From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] backup(.pl): Replace OpenVPN DH parameter with ffdhe4096
Date: Sat, 17 Dec 2022 14:44:08 +0000
Message-ID: <4be3bd37-cc2d-83b7-d09a-08f4e551b488@ipfire.org>

Hello Michael,

thanks for your reply, and apologies for the belated one of mine.

> Hello Peter,
>
>> On 13 Dec 2022, at 15:47, Peter Müller wrote:
>>
>> This ensures restoring a backup won't silently bring back an insecure
>> Diffie-Hellman parameter (which could also not be inspected through the
>> web interface anymore).
>>
>> Reported-by: Michael Tremer
>> Signed-off-by: Peter Müller
>> ---
>> config/backup/backup.pl | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl
>> index 6fd9e45bb..520d9315d 100644
>> --- a/config/backup/backup.pl
>> +++ b/config/backup/backup.pl
>> @@ -187,6 +187,15 @@ restore_backup() {
>> # Update OpenVPN CRL
>> /etc/fcron.daily/openvpn-crl-updater
>>
>> + # Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
>> + if [ -f /var/ipfire/ovpn/server.conf ]; then
>> + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf
>> + fi
>> +
>> + if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then
>> + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf
>> + fi
>
> The second command will never be executed because "/var/ipfire/ovpn/n2nconf/*/*.conf" will never exist.
>
> Because the string is quoted, the shell won't conduct any path expansion.

Indeed, and even with the string not quoted, it won't work either, at least according to
https://www.shellcheck.net/wiki/SC2144. Glad you caught that, this error made it into the
update.sh script of Core Update 172 as well. :-/

> What could work is running the sed command on all files simultaneously and if there is nothing to change, it won't do anything. Passing server.conf and n2nconfig/*/*.conf will never fail if there is no N2N configuration. server.conf should always exist.

Thanks. I can confirm that

sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf /var/ipfire/ovpn/n2nconf/*/*.conf

conducts this task properly. I will update the update.sh script and take the liberty to amend this change to backup.pl straight away. I'll get back to you bilaterally for the rest of C172.

Thanks, and best regards,
Peter Müller

> Best,
> -Michael
>
>> +
>> return 0
>> }
>>
>> -- 
>> 2.35.3
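Review bot: the second guard in the hunk, `if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then`, can never be true, because the double quotes suppress pathname expansion and `[ -f ]` then tests one literal path containing `*` (ShellCheck SC2144), so the N2N configurations are never rewritten. Suggested change: drop the test and iterate over the expanded glob, e.g. `for f in /var/ipfire/ovpn/n2nconf/*/*.conf; do [ -f "$f" ] && sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' "$f"; done`, which also behaves cleanly when no N2N configuration exists, since handing an unmatched, unquoted glob straight to `sed -i` would make sed report the literal pattern as a missing file and exit non-zero.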
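As an added illustration of the quoted-glob pitfall discussed above, and not code from the patch or from IPFire, here is a POSIX shell version of the replacement step that iterates over the expanded glob instead of testing it with `-f`. It operates on a tree root passed as `$1` so it can be exercised on a constructed scratch directory; that root and the fixture contents are assumptions standing in for `/var/ipfire`, while the file names and the two DH paths are the ones from the patch.

```shell
#!/bin/sh
# Added example, not IPFire's backup.pl: rewrite the OpenVPN DH parameter path
# to ffdhe4096 in server.conf and every N2N config without the quoted-glob test.
# The tree root is passed as $1 so the functions can run on a constructed
# scratch directory (an assumption standing in for /var/ipfire).

OLD_DH='/var/ipfire/ovpn/ca/dh1024.pem'
NEW_DH='/etc/ssl/ffdhe4096.pem'

# The guard from the patch, kept only to show that it never fires: the quotes
# stop pathname expansion, so -f tests a literal path containing '*' (SC2144).
broken_n2n_check() {
    [ -f "$1/ovpn/n2nconf/*/*.conf" ]
}

# Iterate over the expanded glob and skip anything that is not a regular file,
# which also copes with a system that has no N2N configuration at all (the
# unmatched glob then stays literal and is skipped instead of reaching sed).
replace_dh_param() {
    for f in "$1/ovpn/server.conf" "$1"/ovpn/n2nconf/*/*.conf; do
        [ -f "$f" ] || continue
        sed -i "s|$OLD_DH|$NEW_DH|" "$f"
    done
}

# Number of config files under $1 that still point at the old DH file.
count_old_refs() {
    n=0
    for f in "$1/ovpn/server.conf" "$1"/ovpn/n2nconf/*/*.conf; do
        [ -f "$f" ] && grep -qF "$OLD_DH" "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed fixture: server.conf plus two N2N connections using dh1024.pem.
make_fixture() {
    mkdir -p "$1/ovpn/n2nconf/office" "$1/ovpn/n2nconf/branch"
    printf 'port 1194\ndh %s\n' "$OLD_DH" > "$1/ovpn/server.conf"
    printf 'dh %s\n' "$OLD_DH" > "$1/ovpn/n2nconf/office/office.conf"
    printf 'dh %s\n' "$OLD_DH" > "$1/ovpn/n2nconf/branch/branch.conf"
}
```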