script-security: The support for the 'system' flag has been removed due to security implications with shell expansions when executing scripts via system() call. For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
ncp-disable: Negotiable crypto parameters has been disabled for the first.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 0a18ec7..a7daf89 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -216,7 +216,7 @@ sub writeserverconf { print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; - print CONF "script-security 3 system\n"; + print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -289,6 +289,7 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF "";
Hi,
this looks good. I will merge this soon.
How do we convert existing configuration files?
-Michael
On Thu, 2018-02-15 at 05:43 +0100, Erik Kapfer wrote:
script-security: The support for the 'system' flag has been removed due to security implications with shell expansions when executing scripts via system() call. For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn2 4ManPage .
ncp-disable: Negotiable crypto parameters has been disabled for the first.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
html/cgi-bin/ovpnmain.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 0a18ec7..a7daf89 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -216,7 +216,7 @@ sub writeserverconf { print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
- print CONF "script-security 3 system\n";
- print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -289,6 +289,7 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF "";
Hi Michael,
Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
Hi,
this looks good. I will merge this soon.
How do we convert existing configuration files?
i would do it like this:
#!/bin/bash
# Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew CRL while update an core update if [ -e /var/ipfire/ovpn/server.conf ]; then if pgrep openvpn >/dev/null; then openvpnctrl -k sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf openvpnctrl -s else sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf fi fi
# EOF
which includes also an update of the CRL to stay save also in that manner
Best,
Erik
Hi,
okay, that's fine. I will add this to the update script of that core update then.
-Michael
On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
Hi Michael,
Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
Hi,
this looks good. I will merge this soon.
How do we convert existing configuration files?
i would do it like this:
#!/bin/bash
# Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew CRL while update an core update if [ -e /var/ipfire/ovpn/server.conf ]; then if pgrep openvpn >/dev/null; then openvpnctrl -k sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf openvpnctrl -s else sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf fi fi
# EOF
which includes also an update of the CRL to stay save also in that manner
Best,
Erik
Am Donnerstag, den 15.02.2018, 11:00 +0000 schrieb Michael Tremer:
Hi,
okay, that's fine. I will add this to the update script of that core update then.
Great thanks. I think we should be then OpenVPN-2.4 ready for the first...
-Michael
On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
Hi Michael,
Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
Hi,
this looks good. I will merge this soon.
How do we convert existing configuration files?
i would do it like this:
#!/bin/bash
# Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew CRL while update an core update if [ -e /var/ipfire/ovpn/server.conf ]; then if pgrep openvpn >/dev/null; then openvpnctrl -k sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf openvpnctrl -s else sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf fi fi
# EOF
which includes also an update of the CRL to stay save also in that manner
Best,
Erik
-
Erik Kapfer -
Michael Tremer -
ummeegge