From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: Re: [PATCH v2] [PATCH] OpenVPN: Update to version 2.4.4 . Date: Fri, 26 Jan 2018 12:29:43 +0100 Message-ID: In-Reply-To: <1516965373-18093-1-git-send-email-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4908366882277038589==" List-Id: --===============4908366882277038589== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, forgot the CRL updater please ignore v1, PATCH v2 should include all. Best, Erik Am 26.01.2018 um 12:16 schrieb Erik Kapfer: > ovpnmain.cgi includes new directive '--ncp-disable' to disable for the firs= t the cipher negotiation. > script-security flag 'system' has been dropped cause of security concern= s. > Directive changes/explanations can be found in here https://community.op= envpn.net/openvpn/wiki/Openvpn24ManPage . >=20 > Update script for OpenVPN CRL has been integrated since OpenVPN refactors t= he CRL handling since v.2.4.0 . > Script checks the next update field from the CRL and preforms an update = two days before it expires. > Script is placed under fcron.daily for daily checks. > Changes can be found in here https://github.com/OpenVPN/openvpn/commit/1= 60504a2955c4478cd2c0323452929e07016a336 . >=20 > update.sh for Core 118 includes needed server.conf changes but also an upda= te of the CRL to prevent connection problems > if systems have already an expired CRL. > Server stop and start if active will be also executed. >=20 > Signed-off-by: Erik Kapfer > --- > config/ovpn/ovpn_crl_updater.sh | 53 ++++++++++++++++++++++++++++++++++= +++ > config/rootfiles/common/openvpn | 5 +++- > config/rootfiles/core/118/update.sh | 13 +++++++++ > html/cgi-bin/ovpnmain.cgi | 3 ++- > lfs/openvpn | 11 +++++--- > src/misc-progs/openvpnctrl.c | 2 +- > 6 files changed, 81 insertions(+), 6 deletions(-) > create mode 100644 config/ovpn/ovpn_crl_updater.sh >=20 
> diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater= .sh
> new file mode 100644
> index 0000000..309edc2
> --- /dev/null
> +++ b/config/ovpn/ovpn_crl_updater.sh
> @@ -0,0 +1,53 @@
> +#!/bin/bash
> +
> +#
> +# Script Name: ovpn_crl_updater.sh
> +# Description: This script checks the "Next Update:" field of the CRL and = renews it if needed,
> +# which prevents the expiration of OpenVPNs CRL.
> +# With OpenVPN 2.4.x the CRL handling has been refactored,
> +# whereby the verification logic has been removed from ssl_verify_.c .
> +# See for more infos:
> +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c032345= 2929e07016a336
> +#
> +# Run Information: If OpenVPNs CRL is presant,=20
> +# this script provides a cronjob which checks daily if an update of th= e CRL is needed.
> +# If the expiring date reaches the value (defined in the 'UPDATE' vari= able in days)
> +# before the CRL expiration, an openssl command will be executed to re= new the CRL.
> +# The renewing of the CRL will be logged into /var/log/messages.
> +#=20
> +# Author: Erik Kapfer
> +#
> +# Date: 17.01.2018
> +#
> +##########################################################################= #####################
> +
> +# Check if OpenVPN is active or if the CRL is presant
> +if [ ! 
-e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then > + exit 0; > +fi > + > +## Paths > +OVPN=3D"/var/ipfire/ovpn"; > +CRL=3D"${OVPN}/crls/cacrl.pem"; > +CAKEY=3D"${OVPN}/ca/cakey.pem"; > +CACERT=3D"${OVPN}/ca/cacert.pem"; > +OPENSSLCONF=3D"${OVPN}/openssl/ovpn.cnf"; > +## Values > +# CRL check for the the 'Next Update:' in seconds > +EXPIRINGDATEINSEC=3D"$(( $(date -d "$(openssl crl -in "${CRL}" -text | gre= p -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; > +# Day in seconds to calculate > +DAYINSEC=3D"86400"; > +# Convert seconds to days > +NEXTUPDATE=3D"$((EXPIRINGDATEINSEC / DAYINSEC))"; > +# Update of the CRL in days before CRL expiring date > +UPDATE=3D"2"; > + > +# Check if OpenVPNs CRL needs to be renewed > +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then > + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -c= onfig "${OPENSSLCONF}"; > + logger -t openssl "OpenVPN CRL has been renewed"; > +fi > + > +exit 0 > + > +# EOF > diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/open= vpn > index b58e30c..cbfd03e 100644 > --- a/config/rootfiles/common/openvpn > +++ b/config/rootfiles/common/openvpn > @@ -1,3 +1,5 @@ > +etc/fcron.daily/ovpn_crl_updater.sh > +#usr/include/openvpn-msg.h > #usr/include/openvpn-plugin.h > #usr/lib/openvpn > #usr/lib/openvpn/plugins > @@ -10,11 +12,12 @@ usr/sbin/openvpn > #usr/share/doc/openvpn > #usr/share/doc/openvpn/COPYING > #usr/share/doc/openvpn/COPYRIGHT.GPL > +#usr/share/doc/openvpn/Changes.rst > #usr/share/doc/openvpn/README > #usr/share/doc/openvpn/README.IPv6 > #usr/share/doc/openvpn/README.auth-pam > #usr/share/doc/openvpn/README.down-root > -#usr/share/doc/openvpn/README.polarssl > +#usr/share/doc/openvpn/README.mbedtls > #usr/share/doc/openvpn/management-notes.txt > #usr/share/man/man8/openvpn.8 > var/ipfire/ovpn/ca > diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/11= 8/update.sh > index 545c8ef..ea56832 100644 > --- a/config/rootfiles/core/118/update.sh 
> +++ b/config/rootfiles/core/118/update.sh > @@ -58,6 +58,19 @@ ldconfig > /etc/init.d/apache restart > /etc/init.d/snort start >=20 > +# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL > +if [ -e /var/ipfire/ovpn/server.conf ]; then > + if pgrep openvpn >/dev/null; then > + openvpnctrl -k > + sed -i -e 's/script-security 3 system/script-security 3/' -e '/sta= tus .*/ a ncp-disable' /var/ipfire/ovpn/server.conf > + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /v= ar/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /va= r/ipfire/ovpn/openssl/ovpn.cnf > + openvpnctrl -s > + else > + sed -i -e 's/script-security 3 system/script-security 3/' -e '/sta= tus .*/ a ncp-disable' /var/ipfire/ovpn/server.conf > + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /v= ar/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /va= r/ipfire/ovpn/openssl/ovpn.cnf > + fi > +fi > + > # This update need a reboot... > touch /var/run/need_reboot >=20 > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 9f5e682..424a5c9 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -216,7 +216,7 @@ sub writeserverconf { > print CONF "dev tun\n"; > print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; > print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; > - print CONF "script-security 3 system\n"; > + print CONF "script-security 3\n"; > print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\= n"; > print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; > print CONF "tls-server\n"; > @@ -289,6 +289,7 @@ sub writeserverconf { > }=09 > print CONF "status-version 1\n"; > print CONF "status /var/run/ovpnserver.log 30\n"; > + print CONF "ncp-disable\n"; > print CONF "cipher $sovpnsettings{DCIPHER}\n"; > if ($sovpnsettings{'DAUTH'} eq '') { > print CONF ""; > diff --git a/lfs/openvpn b/lfs/openvpn > index 8307d01..e7f9bc2 100644 > --- a/lfs/openvpn 
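Review bot: The new `ncp-disable` line in writeserverconf carries no comment explaining why cipher negotiation is switched off, and the directive is security-relevant: it pins every client to the single `cipher $sovpnsettings{DCIPHER}` written on the following line and forgoes the cipher negotiation that 2.4 peers would otherwise perform. The commit message gives the reason, but a maintainer reading the CGI will not see it. I would add directly above the line `# Disable cipher negotiation (NCP): the server keeps using the cipher configured below, presumably so existing clients and the client configs generated here stay compatible; revisit once the UI can manage ncp-ciphers.` writeserverconf starts and ends outside the hunk.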
> +++ b/lfs/openvpn > @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2017 IPFire Team = # > +# Copyright (C) 2018 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 2.3.18 > +VER =3D 2.4.4 >=20 > THISAPP =3D openvpn-$(VER) > DL_FILE =3D $(THISAPP).tar.xz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_MD5 =3D 844ec9c64aae62051478784b8562f881 > +$(DL_FILE)_MD5 =3D 7a2002aad1671b24457bc9432a0c5c52 >=20 > install : $(TARGET) >=20 > @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify > chown root:root /usr/lib/openvpn/verify > chmod 755 /usr/lib/openvpn/verify > + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily > + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh > + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh > + > @rm -rf $(DIR_APP) > @$(POSTBUILD) > + > diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c > index 20967e4..39e8f58 100644 > --- a/src/misc-progs/openvpnctrl.c > +++ b/src/misc-progs/openvpnctrl.c > @@ -485,7 +485,7 @@ void startDaemon(void) { > executeCommand(command); > snprintf(command, STRING_SIZE-1, "/bin/chown root.nobody /var/run/ovpnser= ver.log"); > executeCommand(command); > - snprintf(command, STRING_SIZE-1, "/bin/chmod 644 /var/run/ovpnserver.log= "); > + snprintf(command, STRING_SIZE-1, "/bin/chmod 664 /var/run/ovpnserver.log= "); > executeCommand(command); > } > } > --=20 > 2.7.4 >=20 --===============4908366882277038589==--
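Review bot: Changing the mode of `/var/run/ovpnserver.log` from 644 to 664 after the preceding `chown root.nobody` grants write access to every process running in group nobody, not only the OpenVPN server, and this is the file the generated server.conf points `status` at and the web UI reads for the client list, so any unprivileged daemon in that group could forge or wipe what the UI shows. If the widening is needed because OpenVPN rewrites the status file after dropping privileges to nobody — presumably the motivation, but nothing in the diff says so — a comment should record it, e.g. `/* 664: openvpn rewrites the status file after dropping to nobody */`, and a dedicated group for the openvpn process would confine the write access instead of sharing it with everything else running as nobody. startDaemon starts outside the hunk.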