public inbox for development@lists.ipfire.org
* [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
@ 2023-09-25 16:41 Adolf Belka
  2023-09-25 16:41 ` [PATCH 2/6] de.pl: Change language text for secure icon wording Adolf Belka
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 7635 bytes --]

- At long last I have re-visited the patch submission for bug #11048 and fixed the issues
   that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
   is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
   connection is a host and if the first password entry is a null. Then it adds no-pass
   to ovpnconfig.
- The same block of code is also used for when the connection is edited. However at this
   stage the password entry is back to null because the password value is only kept until
   the connection has been saved. Therefore doing an edit results in the password value
   being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
   the connection type is host and the password has characters. If the connection type is
   net then no-pass is used as net2net connections do not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
   certificates.
- Separate patches are provided for the language file change, the provision of a new icon
   and the code for the update.sh script for the Core Update to update all existing
   connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested
   on a vm testbed

Fixes: Bug#11048
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 31 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5afe54f55..eb89c5095 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	$confighash{$key}[39]		= $cgiparams{'DAUTH'};
 	$confighash{$key}[40]		= $cgiparams{'DCIPHER'};
 
-	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
-		$confighash{$key}[41] = "no-pass";
-	}
+       if ($confighash{$key}[41] eq "") {
+               if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+                       $confighash{$key}[41] = "no-pass";
+               } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
+                       $confighash{$key}[41] = "pass";
+               } elsif ($cgiparams{'TYPE'} eq 'net') {
+                       $confighash{$key}[41] = "no-pass";
+               }
+       }
 
    $confighash{$key}[42] = 'HOTP/T30/6';
 	$confighash{$key}[43] = $cgiparams{'OTP_STATE'};
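Review bot: The outer `if ($confighash{$key}[41] eq "")` guard only protects connections whose index 41 is already populated. A password-protected host connection saved before this change has an empty index 41, and on edit `CERT_PASS1` is empty (as the commit message describes), so the first inner branch still writes "no-pass" for it. The fix is therefore only correct once the update.sh migration from patch 6/6 has run; consider setting index 41 only in the code path that creates the connection and leaving it untouched on edit, or state the dependency in a comment here.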
@@ -5512,20 +5518,24 @@ END
 }
 
 
-    print <<END;
-	<td align='center' $col1>$active</td>
+       if ($confighash{$key}[41] eq "pass") {
+               print <<END;
+                       <td align='center' $col1>$active</td>
 
-	<form method='post' name='frm${key}a'><td align='center' $col>
-	    <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
-	    <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
-	    <input type='hidden' name='KEY' value='$key' />
-	</td></form>
+                       <form method='post' name='frm${key}a'><td align='center' $col>
+                           <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
+                                       alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
+                           <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+                           <input type='hidden' name='MODE' value='secure' />
+                           <input type='hidden' name='KEY' value='$key' />
+                       </td></form>
 END
-	;
 
-	if ($confighash{$key}[41] eq "no-pass") {
+       ; } elsif ($confighash{$key}[41] eq "no-pass") {
 		print <<END;
-			<form method='post' name='frm${key}g'><td align='center' $col>
+                       <td align='center' $col1>$active</td>
+
+                       <form method='post' name='frm${key}a'><td align='center' $col>
 				<input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
 					alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
 				<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
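Review bot: The `<td align='center' $col1>$active</td>` status cell used to be printed once, unconditionally, and is now duplicated inside the "pass" and "no-pass" branches. Print it once before the `if` and keep only the download form inside the branches; that also avoids the `; } elsif` construction after the heredoc terminator, where the leading `;` is just an empty statement. Both forms are now named `frm${key}a`, which works while the branches stay mutually exclusive but deserves a short comment.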
@@ -5533,7 +5543,7 @@ END
 				<input type='hidden' name='KEY' value='$key' />
 			</td></form>
 END
-	} else {
+	; } else {
 		print "<td $col>&nbsp;</td>";
 	}
 
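Review bot: With the status cell moved into the two branches above, the `else` branch here prints only `<td $col>&nbsp;</td>`, so a row whose index 41 is neither "pass" nor "no-pass" loses both the `$active` cell and the client package download form that every row had before this change. Any entry the migration misses would render a cell short and offer no package download; the `else` should at least print the `$active` cell, and ideally fall back to one of the two download forms.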
@@ -5609,30 +5619,33 @@ END
     # If the config file contains entries, print Key to action icons
     if ( $id ) {
     print <<END;
-    <table border='0'>
-    <tr>
+       <table width='85%' border='0'>
+       <tr>
 		<td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
-		<td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
-		<td class='base'>$Lang::tr{'click to disable'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
+              <td class='base'>$Lang::tr{'dl client arch insecure'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td>
+              <td class='base'>$Lang::tr{'dl client arch'}</td>
 		<td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
 		<td class='base'>$Lang::tr{'show certificate'}</td>
+              <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
+              <td class='base'>$Lang::tr{'show otp qrcode'}</td>
+       </tr>
+       <tr>
+              <td>&nbsp; </td>
+              <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
+              <td class='base'>$Lang::tr{'download certificate'}</td>
+              <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
+              <td class='base'>$Lang::tr{'click to enable'}</td>
+              <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+              <td class='base'>$Lang::tr{'click to disable'}</td>		
+
 		<td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
 		<td class='base'>$Lang::tr{'edit'}</td>
 		<td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
 		<td class='base'>$Lang::tr{'remove'}</td>
-    </tr>
-    <tr>
-		<td>&nbsp; </td>
-		<td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
-		<td class='base'>$Lang::tr{'click to enable'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
-		<td class='base'>$Lang::tr{'download certificate'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
-		<td class='base'>$Lang::tr{'dl client arch'}</td>
-		<td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
-		<td class='base'>$Lang::tr{'show otp qrcode'}</td>
-		</tr>
-    </table><br>
+       </tr>
+       </table><br>
 END
     ;
     }
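Review bot: Both new legend icons carry `alt='?RELOAD'`, the placeholder from the removed `openvpn.png` entry, so the encrypted and unencrypted download icons cannot be told apart by anyone relying on alt text. Use the strings printed next to them, `$Lang::tr{'dl client arch insecure'}` and `$Lang::tr{'dl client arch'}`, the way the `info.gif` and `qr-code.png` entries do. The added `click to disable` line also ends in trailing whitespace, and the new rows mix space indentation with the tabs of the unchanged lines.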
-- 
2.42.0



* [PATCH 2/6] de.pl: Change language text for secure icon wording
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
@ 2023-09-25 16:41 ` Adolf Belka
  2023-09-25 16:41 ` [PATCH 3/6] en.pl: " Adolf Belka
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 867 bytes --]

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 langs/de/cgi-bin/de.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 0c2f1af53..140806130 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -818,7 +818,7 @@
 'display hostname in window title' => 'Hostname im Fenstertitel anzeigen',
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
-'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch' => 'Verschlüsseltes Client Paket herunterladen (zip)',
 'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
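Review bot: The new string writes `Client Paket` as two words while the next entry, `dl client arch insecure`, uses the hyphenated `Client-Paket`. Use `Verschlüsseltes Client-Paket herunterladen (zip)` so the two tooltips match.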
-- 
2.42.0



* [PATCH 3/6] en.pl: Change language text for secure icon wording
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  2023-09-25 16:41 ` [PATCH 2/6] de.pl: Change language text for secure icon wording Adolf Belka
@ 2023-09-25 16:41 ` Adolf Belka
  2023-09-25 16:41 ` [PATCH 4/6] nl.pl: " Adolf Belka
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 793 bytes --]

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 langs/en/cgi-bin/en.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 90d6f7739..7bbf7cd32 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,7 +859,7 @@
 'display hostname in window title' => 'Display hostname in window title',
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
-'dl client arch' => 'Download Client Package (zip)',
+'dl client arch' => 'Download Encrypted Client Package (zip)',
 'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
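Review bot: The new string capitalises `Encrypted` while the neighbouring `dl client arch insecure` entry keeps `insecure` in lower case, and the pair now contrasts "Encrypted" with "insecure" rather than with "unencrypted". The two strings are shown side by side in the legend, so align the capitalisation and consider wording both in terms of what index 41 records, whether the certificate is password-protected or not.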
-- 
2.42.0



* [PATCH 4/6] nl.pl: Change language text for secure icon wording
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  2023-09-25 16:41 ` [PATCH 2/6] de.pl: Change language text for secure icon wording Adolf Belka
  2023-09-25 16:41 ` [PATCH 3/6] en.pl: " Adolf Belka
@ 2023-09-25 16:41 ` Adolf Belka
  2023-09-25 16:41 ` [PATCH 5/6] web-user-interface: Addition of new icon for secure connection certificate download Adolf Belka
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 langs/nl/cgi-bin/nl.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 4da924a74..898d42d28 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -731,7 +731,8 @@
 'display hostname in window title' => 'Toon hostnaam in venstertitel',
 'display traffic at home' => 'Toon netwerkverkeer op startpagina',
 'display webinterface effects' => 'Activeer effecten',
-'dl client arch' => 'Download clientpakket (zip)',
+'dl client arch' => 'Download versleuteld clientpakket (zip)',
+'dl client arch insecure' => 'Download onveilig clientpakket (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuratie',
 'dmz pinhole rule added' => 'DMZ pinhole regel toegevoegd; DMZ regel wordt herstart.',
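Review bot: The second added line introduces the `dl client arch insecure` key, which is a new translation rather than a wording change, and neither the subject nor the empty commit body mentions it. Add a line to the commit message so the new key is not overlooked when the language files are reviewed.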
-- 
2.42.0



* [PATCH 5/6] web-user-interface: Addition of new icon for secure connection certificate download
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
                   ` (2 preceding siblings ...)
  2023-09-25 16:41 ` [PATCH 4/6] nl.pl: " Adolf Belka
@ 2023-09-25 16:41 ` Adolf Belka
  2023-09-25 16:41 ` [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass Adolf Belka
  2023-09-27  8:20 ` [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  5 siblings, 0 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 8182 bytes --]

- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
   This library is free software; you can redistribute it and/or modify it under the terms
   of the GNU Lesser General Public License as published by the Free Software Foundation;
   either version 2.1 of the License, or (at your option) any later version. This library
   is distributed in the hope that it will be useful, but without any warranty; without
   even the implied warranty of merchantability or fitness for a particular purpose. See
   version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
   Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
   padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/common/web-user-interface |   1 +
 html/html/images/openvpn_encrypted.png     | Bin 0 -> 7004 bytes
 2 files changed, 1 insertion(+)
 create mode 100644 html/html/images/openvpn_encrypted.png

diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index 52f879d35..6c2a40cc2 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -235,6 +235,7 @@ srv/web/ipfire/html/images/off.gif
 srv/web/ipfire/html/images/on.gif
 srv/web/ipfire/html/images/openvpn.gif
 srv/web/ipfire/html/images/openvpn.png
+srv/web/ipfire/html/images/openvpn_encrypted.png
 srv/web/ipfire/html/images/package-x-generic.png
 srv/web/ipfire/html/images/printer-error.png
 srv/web/ipfire/html/images/printer.png
diff --git a/html/html/images/openvpn_encrypted.png b/html/html/images/openvpn_encrypted.png
new file mode 100644
index 0000000000000000000000000000000000000000..873c6c46113df0b973022c9c0f3a01cba19c0fbd
GIT binary patch
literal 7004

literal 0
HcmV?d00001

-- 
2.42.0



* [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
                   ` (3 preceding siblings ...)
  2023-09-25 16:41 ` [PATCH 5/6] web-user-interface: Addition of new icon for secure connection certificate download Adolf Belka
@ 2023-09-25 16:41 ` Adolf Belka
  2023-09-27  8:20 ` [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
  5 siblings, 0 replies; 8+ messages in thread
From: Adolf Belka @ 2023-09-25 16:41 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 3678 bytes --]

- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
   If a password is present then pass is added to index 41 and if not then no-pass is added
   to index 41
- I had to add a blank line to the top of the ovpnconfig file otherwise the awk code
   treated the first line as a blank line and missed it out of the update. This was the
   problem that was discovered during the previous Testing Release evaluation.
   Tested out this time with several existing entries both encrypted and insecure and with
   additional entries of both added in afterwards and all connection entries were
   maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update
   with Core Update 175 but leave it till later. This code works fine on code that already
   has pass or no-pass entered into index 41 in ovpnconfig

Fixes: Bug#11048
Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/core/180/update.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/config/rootfiles/core/180/update.sh b/config/rootfiles/core/180/update.sh
index b538832bf..1f74e2f98 100644
--- a/config/rootfiles/core/180/update.sh
+++ b/config/rootfiles/core/180/update.sh
@@ -65,6 +65,33 @@ fi
 /etc/rc.d/init.d/udev restart
 /etc/rc.d/init.d/suricata restart
 
+## Modify ovpnconfig according to bug 11048 for pass, no-pass modification in ovpnconfig index
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+       # Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
+       awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
+
+       # Make all N2N connections 'no-pass' since they do not use encryption
+       awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+
+       # Evaluate roadwarrior connection names for *.p12 files
+       for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+           # Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
+               if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then
+                       awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+               fi
+           # Sort all encrypted roadwarriors out and set 'pass' in [43] index
+               if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error')  ]]; then
+                       awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
+               fi
+       done
+fi
+
+# Replace existing ovpnconfig with updated index
+mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
+# Set correct ownership
+chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
+
 # This update needs a reboot...
 #touch /var/run/need_reboot
 
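Review bot: Inside the `for` loop a roadwarrior line is copied to `ovpnconfig.new` only when the openssl output contains `Encrypted data` or `verify error`, so a connection whose `.p12` file is missing, or whose output matches neither string, is dropped from the configuration when the final `mv` replaces `ovpnconfig`. Write every input line to the new file and change only field 43, leaving the field as it is when the check is inconclusive. The `mv` and `chown` also sit after the closing `fi`, so they run (and fail) when `ovpnconfig` is absent or empty, and `>>` appends to any `ovpnconfig.new` left over from an earlier run; move them inside the `if` and start from an empty file. The blank-line workaround should not be needed if the separators are set before the first record is read: `{FS=OFS=","}` in a main action only takes effect from the second record, whereas `BEGIN{FS=OFS=","}` applies to the first. Smaller points: `/host/` matches the word anywhere on a line where `$5=="host"` would mirror the `net` test, `${y}` is unquoted in the certificate path, and the comments say index [43] while the commit message says index 41.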
-- 
2.42.0



* Re: [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
  2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
                   ` (4 preceding siblings ...)
  2023-09-25 16:41 ` [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass Adolf Belka
@ 2023-09-27  8:20 ` Adolf Belka
  2023-09-28  9:38   ` Michael Tremer
  5 siblings, 1 reply; 8+ messages in thread
From: Adolf Belka @ 2023-09-27  8:20 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 8557 bytes --]

Hi All,

Yesterday I submitted this updated patch set for bug#11048 (better late than never).

One of the patches is adding update code for the fix to the update.sh script in Core Update 180, as that was still the version in next.

As CU180 has now been released for Testing, then that update code will likely need to be in the update.sh script for CU181.


Do I need to resubmit a v2 version of my patch set, once next has been updated to CU181, or can the patch set still be merged without problems as it is?


Regards,

Adolf


On 25/09/2023 18:41, Adolf Belka wrote:
> - At long last I have re-visited the patch submission for bug #11048 and fixed the issues
>     that caused the problems last time I evaluated it in Testing.
> - The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
>     is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
>     connection is a host and if the first password entry is a null. Then it adds no-pass
>     to ovpnconfig.
> - The same block of code is also used for when the connection is edited. However at this
>     stage the password entry is back to null because the password value is only kept until
>     the connection has been saved. Therefore doing an edit results in the password value
>     being taken as null even for connections with a password.
> - This fix enters no-pass if the connection type is host and the password is null, pass if
>     the connection type is host and the password has characters. If the connection type is
>     net then no-pass is used as net2net connections do not have encrypted certificates.
> - The code has been changed to show a different icon for unencrypted and encrypted
>     certificates.
> - Separate patches are provided for the language file change, the provision of a new icon
>     and the code for the update.sh script for the Core Update to update all existing
>     connections, if any exist, to have either pass or no-pass in index 41.
> - This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
> - Patch set, including the code for the Core Update 180 update.sh script has been tested
>     on a vm testbed
> 
> Fixes: Bug#11048
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>   html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++----------------
>   1 file changed, 44 insertions(+), 31 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 5afe54f55..eb89c5095 100755
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
>   	$confighash{$key}[39]		= $cgiparams{'DAUTH'};
>   	$confighash{$key}[40]		= $cgiparams{'DCIPHER'};
>   
> -	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
> -		$confighash{$key}[41] = "no-pass";
> -	}
> +       if ($confighash{$key}[41] eq "") {
> +               if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
> +                       $confighash{$key}[41] = "no-pass";
> +               } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
> +                       $confighash{$key}[41] = "pass";
> +               } elsif ($cgiparams{'TYPE'} eq 'net') {
> +                       $confighash{$key}[41] = "no-pass";
> +               }
> +       }
>   
>      $confighash{$key}[42] = 'HOTP/T30/6';
>   	$confighash{$key}[43] = $cgiparams{'OTP_STATE'};
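Review bot: The added block is indented with spaces while the neighbouring assignments to indexes 39, 40 and 43 use tabs; please re-indent it with tabs. The two `host` branches also repeat the `$cgiparams{'TYPE'} eq 'host'` test and two of the three branches assign the same value, so, assuming only host and net types reach this code, the block reduces to writing "pass" when TYPE is host and `CERT_PASS1` is non-empty and "no-pass" otherwise.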
> @@ -5512,20 +5518,24 @@ END
>   }
>   
>   
> -    print <<END;
> -	<td align='center' $col1>$active</td>
> +       if ($confighash{$key}[41] eq "pass") {
> +               print <<END;
> +                       <td align='center' $col1>$active</td>
>   
> -	<form method='post' name='frm${key}a'><td align='center' $col>
> -	    <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
> -	    <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
> -	    <input type='hidden' name='KEY' value='$key' />
> -	</td></form>
> +                       <form method='post' name='frm${key}a'><td align='center' $col>
> +                           <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
> +                                       alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
> +                           <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
> +                           <input type='hidden' name='MODE' value='secure' />
> +                           <input type='hidden' name='KEY' value='$key' />
> +                       </td></form>
>   END
> -	;
>   
> -	if ($confighash{$key}[41] eq "no-pass") {
> +       ; } elsif ($confighash{$key}[41] eq "no-pass") {
>   		print <<END;
> -			<form method='post' name='frm${key}g'><td align='center' $col>
> +                       <td align='center' $col1>$active</td>
> +
> +                       <form method='post' name='frm${key}a'><td align='center' $col>
>   				<input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
>   					alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
>   				<input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
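Review bot: The new hidden field `MODE` with value `secure` in the pass branch is client-supplied, so the code that handles the download ACTION should choose between the encrypted and unencrypted package from the stored index 41 for `$key`, not from the posted MODE. That handler is not part of this hunk, so please confirm it does. As a style point, `print <<END;` already terminates the statement, so the `;` in `; } elsif` after the heredoc terminator is an empty statement; a plain `} elsif (...) {` reads more clearly.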
> @@ -5533,7 +5543,7 @@ END
>   				<input type='hidden' name='KEY' value='$key' />
>   			</td></form>
>   END
> -	} else {
> +	; } else {
>   		print "<td $col>&nbsp;</td>";
>   	}
>   
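Review bot: The `else` branch here prints only the blank cell, while the pass and no-pass branches now each print the `$active` cell first, so a row whose index 41 holds neither value comes out without its status cell. Printing `<td align='center' $col1>$active</td>` once before the if/elsif/else, as the removed code did, fixes that and removes the duplicated line. The `;` in `; } else {` is an empty statement and can be dropped.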
> @@ -5609,30 +5619,33 @@ END
>       # If the config file contains entries, print Key to action icons
>       if ( $id ) {
>       print <<END;
> -    <table border='0'>
> -    <tr>
> +       <table width='85%' border='0'>
> +       <tr>
>   		<td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
> -		<td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
> -		<td class='base'>$Lang::tr{'click to disable'}</td>
> +              <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
> +              <td class='base'>$Lang::tr{'dl client arch insecure'}</td>
> +              <td>&nbsp; &nbsp; <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td>
> +              <td class='base'>$Lang::tr{'dl client arch'}</td>
>   		<td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
>   		<td class='base'>$Lang::tr{'show certificate'}</td>
> +              <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
> +              <td class='base'>$Lang::tr{'show otp qrcode'}</td>
> +       </tr>
> +       <tr>
> +              <td>&nbsp; </td>
> +              <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
> +              <td class='base'>$Lang::tr{'download certificate'}</td>
> +              <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
> +              <td class='base'>$Lang::tr{'click to enable'}</td>
> +              <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
> +              <td class='base'>$Lang::tr{'click to disable'}</td>		
> +
>   		<td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
>   		<td class='base'>$Lang::tr{'edit'}</td>
>   		<td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
>   		<td class='base'>$Lang::tr{'remove'}</td>
> -    </tr>
> -    <tr>
> -		<td>&nbsp; </td>
> -		<td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
> -		<td class='base'>$Lang::tr{'click to enable'}</td>
> -		<td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
> -		<td class='base'>$Lang::tr{'download certificate'}</td>
> -		<td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
> -		<td class='base'>$Lang::tr{'dl client arch'}</td>
> -		<td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
> -		<td class='base'>$Lang::tr{'show otp qrcode'}</td>
> -		</tr>
> -    </table><br>
> +       </tr>
> +       </table><br>
>   END
>       ;
>       }
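Review bot: Both new legend icons, `openvpn.png` and `openvpn_encrypted.png`, carry the same placeholder alt text `?RELOAD`, so the two download variants cannot be told apart without the image. Using `$Lang::tr{'dl client arch insecure'}` and `$Lang::tr{'dl client arch'}` as the alt values, as the neighbouring cells do with their own strings, would fix that. The second row now has eleven cells against nine in the first, the added `click to disable` line has trailing whitespace and is followed by an empty added line, and the new lines are indented with spaces where the surrounding context uses tabs.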


* Re: [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
  2023-09-27  8:20 ` [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
@ 2023-09-28  9:38   ` Michael Tremer
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Tremer @ 2023-09-28  9:38 UTC (permalink / raw)
  To: development


Hello Adolf,

No problem. I took care of this when merging the patchset.

-Michael

> On 27 Sep 2023, at 09:20, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi All,
> 
> Yesterday I submitted this updated patch set for bug#11048 (better late than never).
> 
> One of the patches is adding update code for the fix to the update.sh script in Core Update 180, as that was still the version in next.
> 
> As CU180 has now been released for Testing, then that update code will likely need to be in the update.sh script for CU181.
> 
> 
> Do I need to resubmit a v2 version of my patch set, once next has been updated to CU181, or can the patch set still be merged without problems as it is?
> 
> 
> Regards,
> 
> Adolf
> 
> 
> On 25/09/2023 18:41, Adolf Belka wrote:
>> - At long last I have re-visited the patch submission for bug #11048 and fixed the issues
>>    that caused the problems last time I evaluated it in Testing.
>> - The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
>>    is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
>>    connection is a host and if the first password entry is a null. Then it adds no-pass
>>    to ovpnconfig.
>> - The same block of code is also used for when the connection is edited. However at this
>>    stage the password entry is back to null because the password value is only kept until
>>    the connection has been saved. Therefore doing an edit results in the password value
>>    being taken as null even for connections with a password.
>> - This fix enters no-pass if the connection type is host and the password is null, pass if
>>    the connection type is host and the password has characters. If the connection type is
>>    net then no-pass is used as net2net connections do not have encrypted certificates.
>> - The code has been changed to show a different icon for unencrypted and encrypted
>>    certificates.
>> - Separate patches are provided for the language file change, the provision of a new icon
>>    and the code for the update.sh script for the Core Update to update all existing
>>    connections, if any exist, to have either pass or no-pass in index 41.
>> - This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
>> - Patch set, including the code for the Core Update 180 update.sh script has been tested
>>    on a vm testbed
>> Fixes: Bug#11048
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Suggested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Suggested-by: Erik Kapfer <ummeegge(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>  html/cgi-bin/ovpnmain.cgi | 75 +++++++++++++++++++++++----------------
>>  1 file changed, 44 insertions(+), 31 deletions(-)
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index 5afe54f55..eb89c5095 100755
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -4370,9 +4370,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>   $confighash{$key}[39] = $cgiparams{'DAUTH'};
>>   $confighash{$key}[40] = $cgiparams{'DCIPHER'};
>>  - if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
>> - $confighash{$key}[41] = "no-pass";
>> - }
>> +       if ($confighash{$key}[41] eq "") {
>> +               if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
>> +                       $confighash{$key}[41] = "no-pass";
>> +               } elsif (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} ne "")) {
>> +                       $confighash{$key}[41] = "pass";
>> +               } elsif ($cgiparams{'TYPE'} eq 'net') {
>> +                       $confighash{$key}[41] = "no-pass";
>> +               }
>> +       }
>>       $confighash{$key}[42] = 'HOTP/T30/6';
>>   $confighash{$key}[43] = $cgiparams{'OTP_STATE'};
>> @@ -5512,20 +5518,24 @@ END
>>  }
>>    -    print <<END;
>> - <td align='center' $col1>$active</td>
>> +       if ($confighash{$key}[41] eq "pass") {
>> +               print <<END;
>> +                       <td align='center' $col1>$active</td>
>>  - <form method='post' name='frm${key}a'><td align='center' $col>
>> -    <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
>> -    <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
>> -    <input type='hidden' name='KEY' value='$key' />
>> - </td></form>
>> +                       <form method='post' name='frm${key}a'><td align='center' $col>
>> +                           <input type='image'  name='$Lang::tr{'dl client arch'}' src='/images/openvpn_encrypted.png'
>> +                                       alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
>> +                           <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
>> +                           <input type='hidden' name='MODE' value='secure' />
>> +                           <input type='hidden' name='KEY' value='$key' />
>> +                       </td></form>
>>  END
>> - ;
>>  - if ($confighash{$key}[41] eq "no-pass") {
>> +       ; } elsif ($confighash{$key}[41] eq "no-pass") {
>>   print <<END;
>> - <form method='post' name='frm${key}g'><td align='center' $col>
>> +                       <td align='center' $col1>$active</td>
>> +
>> +                       <form method='post' name='frm${key}a'><td align='center' $col>
>>   <input type='image'  name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
>>   alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
>>   <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
>> @@ -5533,7 +5543,7 @@ END
>>   <input type='hidden' name='KEY' value='$key' />
>>   </td></form>
>>  END
>> - } else {
>> + ; } else {
>>   print "<td $col>&nbsp;</td>";
>>   }
>>  @@ -5609,30 +5619,33 @@ END
>>      # If the config file contains entries, print Key to action icons
>>      if ( $id ) {
>>      print <<END;
>> -    <table border='0'>
>> -    <tr>
>> +       <table width='85%' border='0'>
>> +       <tr>
>>   <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
>> - <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
>> - <td class='base'>$Lang::tr{'click to disable'}</td>
>> +              <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
>> +              <td class='base'>$Lang::tr{'dl client arch insecure'}</td>
>> +              <td>&nbsp; &nbsp; <img src='/images/openvpn_encrypted.png' alt='?RELOAD'/></td>
>> +              <td class='base'>$Lang::tr{'dl client arch'}</td>
>>   <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
>>   <td class='base'>$Lang::tr{'show certificate'}</td>
>> +              <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
>> +              <td class='base'>$Lang::tr{'show otp qrcode'}</td>
>> +       </tr>
>> +       <tr>
>> +              <td>&nbsp; </td>
>> +              <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
>> +              <td class='base'>$Lang::tr{'download certificate'}</td>
>> +              <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
>> +              <td class='base'>$Lang::tr{'click to enable'}</td>
>> +              <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
>> +              <td class='base'>$Lang::tr{'click to disable'}</td> 
>> +
>>   <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
>>   <td class='base'>$Lang::tr{'edit'}</td>
>>   <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
>>   <td class='base'>$Lang::tr{'remove'}</td>
>> -    </tr>
>> -    <tr>
>> - <td>&nbsp; </td>
>> - <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
>> - <td class='base'>$Lang::tr{'click to enable'}</td>
>> - <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
>> - <td class='base'>$Lang::tr{'download certificate'}</td>
>> - <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
>> - <td class='base'>$Lang::tr{'dl client arch'}</td>
>> - <td>&nbsp; &nbsp; <img src='/images/qr-code.png' alt='$Lang::tr{'show otp qrcode'}'/></td>
>> - <td class='base'>$Lang::tr{'show otp qrcode'}</td>
>> - </tr>
>> -    </table><br>
>> +       </tr>
>> +       </table><br>
>>  END
>>      ;
>>      }



Thread overview: 8+ messages
2023-09-25 16:41 [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
2023-09-25 16:41 ` [PATCH 2/6] de.pl: Change language text for secure icon wording Adolf Belka
2023-09-25 16:41 ` [PATCH 3/6] en.pl: " Adolf Belka
2023-09-25 16:41 ` [PATCH 4/6] nl.pl: " Adolf Belka
2023-09-25 16:41 ` [PATCH 5/6] web-user-interface: Addition of new icon for secure connection certificate download Adolf Belka
2023-09-25 16:41 ` [PATCH 6/6] update.sh: Adds code to update an existing ovpnconfig with pass or no-pass Adolf Belka
2023-09-27  8:20 ` [PATCH 1/6] ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password Adolf Belka
2023-09-28  9:38   ` Michael Tremer
