From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3] OpenVPN: Update to version 2.4.4
Date: Tue, 30 Jan 2018 16:09:44 +0100 [thread overview]
Message-ID: <B0185CAD-8FEA-4818-AC88-B52DF7BDF70E@ipfire.org> (raw)
In-Reply-To: <1517226843.2586.40.camel@ipfire.org>
Hi Michael,
Yes, I can send them one by one in the order you have listed, so I can amend them if needed. I hope I can start on it in the evening.
Greetings,
Erik
On 29.01.2018 at 12:54, Michael Tremer wrote:
> Hi,
>
> this is a very big patch. We need to break it down into many, many smaller ones,
> because this is hard to review. I have comments on many of them and I think that
> we can already ship some changes (like the weak ciphers), but not others. A huge
> patch won't allow us to merge parts into different branches.
>
> So I would propose to take this apart into:
>
> a) The update of the OpenVPN package (i.e. lfs/openvpn) and rootfile
> b) The script that updates the CRL
> c) The markings of weak ciphers
> d) Making the CGI ready for OpenVPN 2.4
>
> Would you be able to split this?
>
> Best,
> -Michael
>
> On Sun, 2018-01-28 at 11:51 +0100, Erik Kapfer wrote:
>> ovpnmain.cgi includes the new directive '--ncp-disable' to disable the
>> cipher negotiation for now.
>> The script-security flag 'system' has been dropped because of security concerns.
>> Directive changes/explanations can be found here:
>> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>>
>> Added the new AES-GCM cipher with 128, 192 and 256 bit.
>>
>> The DH parameter with 1024 bit has been marked as 'weak'.
>> All 64 bit block ciphers (DES, BF and CAST5) have also been marked as
>> 'weak'.
>>
>> An update script for the OpenVPN CRL has been integrated since OpenVPN refactored
>> the CRL handling in v2.4.0.
>> The script checks the next update field of the CRL and performs an update
>> two days before it expires.
>> The script is placed under fcron.daily for daily checks.
>> The OpenVPN changes can be found here:
>> https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
>>
>> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>> ---
>> config/ovpn/ovpn_crl_updater.sh | 53
>> +++++++++++++++++++++++++++++++++++++++++
>> config/rootfiles/common/openvpn | 5 +++-
>> html/cgi-bin/ovpnmain.cgi | 37 ++++++++++++++++++----------
>> lfs/openvpn | 11 ++++++---
>> 4 files changed, 90 insertions(+), 16 deletions(-)
>> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>>
>> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
>> new file mode 100644
>> index 0000000..309edc2
>> --- /dev/null
>> +++ b/config/ovpn/ovpn_crl_updater.sh
>> @@ -0,0 +1,53 @@
>> +#!/bin/bash
>> +
>> +#
>> +# Script Name: ovpn_crl_updater.sh
>> +# Description: This script checks the "Next Update:" field of the CRL and
>> renews it if needed,
>> +# which prevents the expiration of OpenVPNs CRL.
>> +# With OpenVPN 2.4.x the CRL handling has been refactored,
>> +# whereby the verification logic has been removed from
>> ssl_verify_<backend>.c .
>> +# See for more infos:
>> +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345292
>> 9e07016a336
>> +#
>> +# Run Information: If OpenVPNs CRL is presant,
>> +# this script provides a cronjob which checks daily if an update of the
>> CRL is needed.
>> +# If the expiring date reaches the value (defined in the 'UPDATE'
>> variable in days)
>> +# before the CRL expiration, an openssl command will be executed to renew
>> the CRL.
>> +# The renewing of the CRL will be logged into /var/log/messages.
>> +#
>> +# Author: Erik Kapfer
>> +#
>> +# Date: 17.01.2018
>> +#
>> +#############################################################################
>> ##################
>> +
>> +# Check if OpenVPN is active or if the CRL is presant
>> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
>> + exit 0;
>> +fi
>> +
>> +## Paths
>> +OVPN="/var/ipfire/ovpn";
>> +CRL="${OVPN}/crls/cacrl.pem";
>> +CAKEY="${OVPN}/ca/cakey.pem";
>> +CACERT="${OVPN}/ca/cacert.pem";
>> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
>> +## Values
>> +# CRL check for the the 'Next Update:' in seconds
>> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP
>> 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
>> +# Day in seconds to calculate
>> +DAYINSEC="86400";
>> +# Convert seconds to days
>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>> +# Update of the CRL in days before CRL expiring date
>> +UPDATE="2";
>> +
>> +# Check if OpenVPNs CRL needs to be renewed
>> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
>> + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
>> "${CRL}" -config "${OPENSSLCONF}";
>> + logger -t openssl "OpenVPN CRL has been renewed";
>> +fi
>> +
>> +exit 0
>> +
>> +# EOF
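Review bot: the success line `logger -t openssl "OpenVPN CRL has been renewed"` runs even when `openssl ca -gencrl` fails (a passphrase-protected CA key, for instance, would block on a tty prompt under cron), and since `-out "${CRL}"` writes straight to the live file, a failed run can leave OpenVPN with an empty or truncated CRL, which then rejects every client. Generate into a temporary file, test the exit status, and only then `mv` it over `${CRL}`; log a failure line too. The date arithmetic has the same weakness: if `openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*'` produces nothing, `date -d ""` is evaluated on an empty string (GNU date treats that as today), `NEXTUPDATE` drops to 0 and the script silently regenerates a CRL it could not parse. `openssl crl -in "${CRL}" -noout -nextupdate` gives the same field in a stable `nextUpdate=...` form and a non-zero exit status on error. Two smaller points: the comment above the first test says it checks whether OpenVPN is active, but only the existence of cacrl.pem is checked; and no `-crldays` is passed, so the validity of the regenerated CRL comes from `default_crl_days` in ovpn.cnf, which the header comment should say, because the two-day threshold only makes sense relative to that value.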
>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>> index b58e30c..cbfd03e 100644
>> --- a/config/rootfiles/common/openvpn
>> +++ b/config/rootfiles/common/openvpn
>> @@ -1,3 +1,5 @@
>> +etc/fcron.daily/ovpn_crl_updater.sh
>> +#usr/include/openvpn-msg.h
>> #usr/include/openvpn-plugin.h
>> #usr/lib/openvpn
>> #usr/lib/openvpn/plugins
>> @@ -10,11 +12,12 @@ usr/sbin/openvpn
>> #usr/share/doc/openvpn
>> #usr/share/doc/openvpn/COPYING
>> #usr/share/doc/openvpn/COPYRIGHT.GPL
>> +#usr/share/doc/openvpn/Changes.rst
>> #usr/share/doc/openvpn/README
>> #usr/share/doc/openvpn/README.IPv6
>> #usr/share/doc/openvpn/README.auth-pam
>> #usr/share/doc/openvpn/README.down-root
>> -#usr/share/doc/openvpn/README.polarssl
>> +#usr/share/doc/openvpn/README.mbedtls
>> #usr/share/doc/openvpn/management-notes.txt
>> #usr/share/man/man8/openvpn.8
>> var/ipfire/ovpn/ca
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index 9f5e682..8e5d1ae 100644
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -216,7 +216,7 @@ sub writeserverconf {
>> print CONF "dev tun\n";
>> print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
>> print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
>> - print CONF "script-security 3 system\n";
>> + print CONF "script-security 3\n";
>> print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
>> 3600\n";
>> print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
>> print CONF "tls-server\n";
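Review bot: dropping the `system` method is the right move (it was the variant that handed the command line to a shell, which is the security concern the commit message refers to), but level 3 is kept without a comment saying why. Level 3 is what lets OpenVPN pass client passwords to scripts through environment variables; if the only hook in use is the `verify` script installed under /usr/lib/openvpn (see lfs/openvpn), level 2 is sufficient. Please either lower it or add a one-line comment next to this print stating which script needs level 3, so the reason is not lost again.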
>> @@ -289,6 +289,7 @@ sub writeserverconf {
>> }
>> print CONF "status-version 1\n";
>> print CONF "status /var/run/ovpnserver.log 30\n";
>> + print CONF "ncp-disable\n";
>> print CONF "cipher $sovpnsettings{DCIPHER}\n";
>> if ($sovpnsettings{'DAUTH'} eq '') {
>> print CONF "";
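Review bot: `ncp-disable` is written unconditionally and without a comment, and it changes the meaning of the AES-GCM entries added further down: with negotiation off, the server never pushes a cipher, so a 2.4 client whose profile still says `cipher AES-256-CBC` cannot move to GCM, and every client profile must carry exactly the cipher selected here or the data channel fails. That is a defensible migration step (it keeps 2.3 clients working and avoids a silent server-side cipher change), but it belongs in a comment here and in the commit message, and a follow-up should offer `ncp-ciphers` with a GCM list once clients are on 2.4. Also, `cipher $sovpnsettings{DCIPHER}` is printed with no fallback, so an empty DCIPHER produces a bare `cipher` line that OpenVPN refuses to start with.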
>> @@ -2002,7 +2003,7 @@ END
>> </select></td>
>> <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
>> <td class='base'><select name='DHLENGHT'>
>> - <option value='1024'
>> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
>> + <option value='1024'
>> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
>> weak'})</option>
>> <option value='2048'
>> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>> <option value='3072'
>> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>> <option value='4096'
>> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
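Review bot: the new label uses `$Lang::tr{'vpn weak'}`, yet the diffstat touches nothing under langs/, so either that key already exists in every language file or the option renders as `1024 bit ()`; please confirm, since the same key is used on every weak cipher below. Marking 1024-bit DH as weak is correct (2048 bit is the floor generally recommended since Logjam), but the entry remains freely selectable for new setups; consider only showing it when it is the currently saved value, or at least making sure the select defaults to 2048.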
>> @@ -4543,6 +4544,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>> }
>> $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =
>> 'checked=\'checked\'';
>>
>> + $selected{'DCIPHER'}{'AES-256-GCM'} = '';
>> + $selected{'DCIPHER'}{'AES-192-GCM'} = '';
>> + $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
>> @@ -4707,18 +4711,21 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>
>> <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
>> <td><select name='DCIPHER'>
>> + <option value='AES-256-GCM' $s
>> elected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
>> + <option value='AES-192-GCM'
>> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
>> + <option value='AES-128-GCM'
>> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-256-CBC' $sele
>> cted{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
>> $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-192-CBC' $sele
>> cted{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
>> $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-128-CBC' $sele
>> cted{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
>> $Lang::tr{'bit'})</option>
>> <option value='AES-256-CBC'
>> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
>> $Lang::tr{'default'})</option>
>> <option value='AES-192-CBC'
>> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>> <option value='AES-128-CBC'
>> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
>> $Lang::tr{'bit'})</option>
>> - <option value='DESX-CBC' $sel
>> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>> <option value='SEED-CBC' $sel
>> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='DES-EDE-CBC' $
>> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='CAST5-CBC' $se
>> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
>> + <option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> + <option value='DESX-CBC' $sel
>> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> + <option value='DES-EDE-CBC' $
>> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> + <option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> + <option value='CAST5-CBC' $se
>> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> </select>
>> </td>
>>
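Review bot: for the three AES-GCM entries the HMAC digest chosen in the `DAUTH` select (printed right after the `cipher` line in writeserverconf) no longer protects the data channel: GCM is an AEAD mode and OpenVPN ignores `--auth` for packet authentication when an AEAD cipher is used, keeping it only for tls-auth. The form should say so, or disable the auth select when a GCM cipher is picked, otherwise an admin who chooses SHA-512 believes the tunnel carries that HMAC. The weak labels themselves are accurate: DES-EDE3-CBC, DESX-CBC, DES-EDE-CBC, BF-CBC and CAST5-CBC all have a 64-bit block, which is exactly what the Sweet32 attack exploits on long-lived tunnels; a short explanation next to the label (block size, not key length, is the problem, which is why 3DES at 192 bit is listed as weak) would save support questions.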
>> @@ -5108,6 +5115,9 @@ END
>> $selected{'DPROTOCOL'}{'tcp'} = '';
>> $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
>>
>> + $selected{'DCIPHER'}{'AES-256-GCM'} = '';
>> + $selected{'DCIPHER'}{'AES-192-GCM'} = '';
>> + $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
>> @@ -5204,18 +5214,21 @@ END
>>
>> <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
>> <td><select name='DCIPHER'>
>> + <option value='AES-256-GCM'
>> $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
>> + <option value='AES-192-GCM'
>> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
>> + <option value='AES-128-GCM'
>> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-256-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
>> $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-192-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
>> $Lang::tr{'bit'})</option>
>> <option value='CAMELLIA-128-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
>> $Lang::tr{'bit'})</option>
>> <option value='AES-256-CBC'
>> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
>> <option value='AES-192-CBC'
>> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>> <option value='AES-128-CBC'
>> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
>> $Lang::tr{'bit'})</option>
>> - <option value='DESX-CBC'
>> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>> <option value='SEED-CBC'
>> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='DES-EDE-CBC'
>> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
>> $Lang::tr{'bit'})</option>
>> - <option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
>> - <option value='CAST5-CBC'
>> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
>> + <option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> + <option value='DESX-CBC'
>> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> + <option value='DES-EDE-CBC'
>> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> + <option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> + <option value='CAST5-CBC'
>> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> </select>
>> </td>
>> <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
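Review bot: this select is a copy of the one in the 'net' branch above, and the two have already drifted (the earlier list marks AES-256-CBC as `$Lang::tr{'default'}`, this one does not), so every future cipher change has to be made four times counting the two `$selected{'DCIPHER'}` initialisation blocks. Move the cipher list into one Perl array of `[value, label, weak-flag]` entries at the top of the file and render both menus and both initialisations from it; that also makes it trivial to print the weak entries only when they are the currently saved value.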
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index 8307d01..e7f9bc2 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -1,7 +1,7 @@
>> #############################################################################
>> ##
>> #
>> #
>> # IPFire.org - A linux based
>> firewall #
>> -# Copyright (C) 2017 IPFire Team <info(a)ipfire.org>
>> #
>> +# Copyright (C) 2018 IPFire Team <info(a)ipfire.org>
>> #
>> #
>> #
>> # This program is free software: you can redistribute it and/or
>> modify #
>> # it under the terms of the GNU General Public License as published
>> by #
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 2.3.18
>> +VER = 2.4.4
>>
>> THISAPP = openvpn-$(VER)
>> DL_FILE = $(THISAPP).tar.xz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
>> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
>>
>> install : $(TARGET)
>>
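Review bot: the tarball is pinned by MD5 only. That matches the existing lfs convention, so it is not a blocker, but an MD5 value catches a corrupted download, not a substituted one; the hash should be checked against the upstream GPG-signed release before this is merged, and a note in the commit message that this was done would make the update auditable. Given that the preceding hunk jumps from 2.3.18 to 2.4.4, which changes server-side behaviour (the cipher negotiation the CGI now disables, the dropped script-security method, the CRL handling the new cron script exists for), the package bump and the CGI changes cannot be merged independently; Michael's split into a), c) and d) only works if a) lands together with d) or is held in the same branch.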
>> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>> chown root:root /usr/lib/openvpn/verify
>> chmod 755 /usr/lib/openvpn/verify
>> + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
>> + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
>> + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
>> +
>> @rm -rf $(DIR_APP)
>> @$(POSTBUILD)
>> +
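Review bot: the `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` line assumes the build has already copied config/ovpn/ into /var/ipfire/ovpn as a whole, the same assumption the `verify` move above relies on; that is fine but should be stated, because a missing source makes `mv` fail and aborts the build. `chown root:root` and `chmod 750` are right for a script that reads the CA key. The closing `+` adds a trailing empty line to lfs/openvpn; drop it. Since the rootfile lists `etc/fcron.daily/ovpn_crl_updater.sh`, the job is installed on every system, including those with no OpenVPN CA; the early `exit 0` in the script covers that, and a sentence in the commit message saying so would pre-empt the question.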
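One way to implement the check the commit message describes, written here as an added example and not the patch's own script nor IPFire project code: the "Next Update" field is read with `openssl crl -noout -nextupdate`, the day arithmetic takes an explicit "now" so it can be tested against a fixed clock, the regenerated CRL is written to a temporary file and only moved into place when `openssl ca -gencrl` succeeds, and an unparsable field is treated as "renew" rather than silently passing. It assumes the IPFire paths from the patch, GNU date for parsing the `Jan 30 15:09:44 2018 GMT` form openssl prints, and that the real work only runs when invoked with `--run` (the functions can be sourced without side effects).

```shell
#!/bin/sh
# Added example, not IPFire's or OpenVPN's code. Paths are taken from the
# patch; RENEW_DAYS mirrors its UPDATE variable. Requires GNU date and openssl.
set -eu

OVPN="${OVPN:-/var/ipfire/ovpn}"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
RENEW_DAYS="${RENEW_DAYS:-2}"

# Seconds from $2 (epoch seconds, defaults to now) until the timestamp in a
# "nextUpdate=Jan 30 15:09:44 2018 GMT" line, i.e. the output of
# `openssl crl -noout -nextupdate`. Negative if the CRL has already expired.
# Returns 1 (prints nothing) if the line is not a nextUpdate line or the
# date cannot be parsed, so callers can distinguish "unknown" from a number.
seconds_until_nextupdate() {
    line="$1"
    now="${2:-$(date +%s)}"
    stamp="${line#nextUpdate=}"
    [ "$stamp" != "$line" ] || return 1
    target="$(date -u -d "$stamp" +%s)" || return 1
    echo $((target - now))
}

# Whole days until the next update, truncated toward zero like the cron script.
days_until_nextupdate() {
    secs="$(seconds_until_nextupdate "$1" "${2:-}")" || return 1
    echo $((secs / 86400))
}

# Succeeds (exit 0) when the CRL described by $1 must be renewed, given the
# threshold in $3 days. An unparsable field counts as "renew": a CRL we
# cannot read is not one we want OpenVPN relying on.
crl_needs_renewal() {
    days="$(days_until_nextupdate "$1" "${2:-}")" || return 0
    [ "$days" -le "$3" ]
}

# Regenerate the CRL into a temporary file next to the real one and replace
# the live file only on success, so a failed openssl run cannot leave an
# empty CRL behind. Logs both outcomes.
renew_crl() {
    tmp="$(mktemp "${CRL}.XXXXXX")"
    if openssl ca -gencrl -keyfile "$CAKEY" -cert "$CACERT" \
            -config "$OPENSSLCONF" -out "$tmp" 2>/dev/null; then
        chmod 644 "$tmp" && mv -f "$tmp" "$CRL"
        logger -t openssl "OpenVPN CRL renewed" 2>/dev/null || true
        return 0
    fi
    rm -f "$tmp"
    logger -t openssl "OpenVPN CRL renewal FAILED, old CRL kept" 2>/dev/null || true
    return 1
}

main() {
    [ -e "$CRL" ] || exit 0          # no OpenVPN CA on this box
    line="$(openssl crl -in "$CRL" -noout -nextupdate)"
    if crl_needs_renewal "$line" "" "$RENEW_DAYS"; then
        renew_crl
    fi
}

# Run the cron job only when asked to, so the functions can be sourced/tested.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run as `ovpn_crl_updater.sh --run` from fcron.daily; the `days_until_nextupdate` and `crl_needs_renewal` helpers take a fixed epoch as second argument purely so the threshold logic can be checked without waiting for a real CRL to age.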
Thread overview: 4+ messages
2018-01-26 10:22 [PATCH] [PATCH] OpenVPN: Update to version 2.4.4  Erik Kapfer
2018-01-28 10:51 ` [PATCH v3] OpenVPN: Update to version 2.4.4  Erik Kapfer
2018-01-29 11:54   ` Michael Tremer
2018-01-30 15:09     ` ummeegge [this message]