From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitute the deprecated --cipher directive.
Date: Thu, 21 Mar 2024 13:24:50 +0100
Message-ID: <20240321122511.3287692-3-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
- Since the '--cipher' directive is deprecated with OpenVPN version 2.5.0, it is now handled via
'--data-cipher-fallback' to keep compatibility with already existing clients until version 2.3.x.
The old 'DCIPHER' variable name has been kept and also uses the old settings file, but
the directive has now been renamed from '--cipher' to '--data-cipher-fallback'.
All new clients need to be at least at OpenVPN version 2.5.0, since the '--cipher' directive
will no longer be printed into client.ovpn; instead only NCP is used.
- All old CBC ciphers, except the GCM family and CHACHA20-POLY1305 (AEAD ciphers),
are now included in the '--data-ciphers-fallback' table, which is located beneath the
data-channel ciphers in a separate table.
- With this patch all ciphers are now located under the "Advanced server options" and no longer under
the "Global settings"; therefore, tls-auth needed to be rearranged in the "Global settings".
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
3 files changed, 51 insertions(+), 43 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 833ce8247..49ddae4ce 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -337,7 +337,10 @@ sub writeserverconf {
@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
- print CONF "cipher $sovpnsettings{DCIPHER}\n";
+ # The "--cipher" directive has been renamed to "--data-cipher-fallback"
+ # but uses the old setting files. This should deliver compatibility
+ # for already existing old clients back to OpenVPN version 2.3.x
+ print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
print CONF "auth $sovpnsettings{'DAUTH'}\n";
# Set TLSv2 as minimum
print CONF "tls-version-min 1.2\n";
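Review bot: the added comment (and the patch subject) says "--data-cipher-fallback" while the directive actually printed on the new `print CONF` line is "data-ciphers-fallback"; align the comment and subject with the real directive name so nobody greps for the wrong one later. The new print line also emits a bare "data-ciphers-fallback " with an empty value when $sovpnsettings{DCIPHER} is unset, for instance on an installation whose settings file predates this key, because the 'AES-256-CBC' default is only applied in the advanced-options display path (the ADV_ERROR hunk) and not in writeserverconf; either guard the print with a check that the value is non-empty or apply the same default here before printing. Minor: `$sovpnsettings{DCIPHER}` is unquoted while the neighbouring `$sovpnsettings{'DAUTH'}` is quoted.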
@@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+ $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
my @temp=();
# data-ciphers needs at least one cipher
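Review bot: $cgiparams{'DCIPHER'} is stored into %vpnsettings without checking that it is one of the ciphers offered in the new select, yet the stored value is later interpolated verbatim into the server configuration as the data-ciphers-fallback directive. The context line right after the addition shows that DATACIPHERS gets a sanity check ("data-ciphers needs at least one cipher"); add an equivalent check for DCIPHER that rejects any value outside the allowed list before it is saved, so a crafted or stale form value cannot end up in the generated config.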
@@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
- $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
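Review bot: with DCIPHER removed from the global-settings save path, this handler must load the existing settings file into %vpnsettings before writing it back, otherwise saving the global settings silently drops the DCIPHER key that only the advanced-options handler sets from now on; please confirm that the read-back happens earlier in this block (it is not visible in the hunk).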
@@ -2306,6 +2309,12 @@ else
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
}
+ # !!! With the update to version 2.6.x all new configured clients
+ # needs to be at least at OpenVPN version >= 2.5.0 cause the cipher
+ # directive is deprecated and reach his EOL with 2.7.x so only the
+ # following NCP will be used !!!
+ #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
# Data cipher negotiation
# Set seperator ':' for --data-ciphers algorithms
@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
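Review bot: rather than leaving `#print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";` commented out, delete it; dead code tends to be resurrected by a later contributor. The comment above it also needs rewording ("reach his EOL" should read "reaches its end of life", and the "!!!" markers add nothing) and should state the consequence plainly: a client.ovpn generated after this change carries no cipher line, so a client without NCP support (the 2.3.x clients the commit message mentions) will use OpenVPN's built-in default cipher instead of the server's data-ciphers-fallback value unless its existing configuration still names the same cipher.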
@@ -2684,6 +2693,26 @@ ADV_ERROR:
@temp = split('\|', $cgiparams{'DATACIPHERS'});
foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+ # Set default for data-cipher-fallback (the old --cipher directive)
+ if ($cgiparams{'DCIPHER'} eq '') {
+ $cgiparams{'DCIPHER'} = 'AES-256-CBC';
+ }
+ # All CBC ciphers are now in data-cipher-fallback section
+ $selected{'DCIPHER'}{'AES-256-CBC'} = '';
+ $selected{'DCIPHER'}{'AES-192-CBC'} = '';
+ $selected{'DCIPHER'}{'AES-128-CBC'} = '';
+ $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+ $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+ $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+ $selected{'DCIPHER'}{'SEED-CBC'} = '';
+ $selected{'DCIPHER'}{'DES-CBC'} = '';
+ $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+ $selected{'DCIPHER'}{'DESX-CBC'} = '';
+ $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
+ $selected{'DCIPHER'}{'BF-CBC'} = '';
+ $selected{'DCIPHER'}{'CAST5-CBC'} = '';
+ $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
+
if ($cgiparams{'MAX_CLIENTS'} eq '') {
$cgiparams{'MAX_CLIENTS'} = '100';
}
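Review bot: the %selected table initialises 'DES-CBC', but the select rendered in the later ADV_ERROR hunk does not offer that option, so the entry can go. Conversely, installations that saved a GCM cipher through the old global-settings select (the options removed at the end of this file) now hold a DCIPHER value for which no option exists, so the form shows nothing selected while writeserverconf still emits that value as data-ciphers-fallback; map such values to the 'AES-256-CBC' default (or reject them) instead of only defaulting the empty-string case. Minor: 'SELECTED' here versus selected='selected' for DATACIPHERS two lines above.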
@@ -2772,6 +2801,7 @@ ADV_ERROR:
<tr>
<th width="15%"></th>
<th>$Lang::tr{'ovpn data channel'}</th>
+ <th>$Lang::tr{'ovpn data channel fallback'}</th>
</tr>
</thead>
<tbody>
@@ -2785,6 +2815,23 @@ ADV_ERROR:
<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
</select>
</td>
+
+ <td class='boldbase'>
+ <select name='DCIPHER' size='6' style='width: 100%'>
+ <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+ <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+ <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+ <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+ <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+ <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+ <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+ <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+ <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+ </select>
+ </td>
</tr>
</tbody>
</table>
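Review bot: the AES-128-CBC option hard-codes "128 bit" instead of "128 $Lang::tr{'bit'}" as every other option does, the Camellia labels alternate between "Camellia-CBC" and "CAMELLIA-CBC", and the CAST5 label separates the weak-cipher hint with a comma where the other weak entries use " - "; make the labels uniform. Since size='6' on a single-select with twelve entries hides half the list, a plain dropdown would also make it obvious that exactly one fallback cipher can be chosen.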
@@ -5250,24 +5297,6 @@ END
$selected{'DPROTOCOL'}{'tcp'} = '';
$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = '';
- $selected{'DCIPHER'}{'AES-192-GCM'} = '';
- $selected{'DCIPHER'}{'AES-128-GCM'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
- $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
- $selected{'DCIPHER'}{'AES-256-CBC'} = '';
- $selected{'DCIPHER'}{'AES-192-CBC'} = '';
- $selected{'DCIPHER'}{'AES-128-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
- $selected{'DCIPHER'}{'DESX-CBC'} = '';
- $selected{'DCIPHER'}{'SEED-CBC'} = '';
- $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
- $selected{'DCIPHER'}{'CAST5-CBC'} = '';
- $selected{'DCIPHER'}{'BF-CBC'} = '';
- $selected{'DCIPHER'}{'DES-CBC'} = '';
- $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
$selected{'DAUTH'}{'whirlpool'} = '';
$selected{'DAUTH'}{'SHA512'} = '';
$selected{'DAUTH'}{'SHA384'} = '';
@@ -5391,29 +5420,6 @@ END
</select>
</td>
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
- <td><select name='DCIPHER'>
- <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
- <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
- <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
- <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
- <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
- <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
- <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
- <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
- <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
- </select>
- </td>
- </tr>
-
- <tr><td colspan='4'><br></td></tr>
- <tr>
<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
</tr>
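Review bot: removing the cipher cells, the closing </tr> and the colspan='4' spacer row means the tls-auth label and checkbox now continue the row that ends with the </td> just above them; double-check that this merged row still has the column count the global-settings table expects, otherwise the layout shifts.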
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 7c8287510..92bacc0ef 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1959,6 +1959,7 @@
'ovpn crypt options' => 'Kryptografieoptionen',
'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
'ovpn device' => 'OpenVPN-Gerät',
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'ovpn engines' => 'Krypto Engine',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index cfa826245..2f517e79c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2020,6 +2020,7 @@
'ovpn crypt options' => 'Cryptographic options',
'ovpn data encryption' => 'Data-Channel encryption',
'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
'ovpn device' => 'OpenVPN device:',
'ovpn dl' => 'OVPN-Config Download',
'ovpn engines' => 'Crypto engine',
--
2.43.0
Thread overview: 7+ messages
2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
2024-03-21 12:24 ` [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) Erik Kapfer
2024-03-21 12:24 ` Erik Kapfer [this message]
2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
2024-03-21 12:29 ` ummeegge
2024-03-21 15:14 ` Michael Tremer
2024-03-21 15:50 ` ummeegge