From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] backup.pl: Remove the previous code for adding legacy provider to n2n
Date: Sun, 11 Jun 2023 17:29:41 +0100
Message-ID: <9209325E-0CC1-46B1-A79D-1DB17F23DBDE@ipfire.org>

Thanks for confirming.

I will schedule the release for tomorrow then as there haven’t been any issues any more.

Thanks to everyone who helped to *finally* get this over the line and I will keep my fingers crossed that we found all issues.

Best,
-Michael

> On 11 Jun 2023, at 14:17, Adolf Belka wrote:
>
> Hi Michael,
>
>> On 10/06/2023 13:28, Michael Tremer wrote:
>> Hello,
>>>> On 10 Jun 2023, at 12:16, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> On 10/06/2023 12:16, Michael Tremer wrote:
>>>> I did not merge this, as I believe we need this, because:
>>>> We won’t rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed.
>>> The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not.
>>>
>>> With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets.
>> Yes, this is true, but we won’t run the CGI during the update.
>> Any connections that have legacy certificates won’t work after installing the new version of OpenSSL. So we need the legacy provider enabled (just to be safe).
>
> Okay, understand where you are coming from. Good catch.
>
> I have also now tested out an n2n connection created with openssl-3.x with and without the providers legacy default line in the client conf.
> Can confirm that it works in both cases, so having the legacy line added does not cause any problems with the openssl-3.x n2n client connection working.
>
>>>> That should work I believe and -legacy should not have any side effects when enabled but not needed.
>>> That is something I have not tested out but I think you are correct, it shouldn't have any side effects.
>>>
>>> I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here for ever.
>> I would rather like to get it right than being fast, but at this point I don’t know what else we can do. So *fingers crossed*.
>> Let’s release either tomorrow or Monday. Depending on how much I am going to enjoy the nice weather this weekend :)
>
> Enjoy the nice weather.
>
> Regards,
> Adolf.
>
>> -Michael
>>>
>>> Regards,
>>>
>>> Adolf.
>>>> Best,
>>>> -Michael
>>>>> On 7 Jun 2023, at 15:21, Adolf Belka wrote:
>>>>>
>>>>> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set.
>>>>>
>>>>> Tested-by: Adolf Belka
>>>>> Signed-off-by: Adolf Belka
>>>>> --- >>>>> config/backup/backup.pl | 15 --------------- >>>>> 1 file changed, 15 deletions(-) >>>>>=20 >>>>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl >>>>> index 8d990c0f1..60138a58a 100644 >>>>> --- a/config/backup/backup.pl >>>>> +++ b/config/backup/backup.pl
>>>>> @@ -190,21 +190,6 @@ restore_backup() { >>>>> # Update OpenVPN CRL >>>>> /etc/fcron.daily/openvpn-crl-updater >>>>>=20 >>>>> - # Update OpenVPN N2N Client Configs >>>>> - ## Add providers legacy default line to n2n client config files >>>>> - # Check if ovpnconfig exists and is not empty >>>>> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then >>>>> - # Identify all n2n connections >>>>> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpn= config); do >>>>> - # Add the legacy option to all N2N client conf files if it = does not already exist >>>>> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}= /${y}.conf) -eq 1 ] ; then >>>>> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${= y}/${y}.conf) -eq 0 ] ; then >>>>> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}= .conf >>>>> - fi >>>>> - fi >>>>> - done >>>>> - fi >>>>> - >>>>> return 0 >>>>> } >>>>>=20 >>>>> --=20 >>>>> 2.40.1 >>>>>=20 >>>=20 >>> --=20 >>> Sent from my laptop --===============7315973462322117290==--
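Review bot: deleting the whole "Update OpenVPN N2N Client Configs" block from restore_backup() leaves no step on the restore path that adds "providers legacy default" to N2N client configs coming back from an older backup, because the ovpnmain.cgi change described in this thread only writes the line when a connection set is downloaded. Consider keeping the block, or narrowing it to connections whose certificate is legacy, instead of removing it outright. If it stays, the two "[ $(grep -c ...) -eq N ]" tests would be more robust as "grep -q" checks with the path quoted, since the unquoted command substitution leaves the test with an empty operand when a ${y}.conf file is missing.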