[PATCH] OpenVPN: Clarify fundamental crypto errors but also warnings in WUI

21 Jun 2018

Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography.
It includes also potential warnings for upcoming changes and needed adjustments in the system.
This can also be extended in the future for upcoming configuration changes.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl    |  5 +++++
 langs/en/cgi-bin/en.pl    |  5 +++++
 3 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 4bc3473..c9d36d7 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -64,6 +64,8 @@ my %cahash=();
 my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
 my %settings=();
 my $routes_push_file = '';
 my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   close(CLIENTCONF);
}
-  
+
+###
+### Check for cryptography problems
+###
+
+# Warning if DH parameter is 1024 bit
+if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
+	my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
+	if ($dhlenght =~ /1024 bit/) {
+		$cryptoerror = "$Lang::tr{'ovpn error dh'}";
+		goto CRYPTO_ERROR;
+	}
+}
+
+# Warning if md5 is in usage
+if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+	my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+	if ($signature =~ /md5WithRSAEncryption/) {
+		$cryptoerror = "$Lang::tr{'ovpn error md5'}";
+		goto CRYPTO_ERROR;
+	}
+}
+
+CRYPTO_ERROR:
+
+# Warning if certificate is not compliant to RFC3280 TLS rules
+if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
+	my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+	if ($extendkeyusage =~ /TLS Web Server Authentication/) {
+		$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+		goto CRYPTO_WARNING;
+	}
+}
+
+CRYPTO_WARNING:
+
 ###
 ### Save main settings
 ###
@@ -5135,6 +5172,20 @@ END
    &Header::closebox();
     }
+	if ($cryptoerror) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+		print "<class name='base'>$cryptoerror";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	if ($cryptowarning) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+		print "<class name='base'>$cryptowarning";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
    if ($warnmessage) {
    	&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
    	print "$warnmessage<br>";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 630d9b2..e1e9c97 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -661,6 +661,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'Cron-Server',
+'crypto error' => 'Kryptografiefehler',
+'crypto warning' => 'Kryptografiewarnungen',
 'current' => 'Aktuell',
 'current aliases' => 'Aktuelle Alias-Adresse',
 'current class' => 'Aktuelle Klasse',
@@ -1817,6 +1819,8 @@
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
+'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
+'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
 'ovpn ha' => 'Hash-Algorithmus',
 'ovpn hmac' => 'HMAC-Optionen',
@@ -1841,6 +1845,7 @@
 'ovpn subnet' => 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
+'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
 'ovpn_mssfix' => 'MSSFIX-Grösse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 8ec5bf4..d3847c9 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -682,6 +682,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'CRON Server',
+'crypto error' => 'Cryptographic error',
+'crypto warning' => 'Cryptographic warning',
 'current' => 'Current',
 'current aliases' => 'Current aliases',
 'current class' => 'Current class',
@@ -1850,6 +1852,8 @@
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
+'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
 'ovpn ha' => 'Hash algorithm',
 'ovpn hmac' => 'HMAC options',
@@ -1874,6 +1878,7 @@
 'ovpn subnet' => 'OpenVPN subnet:',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
 'ovpn_mtudisc' => 'MTU-Discovery',
-- 
2.7.4


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[PATCH] OpenVPN: Clarify fundamental crypto errors but also warnings in WUI