* [PATCH] [PATCH] OpenVPN: Update to version 2.4.4 .
@ 2018-01-26 10:22 Erik Kapfer
  2018-01-28 10:51 ` [PATCH v3] " Erik Kapfer
  0 siblings, 1 reply; 4+ messages in thread
From: Erik Kapfer @ 2018-01-26 10:22 UTC (permalink / raw)
  To: development


ovpnmain.cgi includes the new directive '--ncp-disable' to disable cipher negotiation for now.
    The script-security flag 'system' has been dropped because of security concerns.
    Directive changes/explanations can be found in here https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

Update script for OpenVPN CRL has been integrated since OpenVPN refactors the CRL handling since v.2.4.0 .
    Script checks the next update field from the CRL and preforms an update two days before it expires.
    Script is placed under fcron.daily for daily checks.
    Changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .

update.sh for Core 118 includes needed server.conf changes but also an update of the CRL to prevent connection problems
    if systems have already an expired CRL.
    Server stop and start if active will be also executed.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/rootfiles/common/openvpn     |  5 ++++-
 config/rootfiles/core/118/update.sh | 13 +++++++++++++
 html/cgi-bin/ovpnmain.cgi           |  3 ++-
 lfs/openvpn                         | 11 ++++++++---
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index b58e30c..cbfd03e 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,5 @@
+etc/fcron.daily/ovpn_crl_updater.sh
+#usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
 #usr/lib/openvpn/plugins
@@ -10,11 +12,12 @@ usr/sbin/openvpn
 #usr/share/doc/openvpn
 #usr/share/doc/openvpn/COPYING
 #usr/share/doc/openvpn/COPYRIGHT.GPL
+#usr/share/doc/openvpn/Changes.rst
 #usr/share/doc/openvpn/README
 #usr/share/doc/openvpn/README.IPv6
 #usr/share/doc/openvpn/README.auth-pam
 #usr/share/doc/openvpn/README.down-root
-#usr/share/doc/openvpn/README.polarssl
+#usr/share/doc/openvpn/README.mbedtls
 #usr/share/doc/openvpn/management-notes.txt
 #usr/share/man/man8/openvpn.8
 var/ipfire/ovpn/ca
diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/118/update.sh
index 545c8ef..ea56832 100644
--- a/config/rootfiles/core/118/update.sh
+++ b/config/rootfiles/core/118/update.sh
@@ -58,6 +58,19 @@ ldconfig
 /etc/init.d/apache restart
 /etc/init.d/snort start
 
+# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL
+if [ -e /var/ipfire/ovpn/server.conf ]; then
+    if pgrep openvpn >/dev/null; then
+        openvpnctrl -k
+        sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
+        openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
+        openvpnctrl -s
+    else
+        sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
+        openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
+    fi
+fi
+
 # This update need a reboot...
 touch /var/run/need_reboot
 
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9f5e682..424a5c9 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -216,7 +216,7 @@ sub writeserverconf {
     print CONF "dev tun\n";
     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
-    print CONF "script-security 3 system\n";
+    print CONF "script-security 3\n";
     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
     print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
     print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
+    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
     if ($sovpnsettings{'DAUTH'} eq '') {
         print CONF "";
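Review bot: The `ncp-disable` line added in the second hunk carries no comment saying why cipher negotiation is switched off, and the reason given in the commit message will not travel with the file; a why-comment such as `# Pin the data channel to the configured DCIPHER; OpenVPN 2.4 peers would otherwise negotiate a cipher (NCP)` would help the next maintainer. The `script-security 3` change in the first hunk silently drops the `system` method in the same way, so a short `# 'system' method dropped for security reasons (OpenVPN 2.4)` next to it keeps the rationale near the code. Both hunks lie inside writeserverconf, which starts and ends outside the hunks.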
diff --git a/lfs/openvpn b/lfs/openvpn
index 8307d01..e7f9bc2 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                          #
+# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                          #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.3.18
+VER        = 2.4.4
 
 THISAPP    = openvpn-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
+$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
 
 install : $(TARGET)
 
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
+	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
+	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
+
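Review bot: The new install step moves `/var/ipfire/ovpn/ovpn_crl_updater.sh` into `/etc/fcron.daily`, but this patch adds no such script: the diffstat lists only the rootfile, update.sh, ovpnmain.cgi and lfs/openvpn, while the rootfile hunk already claims `etc/fcron.daily/ovpn_crl_updater.sh`. Unless the script is already present under config/ovpn in the tree, the `mv -v` fails and the build aborts at this point. The script should be part of the same series (v3 adds it as config/ovpn/ovpn_crl_updater.sh).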
-- 
2.7.4



* [PATCH v3] OpenVPN: Update to version 2.4.4
  2018-01-26 10:22 [PATCH] [PATCH] OpenVPN: Update to version 2.4.4 Erik Kapfer
@ 2018-01-28 10:51 ` Erik Kapfer
  2018-01-29 11:54   ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: Erik Kapfer @ 2018-01-28 10:51 UTC (permalink / raw)
  To: development


ovpnmain.cgi includes the new directive '--ncp-disable' to disable cipher negotiation for now.
    The script-security flag 'system' has been dropped because of security concerns.
    Directive changes/explanations can be found in here https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

    Added new AES-GCM cipher with 128, 196 and 256 bit.

    DH-parameter with 1024 bit has been marked as 'weak'.
    All 64 bit block ciphers (DES, BF and CAST5) has also been marked as 'weak'.

Update script for OpenVPN CRL has been integrated since OpenVPN refactors the CRL handling since v.2.4.0 .
    Script checks the next update field from the CRL and preforms an update two days before it expires.
    Script is placed under fcron.daily for daily checks.
    OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 .

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 config/rootfiles/common/openvpn |  5 +++-
 html/cgi-bin/ovpnmain.cgi       | 37 ++++++++++++++++++----------
 lfs/openvpn                     | 11 ++++++---
 4 files changed, 90 insertions(+), 16 deletions(-)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh

diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
new file mode 100644
index 0000000..309edc2
--- /dev/null
+++ b/config/ovpn/ovpn_crl_updater.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+#
+# Script Name: ovpn_crl_updater.sh
+# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
+#     which prevents the expiration of OpenVPNs CRL.
+#     With OpenVPN 2.4.x the CRL handling has been refactored,
+#     whereby the verification logic has been removed from ssl_verify_<backend>.c .
+#     See for more infos:
+#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
+#
+# Run Information: If OpenVPNs CRL is presant, 
+#     this script provides a cronjob which checks daily if an update of the CRL is needed.
+#     If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
+#     before the CRL expiration, an openssl command will be executed to renew the CRL.
+#     The renewing of the CRL will be logged into /var/log/messages.
+# 
+# Author: Erik Kapfer
+#
+# Date: 17.01.2018
+#
+###############################################################################################
+
+# Check if OpenVPN is active or if the CRL is presant
+if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
+	exit 0;
+fi
+
+## Paths
+OVPN="/var/ipfire/ovpn";
+CRL="${OVPN}/crls/cacrl.pem";
+CAKEY="${OVPN}/ca/cakey.pem";
+CACERT="${OVPN}/ca/cacert.pem";
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
+## Values
+# CRL check for the the 'Next Update:' in seconds
+EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
+# Day in seconds to calculate
+DAYINSEC="86400";
+# Convert seconds to days
+NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
+# Update of the CRL in days before CRL expiring date
+UPDATE="2";
+
+# Check if OpenVPNs CRL needs to be renewed
+if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
+	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
+	logger -t openssl "OpenVPN CRL has been renewed";
+fi
+
+exit 0
+
+# EOF
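Review bot: The `logger` call reports "OpenVPN CRL has been renewed" regardless of whether `openssl ca -gencrl` succeeded, so a failed renewal is logged as a success, and when the `openssl crl ... | grep -oP` pipeline yields nothing (unreadable or malformed CRL) the empty string is fed to `date -d`, which GNU date treats as today rather than an error, so the `-le` comparison acts on a meaningless value instead of failing. Reading the field with `openssl crl -noout -nextupdate`, refusing to continue when it is empty, and conditioning the log message on openssl's exit status makes the script fail loudly instead of silently. The header comment's "Check if OpenVPN is active" also overstates what the first test does — only the CRL file's presence is checked.
```shell
# 'Next Update:' of the CRL; bail out loudly if it cannot be read
NEXTUPDATESTR="$(openssl crl -in "${CRL}" -noout -nextupdate 2>/dev/null | sed 's/^nextUpdate=//')";
if [ -z "${NEXTUPDATESTR}" ]; then
	logger -t openssl "OpenVPN CRL: could not read 'Next Update' from ${CRL}";
	exit 1;
fi
EXPIRINGDATEINSEC="$(( $(date -d "${NEXTUPDATESTR}" +%s) - $(date +%s) ))";
# … unchanged: DAYINSEC, NEXTUPDATE, UPDATE …
if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
	if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
		logger -t openssl "OpenVPN CRL has been renewed";
	else
		logger -t openssl "OpenVPN CRL renewal failed";
		exit 1;
	fi
fi
```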
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index b58e30c..cbfd03e 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,5 @@
+etc/fcron.daily/ovpn_crl_updater.sh
+#usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
 #usr/lib/openvpn/plugins
@@ -10,11 +12,12 @@ usr/sbin/openvpn
 #usr/share/doc/openvpn
 #usr/share/doc/openvpn/COPYING
 #usr/share/doc/openvpn/COPYRIGHT.GPL
+#usr/share/doc/openvpn/Changes.rst
 #usr/share/doc/openvpn/README
 #usr/share/doc/openvpn/README.IPv6
 #usr/share/doc/openvpn/README.auth-pam
 #usr/share/doc/openvpn/README.down-root
-#usr/share/doc/openvpn/README.polarssl
+#usr/share/doc/openvpn/README.mbedtls
 #usr/share/doc/openvpn/management-notes.txt
 #usr/share/man/man8/openvpn.8
 var/ipfire/ovpn/ca
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9f5e682..8e5d1ae 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -216,7 +216,7 @@ sub writeserverconf {
     print CONF "dev tun\n";
     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
-    print CONF "script-security 3 system\n";
+    print CONF "script-security 3\n";
     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
     print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
     print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
+    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
     if ($sovpnsettings{'DAUTH'} eq '') {
         print CONF "";
@@ -2002,7 +2003,7 @@ END
 	    </select></td>
 	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
 		<td class='base'><select name='DHLENGHT'>
-				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
+				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
 				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
 				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
 				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -4543,6 +4544,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
     }
     $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4707,18 +4711,21 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'>
+				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM' 	 	$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM' 	 	$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
 				<option value='AES-256-CBC' 	 	$selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
 				<option value='AES-192-CBC' 	 	$selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='AES-128-CBC' 	 	$selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='DESX-CBC' 		$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='SEED-CBC' 		$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='BF-CBC' 			$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='CAST5-CBC' 		$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+				<option value='DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DESX-CBC' 		$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='BF-CBC' 			$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='CAST5-CBC' 		$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
 
@@ -5108,6 +5115,9 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5204,18 +5214,21 @@ END
 
 		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'>
+				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
 				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
     <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
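Review bot: The `script-security 3` and `ncp-disable` changes in the first two hunks only take effect when writeserverconf is run again, i.e. when an admin re-saves the server settings; v3 drops the core/118 update.sh that v1 used to rewrite an existing server.conf, so installations upgraded to 2.4.4 keep `script-security 3 system` and no `ncp-disable` until then, and the series needs a migration step somewhere. A second, smaller point on the new AES-GCM options: with an AEAD cipher selected, the `auth` HMAC written just below the `cipher` line (from DAUTH) no longer applies to the data channel in OpenVPN 2.4, so a hint in the UI or a comment at the `auth` output would avoid confusion. writeserverconf starts and ends outside the hunks.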
diff --git a/lfs/openvpn b/lfs/openvpn
index 8307d01..e7f9bc2 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                          #
+# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                          #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.3.18
+VER        = 2.4.4
 
 THISAPP    = openvpn-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
+$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
 
 install : $(TARGET)
 
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
+	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
+	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
+
-- 
2.7.4



* Re: [PATCH v3] OpenVPN: Update to version 2.4.4
  2018-01-28 10:51 ` [PATCH v3] " Erik Kapfer
@ 2018-01-29 11:54   ` Michael Tremer
  2018-01-30 15:09     ` ummeegge
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Tremer @ 2018-01-29 11:54 UTC (permalink / raw)
  To: development


Hi,

this is a very large patch. We need to break it down into many smaller ones,
because this is hard to review. I have comments on many of them and I think that
we can already ship some changes (like the weak ciphers), but not others. A huge
patch won't allow us to merge parts into different branches.

So I would propose to take this apart into:

a) The update of the OpenVPN package (i.e. lfs/openvpn) and rootfile
b) The script that updates the CRL
c) The markings of weak ciphers
d) Making the CGI ready for OpenVPN 2.4

Would you be able to split this?

Best,
-Michael

On Sun, 2018-01-28 at 11:51 +0100, Erik Kapfer wrote:
> ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first
> the cipher negotiation.
>     script-security flag 'system' has been dropped cause of security concerns.
>     Directive changes/explanations can be found in here https://community.open
> vpn.net/openvpn/wiki/Openvpn24ManPage .
> 
>     Added new AES-GCM cipher with 128, 196 and 256 bit.
> 
>     DH-parameter with 1024 bit has been marked as 'weak'.
>     All 64 bit block ciphers (DES, BF and CAST5) has also been marked as
> 'weak'.
> 
> Update script for OpenVPN CRL has been integrated since OpenVPN refactors the
> CRL handling since v.2.4.0 .
>     Script checks the next update field from the CRL and preforms an update
> two days before it expires.
>     Script is placed under fcron.daily for daily checks.
>     OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/co
> mmit/160504a2955c4478cd2c0323452929e07016a336 .
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/ovpn/ovpn_crl_updater.sh | 53
> +++++++++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/openvpn |  5 +++-
>  html/cgi-bin/ovpnmain.cgi       | 37 ++++++++++++++++++----------
>  lfs/openvpn                     | 11 ++++++---
>  4 files changed, 90 insertions(+), 16 deletions(-)
>  create mode 100644 config/ovpn/ovpn_crl_updater.sh
> 
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash
> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and
> renews it if needed,
> +#     which prevents the expiration of OpenVPNs CRL.
> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
> +#     whereby the verification logic has been removed from
> ssl_verify_<backend>.c .
> +#     See for more infos:
> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345292
> 9e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant, 
> +#     this script provides a cronjob which checks daily if an update of the
> CRL is needed.
> +#     If the expiring date reaches the value (defined in the 'UPDATE'
> variable in days)
> +#     before the CRL expiration, an openssl command will be executed to renew
> the CRL.
> +#     The renewing of the CRL will be logged into /var/log/messages.
> +# 
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +#############################################################################
> ##################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> +	exit 0;
> +fi
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn";
> +CRL="${OVPN}/crls/cacrl.pem";
> +CAKEY="${OVPN}/ca/cakey.pem";
> +CACERT="${OVPN}/ca/cacert.pem";
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
> +## Values
> +# CRL check for the the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP
> 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
> +# Day in seconds to calculate
> +DAYINSEC="86400";
> +# Convert seconds to days
> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="2";
> +
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
> "${CRL}" -config "${OPENSSLCONF}";
> +	logger -t openssl "OpenVPN CRL has been renewed";
> +fi
> +
> +exit 0
> +
> +# EOF
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index b58e30c..cbfd03e 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,5 @@
> +etc/fcron.daily/ovpn_crl_updater.sh
> +#usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
>  #usr/lib/openvpn/plugins
> @@ -10,11 +12,12 @@ usr/sbin/openvpn
>  #usr/share/doc/openvpn
>  #usr/share/doc/openvpn/COPYING
>  #usr/share/doc/openvpn/COPYRIGHT.GPL
> +#usr/share/doc/openvpn/Changes.rst
>  #usr/share/doc/openvpn/README
>  #usr/share/doc/openvpn/README.IPv6
>  #usr/share/doc/openvpn/README.auth-pam
>  #usr/share/doc/openvpn/README.down-root
> -#usr/share/doc/openvpn/README.polarssl
> +#usr/share/doc/openvpn/README.mbedtls
>  #usr/share/doc/openvpn/management-notes.txt
>  #usr/share/man/man8/openvpn.8
>  var/ipfire/ovpn/ca
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..8e5d1ae 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -216,7 +216,7 @@ sub writeserverconf {
>      print CONF "dev tun\n";
>      print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
>      print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
> -    print CONF "script-security 3 system\n";
> +    print CONF "script-security 3\n";
>      print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
> 3600\n";
>      print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
>      print CONF "tls-server\n";
> @@ -289,6 +289,7 @@ sub writeserverconf {
>      }	
>      print CONF "status-version 1\n";
>      print CONF "status /var/run/ovpnserver.log 30\n";
> +    print CONF "ncp-disable\n";
>      print CONF "cipher $sovpnsettings{DCIPHER}\n";
>      if ($sovpnsettings{'DAUTH'} eq '') {
>          print CONF "";
> @@ -2002,7 +2003,7 @@ END
>  	    </select></td>
>  	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
>  		<td class='base'><select name='DHLENGHT'>
> -				<option value='1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> +				<option value='1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
> weak'})</option>
>  				<option value='2048'
> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>  				<option value='3072'
> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>  				<option value='4096'
> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> @@ -4543,6 +4544,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>      }
>      $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =
> 'checked=\'checked\'';
>  
> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
> @@ -4707,18 +4711,21 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  
>  	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
>  		<td><select name='DCIPHER'>
> +				<option value='AES-256-GCM'		$s
> elected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
> +				<option value='AES-192-GCM' 	 	
> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
> +				<option value='AES-128-GCM' 	 	
> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-256-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-192-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-128-CBC'	$sele
> cted{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>
>  				<option value='AES-256-CBC' 	 	
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
> $Lang::tr{'default'})</option>
>  				<option value='AES-192-CBC' 	 	
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value='AES-128-CBC' 	 	
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='DES-EDE3-CBC'	 	
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value='DESX-CBC' 		$sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value='SEED-CBC' 		$sel
> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='BF-CBC' 			
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='CAST5-CBC' 		$se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value='DES-EDE3-CBC'	 	
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value='DESX-CBC' 		$sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value='DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value='BF-CBC' 			
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value='CAST5-CBC' 		$se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
>  			</select>
>  		</td>
>  
> @@ -5108,6 +5115,9 @@ END
>      $selected{'DPROTOCOL'}{'tcp'} = '';
>      $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
>  
> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>      $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
> @@ -5204,18 +5214,21 @@ END
>  
>  		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
>  		<td><select name='DCIPHER'>
> +				<option value='AES-256-GCM'
> $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
> +				<option value='AES-192-GCM'
> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
> +				<option value='AES-128-GCM'
> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-256-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-192-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
> $Lang::tr{'bit'})</option>
>  				<option value='CAMELLIA-128-CBC'
> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
> $Lang::tr{'bit'})</option>
>  				<option value='AES-256-CBC'
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
>  				<option value='AES-192-CBC'
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value='AES-128-CBC'
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value='DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value='SEED-CBC'
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
> $Lang::tr{'bit'})</option>
> -				<option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value='DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value='DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value='CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
>  			</select>
>  		</td>
>      <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 8307d01..e7f9bc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -1,7 +1,7 @@
>  #############################################################################
> ##
>  #                                                                            
>  #
>  # IPFire.org - A linux based
> firewall                                         #
> -# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                         
>  #
> +# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                         
>  #
>  #                                                                            
>  #
>  # This program is free software: you can redistribute it and/or
> modify        #
>  # it under the terms of the GNU General Public License as published
> by        #
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 2.3.18
> +VER        = 2.4.4
>  
>  THISAPP    = openvpn-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
>  
>  install : $(TARGET)
>  
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
> +



* Re: [PATCH v3] OpenVPN: Update to version 2.4.4
  2018-01-29 11:54   ` Michael Tremer
@ 2018-01-30 15:09     ` ummeegge
  0 siblings, 0 replies; 4+ messages in thread
From: ummeegge @ 2018-01-30 15:09 UTC (permalink / raw)
  To: development


Hi Michael,
yes i can send one by one in the order you have listed it so i can amend them if needed. Hope i can start in the evening with it.

Greetings,

Erik

Am 29.01.2018 um 12:54 schrieb Michael Tremer:

> Hi,
> 
> this is a very large patch. We need to break it down into many many smaller ones,
> because this is hard to review. I have comments on many of them and I think that
> we can already ship some changes (like the weak ciphers), but not others. A huge
> patch won't allow us to merge parts into different branches.
> 
> So I would propose to take this apart into:
> 
> a) The update of the OpenVPN package (i.e. lfs/openvpn) and rootfile
> b) The script that updates the CRL
> c) The markings of weak ciphers
> d) Making the CGI ready for OpenVPN 2.4
> 
> Would you be able to split this?
> 
> Best,
> -Michael
> 
> On Sun, 2018-01-28 at 11:51 +0100, Erik Kapfer wrote:
>> ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first
>> the cipher negotiation.
>>    script-security flag 'system' has been dropped cause of security concerns.
>>    Directive changes/explanations can be found in here https://community.open
>> vpn.net/openvpn/wiki/Openvpn24ManPage .
>> 
>>    Added new AES-GCM cipher with 128, 196 and 256 bit.
>> 
>>    DH-parameter with 1024 bit has been marked as 'weak'.
>>    All 64 bit block ciphers (DES, BF and CAST5) has also been marked as
>> 'weak'.
>> 
>> Update script for OpenVPN CRL has been integrated since OpenVPN refactors the
>> CRL handling since v.2.4.0 .
>>    Script checks the next update field from the CRL and performs an update
>> two days before it expires.
>>    Script is placed under fcron.daily for daily checks.
>>    OpenVPN changes can be found in here https://github.com/OpenVPN/openvpn/co
>> mmit/160504a2955c4478cd2c0323452929e07016a336 .
>> 
>> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>> ---
>> config/ovpn/ovpn_crl_updater.sh | 53
>> +++++++++++++++++++++++++++++++++++++++++
>> config/rootfiles/common/openvpn |  5 +++-
>> html/cgi-bin/ovpnmain.cgi       | 37 ++++++++++++++++++----------
>> lfs/openvpn                     | 11 ++++++---
>> 4 files changed, 90 insertions(+), 16 deletions(-)
>> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>> 
>> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
>> new file mode 100644
>> index 0000000..309edc2
>> --- /dev/null
>> +++ b/config/ovpn/ovpn_crl_updater.sh
>> @@ -0,0 +1,53 @@
>> +#!/bin/bash
>> +
>> +#
>> +# Script Name: ovpn_crl_updater.sh
>> +# Description: This script checks the "Next Update:" field of the CRL and
>> renews it if needed,
>> +#     which prevents the expiration of OpenVPNs CRL.
>> +#     With OpenVPN 2.4.x the CRL handling has been refactored,
>> +#     whereby the verification logic has been removed from
>> ssl_verify_<backend>.c .
>> +#     See for more infos:
>> +#     https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345292
>> 9e07016a336
>> +#
>> +# Run Information: If OpenVPNs CRL is presant, 
>> +#     this script provides a cronjob which checks daily if an update of the
>> CRL is needed.
>> +#     If the expiring date reaches the value (defined in the 'UPDATE'
>> variable in days)
>> +#     before the CRL expiration, an openssl command will be executed to renew
>> the CRL.
>> +#     The renewing of the CRL will be logged into /var/log/messages.
>> +# 
>> +# Author: Erik Kapfer
>> +#
>> +# Date: 17.01.2018
>> +#
>> +#############################################################################
>> ##################
>> +
>> +# Check if OpenVPN is active or if the CRL is presant
>> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
>> +	exit 0;
>> +fi
>> +
>> +## Paths
>> +OVPN="/var/ipfire/ovpn";
>> +CRL="${OVPN}/crls/cacrl.pem";
>> +CAKEY="${OVPN}/ca/cakey.pem";
>> +CACERT="${OVPN}/ca/cacert.pem";
>> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
>> +## Values
>> +# CRL check for the the 'Next Update:' in seconds
>> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP
>> 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
>> +# Day in seconds to calculate
>> +DAYINSEC="86400";
>> +# Convert seconds to days
>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
>> +# Update of the CRL in days before CRL expiring date
>> +UPDATE="2";
>> +
>> +# Check if OpenVPNs CRL needs to be renewed
>> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
>> +	openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
>> "${CRL}" -config "${OPENSSLCONF}";
>> +	logger -t openssl "OpenVPN CRL has been renewed";
>> +fi
>> +
>> +exit 0
>> +
>> +# EOF
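Review bot: The `logger -t openssl "OpenVPN CRL has been renewed"` line runs unconditionally after `openssl ca -gencrl`, so a failed renewal (missing or unreadable CA key, unwritable CRL path, broken ovpn.cnf) is still reported as success in /var/log/messages on every daily run while the CRL quietly expires. Checking the exit status and logging the failure separately makes the cron job's outcome visible; the rewritten branch is below. A related point on the `EXPIRINGDATEINSEC` line: if the `openssl crl | grep -oP` pipeline prints nothing, GNU `date -d ""` resolves to today's midnight instead of failing, so NEXTUPDATE becomes 0 and the script falls through to a renewal; that may be the intended fail-safe for a corrupt CRL, but it deserves either a comment saying so or an explicit check that the extracted date is non-empty. The header comment also misspells "present" as "presant" twice.
```shell
# … unchanged: presence check, path variables and NEXTUPDATE calculation …
if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
	if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
		logger -t openssl "OpenVPN CRL has been renewed";
	else
		logger -t openssl "OpenVPN CRL renewal failed";
		exit 1;
	fi
fi
```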
>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>> index b58e30c..cbfd03e 100644
>> --- a/config/rootfiles/common/openvpn
>> +++ b/config/rootfiles/common/openvpn
>> @@ -1,3 +1,5 @@
>> +etc/fcron.daily/ovpn_crl_updater.sh
>> +#usr/include/openvpn-msg.h
>> #usr/include/openvpn-plugin.h
>> #usr/lib/openvpn
>> #usr/lib/openvpn/plugins
>> @@ -10,11 +12,12 @@ usr/sbin/openvpn
>> #usr/share/doc/openvpn
>> #usr/share/doc/openvpn/COPYING
>> #usr/share/doc/openvpn/COPYRIGHT.GPL
>> +#usr/share/doc/openvpn/Changes.rst
>> #usr/share/doc/openvpn/README
>> #usr/share/doc/openvpn/README.IPv6
>> #usr/share/doc/openvpn/README.auth-pam
>> #usr/share/doc/openvpn/README.down-root
>> -#usr/share/doc/openvpn/README.polarssl
>> +#usr/share/doc/openvpn/README.mbedtls
>> #usr/share/doc/openvpn/management-notes.txt
>> #usr/share/man/man8/openvpn.8
>> var/ipfire/ovpn/ca
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index 9f5e682..8e5d1ae 100644
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -216,7 +216,7 @@ sub writeserverconf {
>>     print CONF "dev tun\n";
>>     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
>>     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
>> -    print CONF "script-security 3 system\n";
>> +    print CONF "script-security 3\n";
>>     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
>> 3600\n";
>>     print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
>>     print CONF "tls-server\n";
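Review bot: The new line keeps `script-security 3`, the highest level, which on top of allowing user-defined scripts (level 2) also lets OpenVPN pass passwords to those scripts through environment variables; whether anything installed by the CGI depends on that cannot be told from this hunk, and if nothing does, level 2 is the least-privilege choice. Either way the reason for the chosen level belongs in a comment above the print, e.g. `# script-security 3: <SCRIPT NAME> needs credentials from the environment (level 2 is not enough)` with the script name filled in, or `# script-security 2 is sufficient: no script reads credentials from the environment`, to be confirmed against the helpers under /usr/lib/openvpn. writeserverconf continues outside the hunk.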
>> @@ -289,6 +289,7 @@ sub writeserverconf {
>>     }	
>>     print CONF "status-version 1\n";
>>     print CONF "status /var/run/ovpnserver.log 30\n";
>> +    print CONF "ncp-disable\n";
>>     print CONF "cipher $sovpnsettings{DCIPHER}\n";
>>     if ($sovpnsettings{'DAUTH'} eq '') {
>>         print CONF "";
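Review bot: `ncp-disable` is emitted with no explanation, and its effect is not obvious to a reader of server.conf: with it in place the server only ever uses the single `cipher` written on the following line, so the AES-GCM entries added elsewhere in this patch are used only when an administrator selects one explicitly and every client profile must carry the same cipher. A comment above the print would save the next reader a trip to the 2.4 manual, e.g. `# ncp-disable: pin the server to the cipher configured below; cipher negotiation is intentionally not enabled yet`. writeserverconf continues outside the hunk.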
>> @@ -2002,7 +2003,7 @@ END
>> 	    </select></td>
>> 	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
>> 		<td class='base'><select name='DHLENGHT'>
>> -				<option value='1024'
>> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
>> +				<option value='1024'
>> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
>> weak'})</option>
>> 				<option value='2048'
>> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>> 				<option value='3072'
>> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>> 				<option value='4096'
>> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
>> @@ -4543,6 +4544,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
>>     }
>>     $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =
>> 'checked=\'checked\'';
>> 
>> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
>> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
>> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
>> @@ -4707,18 +4711,21 @@ if ($cgiparams{'TYPE'} eq 'net') {
>> 
>> 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
>> 		<td><select name='DCIPHER'>
>> +				<option value='AES-256-GCM'		$s
>> elected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
>> +				<option value='AES-192-GCM' 	 	
>> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
>> +				<option value='AES-128-GCM' 	 	
>> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-256-CBC'	$sele
>> cted{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
>> $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-192-CBC'	$sele
>> cted{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
>> $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-128-CBC'	$sele
>> cted{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
>> $Lang::tr{'bit'})</option>
>> 				<option value='AES-256-CBC' 	 	
>> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
>> $Lang::tr{'default'})</option>
>> 				<option value='AES-192-CBC' 	 	
>> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>> 				<option value='AES-128-CBC' 	 	
>> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='DES-EDE3-CBC'	 	
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
>> $Lang::tr{'bit'})</option>
>> -				<option value='DESX-CBC' 		$sel
>> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>> 				<option value='SEED-CBC' 		$sel
>> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='DES-EDE-CBC' 		$
>> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='BF-CBC' 			
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='CAST5-CBC' 		$se
>> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
>> +				<option value='DES-EDE3-CBC'	 	
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> +				<option value='DESX-CBC' 		$sel
>> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> +				<option value='DES-EDE-CBC' 		$
>> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> +				<option value='BF-CBC' 			
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> +				<option value='CAST5-CBC' 		$se
>> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> 			</select>
>> 		</td>
>> 
>> @@ -5108,6 +5115,9 @@ END
>>     $selected{'DPROTOCOL'}{'tcp'} = '';
>>     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
>> 
>> +    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
>> +    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
>> +    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
>>     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
>> @@ -5204,18 +5214,21 @@ END
>> 
>> 		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
>> 		<td><select name='DCIPHER'>
>> +				<option value='AES-256-GCM'
>> $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
>> +				<option value='AES-192-GCM'
>> $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
>> +				<option value='AES-128-GCM'
>> $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-256-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256
>> $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-192-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192
>> $Lang::tr{'bit'})</option>
>> 				<option value='CAMELLIA-128-CBC'
>> $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128
>> $Lang::tr{'bit'})</option>
>> 				<option value='AES-256-CBC'
>> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
>> 				<option value='AES-192-CBC'
>> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>> 				<option value='AES-128-CBC'
>> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
>> $Lang::tr{'bit'})</option>
>> -				<option value='DESX-CBC'
>> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>> 				<option value='SEED-CBC'
>> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='DES-EDE-CBC'
>> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
>> $Lang::tr{'bit'})</option>
>> -				<option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
>> -				<option value='CAST5-CBC'
>> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
>> +				<option value='DES-EDE3-CBC'
>> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> +				<option value='DESX-CBC'
>> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> +				<option value='DES-EDE-CBC'
>> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> +				<option value='BF-CBC'
>> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
>> weak'})</option>
>> +				<option value='CAST5-CBC'
>> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
>> $Lang::tr{'vpn weak'})</option>
>> 			</select>
>> 		</td>
>>     <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
>> diff --git a/lfs/openvpn b/lfs/openvpn
>> index 8307d01..e7f9bc2 100644
>> --- a/lfs/openvpn
>> +++ b/lfs/openvpn
>> @@ -1,7 +1,7 @@
>> #############################################################################
>> ##
>> #                                                                            
>> #
>> # IPFire.org - A linux based
>> firewall                                         #
>> -# Copyright (C) 2017  IPFire Team  <info(a)ipfire.org>                         
>> #
>> +# Copyright (C) 2018  IPFire Team  <info(a)ipfire.org>                         
>> #
>> #                                                                            
>> #
>> # This program is free software: you can redistribute it and/or
>> modify        #
>> # it under the terms of the GNU General Public License as published
>> by        #
>> @@ -24,7 +24,7 @@
>> 
>> include Config
>> 
>> -VER        = 2.3.18
>> +VER        = 2.4.4
>> 
>> THISAPP    = openvpn-$(VER)
>> DL_FILE    = $(THISAPP).tar.xz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>> 
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>> 
>> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
>> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
>> 
>> install : $(TARGET)
>> 
>> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>> 	chown root:root /usr/lib/openvpn/verify
>> 	chmod 755 /usr/lib/openvpn/verify
>> +	mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
>> +	chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
>> +	chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
>> +
>> 	@rm -rf $(DIR_APP)
>> 	@$(POSTBUILD)
>> +


