We tested the backup of the settings but did NOT test the ISO backup. Will try this later today to confirm the issue with the ISO backup.
We had regenerated the keys during the 120 Core update. We did not see the cryptographic warnings that you did.
Fred
From: Paul Titjen <paul.titjen@ministc.com>
Sent: 28 August, 2018 13:12
To: development@lists.ipfire.org
Subject: Testing core update 123
Hi all,
I too am testing core update 123.
My version of IPFire was a new install of 2.21 core update 122 followed by a restore of an .ipf backup from last 2.19. This was then moved up to Core Update 123.
So far stable and have only two issues unresolved so far.
Backup.
Generate ISO is still not working for me. I still have a size of 0.00 MB. Web gui shows "Backup from ipfire-2.21.x86_64-full-core123.iso Size 0.00 MB"
The normal backup to generate an ".ipf" file does work. Web gui shows "Backup from 20180823-1150.ipf Size 14.38 MB"
Downloading these backups confirms the sizes shown.
OpenVPN
Initially had the two crypto warnings so deleted all the cert data and then generated new DH parameters with 3076 value. Then generated new certificate data using the 3076 value. This removed the DH size warning but still leaves the following:
Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.
All OpenVPN clients needs then to be renewed!
I looked for any settings that I could apply in web GUI to set extendkeyusage with TLS Web Server Authentication in the cert generation to make the warning go away but could not find a way to do this.
+ # Warning if certificate is not compliant to RFC3280 TLS rules
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+
+ CRYPTO_WARNING:
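Review bot: The test for "TLS Web Server Authentication" runs against the whole "openssl x509 -noout -text" dump stored in $extendkeyusage, and the result of the backtick call is never checked, so a servercert.pem that openssl cannot read or parse produces empty output and is reported as not RFC3280 compliant. Check $? after the call and report a read or parse failure separately, and anchor the pattern to the "X509v3 Extended Key Usage" section of the output so the string cannot match text elsewhere in the certificate. The "goto CRYPTO_WARNING;" jumps to a label that, in the lines shown, directly follows the block, so it does nothing unless further checks are meant to sit between the two.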
Is OpenVPN going to require critical extends on the certs in the future?
Hope this somewhat limited testing information helps.
Regards,
Paul