From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] backup.pl: Remove the previous code for adding legacy provider to n2n
Date: Sun, 11 Jun 2023 15:17:15 +0200

Hi Michael,

On 10/06/2023 13:28, Michael Tremer wrote:
> Hello,
> 
>> On 10 Jun 2023, at 12:16, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> On 10/06/2023 12:16, Michael Tremer wrote:
>>> I did not merge this, as I believe we need this, because:
>>> We won't rewrite the OpenVPN configuration files on update, so it might be a good idea to just add the line and if someone edits the connection it might be removed.
>> The code in the backup.pl put the line into the config irrespective of the certificate being legacy or not.
>>
>> With the ovpnmain.cgi code patch of this patch set, it now only adds the providers legacy default to the config file if the cert is legacy when downloading the connection set. This is now done for both n2n and roadwarrior connection sets.
> 
> Yes, this is true, but we won't run the CGI during the update.
> 
> Any connections that have legacy certificates won't work after installing the new version of OpenSSL. So we need the legacy provider enabled (just to be safe).

Okay, understand where you are coming from. Good catch.

I have also now tested out an n2n connection created with openssl-3.x with and without the providers legacy default line in the client conf.
Can confirm that it works in both cases, so having the legacy line added does not cause any problems with the openssl-3.x n2n client connection working.

> 
>>> That should work I believe and -legacy should not have any side effects when enabled but not needed.
>> That is something I have not tested out but I think you are correct, it shouldn't have any side effects.
>>
>> I think it is good to go now and I can always do any additional minor tunings later in CU176 and onwards, otherwise we will be here forever.
> 
> I would rather like to get it right than being fast, but at this point I don't know what else we can do. So *fingers crossed*.
> 
> Let's release either tomorrow or Monday. Depending on how much I am going to enjoy the nice weather this weekend :)

Enjoy the nice weather.

Regards,
Adolf.

> 
> -Michael
> 
>>
>> Regards,
>>
>> Adolf.
>>> Best,
>>> -Michael
>>>> On 7 Jun 2023, at 15:21, Adolf Belka wrote:
>>>>
>>>> - This code is no longer needed with the code in the ovpnmain.cgi patch in this patch set.
>>>>
>>>> Tested-by: Adolf Belka
>>>> Signed-off-by: Adolf Belka
>>>> ---
>>>> config/backup/backup.pl | 15 ---------------
>>>> 1 file changed, 15 deletions(-)
>>>>
>>>> diff --git a/config/backup/backup.pl b/config/backup/backup.pl
>>>> index 8d990c0f1..60138a58a 100644
>>>> --- a/config/backup/backup.pl
>>>> +++ b/config/backup/backup.pl
>>>> @@ -190,21 +190,6 @@ restore_backup() {
>>>> # Update OpenVPN CRL
>>>> /etc/fcron.daily/openvpn-crl-updater
>>>>
>>>> - # Update OpenVPN N2N Client Configs
>>>> - ## Add providers legacy default line to n2n client config files
>>>> - # Check if ovpnconfig exists and is not empty
>>>> - if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
>>>> - # Identify all n2n connections
>>>> - for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
>>>> - # Add the legacy option to all N2N client conf files if it does not already exist
>>>> - if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
>>>> - if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
>>>> - echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
>>>> - fi
>>>> - fi
>>>> - done
>>>> - fi
>>>> -
>>>> return 0
>>>> }
>>>>
>>>> -- 
>>>> 2.40.1
>>>>
>>
>> -- 
>> Sent from my laptop
> 
> 
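Review bot: deleting the whole block in restore_backup() removes the only non-interactive path that puts `providers legacy default` into existing n2n client configs; the replacement in ovpnmain.cgi only runs when a connection set is downloaded, not during restore or during the update, so a restored n2n connection with a legacy certificate would still lack the line once the new OpenSSL is installed. Given that the thread confirms the line is harmless for non-legacy connections, keep the block (or, if the unconditional append is the objection, keep it guarded on the certificate being legacy) rather than removing it outright. Minor: the existing guard `grep -c "Open VPN Client Config" ... -eq 1` skips a file where the marker appears more than once; `grep -q` would express the intent more robustly if the block is retained.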