Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography. It includes also potential warnings for upcoming changes and needed adjustments in the system. This can also be extended in the future for upcoming configuration changes.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 53 ++++++++++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 5 +++++ langs/en/cgi-bin/en.pl | 5 +++++ 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..c9d36d7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF);
} - + +### +### Check for cryptography problems +### + +# Warning if DH parameter is 1024 bit +if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { + my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + if ($dhlenght =~ /1024 bit/) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } +} + +# Warning if md5 is in usage +if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } +} + +CRYPTO_ERROR: + +# Warning if certificate is not compliant to RFC3280 TLS rules +if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage =~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } +} + +CRYPTO_WARNING: + ### ### Save main settings ### @@ -5135,6 +5172,20 @@ END &Header::closebox(); }
+ if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "<class name='base'>$cryptoerror"; + print " </class>"; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "<class name='base'>$cryptowarning"; + print " </class>"; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage<br>"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..e1e9c97 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'Cron-Server', +'crypto error' => 'Kryptografiefehler', +'crypto warning' => 'Kryptografiewarnungen', 'current' => 'Aktuell', 'current aliases' => 'Aktuelle Alias-Adresse', 'current class' => 'Aktuelle Klasse', @@ -1817,6 +1819,8 @@ 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', +'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 'ovpn hmac' => 'HMAC-Optionen', @@ -1841,6 +1845,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', 'ovpn_mssfix' => 'MSSFIX-Grösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..d3847c9 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptographic error', +'crypto warning' => 'Cryptographic warning', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1850,6 +1852,8 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', +'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', +'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', 'ovpn ha' => 'Hash algorithm', 'ovpn hmac' => 'HMAC options', @@ -1874,6 +1878,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery',
Changes includes: Own crypto warning and error message in WUI (can be extended to configuration too). Check if DH-parameter is < 2048 bit with an error message and howto fix it. Check if md5 is still in use with an error message and suggestion how to proceed further to fix it. Check for soon needed RFC3280 TLS rules compliants and suggestion how to proceed further to fix it. Disabled 1024 bit DH-parameter upload. Changed de and en language files for DH-parameter upload (deleted 1024 bit). Added explanations to de and en language files for the above changes. Fixed Typo in en language file.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 61 +++++++++++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 9 +++++-- langs/en/cgi-bin/en.pl | 11 ++++++--- 3 files changed, 74 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..d16c753 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck;
# Add CCD files if not already presant unless (-e $routes_push_file) { @@ -199,6 +203,45 @@ sub deletebackupcert } }
+### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -1069,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF);
} - + ### ### Save main settings ### @@ -1336,7 +1379,7 @@ END goto UPLOADCA_ERROR; } my $temp = `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: ((1024|2048|3072|4096) bit)/) { + if ($temp !~ /DH Parameters: ((2048|3072|4096) bit)/) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -5135,6 +5178,20 @@ END &Header::closebox(); }
+ if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "<class name='base'>$cryptoerror"; + print " </class>"; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "<class name='base'>$cryptowarning"; + print " </class>"; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage<br>"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..1fee282 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'Cron-Server', +'crypto error' => 'Kryptografiefehler', +'crypto warning' => 'Kryptografiewarnungen', 'current' => 'Aktuell', 'current aliases' => 'Aktuelle Alias-Adresse', 'current class' => 'Aktuelle Klasse', @@ -730,7 +732,7 @@ 'devices on blue' => 'Geräte auf BLAU', 'dh' => 'Diffie-Hellman-Parameter', 'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', -'dh key warn' => 'Das Generieren der DH-Parameter mit 1024 oder 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', +'dh key warn' => 'Das Generieren eines DH-Parameter mit 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', 'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', 'dh parameter' => 'Diffie-Hellman-Parameter', 'dhcp advopt add' => 'DHCP Option hinzufügen', @@ -1708,7 +1710,7 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 1024, 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', +'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => '<B>Nicht</B> vorhanden', 'not running' => 'nicht gestartet', @@ -1817,6 +1819,8 @@ 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', +'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 'ovpn hmac' => 'HMAC-Optionen', @@ -1840,6 +1844,7 @@ 'ovpn server status' => 'OpenVPN-Server-Status', 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', +'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..3ec5af5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptographic error', +'crypto warning' => 'Cryptographic warning', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -752,7 +754,7 @@ 'devices on blue' => 'Devices on BLUE', 'dh' => 'Diffie-Hellman parameters', 'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', +'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', 'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', 'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', 'dh parameter' => 'Diffie-Hellman parameters', @@ -1740,7 +1742,7 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', +'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Not enough disk space', 'not present' => '<b>Not</b> present', 'not running' => 'not running', @@ -1850,7 +1852,9 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', -'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', +'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', +'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', +'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', 'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', @@ -1874,6 +1878,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery',