Hello Erik,
Nice to see you on this list again :)
On 21 Nov 2022, at 10:22, Erik Kapfer erik.kapfer@ipfire.org wrote:
Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog for version 2.5.8 gives hints to get rid of BF-CBC for default configuations, a warning will be displayed in the WUI if the user is running BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change as soon as possible to another more secure algorithm.
Well, this does not sound like good news. It is yet another change that would break *lots* of existing OpenVPN setups.
Although the patch looks fine, I am not sure if this is the best way to go, because if we tell people that their setup won’t be supported much longer, what alternatives are there?
Resetting to the default options, throwing away their CA and start from scratch is not an option. Even 20 connections are too many to manually update.
If they would actually do this, we will be back to square one really soon, because we still don’t have cipher negotiation.
We are also just accumulating warning messages at the top of the page which cannot be fixed. For years, we are showing some certificate warning and I am not sure why that actually is and what people can do about it?!
So, I fear that we will have to keep supporting those really outdated (and yes, potentially dangerously insecure) setups for the lifetime of IPFire 2. If it isn’t an option to move forward to the latest version of OpenVPN we would be in *very* big trouble.
Best, -Michael
The call of the pkiconfigcheck function is now located in the status page section.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dc429d90c..5c34a5f4d 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -# Perform crypto and configration test -&pkiconfigcheck;
# Add CCD files if not already presant unless (-e $routes_push_file) { @@ -240,6 +238,39 @@ sub pkiconfigcheck } }
- # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage
- if (-f "${General::swroot}/ovpn/server.conf") {
- my $oldciphers = "${General::swroot}/ovpn/server.conf";
- open(FH, $oldciphers);
- while(my $cipherstring = <FH>) {
- if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
- my @tempcipherstring = split(" ", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
- goto CRYPTO_WARNING;
- }
- }
- close(FH);
- }
- # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage
- if (-f "${General::swroot}/ovpn/ovpnconfig") {
- my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
- open(FH, $oldciphers);
- while(my $cipherstring = <FH>) {
- if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) {
- my @tempcipherstring = split(",", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
- goto CRYPTO_WARNING;
- }
- if ($cipherstring =~ /SHA1/) {
- my @tempcipherstring = split(",", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
- goto CRYPTO_WARNING;
- }
- }
- }
CRYPTO_WARNING: }
@@ -5056,6 +5087,9 @@ END my @status = <FILE>; close(FILE);
- # Perform crypto and configration test
- &pkiconfigcheck;
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = <IPADDR>; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index abfba5d5e..bb675ec34 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1982,6 +1982,9 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf18b22a2..9aaf3e765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2035,6 +2035,9 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>', +'ovpn warning algorithm' => 'The following algorithm was configured', +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', -- 2.35.1