dc429d90c..5c34a5f4d 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} =3D ''; $cgiparams{'DAUTH'} =3D ''; $cgiparams{'TLSAUTH'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; -# Perform crypto and configration test -&pkiconfigcheck; =20 # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -240,6 +238,39 @@ sub pkiconfigcheck } } =20 + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC i= s in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers =3D "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring =3D ) { + if ($cipherstring =3D~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CB= C|SHA1/) { + my @tempcipherstring =3D split(" ", $cipherstring); + $cryptowarning =3D "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[1]
$Lang::tr{'ovpn warning 64 bit block= cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + + # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or = HMAC is in usage + if (-f "${General::swroot}/ovpn/ovpnconfig") { + my $oldciphers =3D "${General::swroot}/ovpn/ovpnconfig"; + open(FH, $oldciphers); + while(my $cipherstring =3D ) { + if ($cipherstring =3D~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CB= C/) { + my @tempcipherstring =3D split(",", $cipherstring); + $cryptowarning =3D "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[41]
$Lang::tr{'ovpn warning algorithm n= 2n'} $tempcipherstring[2]
$Lang::tr{'ovpn warni= ng 64 bit block cipher'}
"; + goto CRYPTO_WARNING; + } + if ($cipherstring =3D~ /SHA1/) { + my @tempcipherstring =3D split(",", $cipherstring); + $cryptowarning =3D "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[40]
$Lang::tr{'ovpn warning algorithm n= 2n'} $tempcipherstring[2]
$Lang::tr{'ovpn warni= ng 64 bit block cipher'}
"; + goto CRYPTO_WARNING; + } + } + } + + CRYPTO_WARNING: } =20 @@ -5056,6 +5087,9 @@ END my @status =3D ; close(FILE); =20 + # Perform crypto and configration test + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr =3D ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index abfba5d5e..bb675ec34 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1982,6 +1982,9 @@ 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.', 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit ', 'ovpn tls auth' =3D> 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' =3D> 'Dieser Algorithmus ist unsicher und= wird bald entfernt.
Bitte =C3=84ndern Sie dies auf beiden Seiten (Server= und Client) so schnell wie m=C3=B6glich!
', +'ovpn warning algorithm' =3D> 'Folgender Algorithmus wurde konfiguriert', +'ovpn warning algorithm n2n' =3D> 'F=C3=BCr die Netz-zu-Netz Verbindung', 'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkonf= orm.
Bitte IPFire auf die letzte Version updaten und generieren sie ein n= eues Root und Host Zertifikat so bald wie m=C3=B6glich.

Es m=C3=BCsse= n dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf18b22a2..9aaf3e765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2035,6 +2035,9 @@ 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' =3D> 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' =3D> 'This encryption algorithm is broken= and will soon be removed.
Please change this on both sides (server and c= lient) as soon as possible!
', +'ovpn warning algorithm' =3D> 'The following algorithm was configured', +'ovpn warning algorithm n2n' =3D> 'For the Net-to-Net connection', 'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant.=
Please update to the latest IPFire version and generate as soon as possi= ble a new root and host certificate.

All OpenVPN clients needs then t= o be renewed!
', 'ovpn_fastio' =3D> 'Fast-IO', 'ovpn_mssfix' =3D> 'MSSFIX Size', --=20 2.35.1 --===============2442942604163142426==--