Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a "Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished. Since the ta.key are created after the DH-parameter, it won´t be produced in that case. To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 439390228..5de80b269 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1947,6 +1947,13 @@ END # } else { # &cleanssldatabase(); } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { @@ -1961,13 +1968,6 @@ END # } else { # &cleanssldatabase(); } - # Create ta.key for tls-auth - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - &cleanssldatabase(); - goto ROOTCERT_ERROR; - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: