Since OpenSSL 3.x will remove all 64-bit block ciphers, and OpenVPN's changelog for version 2.5.8 also hints at getting rid of BF-CBC in default configurations, a warning will be displayed in the WUI if the user is running BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC or SHA1, advising them to change to another, more secure algorithm as soon as possible.
The call of the pkiconfigcheck function is now located in the status page section.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dc429d90c..5c34a5f4d 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
-# Perform crypto and configration test
-&pkiconfigcheck;
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
@@ -240,6 +238,39 @@ sub pkiconfigcheck
 }
 }
+ # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage
+ if (-f "${General::swroot}/ovpn/server.conf") {
+ my $oldciphers = "${General::swroot}/ovpn/server.conf";
+ open(FH, $oldciphers);
+ while(my $cipherstring = <FH>) {
+ if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+ my @tempcipherstring = split(" ", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+ close(FH);
+ }
+
+ # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage
+ if (-f "${General::swroot}/ovpn/ovpnconfig") {
+ my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
+ open(FH, $oldciphers);
+ while(my $cipherstring = <FH>) {
+ if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) {
+ my @tempcipherstring = split(",", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+ goto CRYPTO_WARNING;
+ }
+ if ($cipherstring =~ /SHA1/) {
+ my @tempcipherstring = split(",", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+ goto CRYPTO_WARNING;
+ }
+ }
+ }
+
+ CRYPTO_WARNING:
 }
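Review bot: The Net-to-Net check matches `/BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/` and `/SHA1/` against the whole ovpnconfig line rather than the cipher and auth fields it later reports (`$tempcipherstring[41]` / `[40]`), so any other comma-separated field that happens to contain one of those tokens (a connection name or remark, for instance) raises the warning with a misleading value; split first and test the field, e.g. `if ($tempcipherstring[41] =~ /\A(?:BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC)\z/)`. Both blocks use an unchecked two-argument bareword `open(FH, $oldciphers)`, and the ovpnconfig block never closes the handle (the `goto` also skips the `close(FH)` in the server.conf block); `open(my $fh, '<', $oldciphers) or return;` with a lexical handle that goes out of scope fixes both. The field values are interpolated into the warning HTML unescaped, and `$tempcipherstring[2]` in particular is admin-entered data, so it should go through the page's existing HTML-escaping helper before being placed inside `<font>`. `$cryptowarning` is assigned without `my`, presumably a file-level variable declared outside the hunk — confirm. `pkiconfigcheck` begins before this hunk.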
@@ -5056,6 +5087,9 @@ END
 my @status = <FILE>;
 close(FILE);
+ # Perform crypto and configration test
+ &pkiconfigcheck;
+
 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 my $ipaddr = <IPADDR>;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index abfba5d5e..bb675ec34 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1982,6 +1982,9 @@
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
+'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index bf18b22a2..9aaf3e765 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
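Review bot: `&pkiconfigcheck;` with the ampersand and no parentheses passes the caller's current `@_` through to the sub and bypasses any prototype; since the sub takes no arguments, `pkiconfigcheck();` is the clearer form and avoids that surprise. The check now runs only when this status-page section is reached instead of at script start (the old call near line 101 is removed in the first hunk), so any code between the two sites that reads `$cryptowarning` would now see it unset — worth confirming nothing does. The enclosing block starts outside the hunk.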
@@ -2035,6 +2035,9 @@
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
 'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>',
+'ovpn warning algorithm' => 'The following algorithm was configured',
+'ovpn warning algorithm n2n' => 'For the Net-to-Net connection',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',