* Re: [PATCH v2] [PATCH] OpenVPN: Update to version 2.4.4 .
From: ummeegge @ 2018-01-26 11:29 UTC (permalink / raw)
To: development
Hi,
forgot the CRL updater, please ignore v1; PATCH v2 should include all.
Best,
Erik
On 26.01.2018 at 12:16, Erik Kapfer wrote:
> ovpnmain.cgi includes the new directive '--ncp-disable' to disable the cipher negotiation for the first.
> The script-security flag 'system' has been dropped because of security concerns.
> Directive changes/explanations can be found here: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>
> An update script for the OpenVPN CRL has been integrated since OpenVPN refactored the CRL handling in v2.4.0.
> The script checks the 'Next Update' field of the CRL and performs an update two days before it expires.
> The script is placed under fcron.daily for daily checks.
> Changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
>
> update.sh for Core 118 includes the needed server.conf changes but also an update of the CRL to prevent connection problems
> if systems already have an expired CRL.
> Server stop and start, if active, will also be executed.
>
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
> config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++
> config/rootfiles/common/openvpn | 5 +++-
> config/rootfiles/core/118/update.sh | 13 +++++++++
> html/cgi-bin/ovpnmain.cgi | 3 ++-
> lfs/openvpn | 11 +++++---
> src/misc-progs/openvpnctrl.c | 2 +-
> 6 files changed, 81 insertions(+), 6 deletions(-)
> create mode 100644 config/ovpn/ovpn_crl_updater.sh
>
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash
> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed,
> +# which prevents the expiration of OpenVPNs CRL.
> +# With OpenVPN 2.4.x the CRL handling has been refactored,
> +# whereby the verification logic has been removed from ssl_verify_<backend>.c .
> +# See for more infos:
> +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant,
> +# this script provides a cronjob which checks daily if an update of the CRL is needed.
> +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days)
> +# before the CRL expiration, an openssl command will be executed to renew the CRL.
> +# The renewing of the CRL will be logged into /var/log/messages.
> +#
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +###############################################################################################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
> + exit 0;
> +fi
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn";
> +CRL="${OVPN}/crls/cacrl.pem";
> +CAKEY="${OVPN}/ca/cakey.pem";
> +CACERT="${OVPN}/ca/cacert.pem";
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
> +## Values
> +# CRL check for the the 'Next Update:' in seconds
> +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
> +# Day in seconds to calculate
> +DAYINSEC="86400";
> +# Convert seconds to days
> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))";
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="2";
> +
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
> + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
> + logger -t openssl "OpenVPN CRL has been renewed";
> +fi
> +
> +exit 0
> +
> +# EOF
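Review bot: the EXPIRINGDATEINSEC line has no failure path. If `openssl crl` fails to read the file or the `grep -oP 'Next Update: *\K.*'` matches nothing, an empty string is handed to `date -d` and the arithmetic continues with whatever that produces, so the script may silently regenerate the CRL or abort on the later `[ "${NEXTUPDATE}" -le "${UPDATE}" ]` with a shell error instead of reporting a parse problem. Capture the field into a variable first, test it is non-empty, and `logger` plus `exit 1` otherwise; adding `-noout` to the `openssl crl` call also keeps the PEM body out of the pipe. The regenerated CRL's own lifetime comes from the `default_crl_days` setting in `${OPENSSLCONF}`, which this hunk does not touch, so it is worth stating in the header comment that the two-day threshold assumes that value is well above two days.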
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index b58e30c..cbfd03e 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,5 @@
> +etc/fcron.daily/ovpn_crl_updater.sh
> +#usr/include/openvpn-msg.h
> #usr/include/openvpn-plugin.h
> #usr/lib/openvpn
> #usr/lib/openvpn/plugins
> @@ -10,11 +12,12 @@ usr/sbin/openvpn
> #usr/share/doc/openvpn
> #usr/share/doc/openvpn/COPYING
> #usr/share/doc/openvpn/COPYRIGHT.GPL
> +#usr/share/doc/openvpn/Changes.rst
> #usr/share/doc/openvpn/README
> #usr/share/doc/openvpn/README.IPv6
> #usr/share/doc/openvpn/README.auth-pam
> #usr/share/doc/openvpn/README.down-root
> -#usr/share/doc/openvpn/README.polarssl
> +#usr/share/doc/openvpn/README.mbedtls
> #usr/share/doc/openvpn/management-notes.txt
> #usr/share/man/man8/openvpn.8
> var/ipfire/ovpn/ca
> diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/118/update.sh
> index 545c8ef..ea56832 100644
> --- a/config/rootfiles/core/118/update.sh
> +++ b/config/rootfiles/core/118/update.sh
> @@ -58,6 +58,19 @@ ldconfig
> /etc/init.d/apache restart
> /etc/init.d/snort start
>
> +# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL
> +if [ -e /var/ipfire/ovpn/server.conf ]; then
> + if pgrep openvpn >/dev/null; then
> + openvpnctrl -k
> + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
> + openvpnctrl -s
> + else
> + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
> + fi
> +fi
> +
> # This update need a reboot...
> touch /var/run/need_reboot
>
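Review bot: the `sed -i` and `openssl ca -gencrl` lines are copied verbatim into both branches of the `pgrep openvpn` test; run them once after the `if [ -e /var/ipfire/ovpn/server.conf ]` check and keep only `openvpnctrl -k` / `openvpnctrl -s` inside the conditional. The `'/status .*/ a ncp-disable'` expression is also not idempotent: every re-run of update.sh appends another `ncp-disable` line, so guard it with something like `grep -q '^ncp-disable' /var/ipfire/ovpn/server.conf ||` before the sed. The CRL regeneration here has the same silent-failure property as the cron script: if `openssl ca` fails, the server is restarted with the old, possibly expired, CRL and nothing is logged.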
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..424a5c9 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -216,7 +216,7 @@ sub writeserverconf {
> print CONF "dev tun\n";
> print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
> print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
> - print CONF "script-security 3 system\n";
> + print CONF "script-security 3\n";
> print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
> print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
> print CONF "tls-server\n";
> @@ -289,6 +289,7 @@ sub writeserverconf {
> }
> print CONF "status-version 1\n";
> print CONF "status /var/run/ovpnserver.log 30\n";
> + print CONF "ncp-disable\n";
> print CONF "cipher $sovpnsettings{DCIPHER}\n";
> if ($sovpnsettings{'DAUTH'} eq '') {
> print CONF "";
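Review bot: `ncp-disable` is emitted unconditionally right before the `cipher` line, which pins every server to the single configured cipher and removes the 2.4 negotiation path for all clients; the commit message only says this is "for the first". A short comment above the new `print CONF "ncp-disable\n";` explaining that it is a transitional setting, and under what condition it is meant to go away, would help whoever later revisits this.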
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 8307d01..e7f9bc2 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2017 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2018 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 2.3.18
> +VER = 2.4.4
>
> THISAPP = openvpn-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
> +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
>
> install : $(TARGET)
>
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
> chown root:root /usr/lib/openvpn/verify
> chmod 755 /usr/lib/openvpn/verify
> + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
> + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
> + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
> +
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
> +
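Review bot: the final `+` line of the hunk adds a whitespace-only trailing line after `@$(POSTBUILD)`; drop it. The `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` relies on the config/ovpn directory having been copied into /var/ipfire/ovpn earlier in the same recipe, which is outside this hunk, so a one-line comment naming that dependency would make the install step self-explanatory. Mode 750 with root:root ownership matches the daily cron context the script is meant for.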
> diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
> index 20967e4..39e8f58 100644
> --- a/src/misc-progs/openvpnctrl.c
> +++ b/src/misc-progs/openvpnctrl.c
> @@ -485,7 +485,7 @@ void startDaemon(void) {
> executeCommand(command);
> snprintf(command, STRING_SIZE-1, "/bin/chown root.nobody /var/run/ovpnserver.log");
> executeCommand(command);
> - snprintf(command, STRING_SIZE-1, "/bin/chmod 644 /var/run/ovpnserver.log");
> + snprintf(command, STRING_SIZE-1, "/bin/chmod 664 /var/run/ovpnserver.log");
> executeCommand(command);
> }
> }
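Review bot: the change from `chmod 644` to `chmod 664` makes /var/run/ovpnserver.log writable by group `nobody` (set by the `chown root.nobody` two lines above), and neither the code nor the commit message says why. Add a comment on the `snprintf` line stating that the unprivileged daemon must be able to rewrite its status file, so the wider mode is not later mistaken for a typo and reverted.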
> --
> 2.7.4
>