The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1 since those algorithms will "soon be removed".
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ langs/es/cgi-bin/es.pl | 4 ++++ langs/fr/cgi-bin/fr.pl | 2 ++ langs/it/cgi-bin/it.pl | 4 ++++ langs/nl/cgi-bin/nl.pl | 5 +++++ langs/pl/cgi-bin/pl.pl | 4 ++++ langs/ru/cgi-bin/ru.pl | 4 ++++ langs/tr/cgi-bin/tr.pl | 4 ++++ 10 files changed, 48 insertions(+)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dbf8a8d2e..7a2f8a5a3 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -250,6 +250,20 @@ sub pkiconfigcheck
 }
 }
+ # Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage
+ if (-f "${General::swroot}/ovpn/server.conf") {
+ my $oldciphers = "${General::swroot}/ovpn/server.conf";
+ open(FH, $oldciphers);
+ while(my $cipherstring = <FH>) {
+ if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+ my @tempcipherstring = split(" ", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+ close(FH);
+ }
+ CRYPTO_WARNING:
 }
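Review bot: The `goto CRYPTO_WARNING;` inside the `while` loop jumps past `close(FH);`, so the handle on server.conf stays open whenever a deprecated algorithm is found; `last;` would leave the loop and still reach the close, and the label could then be dropped. The `open(FH, $oldciphers);` above it is the two-argument bareword form with no result check, so a failed open goes straight into reading an unopened handle; `if (open(my $fh, '<', $oldciphers)) {` around the loop would cover that (pkiconfigcheck begins before this hunk, so what else the sub does is not visible here). The pattern is unanchored, so any line containing one of the names, a comment included, triggers the warning and `$tempcipherstring[1]` is then whatever token happens to come second; matching only the `cipher` and `auth` directives and HTML-escaping the value before it is placed in `$cryptowarning` would keep the message accurate. The text under `ovpn warning 64 bit block cipher` is also shown when the hit is `SHA1`, which is an HMAC digest rather than a block cipher, so a separate message key for it would be clearer.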
@@ -5242,6 +5256,9 @@ END
my @status = `/bin/cat /var/run/ovpnserver.log`;
+ # Perform crypto and configration test to display warnings or errors
+ &pkiconfigcheck;
+
 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 my $ipaddr = <IPADDR>;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 08827b08a..ae05d5e55 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1948,6 +1948,8 @@
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 880cae5f7..321503d67 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
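Review bot: `&pkiconfigcheck;` is written with the `&` sigil and no parentheses, a form that passes the caller's current `@_` through to the sub; `pkiconfigcheck();` makes the call explicit and argument-free. The comment above it has a typo, `configration` for `configuration`. The enclosing block starts and ends outside this hunk, so whether `$cryptowarning` is cleared before the check runs on each page load cannot be confirmed from here.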
@@ -1980,6 +1980,8 @@
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
 'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>',
+'ovpn warning algorithm' => 'You configured the algorithm',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index c86580e81..752093552 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -552,6 +552,8 @@
 'credits' => 'Creditos',
 'crl' => 'Lista de revocación de certificados',
 'cron server' => 'Servidor CRON',
+'crypto error' => 'Error de criptografía',
+'crypto warning' => 'Advertencias sobre la criptografía',
 'current' => 'Actual',
 'current aliases' => 'Alias actuales',
 'current class' => 'Clase actual',
@@ -1345,6 +1347,8 @@
 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0',
 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.',
 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:',
+'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>',
+'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Tamaño de Fragmento',
 'ovpn_mssfix' => 'Tamaño MSSFIX',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index 1a1f37cbe..f931bc70e 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1981,6 +1981,8 @@
 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.',
 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ',
 'ovpn tls auth' => 'Protection du canal TLS :',
+'ovpn warning 64 bit block cipher' => 'Ce L'algorithme de chiffage du n'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>',
+'ovpn warning algorithm' => 'L'algorithme suivant a été configuré',
 'ovpn warning rfc3280' => 'Votre certificat d'hôte n'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Taille du fragment',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 2c1dc9559..3779de3f6 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -622,6 +622,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'CRON Server',
+'crypto error' => 'Errore di crittografia',
+'crypto warning' => 'Avvertenze di crittografia',
 'current' => 'Current',
 'current aliases' => 'Current aliases',
 'current class' => 'Current class',
@@ -1733,6 +1735,8 @@
 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning 64 bit block cipher' => 'L'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>',
+'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
 'ovpn_mtudisc' => 'MTU-Discovery',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 635cbd3b8..dc9ea350f 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -616,6 +616,8 @@
 'credits' => 'Credits',
 'crl' => 'Certificaatintrekkingslijst',
 'cron server' => 'CRON Server',
+'crypto error' => 'Cryptografische fout',
+'crypto warning' => 'Cryptografie waarschuwingen',
 'current' => 'Huidig',
 'current aliases' => 'Huidige aliassen:',
 'current class' => 'Huidige klasse',
@@ -1686,6 +1688,9 @@
 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.',
 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ',
+'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>',
+'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd',
+'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrootte',
 'ovpn_mssfix' => 'MSSFIX-grootte',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 4ceaeef8a..96e9a95ae 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -553,6 +553,8 @@
 'credits' => 'Credits',
 'crl' => 'Lista odwołań certyfikatów',
 'cron server' => 'Serwer CRON',
+'crypto error' => 'Błąd kryptograficzny',
+'crypto warning' => 'Ostrzeżenia kryptograficzne',
 'current' => 'Aktualne',
 'current aliases' => 'Aktualne alias:',
 'current class' => 'Aktualna klasa',
@@ -1357,6 +1359,8 @@
 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.',
 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ',
+'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>',
+'ovpn warning algorithm' => 'Skonfigurowałeś algorytm',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Rozmiar fragmentu',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 1d81eb62c..5ba44ce29 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -551,6 +551,8 @@
 'credits' => 'О Проекте',
 'crl' => 'Список отозванных сертификатов',
 'cron server' => 'CRON Сервер',
+'crypto error' => 'Ошибка криптографии',
+'crypto warning' => 'крипто-предупреждение',
 'current' => 'Current',
 'current aliases' => 'Действующие псевдонимы:',
 'current class' => 'Текущий класс',
@@ -1352,6 +1354,8 @@
 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.',
 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ',
+'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>',
+'ovpn warning algorithm' => 'Вы настроили алгоритм',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentsize',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 5fbd9f3d3..b459401c9 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -682,6 +682,8 @@
 'credits' => 'Yazarlar',
 'crl' => 'Sertifika İptal Listesi',
 'cron server' => 'CRON Sunucusu',
+'crypto error' => 'Kriptografi hatası',
+'crypto warning' => 'Kriptografi uyarıları',
 'current' => 'Geçerli',
 'current aliases' => 'Geçerli takma adlar:',
 'current class' => 'Geçerli sınıflar',
@@ -1878,6 +1880,8 @@
 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.',
 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ',
+'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>',
+'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın',
 'ovpn_fastio' => 'Hızlı-IO',
 'ovpn_mssfix' => 'MSSFIX Boyutu',
 'ovpn_mtudisc' => 'MTU-Keşfi',