This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file which is easier to use with clients that don't support PKCS12 (like iOS) opposed to converting the file manually.
This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer michael.tremer@ipfire.org CC: Alexander Marx alexander.marx@ipfire.org --- config/rootfiles/core/95/filelists/files | 1 + html/cgi-bin/ovpnmain.cgi | 56 +++++++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files index dfecbaf..b886200 100644 --- a/config/rootfiles/core/95/filelists/files +++ b/config/rootfiles/core/95/filelists/files @@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9e252a9..7c9ff95 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2265,9 +2265,38 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } + my $file_crt = new File::Temp( UNLINK => 1 ); + my $file_key = new File::Temp( UNLINK => 1 ); + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + # Add the CA + print CLIENTCONF "ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); if ($cgiparams{'CHECK1'} ){ @@ -5127,7 +5160,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5141,7 +5174,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5240,6 +5273,21 @@ END </td></form> END ; + + if ($confighash{$key}[41] eq "no-pass") { + print <<END; + <form method='post' name='frm${key}g'><td align='center' $col> + <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' + alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' /> + <input type='hidden' name='MODE' value='insecure' /> + <input type='hidden' name='KEY' value='$key' /> + </td></form> +END + } else { + print "<td $col> </td>"; + } + if ($confighash{$key}[4] eq 'cert') { print <<END; <form method='post' name='frm${key}b'><td align='center' $col> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cf04d3d..305db0b 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -731,6 +731,7 @@ 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen', 'display webinterface effects' => 'Überblendeffekte einschalten', 'dl client arch' => 'Client Paket herunterladen (zip)', +'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches', 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 56238ed..4c52392 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -756,6 +756,7 @@ 'display traffic at home' => 'Display calculated traffic on startpage', 'display webinterface effects' => 'Activate effects', 'dl client arch' => 'Download Client Package (zip)', +'dl client arch insecure' => 'Download insecure Client Package (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'DMZ pinhole configuration', 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',