Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a "Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished. Since the ta.key are created after the DH-parameter, it won´t be produced in that case. To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 439390228..5de80b269 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1947,6 +1947,13 @@ END # } else { # &cleanssldatabase(); } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { @@ -1961,13 +1968,6 @@ END # } else { # &cleanssldatabase(); } - # Create ta.key for tls-auth - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - &cleanssldatabase(); - goto ROOTCERT_ERROR; - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR:
Since Core 132 the 'TLS Channel Protection' is part of the global settings, the ta.key generation check should also be in the main section otherwise it won´t be created if not present.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5de80b269..5b8ca9731 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -898,17 +898,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto ADV_ERROR; - } - } - } - &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); &writeserverconf();#hier ok } @@ -1189,6 +1178,17 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; }
+ # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto SETTINGS_ERROR; + } + } + } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
Sorry for sending in this patches so late but i thought it makes sense to solve some open bugs in this topic.
Should i send it in again after Core 136 release ?
Best,
Erik
On Mi, 2019-09-18 at 07:03 +0200, Erik Kapfer wrote:
Since Core 132 the 'TLS Channel Protection' is part of the global settings, the ta.key generation check should also be in the main section otherwise it won´t be created if not present.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org
html/cgi-bin/ovpnmain.cgi | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5de80b269..5b8ca9731 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -898,17 +898,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv- options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; }
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
system('/usr/sbin/openvpn', '--genkey', '--secret',"${General::swroot}/ovpn/certs/ta.key");
if ($?) {$errormessage = "$Lang::tr{'openssl produced anerror'}: $?";
goto ADV_ERROR;}- }
- }
- &General::writehash("${General::swroot}/ovpn/settings",
%vpnsettings); &writeserverconf();#hier ok } @@ -1189,6 +1178,17 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; }
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
if ($?) {$errormessage = "$Lang::tr{'opensslproduced an error'}: $?";
goto SETTINGS_ERROR;}}- }
- $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
-
Erik Kapfer -
ummeegge