Initial patch: https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f...
Minor adjustments to make it apply to the current state of "next", and removal of the chown operation in OpenSSL's LFS file, which would have led to the Diffie-Hellman group file being writable by nobody, for which there is no necessity.
Fixes: #12632 From: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/common/openssl | 1 + html/cgi-bin/ovpnmain.cgi | 185 ++------------------------------ langs/de/cgi-bin/de.pl | 16 --- langs/en/cgi-bin/en.pl | 17 --- langs/fr/cgi-bin/fr.pl | 17 --- langs/it/cgi-bin/it.pl | 16 --- langs/tr/cgi-bin/tr.pl | 16 --- lfs/openssl | 3 + 8 files changed, 11 insertions(+), 260 deletions(-)
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index bb7e6f65c..ae9716eea 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -2,6 +2,7 @@
 #etc/ssl/certs
 #etc/ssl/ct_log_list.cnf
 #etc/ssl/ct_log_list.cnf.dist
+etc/ssl/ffdhe4096.pem
 #etc/ssl/misc
 #etc/ssl/misc/CA.pl
 #etc/ssl/misc/tsget
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f85d610d8..dc429d90c 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -78,6 +78,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my $dhparameter = "/etc/ssl/ffdhe4096.pem";
 &General::readhash("${General::swroot}/ethernet/settings", %netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -89,8 +90,6 @@ $cgiparams{'COMPRESSION'} = 'off';
 $cgiparams{'ONLY_PROPOSED'} = 'off';
 $cgiparams{'ACTION'} = '';
 $cgiparams{'CA_NAME'} = '';
-$cgiparams{'DH_NAME'} = 'dh1024.pem';
-$cgiparams{'DHLENGHT'} = '';
 $cgiparams{'DHCP_DOMAIN'} = '';
 $cgiparams{'DHCP_DNS'} = '';
 $cgiparams{'DHCP_WINS'} = '';
@@ -221,28 +220,6 @@ sub deletebackupcert
 sub pkiconfigcheck {
- # Warning if DH parameter is 1024 bit
- if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
- my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
- my $dhbit;
-
- # Loop through the output and search for the DH bit lenght.
- foreach my $line (@dhparameter) {
- if ($line =~ (/(\d+)/)) {
- # Assign match to dhbit value.
- $dhbit = $1;
-
- last;
- }
- }
-
- # Check if the used key lenght is at least 2048 bit.
- if ($dhbit < 2048) {
- $cryptoerror = "$Lang::tr{'ovpn error dh'}";
- goto CRYPTO_ERROR;
- }
- }
-
 # Warning if md5 is in usage
 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
 my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
@@ -290,7 +267,7 @@ sub writeserverconf {
 print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
 print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
 print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
- print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
+ print CONF "dh $dhparameter\n";
 my @tempovpnsubnet = split("/",$sovpnsettings{'DOVPN_SUBNET'});
 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
 #print CONF "push "route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}"\n";
@@ -1358,102 +1335,6 @@ END
 exit (0);
### -### Generate DH key step 2 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - } - -### -### Generate DH key step 1 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); - print <<END; - <table width='100%'> - <tr> - <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td> - </tr> - <tr> - <td class='base'>$Lang::tr{'ovpn dh'}:</td> - <td align='center'> - <form method='post'><input type='hidden' name='AREUSURE' value='yes' /> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <select name='DHLENGHT'> - <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> - <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> - <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> - </select> - </td> - </tr> - <tr><td colspan='4'><br></td></tr> - </table> - <table width='100%'> - <tr> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'} - </tr> - <tr> - <td class='base'>$Lang::tr{'dh key warn1'}</td> - </tr> - <tr><td colspan='2'><br></td></tr> - <tr> - <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td> - </form> - 
</tr> - </table> - -END - ; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - -### -### Upload DH key -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - unless (ref ($cgiparams{'FH'})) { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded dh key to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); - if ( ! grep(/DH Parameters: ((2048|3072|4096) bit)/, @temp)) { - $errormessage = $Lang::tr{'not a valid dh key'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - - unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) { - $errormessage = "$Lang::tr{'dh key move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } -### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { 
@@ -2028,21 +1909,6 @@ END &cleanssldatabase(); goto ROOTCERT_ERROR; } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); - unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &cleanssldatabase(); - goto ROOTCERT_ERROR; -# } else { -# &cleanssldatabase(); - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2092,14 +1958,6 @@ END } print <<END; </select></td> - <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td> - <td class='base'><select name='DHLENGHT'> - <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option> - <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option> - <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option> - </select> - </td> - </tr>
<tr><td> </td> <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td> @@ -2107,16 +1965,6 @@ END <tr><td class='base' colspan='4' align='left'> <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'required field'}</td></tr> <tr><td colspan='2'><br></td></tr> - <table width='100%'> - <tr> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'} - <td class='base'>$Lang::tr{'dh key warn'}</td> - </tr> - <tr> - <td class='base'>$Lang::tr{'dh key warn1'}</td> - </tr> - <tr><td colspan='2'><br></td></tr> - <tr> </table>
<table width='100%'> @@ -2681,14 +2529,14 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
- if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
+ if (! -e "$dhparameter") {
 $errormessage = $Lang::tr{'not present'};
 } else {
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
 &Header::openbigbox('100%', 'LEFT', '', '');
 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
- my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 my $output = &Header::cleanhtml(join("", @output) ,"y");
 print "<pre>$output</pre>\n";
 &Header::closebox();
@@ -5447,7 +5295,7 @@ END
 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
- -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
+ -e "$dhparameter" &&
 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
 (( $cgiparams{'ENABLED'} eq 'on') ||
@@ -5838,8 +5686,8 @@ END
 }
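Review bot: The `show dh` branch kept as context here still dispatches on `$Lang::tr{'show dh'}` and titles its box with `$Lang::tr{'dh'}`, yet this same commit deletes both keys from de.pl, en.pl, fr.pl, it.pl and tr.pl (the `'show dh'` removals at -2270/-2327/-2335/-1958/-2111 and the `'dh'` removals at -760/-794/-799/-681/-746). With the keys gone the lookup yields undef, so the `eq` compares ACTION against an empty string with a warning, and a request whose ACTION is empty — the default this file sets near its top — can land in this branch unless an earlier `elsif` claims it first, which is outside the hunk. Either keep `'dh'` and `'show dh'` in the language files or remove this `elsif` block together with the button that submits it. As a style aside, `-e "$dhparameter"` and the `"$dhparameter"` argument to system_output interpolate a lone scalar for no reason; `-e $dhparameter` and plain `$dhparameter` read cleaner here, in the hunk at -5447 and in the one at -5838.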
 # Adding DH parameter to chart
- if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
- my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ if (-f "$dhparameter") {
+ my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
 my $dhsubject;
 foreach my $line (@dhsubject) {
@@ -5996,25 +5844,6 @@ END
 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
 </tr>
 </table>
-
- <br>
-
- <table border='0' width='100%'>
- <tr>
- <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
- </tr>
-
- <tr>
- <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
- <td width='30%'><input type='file' name='FH' size='25'>
- <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
- </tr>
-
- <tr>
- <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
- <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
- </tr>
- </table>
 </form>
<br><hr> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index db7d117b0..f64fbb6fa 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -760,11 +760,6 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf BLAU', -'dh' => 'Diffie-Hellman-Parameter', -'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', -'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.', -'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', -'dh parameter' => 'Diffie-Hellman-Parameter', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', @@ -898,7 +893,6 @@ 'download' => 'herunterladen', 'download ca certificate' => 'CA-Zertifikat herunterladen', 'download certificate' => 'Datei herunterladen', -'download dh parameter' => 'Diffie-Hellman-Parameter herunterladen', 'download host certificate' => 'Host-Zertifikat herunterladen', 'download new ruleset' => 'Neuen Regelsatz herunterladen', 'download pkcs12 file' => 'PKCS12-Datei herunterladen', @@ -1313,11 +1307,9 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', -'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', -'generate dh key' => 'Diffie-Hellman Key generieren', 'generate iso' => 'ISO erstellen', 'generate ptr' => 'PTR erzeugen', 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate', 
@@ -1860,7 +1852,6 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not affected' => 'Nicht betroffen', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => '<B>Nicht</B> vorhanden', @@ -1961,15 +1952,10 @@ 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn device' => 'OpenVPN-Gerät', -'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', -'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', -'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen', -'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', -'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 
@@ -2270,7 +2256,6 @@ 'show ca certificate' => 'CA Zertifikat anzeigen', 'show certificate' => 'Datei anzeigen', 'show crl' => 'Certificate Revocation List anzeigen', -'show dh' => 'Diffie-Hellman-Parameter anzeigen', 'show host certificate' => 'Host-Zertifikat anzeigen', 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show otp qrcode' => 'Zeige OTP QRCode', @@ -2645,7 +2630,6 @@ 'upload a certificate' => 'Ein Zertifikat hochladen:', 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' => 'CA-Zertifikat hochladen', -'upload dh key' => 'Diffie-Hellman-Parameter hochladen', 'upload file' => 'Datei zum Hochladen', 'upload new ruleset' => 'Neuen Regelsatz hochladen', 'upload p12 file' => 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 60dca5be4..deafcf660 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -794,12 +794,6 @@ 'details' => 'Details', 'device' => 'Device', 'devices on blue' => 'Devices on BLUE', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Add a DHCP option', 'dhcp advopt added' => 'DHCP option added', 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.', 
@@ -939,7 +933,6 @@ 'download apple profile' => 'Download Apple Configuration Profile', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download file', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', @@ -1358,11 +1351,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Generate ISO', 'generate ptr' => 'Generate PTR', 'generate root/host certificates' => 'Generate root/host certificates', @@ -1911,7 +1902,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not affected' => 'Not Affected', 'not enough disk space' => 'Not enough disk space', 'not present' => '<b>Not</b> present', 
@@ -2015,15 +2005,10 @@ 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', -'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', @@ -2327,7 +2312,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2710,7 +2694,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', 
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index a1643557e..ee5c40025 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -799,12 +799,6 @@ 'details' => 'Détails', 'device' => 'Périphérique', 'devices on blue' => 'Périphériques sur BLEU', -'dh' => 'Paramètres Diffie-Hellman', -'dh key move failed' => 'Le déplacement des paramètres Diffie-Hellman a échoué.', -'dh key warn' => 'La création de paramètres DH avec des longueurs de 1024 ou 2048 bits prend plusieurs minutes. Des longueurs de 3072 ou 4096 bits peuvent nécessiter plusieurs heures. Soyez patient.', -'dh key warn1' => 'Pour des systèmes faibles ou avec peu d'entropie, il est recommandé de télécharger les paramètres Diffie-Hellman longs en utilisant la fonction de téléchargement.', -'dh name is invalid' => 'Le nom est invalide, veuillez utiliser "dh1024.pem".', -'dh parameter' => 'Paramètres Diffie-Hellman', 'dhcp advopt add' => 'Ajouter une option DHCP', 'dhcp advopt added' => 'Option DHCP ajoutée', 'dhcp advopt blank value' => 'La valeur de l'option DHCP ne peut pas être vide.', @@ -944,7 +938,6 @@ 'download apple profile' => 'Télécharger le profil de configuration Apple', 'download ca certificate' => 'Télécharger le certificat CA', 'download certificate' => 'Télécharger le certificat', -'download dh parameter' => 'Télécharger paramètres Diffie-Hellman', 'download host certificate' => 'Télécharger le certificat de l'hôte', 'download new ruleset' => 'Télécharger de nouvelles règles', 'download pkcs12 file' => 'Télécharger le fichier PKCS12', 
@@ -1360,11 +1353,9 @@ 'fwhost wo subnet' => '(sans sous-réseau)', 'gateway' => 'Passerelle ', 'gateway ip' => 'IP passerelle', -'gen dh' => 'Générer nouveaux paramètres Diffie-Hellman ', 'gen static key' => 'Générer une clef statique', 'generate' => 'Générer un certificat racine / hôte', 'generate a certificate' => 'Générer un certificat :', -'generate dh key' => 'Générer paramètres Diffie-Hellman', 'generate iso' => 'Générer ISO', 'generate ptr' => 'Générer PTR ', 'generate root/host certificates' => 'Générer des certificats root / hôte', @@ -1917,7 +1908,6 @@ 'nonetworkname' => 'Aucun nom de réseau saisi', 'noservicename' => 'Aucun nom de service saisi', 'not a valid ca certificate' => 'Le certificat CA n'est pas valide.', -'not a valid dh key' => 'Ce n'est pas un fichier de paramètres Diffie-Hellman valide. Veuillez choisir une longueur de 1024, 2048, 3072 ou 4096 bits et le format PKCS#3.', 'not affected' => 'Non affecté', 'not enough disk space' => 'Pas assez d'espace sur le disque', 'not present' => '<b>Absent</b>', 
@@ -2021,15 +2011,10 @@ 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', 'ovpn device' => 'Périphérique OpenVPN :', -'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ', -'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ', -'ovpn dh parameters' => 'Options de paramètres Diffie-Hellman', -'ovpn dh upload' => 'Mettre à jour nouveaux paramètres Diffie-Hellman ', 'ovpn dl' => 'Télécharger Config OVPN', 'ovpn engines' => 'Moteur Crypto', 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée', 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide', -'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>', 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n'est plus acceptée. <br>Veuillez mettre à jour la dernière version d'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>', 'ovpn generating the root and host certificates' => 'La génération du certificat racine et hôte peut prendre du temps.', 'ovpn ha' => 'Algorithme de hashage', @@ -2335,7 +2320,6 @@ 'show ca certificate' => 'Afficher le certificat CA', 'show certificate' => 'Afficher le certificat', 'show crl' => 'Montrer la liste de révocation des certificats', -'show dh' => 'Afficher les paramètres Diffie-Hellman', 'show host certificate' => 'Afficher le certificat hôte', 'show last x lines' => 'Montrer les dernières x lignes', 'show lines' => 'Montrer les lignes', 
@@ -2718,7 +2702,6 @@ 'upload a certificate' => 'Envoyer un certificat :', 'upload a certificate request' => 'Envoyer une demande de certificat :', 'upload ca certificate' => 'Envoyer un certificat CA', -'upload dh key' => 'Télécharger paramètres Diffie-Hellman', 'upload file' => 'Envoyer un fichier', 'upload new ruleset' => 'Télécharger un nouveau réglement', 'upload p12 file' => 'Envoyer fichier PKCS12', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index cf58bea90..87a86946f 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -681,12 +681,6 @@ 'details' => 'Dettagli', 'device' => 'Device', 'devices on blue' => 'Devices on Blu', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Aggiungere un opzione DHCP', 'dhcp advopt added' => 'Opzione DHCP aggiunto', 'dhcp advopt blank value' => 'DHCP opzione non può essere vuoto.', @@ -796,7 +790,6 @@ 'download' => 'download', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download certificate', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Scarica il nuovo set di regole', 'download pkcs12 file' => 'Download PKCS12 file', 
@@ -1158,11 +1151,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Genera file ISO', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', @@ -1594,7 +1585,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Spazio su disco insufficiente', 'not present' => '<b>Non</b> presente', 'not running' => 'not running', @@ -1684,10 +1674,6 @@ 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for Verde network is always set', @@ -1958,7 +1944,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', 
@@ -2298,7 +2283,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index bc2eead9a..ad5567ce1 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -746,12 +746,6 @@ 'details' => 'Detaylar', 'device' => 'Aygıt', 'devices on blue' => 'Mavi üzerindeki aygıtlar', -'dh' => 'Diffie-Hellman parametreleri', -'dh key move failed' => 'Diffie-Hellman parametreleri taşınamadı.', -'dh key warn' => '1024 veya 2048 bit uzunluğundaki Diffie-Hellman parametrelerini oluşturma birkaç dakika sürebilir. 3072 veya 4096 bit uzunluğundaki parametreleri oluşturmak ise birkaç saate ihtiyaç olabilir. Lütfen sabırlı olun.', -'dh key warn1' => 'Zayıf veya entropileri küçük olan sistemler için bu yükleme fonksiyonun kullanımı ile uzun Diffie-Hellman parametrelerini yükleme tavsiye edilir.', -'dh name is invalid' => 'Geçersiz ad, lütfen "dh1024.pem" şeklinde kullanın.', -'dh parameter' => 'Diffie-Hellman parametreleri', 'dhcp advopt add' => 'DHCP seçeneği ekle', 'dhcp advopt added' => 'DHCP seçeneği eklendi', 'dhcp advopt blank value' => 'DHCP seçeneği değeri boş olamaz.', @@ -868,7 +862,6 @@ 'download' => 'İndir', 'download ca certificate' => 'CA sertifikası indir', 'download certificate' => 'Sertifika indir', -'download dh parameter' => 'Diffie-Hellman parametrelerini indir', 'download host certificate' => 'Ana bilgisayar belgesi indir', 'download new ruleset' => 'Yeni Kural Kümesi İndir', 'download pkcs12 file' => 'PKCS12 dosyasını indir', 
@@ -1269,11 +1262,9 @@ 'g.lite' => 'KALDIRILACAK', 'gateway' => 'Ağ geçidi', 'gateway ip' => 'Ağ Geçidi IP Adresi', -'gen dh' => 'Yeni Diffie-Hellman parametrelerini oluşturun', 'gen static key' => 'Statik bir anahtar oluştur', 'generate' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate a certificate' => 'Sertifika oluştur:', -'generate dh key' => 'Diffie-Hellman parametrelerini oluşturun', 'generate iso' => 'ISO oluştur', 'generate root/host certificates' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate tripwire keys and init' => 'tripwire anahtarları ve init oluştur', @@ -1731,7 +1722,6 @@ 'nonetworkname' => 'Ağ adı girilmedi', 'noservicename' => 'Hizmet adı girilmedi', 'not a valid ca certificate' => 'Geçerli bir CA sertifikası değil.', -'not a valid dh key' => 'Geçerli bir Diffie-Hellman parametre dosyası yok. 1024, 2048, 3072 veya 4096 bit uzunluğunda ve PKCS#3 biçimini kullanın.', 'not enough disk space' => 'Yeterli disk alanı yok', 'not present' => 'Mevcut <b>değil</b>', 'not running' => 'çalışmıyor', @@ -1828,10 +1818,6 @@ 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', 'ovpn device' => 'OpenVPN aygıtı:', -'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', -'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun', -'ovpn dh parameters' => 'Diffie-Hellman parametre seçenekleri', -'ovpn dh upload' => 'Yeni Diffie-Hellman parametreleri yükle', 'ovpn dl' => 'OVPN-Yapılandırması İndir', 'ovpn engines' => 'Şifreleme motoru', 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla', @@ -2111,7 +2097,6 @@ 'show ca certificate' => 'CA sertifikalarını göster', 'show certificate' => 'Sertifika göster', 'show crl' => 'Sertifika İptal Listesini Göster', -'show dh' => 'Diffie-Hellman parametrelerini göster', 'show host certificate' => 'Ana bilgisayar sertifikalarını göster', 'show last x lines' => 'Son x satırlarını göster', 'show lines' => 'Satırları göster', 
@@ -2462,7 +2447,6 @@
 'upload a certificate' => 'Sertifika yükle:',
 'upload a certificate request' => 'Sertifika isteği yükle:',
 'upload ca certificate' => 'CA Sertifikası Yükle',
-'upload dh key' => 'Diffie-Hellman parametreleri yükle',
 'upload fcdsl.o' => 'KALDIRILACAK',
 'upload file' => 'Dosya yükle',
 'upload new ruleset' => 'Yeni kurallar yükle',
diff --git a/lfs/openssl b/lfs/openssl
index 28a92a6b3..0431203f0 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -123,5 +123,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && make install
 install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
+ # Install RFC 7919 defined standard group ffdhe4096
+ install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl
+
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
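Review bot: The new install line copies config/ssl/ffdhe4096.pem into /etc/ssl with nothing that checks the checked-in blob really is the RFC 7919 ffdhe4096 group, and the PEM itself only arrives in the follow-up commit on this page. Since OpenVPN will use whatever sits at this path, a sentence in the commit message on how the file was obtained and compared against RFC 7919 Appendix A.3 (for example via `openssl dhparam -noout -text`) would let reviewers verify it, and a build-time `openssl dhparam -check -noout -in $(DIR_SRC)/config/ssl/ffdhe4096.pem` ahead of the install would at least reject a corrupted file. The 0644 mode with root ownership is the right choice for public group parameters and matches the commit message's reasoning about the dropped chown.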
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssl/ffdhe4096.pem | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 config/ssl/ffdhe4096.pem
diff --git a/config/ssl/ffdhe4096.pem b/config/ssl/ffdhe4096.pem
new file mode 100644
index 000000000..3cf0fcbc0
--- /dev/null
+++ b/config/ssl/ffdhe4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
Inspired by https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f....
Cc: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/172/filelists/files | 1 + config/rootfiles/core/172/update.sh | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/config/rootfiles/core/172/filelists/files b/config/rootfiles/core/172/filelists/files
index d73430dae..8b820d594 100644
--- a/config/rootfiles/core/172/filelists/files
+++ b/config/rootfiles/core/172/filelists/files
@@ -1,3 +1,4 @@
+etc/ssl/ffdhe4096.pem
 usr/lib/firewall/rules.pl
 usr/local/bin/addonctrl
 usr/local/bin/openvpnctrl
diff --git a/config/rootfiles/core/172/update.sh b/config/rootfiles/core/172/update.sh
index f3c77fbfb..eebe37456 100644
--- a/config/rootfiles/core/172/update.sh
+++ b/config/rootfiles/core/172/update.sh
@@ -33,6 +33,8 @@ done
 # Stop services
 /etc/rc.d/init.d/ipsec stop
+/usr/local/bin/openvpnctrl -k
+/usr/local/bin/openvpnctrl -kn2n
 /etc/rc.d/init.d/sshd stop
 /etc/rc.d/init.d/unbound stop
@@ -70,7 +72,8 @@ rm -rvf \
 /usr/lib/python3.10/site-packages/setuptools/_vendor/pyparsing.py \
 /usr/lib/python3.10/site-packages/setuptools/config.py \
 /usr/lib/python3.10/site-packages/setuptools_rust/utils.py \
- /usr/libexec/ipsec/scepclient
+ /usr/libexec/ipsec/scepclient \
+ /var/ipfire/ca/dh1024.pem
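Review bot: The path added to the `rm -rvf` list, `/var/ipfire/ca/dh1024.pem`, does not match where the rest of this series keeps the old parameter file: ovpnmain.cgi used `${General::swroot}/ovpn/ca/dh1024.pem`, and the sed in the hunk below rewrites `/var/ipfire/ovpn/ca/dh1024.pem`, which implies `${General::swroot}` is /var/ipfire. With `-f` the miss is silent, so the superseded 1024-bit file most likely stays on disk after the update while nothing references it any more. The line should read `/var/ipfire/ovpn/ca/dh1024.pem`. The `rm -rvf` argument list begins before this hunk.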
 # Remove powertop add-on, if installed
 if [ -e "/opt/pakfire/db/installed/meta-powertop" ]; then
@@ -98,11 +101,24 @@ ldconfig
 # Apply local configuration to sshd_config
 /usr/local/bin/sshctrl
+# Replace existing OpenVPN Diffie-Hellman parameter by ffdhe4096, as specified in RFC 7919
+if [ -f /var/ipfire/ovpn/server.conf ]; then
+ sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf
+fi
+
+if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then
+ sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf
+fi
+
 # Start services
 /etc/init.d/unbound start
 if grep -q "ENABLE_SSH=on" /var/ipfire/remote/settings; then
 /etc/init.d/sshd start
 fi
+if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then
+ /usr/local/bin/openvpnctrl -s
+ /usr/local/bin/openvpnctrl -sn2n
+fi
 if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 /etc/init.d/ipsec start
 fi
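Review bot: The `[ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]` test can never succeed, because the glob sits inside double quotes and `-f` receives the literal path with the asterisks, so the net-to-net configs are never rewritten and any that still point at the old dh1024.pem would presumably fail to start once that file is gone. Iterate and test each file instead: `for conf in /var/ipfire/ovpn/n2nconf/*/*.conf; do` / `	[ -f "${conf}" ] && sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' "${conf}"` / `done`. Separately, `openvpnctrl -k` and `-kn2n` in the hunk at -33 stop both the road-warrior server and the net-to-net connections unconditionally, while the restart here runs `-sn2n` only when `ENABLED=on` is set in /var/ipfire/ovpn/settings; if that flag governs only the road-warrior server, net-to-net connections on a host with it off would stay down after the update, which is worth confirming against openvpnctrl and, if so, moving the `-sn2n` call outside that condition.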