A check has been integrated so that the OpenSSL maximum of '999999' valid days cannot be exceeded. A check for a required entry in the 'Valid til days' field has been integrated. An asterisk for the 'Valid til days' field has been set to mark it as a required field.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index eac962e..99d39a9 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3980,6 +3980,16 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; }
+ # Check for N2N that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'net') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -4157,11 +4167,19 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; } - if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { + if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { $errormessage = $Lang::tr{'invalid input for valid till days'}; goto VPNCONF_ERROR; }
+ # Check for RW that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'host') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } + } + # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/./; (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/./; @@ -4813,7 +4831,7 @@ END if ($cgiparams{'TYPE'} eq 'host') { print <<END; </select></td></tr> - <td> </td><td class='base'>$Lang::tr{'valid till'} (days):</td> + <td> </td><td class='base'>$Lang::tr{'valid till'} (days): <img src='/blob.gif' alt='*' /</td> <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr> <tr><td> </td> <td class='base'>$Lang::tr{'pkcs12 file password'}:</td> @@ -4828,7 +4846,7 @@ END }else{ print <<END; </select></td></tr> - <td> </td><td class='base'>$Lang::tr{'valid till'} (days):</td> + <td> </td><td class='base'>$Lang::tr{'valid till'} (days): <img src='/blob.gif' alt='*' /</td> <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr> <tr><td> </td><td> </td><td> </td></tr> <tr><td> </td><td> </td><td> </td></tr>
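Review bot: in the N2N hunk at @@ -3980, the limit check `if ($cgiparams{'DAYS_VALID'} >= '999999')` rejects 999999 itself, although the commit message says the OpenSSL maximum of 999999 days must not be exceeded; use `> 999999` (a numeric literal rather than a quoted string) so the maximum is still accepted. The comparison also runs before DAYS_VALID has been confirmed to be digits only, so a non-numeric value is treated as 0 by Perl's numeric comparison and slips past this check; place it after the `/^[0-9]+$/` validation. On the error path, `unlink ... or die` and `rmdir ... || die` abort the CGI with a bare `die` instead of reporting the problem through `$errormessage` and `goto VPNCONF_ERROR` as the surrounding branches do.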
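Review bot: in the hunk at @@ -4157, changing `ne ''` to `eq ''` breaks validation of non-empty input: with `$cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/`, a non-empty value such as `abc` makes the first operand false and skips the format check entirely, so it reaches the `>= '999999'` comparison and later the certificate generation. Since an empty string never matches `/^[0-9]+$/`, the required-field check and the format check collapse into one condition: `if ($cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {`. The new RW block's `>= '999999'` has the same off-by-one as the N2N block and should be `> 999999`.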
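Review bot: in the hunk at @@ -4813, the marker image in the new label line is not closed: `<img src='/blob.gif' alt='*' /</td>` lacks the `>` after the self-closing slash, so the browser has to error-correct the following `</td>`. It should read `<img src='/blob.gif' alt='*' /></td>`.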
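Review bot: the hunk at @@ -4828 repeats the unclosed tag from the host branch: `<img src='/blob.gif' alt='*' /</td>` is missing the `>` and should be `<img src='/blob.gif' alt='*' /></td>`; since both branches print the same label, fixing one and not the other would leave the two forms rendering differently.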
Have seen it too late to announce it in the commit message, but this patch also solves Bug #11715.
Best,
Erik
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good to have some guidance. It can be a separate patch.
Best, -Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message, but this patch also solves Bug #11715.
Best,
Erik
Hi Michael, yes, but the needs in there can differ a lot, so the question arises: what is a good default? Another idea might be to add another text (or a range of possible days) for that field? Maybe the error message, if an entry triggers one, could also be extended.
Greetings,
Erik
On Sunday, 17.06.2018, 19:14 +0100, Michael Tremer wrote:
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good to have some guidance. It can be a separate patch.
Best, -Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message, but this patch also solves Bug #11715.
Best,
Erik
I’d suggest that most users likely want the longest lifetime for their certs that they can get, so as to avoid the need to frequently replace expired certificates.
This is especially true because there is no way to recreate certs in the WUI when they expire, so you have to delete the entry and recreate it when that happens.
https://bugzilla.ipfire.org/show_bug.cgi?id=11742
My $0.02,
Tom
On Jun 18, 2018, at 3:56 AM, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, yes, but the needs in there can differ a lot, so the question arises: what is a good default? Another idea might be to add another text (or a range of possible days) for that field? Maybe the error message, if an entry triggers one, could also be extended.
Greetings,
Erik
On Sunday, 17.06.2018, 19:14 +0100, Michael Tremer wrote:
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good to have some guidance. It can be a separate patch.
Best, -Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message, but this patch also solves Bug #11715.
Best,
Erik