Hi, forgot the CRL updater please ignore v1, PATCH v2 should include all. Best, Erik Am 26.01.2018 um 12:16 schrieb Erik Kapfer: > ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first the cipher negotiation. > script-security flag 'system' has been dropped cause of security concerns. > Directive changes/explanations can be found in here https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage . > > Update script for OpenVPN CRL has been integrated since OpenVPN refactors the CRL handling since v.2.4.0 . > Script checks the next update field from the CRL and preforms an update two days before it expires. > Script is placed under fcron.daily for daily checks. > Changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 . > > update.sh for Core 118 includes needed server.conf changes but also an update of the CRL to prevent connection problems > if systems have already an expired CRL. > Server stop and start if active will be also executed. > > Signed-off-by: Erik Kapfer > --- > config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++ > config/rootfiles/common/openvpn | 5 +++- > config/rootfiles/core/118/update.sh | 13 +++++++++ > html/cgi-bin/ovpnmain.cgi | 3 ++- > lfs/openvpn | 11 +++++--- > src/misc-progs/openvpnctrl.c | 2 +- > 6 files changed, 81 insertions(+), 6 deletions(-) > create mode 100644 config/ovpn/ovpn_crl_updater.sh > > diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh > new file mode 100644 > index 0000000..309edc2 > --- /dev/null > +++ b/config/ovpn/ovpn_crl_updater.sh > @@ -0,0 +1,53 @@ > +#!/bin/bash > + > +# > +# Script Name: ovpn_crl_updater.sh > +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed, > +# which prevents the expiration of OpenVPNs CRL. > +# With OpenVPN 2.4.x the CRL handling has been refactored, > +# whereby the verification logic has been removed from ssl_verify_.c . > +# See for more infos: > +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 > +# > +# Run Information: If OpenVPNs CRL is presant, > +# this script provides a cronjob which checks daily if an update of the CRL is needed. > +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days) > +# before the CRL expiration, an openssl command will be executed to renew the CRL. > +# The renewing of the CRL will be logged into /var/log/messages. > +# > +# Author: Erik Kapfer > +# > +# Date: 17.01.2018 > +# > +############################################################################################### > + > +# Check if OpenVPN is active or if the CRL is presant > +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then > + exit 0; > +fi > + > +## Paths > +OVPN="/var/ipfire/ovpn"; > +CRL="${OVPN}/crls/cacrl.pem"; > +CAKEY="${OVPN}/ca/cakey.pem"; > +CACERT="${OVPN}/ca/cacert.pem"; > +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"; > +## Values > +# CRL check for the the 'Next Update:' in seconds > +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; > +# Day in seconds to calculate > +DAYINSEC="86400"; > +# Convert seconds to days > +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; > +# Update of the CRL in days before CRL expiring date > +UPDATE="2"; > + > +# Check if OpenVPNs CRL needs to be renewed > +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then > + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; > + logger -t openssl "OpenVPN CRL has been renewed"; > +fi > + > +exit 0 > + > +# EOF > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn > index b58e30c..cbfd03e 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn > @@ -1,3 +1,5 @@ > +etc/fcron.daily/ovpn_crl_updater.sh > +#usr/include/openvpn-msg.h > #usr/include/openvpn-plugin.h > #usr/lib/openvpn > #usr/lib/openvpn/plugins > @@ -10,11 +12,12 @@ usr/sbin/openvpn > #usr/share/doc/openvpn > #usr/share/doc/openvpn/COPYING > #usr/share/doc/openvpn/COPYRIGHT.GPL > +#usr/share/doc/openvpn/Changes.rst > #usr/share/doc/openvpn/README > #usr/share/doc/openvpn/README.IPv6 > #usr/share/doc/openvpn/README.auth-pam > #usr/share/doc/openvpn/README.down-root > -#usr/share/doc/openvpn/README.polarssl > +#usr/share/doc/openvpn/README.mbedtls > #usr/share/doc/openvpn/management-notes.txt > #usr/share/man/man8/openvpn.8 > var/ipfire/ovpn/ca > diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/118/update.sh > index 545c8ef..ea56832 100644 > --- a/config/rootfiles/core/118/update.sh > +++ b/config/rootfiles/core/118/update.sh > @@ -58,6 +58,19 @@ ldconfig > /etc/init.d/apache restart > /etc/init.d/snort start > > +# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL > +if [ -e /var/ipfire/ovpn/server.conf ]; then > + if pgrep openvpn >/dev/null; then > + openvpnctrl -k > + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf > + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf > + openvpnctrl -s > + else > + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf > + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf > + fi > +fi > + > # This update need a reboot... > touch /var/run/need_reboot > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 9f5e682..424a5c9 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -216,7 +216,7 @@ sub writeserverconf { > print CONF "dev tun\n"; > print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; > print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; > - print CONF "script-security 3 system\n"; > + print CONF "script-security 3\n"; > print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; > print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; > print CONF "tls-server\n"; > @@ -289,6 +289,7 @@ sub writeserverconf { > } > print CONF "status-version 1\n"; > print CONF "status /var/run/ovpnserver.log 30\n"; > + print CONF "ncp-disable\n"; > print CONF "cipher $sovpnsettings{DCIPHER}\n"; > if ($sovpnsettings{'DAUTH'} eq '') { > print CONF ""; > diff --git a/lfs/openvpn b/lfs/openvpn > index 8307d01..e7f9bc2 100644 > --- a/lfs/openvpn > +++ b/lfs/openvpn > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2017 IPFire Team # > +# Copyright (C) 2018 IPFire Team # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 2.3.18 > +VER = 2.4.4 > > THISAPP = openvpn-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 > +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52 > > install : $(TARGET) > > @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify > chown root:root /usr/lib/openvpn/verify > chmod 755 /usr/lib/openvpn/verify > + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily > + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh > + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh > + > @rm -rf $(DIR_APP) > @$(POSTBUILD) > + > diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c > index 20967e4..39e8f58 100644 > --- a/src/misc-progs/openvpnctrl.c > +++ b/src/misc-progs/openvpnctrl.c > @@ -485,7 +485,7 @@ void startDaemon(void) { > executeCommand(command); > snprintf(command, STRING_SIZE-1, "/bin/chown root.nobody /var/run/ovpnserver.log"); > executeCommand(command); > - snprintf(command, STRING_SIZE-1, "/bin/chmod 644 /var/run/ovpnserver.log"); > + snprintf(command, STRING_SIZE-1, "/bin/chmod 664 /var/run/ovpnserver.log"); > executeCommand(command); > } > } > -- > 2.7.4 >