From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] backup(.pl): Replace OpenVPN DH parameter with ffdhe4096
Date: Wed, 14 Dec 2022 18:02:55 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5432453987892890812=="
List-Id:

--===============5432453987892890812==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Peter,

> On 13 Dec 2022, at 15:47, Peter Müller wrote:
>
> This ensures restoring a backup won't silently bring back an insecure
> Diffie-Hellman parameter (which could also not be inspected through the
> web interface anymore).
>
> Reported-by: Michael Tremer
> Signed-off-by: Peter Müller
> --- > config/backup/backup.pl | 9 +++++++++ > 1 file changed, 9 insertions(+) >=20 > diff --git a/config/backup/backup.pl b/config/backup/backup.pl > index 6fd9e45bb..520d9315d 100644 > --- a/config/backup/backup.pl > +++ b/config/backup/backup.pl 
> @@ -187,6 +187,15 @@ restore_backup() { > # Update OpenVPN CRL > /etc/fcron.daily/openvpn-crl-updater >=20 > + # Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096 > + if [ -f /var/ipfire/ovpn/server.conf ]; then > + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ip= fire/ovpn/server.conf > + fi > + > + if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then > + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ip= fire/ovpn/n2nconf/*/*.conf > + fi

The second command will never be executed because "/var/ipfire/ovpn/n2nconf/*/*.conf" will never exist.

Because the string is quoted, the shell won’t conduct any path expansion.

What could work is running the sed command on all files simultaneously and if there is nothing to change, it won’t do anything. Passing server.conf and n2nconfig/*/*.conf will never fail if there is no N2N configuration. server.conf should always exist.

Best,
-Michael

> + > return 0 > } >=20 > --=20 > 2.35.3
--===============5432453987892890812==--
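
Review bot: In the second `if`, the test `[ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]` quotes the glob, so `-f` looks for a file literally named `*.conf` inside a directory literally named `*`. The branch is never taken, and restored net-to-net configurations keep pointing at `/var/ipfire/ovpn/ca/dh1024.pem`. Removing the quotes is not sufficient, because `[ -f ... ]` takes a single operand and errors out as soon as more than one file matches. Iterating over the matches handles zero, one and many files alike: `for f in /var/ipfire/ovpn/n2nconf/*/*.conf; do [ -f "$f" ] && sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' "$f"; done`. If the two `sed` calls are merged into one instead, note that an unmatched glob is handed to `sed` as a literal file name unless `nullglob` is set.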