This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file which is easier to use with clients that
don't support PKCS12 (like iOS) opposed to converting
the file manually.
This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
CC: Alexander Marx <alexander.marx(a)ipfire.org>
---
config/rootfiles/core/95/filelists/files | 1 +
html/cgi-bin/ovpnmain.cgi | 56 +++++++++++++++++++++++++++++---
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
index dfecbaf..b886200 100644
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi
srv/web/ipfire/cgi-bin/dhcp.cgi
srv/web/ipfire/cgi-bin/firewall.cgi
srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/pppsetup.cgi
srv/web/ipfire/cgi-bin/routing.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9e252a9..7c9ff95 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2265,9 +2265,38 @@ else
print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
}
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+
if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ # Add the CA
+ print CLIENTCONF "ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
} else {
print CLIENTCONF "ca cacert.pem\r\n";
print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($cgiparams{'CHECK1'} ){
@@ -5127,7 +5160,7 @@ END
<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
</tr>
END
}
@@ -5141,7 +5174,7 @@ END
<th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
<th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
</tr>
END
}
@@ -5240,6 +5273,21 @@ END
</td></form>
END
;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <<END;
+ <form method='post' name='frm${key}g'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+ alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='insecure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ } else {
+ print "<td $col> </td>";
+ }
+
if ($confighash{$key}[4] eq 'cert') {
print <<END;
<form method='post' name='frm${key}b'><td align='center' $col>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf04d3d..305db0b 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
'display webinterface effects' => 'Überblendeffekte einschalten',
'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
'dmz' => 'DMZ',
'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed..4c52392 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
'display traffic at home' => 'Display calculated traffic on startpage',
'display webinterface effects' => 'Activate effects',
'dl client arch' => 'Download Client Package (zip)',
+'dl client arch insecure' => 'Download insecure Client Package (zip)',
'dmz' => 'DMZ',
'dmz pinhole configuration' => 'DMZ pinhole configuration',
'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',
--
2.4.4