Hi Michael,

yes I can send one by one in the order you have listed it so I can amend them if needed.
Hope I can start in the evening with it.

Greetings,

Erik

On 29.01.2018 at 12:54, Michael Tremer wrote:
> Hi,
>
> this is a very patch. We need to break it down into many many smaller ones,
> because this is hard to review. I have comments on many of them and I think that
> we can already ship some changes (like the weak ciphers), but not others. A huge
> patch won't allow us to merge parts into different branches.
>
> So I would propose to take this apart into:
>
> a) The update of the OpenVPN package (i.e. lfs/openvpn) and rootfile
> b) The script that updates the CRL
> c) The markings of weak ciphers
> d) Making the CGI ready for OpenVPN 2.4
>
> Would you be able to split this?
>
> Best,
> -Michael
>
> On Sun, 2018-01-28 at 11:51 +0100, Erik Kapfer wrote:
>> ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first
>> the cipher negotiation.
>> script-security flag 'system' has been dropped because of security concerns.
>> Directive changes/explanations can be found in here https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
>>
>> Added new AES-GCM cipher with 128, 196 and 256 bit.
>>
>> DH-parameter with 1024 bit has been marked as 'weak'.
>> All 64 bit block ciphers (DES, BF and CAST5) have also been marked as
>> 'weak'.
>>
>> Update script for OpenVPN CRL has been integrated since OpenVPN refactors the
>> CRL handling since v.2.4.0 .
>> Script checks the next update field from the CRL and performs an update
>> two days before it expires.
>> Script is placed under fcron.daily for daily checks.
>> OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .
>> >> Signed-off-by: Erik Kapfer >> --- >> config/ovpn/ovpn_crl_updater.sh | 53 >> +++++++++++++++++++++++++++++++++++++++++ >> config/rootfiles/common/openvpn | 5 +++- >> html/cgi-bin/ovpnmain.cgi | 37 ++++++++++++++++++---------- >> lfs/openvpn | 11 ++++++--- >> 4 files changed, 90 insertions(+), 16 deletions(-) >> create mode 100644 config/ovpn/ovpn_crl_updater.sh >> >> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh >> new file mode 100644 >> index 0000000..309edc2 >> --- /dev/null >> +++ b/config/ovpn/ovpn_crl_updater.sh 
>> @@ -0,0 +1,53 @@ >> +#!/bin/bash >> + >> +# >> +# Script Name: ovpn_crl_updater.sh >> +# Description: This script checks the "Next Update:" field of the CRL and >> renews it if needed, >> +# which prevents the expiration of OpenVPNs CRL. >> +# With OpenVPN 2.4.x the CRL handling has been refactored, >> +# whereby the verification logic has been removed from >> ssl_verify_.c . >> +# See for more infos: >> +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345292 >> 9e07016a336 >> +# >> +# Run Information: If OpenVPNs CRL is presant, >> +# this script provides a cronjob which checks daily if an update of the >> CRL is needed. >> +# If the expiring date reaches the value (defined in the 'UPDATE' >> variable in days) >> +# before the CRL expiration, an openssl command will be executed to renew >> the CRL. >> +# The renewing of the CRL will be logged into /var/log/messages. >> +# >> +# Author: Erik Kapfer >> +# >> +# Date: 17.01.2018 >> +# >> +############################################################################# >> ################## >> + >> +# Check if OpenVPN is active or if the CRL is presant >> +if [ ! 
-e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then >> + exit 0; >> +fi >> + >> +## Paths >> +OVPN="/var/ipfire/ovpn"; >> +CRL="${OVPN}/crls/cacrl.pem"; >> +CAKEY="${OVPN}/ca/cakey.pem"; >> +CACERT="${OVPN}/ca/cacert.pem"; >> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"; >> +## Values >> +# CRL check for the the 'Next Update:' in seconds >> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP >> 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; >> +# Day in seconds to calculate >> +DAYINSEC="86400"; >> +# Convert seconds to days >> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; >> +# Update of the CRL in days before CRL expiring date >> +UPDATE="2"; >> + >> +# Check if OpenVPNs CRL needs to be renewed >> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then >> + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out >> "${CRL}" -config "${OPENSSLCONF}"; >> + logger -t openssl "OpenVPN CRL has been renewed"; >> +fi >> + >> +exit 0 >> + >> +# EOF >> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn >> index b58e30c..cbfd03e 100644 >> --- a/config/rootfiles/common/openvpn >> +++ b/config/rootfiles/common/openvpn >> @@ -1,3 +1,5 @@ >> +etc/fcron.daily/ovpn_crl_updater.sh >> +#usr/include/openvpn-msg.h >> #usr/include/openvpn-plugin.h >> #usr/lib/openvpn >> #usr/lib/openvpn/plugins >> @@ -10,11 +12,12 @@ usr/sbin/openvpn >> #usr/share/doc/openvpn >> #usr/share/doc/openvpn/COPYING >> #usr/share/doc/openvpn/COPYRIGHT.GPL >> +#usr/share/doc/openvpn/Changes.rst >> #usr/share/doc/openvpn/README >> #usr/share/doc/openvpn/README.IPv6 >> #usr/share/doc/openvpn/README.auth-pam >> #usr/share/doc/openvpn/README.down-root >> -#usr/share/doc/openvpn/README.polarssl >> +#usr/share/doc/openvpn/README.mbedtls >> #usr/share/doc/openvpn/management-notes.txt >> #usr/share/man/man8/openvpn.8 >> var/ipfire/ovpn/ca >> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >> index 9f5e682..8e5d1ae 100644 >> --- a/html/cgi-bin/ovpnmain.cgi 
>> +++ b/html/cgi-bin/ovpnmain.cgi >> @@ -216,7 +216,7 @@ sub writeserverconf { >> print CONF "dev tun\n"; >> print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; >> print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; >> - print CONF "script-security 3 system\n"; >> + print CONF "script-security 3\n"; >> print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db >> 3600\n"; >> print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; >> print CONF "tls-server\n"; >> @@ -289,6 +289,7 @@ sub writeserverconf { >> } >> print CONF "status-version 1\n"; >> print CONF "status /var/run/ovpnserver.log 30\n"; >> + print CONF "ncp-disable\n"; >> print CONF "cipher $sovpnsettings{DCIPHER}\n"; >> if ($sovpnsettings{'DAUTH'} eq '') { >> print CONF ""; >> @@ -2002,7 +2003,7 @@ END >> >> $Lang::tr{'ovpn dh'}: >> >> + >> + >> + >> >> >> >> >> >> >> - >> - >> >> - >> - >> - >> + >> + >> + >> + >> + >> >> >> >> @@ -5108,6 +5115,9 @@ END >> $selected{'DPROTOCOL'}{'tcp'} = ''; >> $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; >> >> + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; >> + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; >> + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; >> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; >> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; >> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; >> @@ -5204,18 +5214,21 @@ END >> >> $Lang::tr{'cipher'} >> >> >> $Lang::tr{'comp-lzo'} >> diff --git a/lfs/openvpn b/lfs/openvpn >> index 8307d01..e7f9bc2 100644 >> --- a/lfs/openvpn >> +++ b/lfs/openvpn >> @@ -1,7 +1,7 @@ >> ############################################################################# >> ## >> # >> # >> # IPFire.org - A linux based >> firewall # >> -# Copyright (C) 2017 IPFire Team >> # >> +# Copyright (C) 2018 IPFire Team >> # >> # >> # >> # This program is free software: you can redistribute it and/or >> modify # >> # it under the terms of the GNU General Public License as published >> by # 
>> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER = 2.3.18 >> +VER = 2.4.4 >> >> THISAPP = openvpn-$(VER) >> DL_FILE = $(THISAPP).tar.xz >> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >> >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 >> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52 >> >> install : $(TARGET) >> >> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify >> chown root:root /usr/lib/openvpn/verify >> chmod 755 /usr/lib/openvpn/verify >> + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily >> + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh >> + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh >> + >> @rm -rf $(DIR_APP) >> @$(POSTBUILD) >> +
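Review bot: In the renewal branch of config/ovpn/ovpn_crl_updater.sh, `logger -t openssl "OpenVPN CRL has been renewed"` runs whether or not `openssl ca -gencrl` succeeded, so a failed renewal is logged as a success; chain the two (`openssl ca -gencrl ... && logger -t openssl "OpenVPN CRL has been renewed" || logger -t openssl "OpenVPN CRL renewal failed"`). The check itself has the same gap: when `openssl crl -in "${CRL}" -text` fails or `grep -oP 'Next Update: *\K.*'` matches nothing, EXPIRINGDATEINSEC is computed from an empty string and NEXTUPDATE becomes 0 or an arithmetic error instead of a logged failure, so an unreadable CRL is indistinguishable from an expiring one; store the grep result in a variable, test it for emptiness, and exit non-zero with a log line if it is missing. Two smaller points: `openssl ca -gencrl` takes the new CRL's validity from `default_crl_days` in the config, so pass `-crldays` explicitly unless ovpn.cnf is known to set it, and "presant"/"infos" in the header comment should read "present"/"info".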
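Review bot: The `script-security 3` hunk in writeserverconf drops only the `system` method; since the line is being touched anyway, the level should be decided here too. Level 3 additionally lets OpenVPN pass passwords to scripts through environment variables, which is only needed when a script such as an auth-user-pass-verify handler consumes them; if the scripts shipped with this package (the lfs hunk installs /usr/lib/openvpn/verify) do not, level 2 is the least-privilege setting and the one to write.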
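Review bot: `ncp-disable` in writeserverconf pins every session to the single `cipher $sovpnsettings{DCIPHER}` and switches off the 2.4 negotiation entirely, so a 2.4 client that would otherwise be moved to AES-256-GCM stays on whatever CBC cipher is configured. That is a defensible transitional choice while 2.3 clients still connect, as the commit message says ("for the first"), but it should be visible in the CGI and tracked for removal: once 2.3 clients are gone, this line goes and `ncp-ciphers` should list the GCM suites instead.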
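Review bot: The three new `$selected{'DCIPHER'}` entries in the @@ -5108 hunk are AES-256-GCM, AES-192-GCM and AES-128-GCM, so the commit message's "196" should read 192. Two things the CGI should reflect for these entries: AEAD ciphers are only understood by OpenVPN 2.4 clients, so a 2.3 client handed `cipher AES-256-GCM` cannot connect, which deserves a marker in the selection list like the 'weak' ones; and with an AEAD cipher OpenVPN ignores the `auth` digest for the data channel (it is still used for tls-auth), so the `DAUTH` selection written just below the `cipher` line is silently irrelevant when a GCM cipher is chosen.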
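Review bot: The last hunk of lfs/openvpn adds an empty line after `@$(POSTBUILD)` (the trailing `+`), which is noise and should be dropped. The cron-script install (mv to /etc/fcron.daily, root:root, mode 750) matches the new `etc/fcron.daily/ovpn_crl_updater.sh` rootfile entry. The bump to `VER = 2.4.4` replaces `$(DL_FILE)_MD5`; since that value is only a download-integrity check, the new tarball should be verified against the upstream release signature before the hash is committed.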
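The check the commit message describes (read the CRL's "Next Update:" field and renew when two days or less remain), as an added example written for this thread rather than taken from the patch or from IPFire. It reads `openssl crl -text` output on stdin, converts the timestamp to epoch seconds with integer arithmetic instead of relying on GNU `date -d`, takes the reference time as a parameter so the decision can be tested offline, and distinguishes "not due", "due" and "CRL unreadable" by exit code so a broken CRL is never silently skipped. The file paths in the usage comment are assumed from the patch's layout.

```shell
#!/bin/sh
# Added example (not the patch's ovpn_crl_updater.sh): decide whether an OpenVPN CRL is
# due for renewal from the text output of `openssl crl -text`, using only POSIX sh.

RENEW_DAYS=2   # renew when "Next Update:" is this many days away or less (the patch's threshold)

# Abbreviated English month name (as printed by openssl) -> month number; fails on anything else.
month_num() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;; Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;; Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 in the proleptic Gregorian
# calendar (integer algorithm; no locale or timezone involved).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# crl_next_update_epoch < crl.txt : print the "Next Update:" time as UTC epoch seconds.
# Returns 1 when the field is missing or does not parse. openssl prints it as
# "Next Update: Jan 30 12:00:00 2018 GMT" (the day may be space-padded).
crl_next_update_epoch() {
  line=$(sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1)
  [ -n "$line" ] || return 1
  set -- $line                       # word-split into: Mon DD HH:MM:SS YYYY GMT
  [ $# -ge 4 ] || return 1
  mon=$(month_num "$1") || return 1
  day=$2; hms=$3; year=$4
  hh=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; ss=${rest#*:}
  days=$(days_from_civil "$year" "$mon" "$day")
  # strip one leading zero so "08" is not read as an (invalid) octal number
  echo $(( days * 86400 + ${hh#0} * 3600 + ${mi#0} * 60 + ${ss#0} ))
}

# crl_renewal_due NOW_EPOCH < crl.txt
# exit 0: renew now   exit 1: not yet   exit 2: CRL unreadable (report it, never skip silently)
crl_renewal_due() {
  now=$1
  exp=$(crl_next_update_epoch) || return 2
  days_left=$(( (exp - now) / 86400 ))
  [ "$days_left" -le "$RENEW_DAYS" ]
}

# Cron usage with the patch's (assumed) paths. OPENSSLCONF is expected to set
# default_crl_days; otherwise add -crldays explicitly to the -gencrl call.
#   OVPN=/var/ipfire/ovpn
#   openssl crl -in "$OVPN/crls/cacrl.pem" -noout -text | crl_renewal_due "$(date +%s)"
#   case $? in
#     0) openssl ca -gencrl -keyfile "$OVPN/ca/cakey.pem" -cert "$OVPN/ca/cacert.pem" \
#           -out "$OVPN/crls/cacrl.pem" -config "$OVPN/openssl/ovpn.cnf" \
#        && logger -t openssl "OpenVPN CRL has been renewed" \
#        || logger -t openssl "OpenVPN CRL renewal failed" ;;
#     2) logger -t openssl "OpenVPN CRL could not be parsed" ;;
#   esac
```

The three-way exit code is the point of the design: the cron job can tell an expiring CRL from a CRL it could not read, and only logs "renewed" after `openssl ca -gencrl` actually returned success.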