From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 1/3] OpenVPN: Replace existing Diffie-Hellman parameter with ffdhe4096 Date: Fri, 11 Nov 2022 12:14:37 +0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2471038300488650518==" List-Id: --===============2471038300488650518== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Initial patch: https://git.ipfire.org/?p=3Dpeople/ummeegge/ipfire-2.x.git;a= =3Dcommit;h=3D2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8 Minor adjustments to make it apply to the current state of "next", and removal of chown operation in OpenSSL's LFS file, which would have lead to the Diffie-Hellman group file being writable by nobody, for which there is no necessity. Fixes: #12632 From: Erik Kapfer Signed-off-by: Peter M=C3=BCller --- config/rootfiles/common/openssl | 1 + html/cgi-bin/ovpnmain.cgi | 185 ++------------------------------ langs/de/cgi-bin/de.pl | 16 --- langs/en/cgi-bin/en.pl | 17 --- langs/fr/cgi-bin/fr.pl | 17 --- langs/it/cgi-bin/it.pl | 16 --- langs/tr/cgi-bin/tr.pl | 16 --- lfs/openssl | 3 + 8 files changed, 11 insertions(+), 260 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index bb7e6f65c..ae9716eea 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -2,6 +2,7 @@ #etc/ssl/certs #etc/ssl/ct_log_list.cnf #etc/ssl/ct_log_list.cnf.dist +etc/ssl/ffdhe4096.pem #etc/ssl/misc #etc/ssl/misc/CA.pl #etc/ssl/misc/tsget diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f85d610d8..dc429d90c 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -78,6 +78,7 @@ my $name; my $col=3D""; my $local_serverconf =3D "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf =3D "${General::swroot}/ovpn/scripts/client.conf.local"; +my $dhparameter =3D "/etc/ssl/ffdhe4096.pem"; =20 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} =3D 'off'; @@ -89,8 +90,6 @@ $cgiparams{'COMPRESSION'} =3D 'off'; $cgiparams{'ONLY_PROPOSED'} =3D 'off'; $cgiparams{'ACTION'} =3D ''; $cgiparams{'CA_NAME'} =3D ''; -$cgiparams{'DH_NAME'} =3D 'dh1024.pem'; -$cgiparams{'DHLENGHT'} =3D ''; $cgiparams{'DHCP_DOMAIN'} =3D ''; $cgiparams{'DHCP_DNS'} =3D ''; $cgiparams{'DHCP_WINS'} =3D ''; @@ -221,28 +220,6 @@ sub deletebackupcert =20 sub pkiconfigcheck { - # Warning if DH parameter is 1024 bit - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my @dhparameter =3D &General::system_output("/usr/bin/openssl", "dhparam",= "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - my $dhbit; - - # Loop through the output and search for the DH bit lenght. - foreach my $line (@dhparameter) { - if ($line =3D~ (/(\d+)/)) { - # Assign match to dhbit value. - $dhbit =3D $1; - - last; - } - } - - # Check if the used key lenght is at least 2048 bit. - if ($dhbit < 2048) { - $cryptoerror =3D "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; - } - } - # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my @signature =3D &General::system_output("/usr/bin/openssl", "x509", "-no= out", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); 
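Review bot: With the bit-length check removed from `pkiconfigcheck`, nothing in this sub reports a missing `/etc/ssl/ffdhe4096.pem` any more, while `writeserverconf` (the `-290` hunk) still writes `dh $dhparameter` unconditionally, so on a system whose openssl package does not yet ship the file the generated server.conf points at a non-existent path and OpenVPN fails to start without any WebUI hint. The enable condition in the `-5447` hunk does test `-e "$dhparameter"`, so this may only matter for configurations rewritten through other paths — worth confirming. A short guard at the top of `pkiconfigcheck`, e.g. `unless (-f $dhparameter) { $cryptoerror = "$Lang::tr{'not present'}: $dhparameter"; goto CRYPTO_ERROR; }`, would keep the previous behaviour of surfacing DH problems through the crypto warning. Separately, `my $dhparameter = "/etc/ssl/ffdhe4096.pem";` interpolates nothing and would normally be single-quoted. The body of `pkiconfigcheck` continues past the end of this hunk.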
@@ -290,7 +267,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; + print CONF "dh $dhparameter\n"; my @tempovpnsubnet =3D split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{= 'GREEN_NETMASK'}\"\n"; @@ -1358,102 +1335,6 @@ END exit (0); =20 ### -### Generate DH key step 2 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{= 'AREUSURE'} eq 'yes') { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/d= h1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - } - -### -### Generate DH key step 1 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); - print < - - - - - $Lang::tr{'ovpn dh'}: - -
- - - - -
- - - - $Lang::tr{'capswarning'}: <= /b>$Lang::tr{'dh key warn'} - - - - - - - - - -
$Lang::tr{'dh key warn1'}

- -END - ; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - -### -### Upload DH key -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - unless (ref ($cgiparams{'FH'})) { - $errormessage =3D $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded dh key to a temporary file - (my $fh, my $filename) =3D tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) !=3D 1) { - $errormessage =3D $!; - goto UPLOADCA_ERROR; - } - my @temp =3D &General::system_output("/usr/bin/openssl", "dhparam", "-te= xt", "-in", "$filename"); - if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { - $errormessage =3D $Lang::tr{'not a valid dh key'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - - unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")= ) { - $errormessage =3D "$Lang::tr{'dh key move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } -### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { 
@@ -2028,21 +1909,6 @@ END &cleanssldatabase(); goto ROOTCERT_ERROR; } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/d= h1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage =3D "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); - unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &cleanssldatabase(); - goto ROOTCERT_ERROR; -# } else { -# &cleanssldatabase(); - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2092,14 +1958,6 @@ END } print < - $Lang::tr{'ovpn dh'}: - - - =20   @@ -2107,16 +1965,6 @@ END 3D'*' $Lang::tr{'requ= ired field'}
- - - $Lang::tr{'capswarning'}: <= /b>$Lang::tr{'ovpn generating the root and host certificates'} - - - - - - -
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

=20 @@ -2681,14 +2529,14 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { =20 - if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + if (! -e "$dhparameter") { $errormessage =3D $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my @output =3D &General::system_output("/usr/bin/openssl", "dhparam", "-te= xt", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + my @output =3D &General::system_output("/usr/bin/openssl", "dhparam", "-te= xt", "-in", "$dhparameter"); my $output =3D &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); @@ -5447,7 +5295,7 @@ END print ""; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "$dhparameter" && -e "${General::swroot}/ovpn/certs/servercert.pem" && -e "${General::swroot}/ovpn/certs/serverkey.pem") && (( $cgiparams{'ENABLED'} eq 'on') || @@ -5838,8 +5686,8 @@ END } =20 # Adding DH parameter to chart - if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my @dhsubject =3D &General::system_output("/usr/bin/openssl", "dhparam", "= -text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + if (-f "$dhparameter") { + my @dhsubject =3D &General::system_output("/usr/bin/openssl", "dhparam", "= -text", "-in", "$dhparameter"); my $dhsubject; =20 foreach my $line (@dhsubject) { @@ -5996,25 +5844,6 @@ END
- -
- - - - - - - - - - - - - - - -
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh upload'}: -
$Lang::tr{'ovpn dh new key'}:
=20

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index db7d117b0..f64fbb6fa 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -760,11 +760,6 @@ 'details' =3D> 'Mehr', 'device' =3D> 'Ger=C3=A4t', 'devices on blue' =3D> 'Ger=C3=A4te auf BLAU', -'dh' =3D> 'Diffie-Hellman-Parameter', -'dh key move failed' =3D> 'Verschieben der Diffie-Hellman-Parameter fehlgesc= hlagen.', -'dh key warn' =3D> 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bi= t dauert =C3=BCblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit = L=C3=A4nge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas= Geduld.', -'dh key warn1' =3D> 'Bei schwachen Systemen oder Systeme mit wenig Entropie = wird empfohlen, lange Diffie-Hellman-Parameter =C3=BCber die Upload-Funktion = hochzuladen.', -'dh parameter' =3D> 'Diffie-Hellman-Parameter', 'dhcp advopt add' =3D> 'DHCP Option hinzuf=C3=BCgen', 'dhcp advopt added' =3D> 'DHCP Option hinzugef=C3=BCgt', 'dhcp advopt blank value' =3D> 'Wert f=C3=BCr DHCP Option darf nicht leer se= in', @@ -898,7 +893,6 @@ 'download' =3D> 'herunterladen', 'download ca certificate' =3D> 'CA-Zertifikat herunterladen', 'download certificate' =3D> 'Datei herunterladen', -'download dh parameter' =3D> 'Diffie-Hellman-Parameter herunterladen', 'download host certificate' =3D> 'Host-Zertifikat herunterladen', 'download new ruleset' =3D> 'Neuen Regelsatz herunterladen', 'download pkcs12 file' =3D> 'PKCS12-Datei herunterladen', 
@@ -1313,11 +1307,9 @@ 'fwhost wo subnet' =3D> '(Ohne Subnetz)', 'gateway' =3D> 'Gateway', 'gateway ip' =3D> 'Gateway-IP', -'gen dh' =3D> 'Neuen Diffie-Hellman-Parameter erzeugen', 'gen static key' =3D> 'Statischen Schl=C3=BCssel erzeugen', 'generate' =3D> 'Root/Host-Zertifikate generieren', 'generate a certificate' =3D> 'Erzeuge ein Zertifikat:', -'generate dh key' =3D> 'Diffie-Hellman Key generieren', 'generate iso' =3D> 'ISO erstellen', 'generate ptr' =3D> 'PTR erzeugen', 'generate root/host certificates' =3D> 'Erzeuge Root/Host-Zertifikate', @@ -1860,7 +1852,6 @@ 'nonetworkname' =3D> 'Kein Netzwerkname wurde eingegeben', 'noservicename' =3D> 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' =3D> 'Kein g=C3=BCltiges CA Zertifikat.', -'not a valid dh key' =3D> 'Kein g=C3=BCltiger Diffie-Hellman-Parameter. Es s= ind nur Parameter mit einer L=C3=A4nge von 2048, 3072 oder 4096 Bit im PKCS#3= -Format erlaubt.', 'not affected' =3D> 'Nicht betroffen', 'not enough disk space' =3D> 'Nicht gen=C3=BCgend Plattenplatz vorhanden', 'not present' =3D> 'Nicht vorhanden', @@ -1961,15 +1952,10 @@ 'ovpn connection name' =3D> 'Verbindungs-Name', 'ovpn crypt options' =3D> 'Kryptografieoptionen', 'ovpn device' =3D> 'OpenVPN-Ger=C3=A4t', -'ovpn dh' =3D> 'Diffie-Hellman-Parameter-L=C3=A4nge', -'ovpn dh new key' =3D> 'Neuen Diffie-Hellman Parameter erstellen', -'ovpn dh parameters' =3D> 'Diffie-Hellman-Parameter Optionen', -'ovpn dh upload' =3D> 'Neuen Diffie-Hellman-Parameter hochladen', 'ovpn dl' =3D> 'OVPN-Konfiguration downloaden', 'ovpn engines' =3D> 'Krypto Engine', 'ovpn errmsg green already pushed' =3D> 'Route f=C3=BCr gr=C3=BCnes Netzwerk= wird immer gesetzt', 'ovpn errmsg invalid ip or mask' =3D> 'Ung=C3=BCltige Netzwerk-Adresse oder = Subnetzmaske', -'ovpn error dh' =3D> 'Der Diffie-Hellman Parameter muss mindestens 2048 bit = lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochl= aden, dies kann unten =C3=BCber den Bereich "Diffie-Hellman-Parameter Optione= n" gemacht werden.
', 'ovpn error md5' =3D> 'Das Host Zertifikat nutzt einen MD5 Algorithmus welch= er nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updat= en und generieren sie ein neues Root und Host Zertifikate.

Es m=C3=BC= ssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' =3D> 'Die Erzeugung der Roo= t- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' =3D> 'Hash-Algorithmus', @@ -2270,7 +2256,6 @@ 'show ca certificate' =3D> 'CA Zertifikat anzeigen', 'show certificate' =3D> 'Datei anzeigen', 'show crl' =3D> 'Certificate Revocation List anzeigen', -'show dh' =3D> 'Diffie-Hellman-Parameter anzeigen', 'show host certificate' =3D> 'Host-Zertifikat anzeigen', 'show last x lines' =3D> 'die letzten x Zeilen anzeigen', 'show otp qrcode' =3D> 'Zeige OTP QRCode', @@ -2645,7 +2630,6 @@ 'upload a certificate' =3D> 'Ein Zertifikat hochladen:', 'upload a certificate request' =3D> 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' =3D> 'CA-Zertifikat hochladen', -'upload dh key' =3D> 'Diffie-Hellman-Parameter hochladen', 'upload file' =3D> 'Datei zum Hochladen', 'upload new ruleset' =3D> 'Neuen Regelsatz hochladen', 'upload p12 file' =3D> 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 60dca5be4..deafcf660 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -794,12 +794,6 @@ 'details' =3D> 'Details', 'device' =3D> 'Device', 'devices on blue' =3D> 'Devices on BLUE', -'dh' =3D> 'Diffie-Hellman parameters', -'dh key move failed' =3D> 'Diffie-Hellman parameters move failed.', -'dh key warn' =3D> 'Creating DH-parameters with a length of 2048 bits takes = up to several minutes. Lengths of 3072 or 4096 bits might needs several hours= . Please be patient.', -'dh key warn1' =3D> 'For weak systems or systems with little entropy, it is = recommended to upload long Diffie-Hellman parameters by usage of the upload f= unction.', -'dh name is invalid' =3D> 'Name is invalid, please use "dh1024.pem".', -'dh parameter' =3D> 'Diffie-Hellman parameters', 'dhcp advopt add' =3D> 'Add a DHCP option', 'dhcp advopt added' =3D> 'DHCP option added', 'dhcp advopt blank value' =3D> 'DHCP Option value cannot be empty.', 
@@ -939,7 +933,6 @@ 'download apple profile' =3D> 'Download Apple Configuration Profile', 'download ca certificate' =3D> 'Download CA certificate', 'download certificate' =3D> 'Download file', -'download dh parameter' =3D> 'Download Diffie-Hellman parameters', 'download host certificate' =3D> 'Download host certificate', 'download new ruleset' =3D> 'Download new ruleset', 'download pkcs12 file' =3D> 'Download PKCS12 file', @@ -1358,11 +1351,9 @@ 'g.lite' =3D> 'TO BE REMOVED', 'gateway' =3D> 'Gateway', 'gateway ip' =3D> 'Gateway IP', -'gen dh' =3D> 'Generate new Diffie-Hellman parameters', 'gen static key' =3D> 'Generate a static key', 'generate' =3D> 'Generate root/host zertifikate', 'generate a certificate' =3D> 'Generate a certificate:', -'generate dh key' =3D> 'Generate Diffie-Hellman parameters', 'generate iso' =3D> 'Generate ISO', 'generate ptr' =3D> 'Generate PTR', 'generate root/host certificates' =3D> 'Generate root/host certificates', @@ -1911,7 +1902,6 @@ 'nonetworkname' =3D> 'No Network Name entered', 'noservicename' =3D> 'No Service Name entered', 'not a valid ca certificate' =3D> 'Not a valid CA certificate.', -'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not affected' =3D> 'Not Affected', 'not enough disk space' =3D> 'Not enough disk space', 'not present' =3D> 'Not present', 
@@ -2015,15 +2005,10 @@ 'ovpn connection name' =3D> 'Connection Name', 'ovpn crypt options' =3D> 'Cryptographic options', 'ovpn device' =3D> 'OpenVPN device:', -'ovpn dh' =3D> 'Diffie-Hellman parameters length', -'ovpn dh new key' =3D> 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' =3D> 'Diffie-Hellman parameters options', -'ovpn dh upload' =3D> 'Upload new Diffie-Hellman parameters', 'ovpn dl' =3D> 'OVPN-Config Download', 'ovpn engines' =3D> 'Crypto engine', 'ovpn errmsg green already pushed' =3D> 'Route for green network is always s= et', 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ', -'ovpn error dh' =3D> 'The Diffie-Hellman parameter needs to be in minimum 20= 48 bit!
Please generate or upload a new Diffie-Hellman parameter, this ca= n be made below in the section "Diffie-Hellman parameters options".
', 'ovpn error md5' =3D> 'You host certificate uses MD5 for the signature which= is not accepted anymore.
Please update to the latest IPFire version and = generate a new root and host certificate.

All OpenVPN clients needs t= hen to be renewed!
', 'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certificate can take a long time.', 'ovpn ha' =3D> 'Hash algorithm', @@ -2327,7 +2312,6 @@ 'show ca certificate' =3D> 'Show CA certificate', 'show certificate' =3D> 'Show file', 'show crl' =3D> 'Show certificate revocation list', -'show dh' =3D> 'Show Diffie-Hellman parameters', 'show host certificate' =3D> 'Show host certificate', 'show last x lines' =3D> 'Show last x lines', 'show lines' =3D> 'Show lines', @@ -2710,7 +2694,6 @@ 'upload a certificate' =3D> 'Upload a certificate:', 'upload a certificate request' =3D> 'Upload a certificate request:', 'upload ca certificate' =3D> 'Upload CA certificate', -'upload dh key' =3D> 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' =3D> 'TO BE REMOVED', 'upload file' =3D> 'Upload file', 'upload new ruleset' =3D> 'Upload new ruleset', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index a1643557e..ee5c40025 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl 
@@ -799,12 +799,6 @@ 'details' =3D> 'D=C3=A9tails', 'device' =3D> 'P=C3=A9riph=C3=A9rique', 'devices on blue' =3D> 'P=C3=A9riph=C3=A9riques sur BLEU', -'dh' =3D> 'Param=C3=A8tres Diffie-Hellman', -'dh key move failed' =3D> 'Le d=C3=A9placement des param=C3=A8tres Diffie-He= llman a =C3=A9chou=C3=A9.', -'dh key warn' =3D> 'La cr=C3=A9ation de param=C3=A8tres DH avec des longueur= s de 1024 ou 2048 bits prend plusieurs minutes. Des longueurs de 3072 ou 4096= bits peuvent n=C3=A9cessiter plusieurs heures. Soyez patient.', -'dh key warn1' =3D> 'Pour des syst=C3=A8mes faibles ou avec peu d\'entropie,= il est recommand=C3=A9 de t=C3=A9l=C3=A9charger les param=C3=A8tres Diffie-H= ellman longs en utilisant la fonction de t=C3=A9l=C3=A9chargement.', -'dh name is invalid' =3D> 'Le nom est invalide, veuillez utiliser "dh1024.pe= m".', -'dh parameter' =3D> 'Param=C3=A8tres Diffie-Hellman', 'dhcp advopt add' =3D> 'Ajouter une option DHCP', 'dhcp advopt added' =3D> 'Option DHCP ajout=C3=A9e', 'dhcp advopt blank value' =3D> 'La valeur de l\'option DHCP ne peut pas =C3= =AAtre vide.', @@ -944,7 +938,6 @@ 'download apple profile' =3D> 'T=C3=A9l=C3=A9charger le profil de configurat= ion Apple', 'download ca certificate' =3D> 'T=C3=A9l=C3=A9charger le certificat CA', 'download certificate' =3D> 'T=C3=A9l=C3=A9charger le certificat', -'download dh parameter' =3D> 'T=C3=A9l=C3=A9charger param=C3=A8tres Diffie-H= ellman', 'download host certificate' =3D> 'T=C3=A9l=C3=A9charger le certificat de l\'= h=C3=B4te', 'download new ruleset' =3D> 'T=C3=A9l=C3=A9charger de nouvelles r=C3=A8gles', 'download pkcs12 file' =3D> 'T=C3=A9l=C3=A9charger le fichier PKCS12', 
@@ -1360,11 +1353,9 @@ 'fwhost wo subnet' =3D> '(sans sous-r=C3=A9seau)', 'gateway' =3D> 'Passerelle ', 'gateway ip' =3D> 'IP passerelle', -'gen dh' =3D> 'G=C3=A9n=C3=A9rer nouveaux param=C3=A8tres Diffie-Hellman ', 'gen static key' =3D> 'G=C3=A9n=C3=A9rer une clef statique', 'generate' =3D> 'G=C3=A9n=C3=A9rer un certificat racine / h=C3=B4te', 'generate a certificate' =3D> 'G=C3=A9n=C3=A9rer un certificat :', -'generate dh key' =3D> 'G=C3=A9n=C3=A9rer param=C3=A8tres Diffie-Hellman', 'generate iso' =3D> 'G=C3=A9n=C3=A9rer ISO', 'generate ptr' =3D> 'G=C3=A9n=C3=A9rer PTR ', 'generate root/host certificates' =3D> 'G=C3=A9n=C3=A9rer des certificats ro= ot / h=C3=B4te', @@ -1917,7 +1908,6 @@ 'nonetworkname' =3D> 'Aucun nom de r=C3=A9seau saisi', 'noservicename' =3D> 'Aucun nom de service saisi', 'not a valid ca certificate' =3D> 'Le certificat CA n\'est pas valide.', -'not a valid dh key' =3D> 'Ce n\'est pas un fichier de param=C3=A8tres Diffi= e-Hellman valide. Veuillez choisir une longueur de 1024, 2048, 3072 ou 4096 b= its et le format PKCS#3.', 'not affected' =3D> 'Non affect=C3=A9', 'not enough disk space' =3D> 'Pas assez d\'espace sur le disque', 'not present' =3D> 'Absent', 
@@ -2021,15 +2011,10 @@ 'ovpn connection name' =3D> 'Nom de la connexion ', 'ovpn crypt options' =3D> 'Options cryptographiques', 'ovpn device' =3D> 'P=C3=A9riph=C3=A9rique OpenVPN :', -'ovpn dh' =3D> 'Longueur de param=C3=A8tres Diffie-Hellman ', -'ovpn dh new key' =3D> 'G=C3=A9n=C3=A9rer de nouveaux param=C3=A8tres Diffie= -Hellman ', -'ovpn dh parameters' =3D> 'Options de param=C3=A8tres Diffie-Hellman', -'ovpn dh upload' =3D> 'Mettre =C3=A0 jour nouveaux param=C3=A8tres Diffie-He= llman ', 'ovpn dl' =3D> 'T=C3=A9l=C3=A9charger Config OVPN', 'ovpn engines' =3D> 'Moteur Crypto', 'ovpn errmsg green already pushed' =3D> 'La route pour le r=C3=A9seau VERT e= st toujours activ=C3=A9e', 'ovpn errmsg invalid ip or mask' =3D> 'Adresse ou masque de sous-r=C3=A9seau= invalide', -'ovpn error dh' =3D> 'Le param=C3=A8tre Diffie-Hellman doit =C3=AAtre au min= imum =C3=A0 2048 bits !
Veuillez g=C3=A9n=C3=A9rer ou t=C3=A9l=C3=A9charg= er un nouveau param=C3=A8tre Diffie-Hellman, cela peut =C3=AAtre fait ci-dess= ous dans la section "Options de param=C3=A8tres Diffie-Hellman".
', 'ovpn error md5' =3D> 'Votre certificat h=C3=B4te utilise MD5 pour la signat= ure qui n\'est plus accept=C3=A9e.
Veuillez mettre =C3=A0 jour la derni= =C3=A8re version d\'IPFire et g=C3=A9n=C3=A9rez un nouveau certificat racine = et h=C3=B4te..

Tous les clients OpenVPN doivent ensuite =C3=AAtre ren= ouvel=C3=A9s!
', 'ovpn generating the root and host certificates' =3D> 'La g=C3=A9n=C3=A9rati= on du certificat racine et h=C3=B4te peut prendre du temps.', 'ovpn ha' =3D> 'Algorithme de hashage', @@ -2335,7 +2320,6 @@ 'show ca certificate' =3D> 'Afficher le certificat CA', 'show certificate' =3D> 'Afficher le certificat', 'show crl' =3D> 'Montrer la liste de r=C3=A9vocation des certificats', -'show dh' =3D> 'Afficher les param=C3=A8tres Diffie-Hellman', 'show host certificate' =3D> 'Afficher le certificat h=C3=B4te', 'show last x lines' =3D> 'Montrer les derni=C3=A8res x lignes', 'show lines' =3D> 'Montrer les lignes', @@ -2718,7 +2702,6 @@ 'upload a certificate' =3D> 'Envoyer un certificat :', 'upload a certificate request' =3D> 'Envoyer une demande de certificat :', 'upload ca certificate' =3D> 'Envoyer un certificat CA', -'upload dh key' =3D> 'T=C3=A9l=C3=A9charger param=C3=A8tres Diffie-Hellman', 'upload file' =3D> 'Envoyer un fichier', 'upload new ruleset' =3D> 'T=C3=A9l=C3=A9charger un nouveau r=C3=A9glement', 'upload p12 file' =3D> 'Envoyer fichier PKCS12', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index cf58bea90..87a86946f 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl 
@@ -681,12 +681,6 @@ 'details' =3D> 'Dettagli', 'device' =3D> 'Device', 'devices on blue' =3D> 'Devices on Blu', -'dh' =3D> 'Diffie-Hellman parameters', -'dh key move failed' =3D> 'Diffie-Hellman parameters move failed.', -'dh key warn' =3D> 'Creating DH-parameters with lengths of 1024 or 2048 bits= takes up to several minutes. Lengths of 3072 or 4096 bits might needs severa= l hours. Please be patient.', -'dh key warn1' =3D> 'For weak systems or systems with little entropy, it is = recommended to upload long Diffie-Hellman parameters by usage of the upload f= unction.', -'dh name is invalid' =3D> 'Name is invalid, please use "dh1024.pem".', -'dh parameter' =3D> 'Diffie-Hellman parameters', 'dhcp advopt add' =3D> 'Aggiungere un opzione DHCP', 'dhcp advopt added' =3D> 'Opzione DHCP aggiunto', 'dhcp advopt blank value' =3D> 'DHCP opzione non pu=C3=B2 essere vuoto.', @@ -796,7 +790,6 @@ 'download' =3D> 'download', 'download ca certificate' =3D> 'Download CA certificate', 'download certificate' =3D> 'Download certificate', -'download dh parameter' =3D> 'Download Diffie-Hellman parameters', 'download host certificate' =3D> 'Download host certificate', 'download new ruleset' =3D> 'Scarica il nuovo set di regole', 'download pkcs12 file' =3D> 'Download PKCS12 file', @@ -1158,11 +1151,9 @@ 'g.lite' =3D> 'TO BE REMOVED', 'gateway' =3D> 'Gateway', 'gateway ip' =3D> 'Gateway IP', -'gen dh' =3D> 'Generate new Diffie-Hellman parameters', 'gen static key' =3D> 'Generate a static key', 'generate' =3D> 'Generate root/host zertifikate', 'generate a certificate' =3D> 'Generate a certificate:', -'generate dh key' =3D> 'Generate Diffie-Hellman parameters', 'generate iso' =3D> 'Genera file ISO', 'generate root/host certificates' =3D> 'Generate root/host certificates', 'generate tripwire keys and init' =3D> 'generate tripwire keys and init', 
@@ -1594,7 +1585,6 @@ 'nonetworkname' =3D> 'No Network Name entered', 'noservicename' =3D> 'No Service Name entered', 'not a valid ca certificate' =3D> 'Not a valid CA certificate.', -'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' =3D> 'Spazio su disco insufficiente', 'not present' =3D> 'Non presente', 'not running' =3D> 'not running', @@ -1684,10 +1674,6 @@ 'ovpn config' =3D> 'OVPN-Config', 'ovpn crypt options' =3D> 'Cryptographic options', 'ovpn device' =3D> 'OpenVPN device:', -'ovpn dh' =3D> 'Diffie-Hellman parameters length', -'ovpn dh new key' =3D> 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' =3D> 'Diffie-Hellman parameters options', -'ovpn dh upload' =3D> 'Upload new Diffie-Hellman parameters', 'ovpn dl' =3D> 'OVPN-Config Download', 'ovpn engines' =3D> 'Crypto engine', 'ovpn errmsg green already pushed' =3D> 'Route for Verde network is always s= et', @@ -1958,7 +1944,6 @@ 'show ca certificate' =3D> 'Show CA certificate', 'show certificate' =3D> 'Show file', 'show crl' =3D> 'Show certificate revocation list', -'show dh' =3D> 'Show Diffie-Hellman parameters', 'show host certificate' =3D> 'Show host certificate', 'show last x lines' =3D> 'Show last x lines', 'show lines' =3D> 'Show lines', @@ -2298,7 +2283,6 @@ 'upload a certificate' =3D> 'Upload a certificate:', 'upload a certificate request' =3D> 'Upload a certificate request:', 'upload ca certificate' =3D> 'Upload CA certificate', -'upload dh key' =3D> 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' =3D> 'TO BE REMOVED', 'upload file' =3D> 'Upload file', 'upload new ruleset' =3D> 'Upload new ruleset', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index bc2eead9a..ad5567ce1 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl 
@@ -746,12 +746,6 @@ 'details' =3D> 'Detaylar', 'device' =3D> 'Ayg=C4=B1t', 'devices on blue' =3D> 'Mavi =C3=BCzerindeki ayg=C4=B1tlar', -'dh' =3D> 'Diffie-Hellman parametreleri', -'dh key move failed' =3D> 'Diffie-Hellman parametreleri ta=C5=9F=C4=B1namad= =C4=B1.', -'dh key warn' =3D> '1024 veya 2048 bit uzunlu=C4=9Fundaki Diffie-Hellman par= ametrelerini olu=C5=9Fturma birka=C3=A7 dakika s=C3=BCrebilir. 3072 veya 4096= bit uzunlu=C4=9Fundaki parametreleri olu=C5=9Fturmak ise birka=C3=A7 saate i= htiya=C3=A7 olabilir. L=C3=BCtfen sab=C4=B1rl=C4=B1 olun.', -'dh key warn1' =3D> 'Zay=C4=B1f veya entropileri k=C3=BC=C3=A7=C3=BCk olan s= istemler i=C3=A7in bu y=C3=BCkleme fonksiyonun kullan=C4=B1m=C4=B1 ile uzun D= iffie-Hellman parametrelerini y=C3=BCkleme tavsiye edilir.', -'dh name is invalid' =3D> 'Ge=C3=A7ersiz ad, l=C3=BCtfen "dh1024.pem" =C5=9F= eklinde kullan=C4=B1n.', -'dh parameter' =3D> 'Diffie-Hellman parametreleri', 'dhcp advopt add' =3D> 'DHCP se=C3=A7ene=C4=9Fi ekle', 'dhcp advopt added' =3D> 'DHCP se=C3=A7ene=C4=9Fi eklendi', 'dhcp advopt blank value' =3D> 'DHCP se=C3=A7ene=C4=9Fi de=C4=9Feri bo=C5=9F= olamaz.', @@ -868,7 +862,6 @@ 'download' =3D> '=C4=B0ndir', 'download ca certificate' =3D> 'CA sertifikas=C4=B1 indir', 'download certificate' =3D> 'Sertifika indir', -'download dh parameter' =3D> 'Diffie-Hellman parametrelerini indir', 'download host certificate' =3D> 'Ana bilgisayar belgesi indir', 'download new ruleset' =3D> 'Yeni Kural K=C3=BCmesi =C4=B0ndir', 'download pkcs12 file' =3D> 'PKCS12 dosyas=C4=B1n=C4=B1 indir', 
@@ -1269,11 +1262,9 @@ 'g.lite' =3D> 'KALDIRILACAK', 'gateway' =3D> 'A=C4=9F ge=C3=A7idi', 'gateway ip' =3D> 'A=C4=9F Ge=C3=A7idi IP Adresi', -'gen dh' =3D> 'Yeni Diffie-Hellman parametrelerini olu=C5=9Fturun', 'gen static key' =3D> 'Statik bir anahtar olu=C5=9Ftur', 'generate' =3D> 'Y=C3=B6netici/Sunucu Sertifikas=C4=B1 Olu=C5=9Ftur', 'generate a certificate' =3D> 'Sertifika olu=C5=9Ftur:', -'generate dh key' =3D> 'Diffie-Hellman parametrelerini olu=C5=9Fturun', 'generate iso' =3D> 'ISO olu=C5=9Ftur', 'generate root/host certificates' =3D> 'Y=C3=B6netici/Sunucu Sertifikas=C4= =B1 Olu=C5=9Ftur', 'generate tripwire keys and init' =3D> 'tripwire anahtarlar=C4=B1 ve init ol= u=C5=9Ftur', @@ -1731,7 +1722,6 @@ 'nonetworkname' =3D> 'A=C4=9F ad=C4=B1 girilmedi', 'noservicename' =3D> 'Hizmet ad=C4=B1 girilmedi', 'not a valid ca certificate' =3D> 'Ge=C3=A7erli bir CA sertifikas=C4=B1 de= =C4=9Fil.', -'not a valid dh key' =3D> 'Ge=C3=A7erli bir Diffie-Hellman parametre dosyas= =C4=B1 yok. 1024, 2048, 3072 veya 4096 bit uzunlu=C4=9Funda ve PKCS#3 bi=C3= =A7imini kullan=C4=B1n.', 'not enough disk space' =3D> 'Yeterli disk alan=C4=B1 yok', 'not present' =3D> 'Mevcut de=C4=9Fil', 'not running' =3D> '=C3=A7al=C4=B1=C5=9Fm=C4=B1yor', @@ -1828,10 +1818,6 @@ 'ovpn config' =3D> 'OVPN-Yap=C4=B1land=C4=B1rmas=C4=B1', 'ovpn crypt options' =3D> '=C5=9Eifreleme se=C3=A7enekleri', 'ovpn device' =3D> 'OpenVPN ayg=C4=B1t=C4=B1:', -'ovpn dh' =3D> 'Diffie-Hellman parametre uzunlu=C4=9Fu', -'ovpn dh new key' =3D> 'Yeni Diffie-Hellman parametrelerini olu=C5=9Fturun', -'ovpn dh parameters' =3D> 'Diffie-Hellman parametre se=C3=A7enekleri', -'ovpn dh upload' =3D> 'Yeni Diffie-Hellman parametreleri y=C3=BCkle', 'ovpn dl' =3D> 'OVPN-Yap=C4=B1land=C4=B1rmas=C4=B1 =C4=B0ndir', 'ovpn engines' =3D> '=C5=9Eifreleme motoru', 'ovpn errmsg green already pushed' =3D> 'Ye=C5=9Fil a=C4=9F i=C3=A7in her za= man bir yol ayarla', 
@@ -2111,7 +2097,6 @@ 'show ca certificate' =3D> 'CA sertifikalar=C4=B1n=C4=B1 g=C3=B6ster', 'show certificate' =3D> 'Sertifika g=C3=B6ster', 'show crl' =3D> 'Sertifika =C4=B0ptal Listesini G=C3=B6ster', -'show dh' =3D> 'Diffie-Hellman parametrelerini g=C3=B6ster', 'show host certificate' =3D> 'Ana bilgisayar sertifikalar=C4=B1n=C4=B1 g=C3= =B6ster', 'show last x lines' =3D> 'Son x sat=C4=B1rlar=C4=B1n=C4=B1 g=C3=B6ster', 'show lines' =3D> 'Sat=C4=B1rlar=C4=B1 g=C3=B6ster', @@ -2462,7 +2447,6 @@ 'upload a certificate' =3D> 'Sertifika y=C3=BCkle:', 'upload a certificate request' =3D> 'Sertifika iste=C4=9Fi y=C3=BCkle:', 'upload ca certificate' =3D> 'CA Sertifikas=C4=B1 Y=C3=BCkle', -'upload dh key' =3D> 'Diffie-Hellman parametreleri y=C3=BCkle', 'upload fcdsl.o' =3D> 'KALDIRILACAK', 'upload file' =3D> 'Dosya y=C3=BCkle', 'upload new ruleset' =3D> 'Yeni kurallar y=C3=BCkle', diff --git a/lfs/openssl b/lfs/openssl index 28a92a6b3..0431203f0 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -123,5 +123,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl =20 + # Install RFC 7919 defined standard group ffdhe4096 + install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl + @rm -rf $(DIR_APP) @$(POSTBUILD) --=20 2.35.3 --===============2471038300488650518==--
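Review bot: The new `install` line copies `$(DIR_SRC)/config/ssl/ffdhe4096.pem`, but no file under `config/ssl/` is added by this patch (the diffstat lists eight files, none of them the PEM), so this step fails unless the file arrives in another patch of the series; the commit message should say so. Since the OpenVPN DH strength now rests entirely on this one static file, a cheap build-time sanity check is worth adding before the install, e.g. `openssl dhparam -check -noout -in $(DIR_SRC)/config/ssl/ffdhe4096.pem`, which rejects a malformed file; comparing its prime against the RFC 7919 ffdhe4096 group would additionally catch a substituted one. Installing with `-m 0644` and no chown matches the commit message's intent of keeping the group file unwritable by nobody.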