- The whole crypto section has been moved out of the global section to an extra page.
- Since --cipher is deprecated and will be handled via --data-cipher-fallback, the VAR name and the index have been kept but renamed from --cipher to --data-cipher-fallback. The old default AES-256-CBC has also been kept.
- The new directive --data-ciphers has been introduced for RWs, which now negotiates between the GCM family and the new CHACHA20-POLY1305. All ciphers can be combined.
- The new directive --data-ciphers substitutes --ncp-disable; therefore --ncp-disable has been removed, which fixes the deprecation warning in the updated OpenVPN-2.5.0.
- During client generation the client version can be set, which enables a full cipher negotiation if the client is >=2.5.0. Existing clients can also subsequently be enhanced via edit.
- The new ciphers and HMACs have been completely integrated into the N2N environment without further modification.
Code for update process via update.sh needs to be integrated:

    /usr/local/bin/openvpnctrl -k > /dev/null
    if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then
        sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
    fi
    /usr/local/bin/openvpnctrl -s > /dev/null
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 330 ++++++++++++++++++++++++++++----------
 langs/de/cgi-bin/de.pl    |  11 +-
 langs/en/cgi-bin/en.pl    |  11 +-
 3 files changed, 269 insertions(+), 83 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 68a70d147..fc4c6193a 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -75,6 +75,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", %netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -98,6 +99,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -325,8 +327,16 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n"; + + # Data channel encryption + # Set seperator for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g); + # Add also algorithm from --cipher directive + if ($sovpnsettings{'DATACIPHERS'} ne '') { + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -911,6 +921,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { &writeserverconf();#hier ok }
+### +### Save Advanced encryption +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings); + + $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + + # --data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ENC_ERROR; + } + + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); + &writeserverconf(); +} + +### End Save advanced encryption + ### # m.a.d net2net ### @@ -982,10 +1014,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print SERVERCONF unless "# HMAC algorithm\n"; print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1087,10 +1120,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1214,7 +1248,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable @@ -2344,7 +2377,15 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + } else { + print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') { 
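Review bot: In the new data-ciphers branch of the client config (hunk @@ -2344,7 +2377,15), the substitution s/|/:/g uses an unescaped |, which Perl reads as an alternation of two empty patterns. It matches at every character position, so a colon is inserted around every character and the stored | separators stay in place; the data-ciphers line written to client.ovpn is then not a valid cipher list. Use s/\|/:/g or tr/|/:/ instead. The assignment to @advcipherchar only receives the substitution count and is never read, so it can go. The branch also prints data-ciphers without checking that $vpnsettings{'DATACIPHERS'} is non-empty, which writeserverconf does check.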
@@ -2859,7 +2900,169 @@ END &Header::closebigbox(); &Header::closepage(); exit(0); - + +### +### Advanced encryption settings +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) { + %cgiparams = (); + %confighash = (); + my @temp=(); + my $disabled; + &General::readhash("${General::swroot}/ovpn/settings", %cgiparams); + + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (%confighash); + foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } + } + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + +ADV_ENC_ERROR: + + # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] + } + $checked{'DCIPHER'}{'AES-256-CBC'} = ''; + $checked{'DCIPHER'}{'AES-192-CBC'} = ''; + $checked{'DCIPHER'}{'AES-128-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $checked{'DCIPHER'}{'SEED-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $checked{'DCIPHER'}{'DESX-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $checked{'DCIPHER'}{'BF-CBC'} = ''; + $checked{'DCIPHER'}{'CAST5-CBC'} = ''; + @temp = split('|', $cgiparams{'DCIPHER'}); + foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; } + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42]; + } + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + # Save settings and display default if not configured + if ($cgiparams{'ACTION'} 
eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; + $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + } else { + $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; + $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + } + +ADV_ENC_ERROR: + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + } + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + &Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:"); + print<<END + + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + + <table width='100%'> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn data channel'}</th> + <th>$Lang::tr{'ovpn data channel fallback'}</th> + </tr> + </thead> + <tbody> + <tr> + <td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td> + <td class='boldbase'> + <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option> + <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> + </select> + </td> + + <td class='boldbase'> + 
<select name='DCIPHER' size='6' style='width: 100%'> + <option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option> + <option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option> + <option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option> + <option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + </td> + </tr> + </tbody> + </table> + <hr> +END +; + if ( -e "/var/run/openvpn.pid") { + print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>"; + print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } else { + 
print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } + + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + +### END advanced encryption
# A.Marx CCD Add,delete or edit CCD net
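Review bot: Both split('|', ...) calls in the advanced encryption page (hunk @@ -2859,7 +2900,169) treat their first argument as a pattern, and an unescaped | is an empty alternation, so the stored value is split into single characters and no option ever gets selected='selected'. Use split(/\|/, ...). The label ADV_ENC_ERROR: is also defined twice in this block, once before the defaults and once before &Header::showhttpheaders(), which leaves it unclear where the goto in the save handler is meant to land; keep one. The form tag is opened twice (once by the print before &Header::openbox and again at the top of the heredoc) but closed once, and the attribute allign on the button cells should be align.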
@@ -3595,6 +3798,8 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + # Index from [39] to [44] has been reserved by advanced encryption + $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -4338,6 +4543,8 @@ if ($cgiparams{'TYPE'} eq 'net') { if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { $confighash{$key}[41] = "no-pass"; } + # Index from [39] to [44] has been reserved by advanced encryption + $confighash{$key}[45] = $cgiparams{'CLIENTVERSION'};
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); @@ -4508,28 +4715,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - # If no cipher has been chossen yet, select - # the old default (AES-256-CBC) for compatiblity reasons. - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -4595,11 +4780,12 @@ if ($cgiparams{'TYPE'} eq 'net') { print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>"; }
- # If GCM ciphers are in usage, HMAC menu is disabled + # If AEAD ciphers are in usage, HMAC menu is disabled my $hmacdisabled; if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || - ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) { $hmacdisabled = "disabled='disabled'"; };
@@ -4673,9 +4859,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER' id="n2ncipher" required> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> + <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option> + <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> + <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> + <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> @@ -4693,10 +4880,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td> <td><select name='DAUTH' id="n2nhmac" $hmacdisabled> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> + <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> @@ -4713,7 +4905,7 @@ print<<END; <script> var disable_options = false; document.getElementById('n2ncipher').onchange = function () { - if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) { document.getElementById('n2nhmac').setAttribute('disabled', true); } else { document.getElementById('n2nhmac').removeAttribute('disabled'); 
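Review bot: The comparison added to the n2ncipher onchange handler (hunk @@ -4713,7 +4905,7), this.value == "CHACHA20-POLY1305", can never be true, because the option added to that select in the hunk above has value='ChaCha20-Poly1305' and the comparison is case-sensitive. The HMAC menu therefore stays enabled when ChaCha20-Poly1305 is chosen, unlike the server-side AEAD checks. Compare against "ChaCha20-Poly1305".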
@@ -4749,6 +4941,7 @@ if ($cgiparams{'TYPE'} eq 'host') { print"</td></tr></table><br><br>"; my $name=$cgiparams{'CHECK1'}; $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED'; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; if (! -z "${General::swroot}/ovpn/ccd.conf"){ print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>"; @@ -4884,7 +5077,13 @@ if ($cgiparams{'TYPE'} eq 'host') { print <<END; <table border='0' width='100%'> - <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + + <tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + <tr> + <td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td> + <td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} /> + <font color='red'> $Lang::tr{'ovpn client version 25 warning'}</font></td> + </tr> <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr> <tr><td colspan='4'> </td></tr> <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'> @@ -5061,9 +5260,6 @@ END }
#default setzen - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; } @@ -5105,24 +5301,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5138,6 +5316,13 @@ END $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
+ if ($cgiparams{'CLIENTVERSION'} = '' ) { + $cgiparams{'CLIENTVERSION'} = 'off'; + } + $checked{'CLIENTVERSION'}{'off'} = ''; + $checked{'CLIENTVERSION'}{'on'} = ''; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; + # m.a.d $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; 
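Review bot: The condition if ($cgiparams{'CLIENTVERSION'} = '' ) in hunk @@ -5138,6 +5316,13 assigns instead of comparing. It overwrites whatever value was loaded with an empty string, the condition is always false, the 'off' default is never applied, and the following line sets $checked{'CLIENTVERSION'}{''} rather than the 'on' or 'off' entry, so the checkbox never reflects the stored setting. Use eq '' here.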
@@ -5245,26 +5430,6 @@ END <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - - <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td> - <td><select name='DCIPHER'> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> - <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option> - <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option> - <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option> - <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option> - <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - 
</td> </tr>
<tr><td colspan='4'><br></td></tr> @@ -5280,12 +5445,14 @@ END if ( $srunning eq "yes" ) { print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; - print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>"; } else{ print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && -e "${General::swroot}/ovpn/ca/dh1024.pem" && -e "${General::swroot}/ovpn/certs/servercert.pem" && @@ -5818,3 +5985,4 @@ END
&Header::closepage();
+ diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2fb46e741..614f8a16c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1901,10 +1901,17 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung', +'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln', +'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', +'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', @@ -1913,6 +1920,7 @@ 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 
@@ -2163,6 +2171,7 @@ 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden', 'save settings' => 'Einstellungen speichern', 'save-adv-options' => 'Erweiterte Optionen speichern', +'save-enc-options' => 'Kryptografie Optionen speichern', 'script name' => 'Skriptname:', 'search' => 'Suchen', 'secondary dns' => 'Sekundärer DNS-Server:', @@ -2853,7 +2862,7 @@ 'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', -'vpn weak' => 'schwach', +'vpn weak' => 'Unsicher', 'vulnerability' => 'Verwundbarkeit', 'vulnerable' => 'Verwundbar', 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b5284effa..714d7c81e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1933,10 +1933,17 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Advanced encryption settings', +'ovpn client version 25 cipher negotiation' => 'Negotiate encryption', +'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel authentication' => 'Data and channel authentication', +'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', 
@@ -1945,6 +1952,7 @@ 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', @@ -2196,6 +2204,7 @@ 'save error' => 'Unable to save configuration archive file', 'save settings' => 'Save settings', 'save-adv-options' => 'Save advanced options', +'save-enc-options' => 'Save encryption options', 'script name' => 'Script name:', 'search' => 'Search', 'secondary dns' => 'Secondary DNS:', @@ -2897,7 +2906,7 @@ 'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', -'vpn weak' => 'Weak', +'vpn weak' => 'Insecure', 'vulnerability' => 'Vulnerability', 'vulnerable' => 'Vulnerable', 'waiting to synchronize clock' => 'Waiting to synchronize clock',
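Review bot: In writeserverconf (hunk @@ -325,8 +327,16), s/|/:/g does not convert the | separators of DATACIPHERS into colons, because the unescaped | is an empty alternation that matches at every position; escape it (s/\|/:/g) or use tr/|/:/. The comment "# Add also algorithm from --cipher directive" does not describe anything the following lines do, so either add the fallback cipher to the data-ciphers list or drop the comment.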
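Review bot: The save-enc-options handler (hunk @@ -911,6 +921,28) checks only DATACIPHERS, and only for being empty. DCIPHER and DATACIPHERS are copied from the submitted form into the settings file and from there printed into server.conf and client.ovpn, so each submitted value should be checked against the cipher names offered in the two select lists before &General::writehash is called. An empty DCIPHER should be rejected as well, since writeserverconf now prints data-ciphers-fallback unconditionally.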
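Review bot: In the DAUTH option list (hunk @@ -4693,10 +4880,15) the SHA3-256 entry reads $selected{'DAUTH'}{'SHA-256'}. The key does not match the option value, so a stored SHA3-256 is never shown as selected; it should be $selected{'DAUTH'}{'SHA3-256'}.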
- The --tls-ciphers for the control channel TLSv2 crypto can now be combined for negotiation.
- The --tls-ciphersuite crypto does the same but with TLSv3 and can also be combined for negotiation. There are no defaults for both, so these features are deactivated unless the user decides to use them.
- The --tls-ciphersuite directive will only be printed into client.ovpn if the client is >=2.5.0 ready.
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl    |   3 ++
 langs/en/cgi-bin/en.pl    |   3 ++
 3 files changed, 115 insertions(+)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index fc4c6193a..f2b8b79da 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $cgiparams{'DATACIPHERS'} = ''; +$cgiparams{'CHANNELCIPHERS'} = ''; +$cgiparams{'NCHANNELCIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -337,6 +339,20 @@ sub writeserverconf { print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; }
+ # Control channel encryption TLSv2 needs own line cause directive differs + if ($sovpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/|/:/g); + print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n"; + } + + # Controll channel encryption >= TLSv3 + if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/|/:/g); + print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -937,6 +953,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { goto ADV_ENC_ERROR; }
+ # If no value for --tls-cipher has been set, delete setting + if ($cgiparams{'CHANNELCIPHERS'} eq '') { + delete $vpnsettings{'CHANNELCIPHERS'}; + } else { + $vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'}; + } + + # If no value for --tls-ciphersuites has been set, delete setting + if ($cgiparams{'NCHANNELCIPHERS'} eq '') { + delete $vpnsettings{'NCHANNELCIPHERS'}; + } else { + $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; + } + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); &writeserverconf(); } @@ -2380,12 +2410,30 @@ else
# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set seperator for --data-ciphers algorithms @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; } else { print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; }
+ # Set --tls-cipher TLSv2 if configured + if ($vpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/|/:/g); + print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n"; + } + + # Print new tls-ciphersuites TLSv3 only if client is >=2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set --tls-ciphersuites TLSv3 if configured + if ($vpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/|/:/g); + print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n"; + } + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2918,6 +2966,8 @@ END } $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
ADV_ENC_ERROR:
@@ -2951,13 +3001,37 @@ ADV_ENC_ERROR: @temp = split('|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+ # No default settings for --tls-cipher so OpenVPN makes his own choice + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + @temp = split('|', $cgiparams{'CHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; } + + # No default settings for --tls-ciphersuites so OpenVPN makes his own choice + $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = ''; + @temp = split('|', $cgiparams{'NCHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; } + # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; + $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; }
ADV_ENC_ERROR: 
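Review bot: In this hunk split('|', $cgiparams{'CHANNELCIPHERS'}) and split('|', $cgiparams{'NCHANNELCIPHERS'}) pass '|' as the split pattern, and split treats its first argument as a regular expression, so as written this is an empty alternation that matches between every character. The loop then sets $checked{...}{'T'}, {'L'}, {'S'} and so on instead of the cipher names, and no option is marked selected after a save. Escape the separator, e.g. split(/\|/, ...), here and in the DATACIPHERS context line above it.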
@@ -3021,8 +3095,43 @@ ADV_ENC_ERROR: </select> </td> </tr> + + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn control channel v3'}</th> + <th>$Lang::tr{'ovpn control channel v2'}</th> + </tr> + + <tr> + </td> + <td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td> + <td class='boldbase'> + <select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + </select> + </td> + + <td class='boldbase'> + <select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11"> + <option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option> + <option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + <option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option> + 
<option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + <option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + </select> + </td> + </tr> </tbody> </table> + + <br><br> + <hr> END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 614f8a16c..cc7755018 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1908,6 +1908,9 @@ 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung', +'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', +'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', 'ovpn data channel' => 'Daten-Kanal', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 714d7c81e..3dcb8d46e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1940,6 +1940,9 @@ 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Control-Channel encryption', +'ovpn control channel v2' => 'Control-Channel TLSv2', +'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel authentication' => 'Data and channel authentication', 'ovpn data channel' => 'Data-Channel',
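Review bot: The substitution s/|/:/g in the writeserverconf and client-config hunks (tls-cipher, tls-ciphersuites, and the data-ciphers context line) has an unescaped '|', which as written is an empty alternation: it matches at every position and inserts ':' around each character instead of replacing the separator, so the directive written to server.conf or client.ovpn is not a valid cipher list. Use s/\|/:/g. The assignment to @advcipherchar only stores the substitution count and is never read in the visible lines, so it can go. The substitution also rewrites the settings hash entry in place, so work on a copy if the hash is used again afterwards.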
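Review bot: The new table row in the encryption form hunk (@@ -3021) opens with '<tr>' followed directly by a stray '</td>', and the CHANNELCIPHERS select carries 'size' and 'style' twice (size='6' style='width: 100%' style="margin-right:-17px" size="11"). Browsers keep the first occurrence of a duplicated attribute, so the second style and size are dead. Drop the stray close tag, merge the two style values and keep one size. The header row also declares the first column as width="15%" while the cell below it says width="27%".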
- The --auth directive has been enhanced with the Keccak (SHA3) family but also BLAKE2 has been integrated.
- The TLS authentication has been enhanced with --tls-crypt and with --tls-crypt-v2, newly introduced with OpenVPN version 2.5.0.
- New keys will be shown and can partly be downloaded over the "Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up from encryption settings which follows the IPSec WUI style.
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 367 +++++++++++++++++++++++++++++---------
 langs/de/cgi-bin/de.pl    |  10 +-
 langs/en/cgi-bin/en.pl    |  12 +-
 3 files changed, 298 insertions(+), 91 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f2b8b79da..455b0a8a4 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -357,9 +357,19 @@ sub writeserverconf { # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n";
- if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; - } + # TLS control channel authentication + if ($sovpnsettings{'TLSAUTH'} ne 'off') { + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') { + print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n"; + } + } + if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -944,6 +954,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings);
+ $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
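Review bot: TLSAUTH and DAUTH are copied from $cgiparams into %vpnsettings directly after readhash with no check in the visible lines, and writeserverconf later prints the value straight into the config (print CONF "auth $sovpnsettings{'DAUTH'}\n"). The select lists only constrain what a browser offers, not what a POST can contain, so validate both values against the fixed lists of accepted algorithms and modes before writehash, and fail with goto ADV_ENC_ERROR otherwise.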
@@ -967,6 +979,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; }
+ # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc.key for tls-crypt if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') { + if ( ! -e "${General::swroot}/ovpn/certs/tc.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc-v2-server.key for tls-crypt-v2 server if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') { + if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); &writeserverconf(); } @@ -1257,17 +1302,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; }
- # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto SETTINGS_ERROR; - } - } - } - $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1278,8 +1312,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable
if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -1708,14 +1740,36 @@ END ### ### Download tls-auth key ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: filename=ta.key\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - exit(0); + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + exit(0); }
+### +### Download tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + exit(0); + } + +### +### Download tls-crypt-v2 key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + exit(0); + } + ### ### Form for generating a root certificate ### 
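Review bot: The new 'download tls-crypt-v2 key' action serves tc-v2-server.key, which is the server-side key; the client hunks in this patch generate a separate per-client key from it, so clients never need this file. Consider dropping the download handler for it and reconsidering the matching 'show' action as well. Separately, all three handlers shell out with backticks to /bin/cat; opening the file and printing it avoids the shell, and the header should read 'Content-Disposition: attachment; filename=...'.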
@@ -2443,6 +2497,29 @@ else print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } + + # Add tls-crypt to client ovpn + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt tc.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "Can't add file tc.key\n"; + } + + # Add client specific tls-crypt-v2 key to client.ovpn + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n"; + # Generate individual tls-crypt-v2 client key + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + # Add individual tls-crypt-v2 client key to client package + $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n"; + } + if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2499,6 +2576,20 @@ else print CLIENTCONF "</key>\r\n\r\n"; close(FILE);
+ # Create individual tls-crypt-v2 client key and print it to client.conf + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + open(FILE, "<$cryptfile"); + print CLIENTCONF "<tls-crypt-v2>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</tls-crypt-v2>\r\n\r\n"; + close(FILE); + } + # TLS auth if ($vpnsettings{'TLSAUTH'} eq 'on') { open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); @@ -2680,7 +2771,7 @@ else &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}"); my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; $output = &Header::cleanhtml($output,"y"); print "<pre>$output</pre>\n"; @@ -2691,6 +2782,50 @@ else exit(0); }
+### +### Display tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + +### +### Display tls-crypt-v2 server key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### @@ -2743,9 +2878,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; 
@@ -2964,13 +3096,43 @@ END $key = &General::findhasharraykey (%confighash); foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } } + $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[41] = $cgiparams{'TLSAUTH'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
ADV_ENC_ERROR:
+ # Set default for hash message authentication code + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA512'; #[39]; + } + $checked{'DAUTH'}{'BLAKE2b512'} = ''; + $checked{'DAUTH'}{'BLAKE2s256'} = ''; + $checked{'DAUTH'}{'SHA3-512'} = ''; + $checked{'DAUTH'}{'SHA3-384'} = ''; + $checked{'DAUTH'}{'SHA3-256'} = ''; + $checked{'DAUTH'}{'SHA512'} = ''; + $checked{'DAUTH'}{'SHA384'} = ''; + $checked{'DAUTH'}{'SHA256'} = ''; + $checked{'DAUTH'}{'whirlpool'} = ''; + $checked{'DAUTH'}{'SHA1'} = ''; + @temp = split('|', $cgiparams{'DAUTH'}); + foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; } + + # Set default for TLS control authentication + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41] + } + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'tls-crypt'} = ''; + $checked{'TLSAUTH'}{'tls-crypt-v2'} = ''; + @temp = split('|', $cgiparams{'TLSAUTH'}); + foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] @@ -3023,12 +3185,16 @@ ADV_ENC_ERROR:
# Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; + $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { + $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; + $cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; @@ -3132,6 +3298,44 @@ ADV_ENC_ERROR:
<br><br>
+ <h2>$Lang::tr{'ovpn crypt options'}:</h2> + + <table width="100%"> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn ha'}</th> + <th>$Lang::tr{'ovpn tls auth'}</th> + </tr> + </thead> + <tbody> + <tr> + <td width="27%">$Lang::tr{'ovpn data channel authentication'}</td> + <td class='boldbase'> + <select name='DAUTH' size='6' style='width: 100%'> + <option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> + <option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option> + <option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option> + <option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option> + <option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + + <td class='boldbase'> + <select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11"> + <option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option> + <option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option> + <option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option> + <option value='off' $checked{'TLSAUTH'}{'off'}>Off</option> + </select> + </td> + </tr> + </tbody> + </table> <hr> END ; 
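Review bot: The SHA3-256 option looks up $checked{'DAUTH'}{'SHA-256'}, a key the initialisation hunk never sets (it defines 'SHA3-256'), so a saved SHA3-256 selection is never shown as selected. Change the lookup to $checked{'DAUTH'}{'SHA3-256'}. In the same table the DAUTH cell is missing its closing '</td>' after '</select>', and the TLSAUTH select repeats 'style' and 'size'.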
@@ -3906,7 +4110,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; - $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; # Index from [39] to [44] has been reserved by advanced encryption $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { @@ -4824,16 +5027,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - if (1) { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); @@ -5378,21 +5571,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} = 'off'; } - if ($cgiparams{'DAUTH'} eq '') { - if (-z "${General::swroot}/ovpn/ovpnconfig") { - $cgiparams{'DAUTH'} = 'SHA512'; - } - foreach my $key (keys %confighash) { - if ($confighash{$key}[3] ne 'host') { - $cgiparams{'DAUTH'} = 'SHA512'; - } else { - $cgiparams{'DAUTH'} = 'SHA1'; - } - } - } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5410,17 +5588,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5523,30 +5690,6 @@ END <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td> </tr>
- <tr><td colspan='4'><br></td></tr> - <tr> - <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td> - </tr> - <tr><td colspan='1'><br></td></tr> - - <tr> - <td class='base'>$Lang::tr{'ovpn ha'}</td> - <td><select name='DAUTH'> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> - <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> - <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> - <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> - <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - </td> - </tr> - - <tr><td colspan='4'><br></td></tr> - <tr> - <td class='base'>$Lang::tr{'ovpn tls auth'}</td> - <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td> - </tr> - <tr><td colspan='4'><br><br></td></tr> END ; @@ -5845,6 +5988,10 @@ END my $col3="bgcolor='$color{'color22'}'"; # ta.key line my $col4="bgcolor='$color{'color20'}'"; + # tc-v2.key line + my $col5="bgcolor='$color{'color22'}'"; + # tc.key + my $col6="bgcolor='$color{'color20'}'";
if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; @@ -5974,7 +6121,7 @@ END # Nothing print <<END; <tr> - <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td> + <td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td> <td class='base' $col4>$Lang::tr{'not present'}</td> <td colspan='3' $col4> </td> </tr> @@ -5982,6 +6129,52 @@ END ; }
+ # Adding tc-v2.key to chart + if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") { + my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $tcvsubject =~ /-----BEGIN (.*)-----[\n]/; + $tcvsubject = $1; + print <<END; + + <tr> + <td class='base' $col5>$Lang::tr{'tc v2 key'}</td> + <td class='base' $col5>$tcvsubject</td> + <form method='post' name='frmtcv2key'><td width='3%' align='center' $col5> + <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' /> + </form> + <form method='post' name='frmtckey'><td width='3%' align='center' $col5> + <td width='4%' $col5> </td> + </tr> +END +; + } + + # Adding tc.key to chart + if (-f "${General::swroot}/ovpn/certs/tc.key") { + my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $tcsubject =~ /# (.*)[\n]/; + $tcsubject = $1; + print <<END; + + <tr> + <td class='base' $col6>$Lang::tr{'tc key'}</td> + <td class='base' $col6>$tcsubject</td> + <form method='post' name='frmtckey'><td width='3%' align='center' $col6> + <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' /> + </form> + <form method='post' name='frmtckey'><td width='3%' align='center' $col6> + <input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' /> + </form> + <td width='4%' $col6> </td> + </tr> +END +; + } + + if (! 
-f "${General::swroot}/ovpn/ca/cacert.pem") { print "<tr><td colspan='5' align='center'><form method='post'>"; print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cc7755018..9ffbbf432 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -894,6 +894,9 @@ 'download new ruleset' => 'Neuen Regelsatz herunterladen', 'download pkcs12 file' => 'PKCS12-Datei herunterladen', 'download root certificate' => 'Root-Zertifikat herunterladen', +'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen', +'download tls-crypt key' => 'TLS-Crypt Schlüssel herunterladen', +'download tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel herunterladen', 'download tls-auth key' => 'tls-auth Key herunterladen', 'dpd action' => 'Aktion für Erkennung toter Gegenstellen (Dead Peer Detection)', 'dpd delay' => 'Verzögerung', @@ -1951,7 +1954,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', -'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn tls auth' => 'TLS-Kanalabsicherung', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', 
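Review bot: The first de.pl hunk (@@ -894) adds 'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen' but leaves the existing context line 'download tls-auth key' => 'tls-auth Key herunterladen' three lines below it. Both are keys of the same hash, and in a Perl list the later pair wins, so the new German string never takes effect. Replace the old line instead of adding a second one, as the en.pl hunk does.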
@@ -2224,6 +2227,9 @@ 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show root certificate' => 'Root-Zertifikat anzeigen', 'show share options' => 'Anzeige der Freigabeeinstellungen', +'show tls-auth key' => 'TLS-Auth Schlüssel anzeigen', +'show tls-crypt key' => 'TLS-Crypt Schlüssel anzeigen', +'show tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel anzeigen', 'shuffle' => 'Zufall', 'shutdown' => 'Herunterfahren', 'shutdown ask' => 'Herunterfahren?', @@ -2350,6 +2356,8 @@ 'system logs' => 'Systemprotokolldateien', 'system status information' => 'System-Statusinformationen', 'ta key' => 'TLS-Authentifizierungsschlüssel', +'tc key' => 'TLS-Kryptografie-Schlüssel', +'tc v2 key' => 'TLS-Kryptografie-Schlüssel-Version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (zuverlässiger)', 'telephone not set' => 'Telefonnummer nicht angegeben.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3dcb8d46e..6707a3a71 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -918,7 +918,9 @@ 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', 'download root certificate' => 'Download root certificate', -'download tls-auth key' => 'Download tls-auth key', +'download tls-auth key' => 'Download TLS-Auth key', +'download tls-crypt key' => 'Download TLS-Crypt key', +'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key', 'dpd action' => 'Action', 'dpd delay' => 'Delay', 'dpd timeout' => 'Timeout', 
@@ -1983,7 +1985,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', -'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn tls auth' => 'TLS Channel Protection', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', @@ -2260,7 +2262,9 @@ 'show lines' => 'Show lines', 'show root certificate' => 'Show root certificate', 'show share options' => 'Show shares options', -'show tls-auth key' => 'Show tls-auth key', +'show tls-auth key' => 'Show TLS-Auth key', +'show tls-crypt key' => 'Show TLS-Crypt key', +'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key', 'shuffle' => 'Shuffle', 'shutdown' => 'Shutdown', 'shutdown ask' => 'Shutdown?', @@ -2388,6 +2392,8 @@ 'system logs' => 'System Logs', 'system status information' => 'System Status Information', 'ta key' => 'TLS-Authentification-Key', +'tc key' => 'TLS-Cryptografic-Key', +'tc v2 key' => 'TLS-Cryptografic-Key-version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (more reliable)', 'telephone not set' => 'Telephone not set.',
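Review bot: In both client-package hunks (@@ -2443 and @@ -2499) the tls-crypt-v2 client key is created with system('/usr/sbin/openvpn', '--tls-crypt-v2', ...) and the return status is not checked, unlike the server-side --genkey calls that test $? and bail out. If generation fails, the zip path dies in addFile and the inline path writes an empty <tls-crypt-v2> block after an unchecked two-argument open(FILE, "<$cryptfile"). Check $? after system and use a three-argument open with an error branch.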
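Review bot: In the tc-v2 key table row (@@ -5982) the image input uses title='$Lang::tr{'show tls-crypt-v2 key key'}', a key with a doubled 'key' that the language hunks in this patch do not add, so the tooltip has no translation; the intended key is 'show tls-crypt-v2 key'. The same row opens a second form named 'frmtckey' that has no inputs and no closing '</form>', and that name is reused by both forms in the tc.key row.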
Hi all, there are meanwhile some enhancements and one fix.
- There are translations (human) in four languages available --> https://community.ipfire.org/t/please-for-help-to-translate-some-strings/394... Russian, Polish and Turkish are also there but machine translated.
- There is a check for weak algorithms, also for the HMAC SHA1 with the warning to change these settings as soon as possible since they are deprecated.
- A fix is included since tls-crypt wasn't parsed into client.ovpn in 'insecure' mode.
I would send a version 2 with all changes but now may split into 4-5 patches?
Best,
Erik
Hello,
On 8 Dec 2020, at 18:28, ummeegge ummeegge@ipfire.org wrote:
Hi all, there are meanwhile some enhancements and one fix.
- There are translations (human) in four languages available -->
https://community.ipfire.org/t/please-for-help-to-translate-some-strings/394... Russian, Polish and Turkish are also there but machine translated.
I appreciate involving the community, but translations should be done at the end, when we are no longer going to change anything. I am not sure if we are at that point, yet.
- There is a check for weak algorithms, also for the HMAC SHA1 with the
warning to change these settings as soon as possible since they are deprecated.
- A fix is included since tls-crypt wasn't parsed into client.ovpn in
'insecure' mode.
I would send a version 2 with all changes but now may split into 4-5 patches?
I still think that I did not get answers to my questions in the other email thread.
I do not think that it is worth it to review any patches just yet, when we still do not know what we want the whole thing to look like so that people can use it.
Do you have all your changes in a Git repository somewhere?
-Michael
Best,
Erik
- The whole crypto section will be sorted out from the global section to an extra page while this patchset and a set of defaults should handle the encryption also for not experienced users. The WUI style has been adopted from the IPSec WUI.
- The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best but also available cipher. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305. All ciphers can be combined with another.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefore '--ncp-disable' has been removed which fixes the deprecation warning in the new OpenVPN-2.5.0 server instance.
- During client generation the client version can be set via a checkbox which enables, if client is >=2.5.0 a full cipher negotiation by printing also the '--data-cipher algs' directive into the client.ovpn, if the client version <=2.5.0 (checkbox off), the old deprecated '--cipher alg' will be written. Existing clients can also subsequently be enhanced via editing the connection.
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 192 +++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 7 ++ langs/en/cgi-bin/en.pl | 7 ++ langs/es/cgi-bin/es.pl | 7 ++ langs/fr/cgi-bin/fr.pl | 7 ++ langs/it/cgi-bin/it.pl | 7 ++ langs/nl/cgi-bin/nl.pl | 7 ++ langs/pl/cgi-bin/pl.pl | 7 ++ langs/ru/cgi-bin/ru.pl | 7 ++ langs/tr/cgi-bin/tr.pl | 7 ++ 10 files changed, 251 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 68a70d147..40ae58673 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -75,6 +75,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", %netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -98,6 +99,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -325,8 +327,16 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + + # Data channel encryption + # Set seperator for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g); + # Add also algorithm from --cipher directive + if ($sovpnsettings{'DATACIPHERS'} ne '') { + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -911,6 +921,27 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { &writeserverconf();#hier ok }
+### +### Save Advanced encryption +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings); + + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + + # --data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ENC_ERROR; + } + + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); + &writeserverconf(); +} + +### End Save advanced encryption + ### # m.a.d net2net ### @@ -2344,7 +2375,16 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 in client.ovpn + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set seperator for --data-ciphers algorithms + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + } else { + print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') { 
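Review bot: in the client.ovpn branch of this hunk the substitution s/|/:/g, as written, has an unescaped | in the pattern. Perl reads that as an alternation of two empty patterns, which matches at every position, so a stored value such as ChaCha20-Poly1305|AES-256-GCM gets a ':' inserted between all of its characters instead of having the '|' replaced, and the data-ciphers line written to the client file is not a valid cipher list. Escape the pipe (s/\|/:/g) or use tr/|/:/. The identical line in the writeserverconf hunk needs the same change. @advcipherchar only receives the return value of the substitution and is never read, so the assignment can be dropped.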
@@ -2859,7 +2899,132 @@ END &Header::closebigbox(); &Header::closepage(); exit(0); - + +### +### Advanced encryption settings +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) { + %cgiparams = (); + %confighash = (); + my @temp=(); + my $disabled; + &General::readhash("${General::swroot}/ovpn/settings", %cgiparams); + + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (%confighash); + foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } + } + $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + +ADV_ENC_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42]; + } + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + # Save settings and display default if not configured + if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + } else { + $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + } + +ADV_ENC_ERROR: + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + } + + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + &Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced 
encryption'}:"); + print<<END + + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + + <table width='100%'> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn data channel'}</th> + </tr> + </thead> + <tbody> + <tr> + <td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td> + <td class='boldbase'> + <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option> + <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> + </select> + </td> + </tr> + </tbody> + </table> + <hr> +END +; + + if ( -e "/var/run/openvpn.pid") { + print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>"; + print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } else { + print<<END; + <table width='100%'> + <tr> + <td> </td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td> + <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td> + <td> </td> + </tr> + </table> + </form> +END +; + + } + + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + +### END advanced encryption
# A.Marx CCD Add,delete or edit CCD net
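Review bot: split('|', $cgiparams{'DATACIPHERS'}) in this hunk has the pattern problem of an unescaped pipe: split treats its first argument as a regex, '|' matches the empty string, and the value is broken into single characters, so none of the four $checked{'DATACIPHERS'}{...} entries is ever set to selected and the form never shows the stored choice. Use split(/\|/, ...). The label ADV_ENC_ERROR: is also declared twice in this block, once before the defaults and once before &Header::showhttpheaders(); keep a single label so the goto in the save handler has one target. Minor: the submit cells use allign='center', which should be align.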
@@ -3595,6 +3760,8 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + # Index from [39] to [44] has been reserved by advanced encryption + $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -4338,6 +4505,8 @@ if ($cgiparams{'TYPE'} eq 'net') { if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { $confighash{$key}[41] = "no-pass"; } + # Index from [39] to [44] has been reserved by advanced encryption + $confighash{$key}[45] = $cgiparams{'CLIENTVERSION'};
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); @@ -4749,6 +4918,7 @@ if ($cgiparams{'TYPE'} eq 'host') { print"</td></tr></table><br><br>"; my $name=$cgiparams{'CHECK1'}; $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED'; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; if (! -z "${General::swroot}/ovpn/ccd.conf"){ print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>"; @@ -4884,7 +5054,12 @@ if ($cgiparams{'TYPE'} eq 'host') { print <<END; <table border='0' width='100%'> - <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + <tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr> + <tr> + <td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td> + <td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} /> + <font color='red'> $Lang::tr{'ovpn client version 25 warning'}</font></td> + </tr> <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr> <tr><td colspan='4'> </td></tr> <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'> @@ -5138,6 +5313,13 @@ END $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
+ if ($cgiparams{'CLIENTVERSION'} = '' ) { + $cgiparams{'CLIENTVERSION'} = 'off'; + } + $checked{'CLIENTVERSION'}{'off'} = ''; + $checked{'CLIENTVERSION'}{'on'} = ''; + $checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED'; + # m.a.d $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; @@ -5281,11 +5463,13 @@ END print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>"; } else{ print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />"; print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />"; + print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />"; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && -e "${General::swroot}/ovpn/ca/dh1024.pem" && -e "${General::swroot}/ovpn/certs/servercert.pem" && diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2fb46e741..0d0705845 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -1901,10 +1901,15 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung', +'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln', +'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel' => 'Daten-Kanal', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', @@ -1913,6 +1918,7 @@ 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 
@@ -2163,6 +2169,7 @@ 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden', 'save settings' => 'Einstellungen speichern', 'save-adv-options' => 'Erweiterte Optionen speichern', +'save-enc-options' => 'Kryptografie Optionen speichern', 'script name' => 'Skriptname:', 'search' => 'Suchen', 'secondary dns' => 'Sekundärer DNS-Server:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b5284effa..affa43cd3 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1933,10 +1933,15 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Advanced encryption settings', +'ovpn client version 25 cipher negotiation' => 'Negotiate encryption', +'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel' => 'Data-Channel', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', 
@@ -1945,6 +1950,7 @@ 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', @@ -2196,6 +2202,7 @@ 'save error' => 'Unable to save configuration archive file', 'save settings' => 'Save settings', 'save-adv-options' => 'Save advanced options', +'save-enc-options' => 'Save encryption options', 'script name' => 'Script name:', 'search' => 'Search', 'secondary dns' => 'Secondary DNS:', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 93a15bba0..3d6efc21a 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -36,6 +36,9 @@ 'Number of IPs for the pie chart' => 'Número de IPS para la gráfica circular', 'Number of Ports for the pie chart' => 'Número de puerto para la gráfica circular', 'OVPN' => 'OpenVPN', +'ovpn advanced encryption' => 'Configuración avanzada de encriptación', +'ovpn client version 25 cipher negotiation' => 'Negociar encriptación', +'ovpn client version 25 warning' => 'Disponible con la versión de Cliente 2.5.0 y superior', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Páginas', 'Ping' => 'Ping:', 
@@ -1328,7 +1331,10 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Estadisticas de conexión OpenVPN', 'ovpn config' => 'Configruación de OVPN', +'ovpn data encryption' => 'Encriptación Data-Channel', +'ovpn data channel' => 'Canal-Datos', 'ovpn device' => 'Dispositivo OpenVPN', +'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado', 'ovpn dl' => 'Configuración de descargas OVPN', 'ovpn log' => 'Registro de log de OVPN', 'ovpn on blue' => 'OpenVPN en BLUE', @@ -1531,6 +1537,7 @@ 'save error' => 'Imposible grabar archivo de configuración', 'save settings' => 'Guardar configuraciones', 'save-adv-options' => 'Guardar configuraciones avanzadas', +'save-enc-options' => 'Guardar opciones de encriptado', 'script name' => 'Nombre de Script:', 'secondary dns' => 'DNS Secundario:', 'secondary ntp server' => 'Servidor NTP Secundario', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index a2d27939c..df19ef316 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1934,10 +1934,15 @@ 'override mtu' => 'Remplacer le MTU par défaut', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Configuration additionnelle', +'ovpn advanced encryption' => 'Paramètres de cryptage avancés', +'ovpn client version 25 cipher negotiation' => 'Négocier le cryptage', +'ovpn client version 25 warning' => 'Disponible avec le client version 2.5.0 et supérieur', 'ovpn con stat' => 'Statistiques de connexions OpenVPN', 'ovpn config' => 'Config OVPN', 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', +'ovpn data encryption' => 'Chiffrage du canal de données', +'ovpn data channel' => 'Canal de données', 'ovpn device' => 'Périphérique OpenVPN :', 'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ', 'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ', 
@@ -1946,6 +1951,7 @@ 'ovpn dl' => 'Télécharger Config OVPN', 'ovpn engines' => 'Moteur Crypto', 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée', +'ovpn errmsg invalid data cipher input' => 'Le chiffrage de données nécessite au moins un cryptogramme', 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide', 'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>', 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n'est plus acceptée. <br>Veuillez mettre à jour la dernière version d'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>', @@ -2200,6 +2206,7 @@ 'save error' => 'Impossible de sauvegarder le fichier archive de configuration', 'save settings' => 'Sauvegarder les paramètres', 'save-adv-options' => 'Sauvegarder les options avancées', +'save-enc-options' => 'Enregistrer les options de chiffrage', 'script name' => 'Nom du script :', 'search' => 'Recherche', 'secondary dns' => 'DNS secondaire :', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 14436de4b..1c190eff2 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl 
@@ -43,6 +43,11 @@ 'Number of IPs for the pie chart' => 'Numero di IP per il grafico a torta', 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta', 'OVPN' => 'OpenVPN', +'ovpn data encryption' => 'Crittografia del canale dati', +'ovpn data channel' => 'Canale-Dati', +'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia', +'ovpn client version 25 cipher negotiation' => 'Negozazione cirttografia', +'ovpn client version 25 warning' => 'Disponibile con client 2.5.0 o più recente', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Pagine', 'Ping' => 'Ping :', @@ -1701,6 +1706,7 @@ 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for Verde network is always set', +'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', 'ovpn ha' => 'Hash algorithm', @@ -1928,6 +1934,7 @@ 'save error' => 'Unable to save configuration archive file', 'save settings' => 'Save settings', 'save-adv-options' => 'Save advanced options', +'save-enc-options' => 'Salva impostazioni di crittografia', 'script name' => 'Script name:', 'secondary dns' => 'DNS Secondario:', 'secondary ntp server' => 'NTP server secondario', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 53341a6f8..8207399e2 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -43,6 +43,9 @@ 'Number of IPs for the pie chart' => 'Aantal IPs voor de taartdiagram', 'Number of Ports for the pie chart' => 'Aantal poorten voor de taartdiagram', 'OVPN' => 'OpenVPN', +'ovpn advanced encryption' => 'Geavanceerde versleuteling instellingen', +'ovpn client version 25 cipher negotiation' => 'Onderhandel over versleuteling', +'ovpn client version 25 warning' => 'Beschikbaar met clientversie 2.5.0 en hoger', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Pagina's', 'Ping' => 'Ping :', @@ -1655,9 +1658,12 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN connectiestatistieken', 'ovpn config' => 'OVPN-Configuratie', +'ovpn data encryption' => 'Datakanaalversleuteling', +'ovpn data channel' => 'Data-kanaal', 'ovpn device' => 'OpenVPN apparaat:', 'ovpn dl' => 'OVPN-Configuratie download', 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet', +'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig', 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.', @@ -1881,6 +1887,7 @@ 'save error' => 'Kan configuratie-archief niet opslaan', 'save settings' => 'Opslaan instellingen', 'save-adv-options' => 'Opslaan geavanceerde opties', +'save-enc-options' => 'Bewaar encryptie opties', 'script name' => 'Scriptnaam:', 'secondary dns' => 'Secondaire DNS:', 'secondary ntp server' => 'Secondaire NTP server', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 63c8a1793..f9fbe57df 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl 
@@ -37,6 +37,9 @@ 'Number of IPs for the pie chart' => 'Liczba numerów IP na wykresie kołowym', 'Number of Ports for the pie chart' => 'Liczba portów na wykresie kołowym', 'OVPN' => 'OpenVPN', +'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania', +'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania', +'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Stron', 'Ping' => 'Ping :', @@ -1340,8 +1343,11 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Statystyki połączeń OpenVPN', 'ovpn config' => 'OVPN-Konfig', +'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', +'ovpn data channel' => 'Kanał-Danych', 'ovpn device' => 'Urządzenie OpenVPN:', 'ovpn dl' => 'Pobierz konfig OVPN', +'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru', 'ovpn log' => 'Log OVPN', 'ovpn on blue' => 'OpenVPN na int. BLUE', 'ovpn on orange' => 'OpenVPN na int. ORANGE', @@ -1543,6 +1549,7 @@ 'save error' => 'Nie można zapisać konfiguracji do pliku archiwum', 'save settings' => 'Zapisz ustawienia', 'save-adv-options' => 'Zapisz zaawansowane ustawienia', +'save-enc-options' => 'Zapisywanie opcji szyfrowania', 'script name' => 'Nazwa skryptu:', 'secondary dns' => 'Zapasowy DNS:', 'secondary ntp server' => 'Zapasowy serwer NTP', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 4f69dc47a..700a8d838 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -35,6 +35,9 @@ 'Number of IPs for the pie chart' => 'Число IP для круглых графиков', 'Number of Ports for the pie chart' => 'Число портов для круглых графиков', 'OVPN' => 'OpenVPN', +'ovpn advanced encryption' => 'Расширенные настройки шифрования', +'ovpn client version 25 cipher negotiation' => 'Обсудить шифрование', +'ovpn client version 25 warning' => 'Доступно с клиентской версией 2.5.0 и выше', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Страницы', 'Ping' => 'Пинг :', 
@@ -1331,9 +1334,12 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Статистика подключений OpenVPN', 'ovpn config' => 'Настройки OVPN', +'ovpn data encryption' => 'шифрование-каналов данных', +'ovpn data channel' => 'Информационный-канал', 'ovpn device' => 'Устройство OpenVPN:', 'ovpn dl' => 'Загрузка настроек OVPN', 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён', +'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр', 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти', 'ovpn log' => 'Журнал OVPN', 'ovpn on blue' => 'OpenVPN на BLUE', @@ -1538,6 +1544,7 @@ 'save error' => 'Не получилось сохранить архив настроек', 'save settings' => 'Сохранить настройки', 'save-adv-options' => 'Сохранить дополнительные настройки', +'save-enc-options' => 'Сохранить параметры шифрования', 'script name' => 'Имя скрипта:', 'secondary dns' => 'Второй DNS:', 'secondary ntp server' => 'Второй NTP сервер', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 34e8bdcf7..0c64063c7 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1835,9 +1835,14 @@ 'override mtu' => 'Varsayılan MTU seçeneğini geçersiz kıl', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Ek yapılandırma', +'ovpn advanced encryption' => 'Gelişmiş şifreleme ayarları', +'ovpn client version 25 cipher negotiation' => 'Şifrelemeyi görüşün', +'ovpn client version 25 warning' => 'İstemci sürümü 2.5.0 ve üstü ile mevcuttur', 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği', 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', +'ovpn data channel' => 'Veri-Kanalı', +'ovpn data encryption' => 'Veri-Kanalı şifreleme', 'ovpn device' => 'OpenVPN aygıtı:', 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun', 
@@ -1846,6 +1851,7 @@ 'ovpn dl' => 'OVPN-Yapılandırması İndir', 'ovpn engines' => 'Şifreleme motoru', 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla', +'ovpn errmsg invalid data cipher input' => 'Veri şifresinin en az bir şifreye ihtiyacı var', 'ovpn errmsg invalid ip or mask' => 'Geçersiz ağ adresi veya alt ağ maskesi', 'ovpn generating the root and host certificates' => 'Root ve ana bilgisayar sertifika üretimi uzun zaman alabilir.', 'ovpn ha' => 'Hash algorithması', @@ -2080,6 +2086,7 @@ 'save error' => 'Yapılandırma arşiv dosyası kaydedilemiyor.', 'save settings' => 'Ayarları kaydet', 'save-adv-options' => 'Gelişmiş Seçenekleri Kaydet', +'save-enc-options' => 'Şifreleme Seçeneklerini Kaydedin', 'script name' => 'Komut adı:', 'search' => 'Ara', 'secondary dns' => 'İkincil DNS:',
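Review bot: in the ovpnmain.cgi hunk at @@ -5138, if ($cgiparams{'CLIENTVERSION'} = '' ) assigns instead of comparing. The assignment empties CLIENTVERSION on every pass and evaluates to false, so the 'off' default is never applied and the following $checked{'CLIENTVERSION'}{...} = 'CHECKED' line is keyed on the empty string rather than on the stored 'on' or 'off'. Use eq '' for the test.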
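Review bot: the save-enc-options handler added in the ovpnmain.cgi hunk at @@ -911 rejects only an empty DATACIPHERS value before it is written to the settings file and, through writeserverconf(), into the data-ciphers line of server.conf. The form offers exactly four values (ChaCha20-Poly1305, AES-256-GCM, AES-192-GCM, AES-128-GCM), so each '|'-separated element of the submitted value should be checked against that list, returning the 'ovpn errmsg invalid data cipher input' error for anything else. That keeps the generated server.conf and client.ovpn limited to known cipher names regardless of what the request contains.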
- Since --cipher is with OpenVPN version 2.5.0 deprecated and will be handled via --data-cipher-fallback, the VAR name and the index has been kept but renamed from --cipher to --data-cipher-fallback. Old default AES-256-CBC has also been kept.
- All old ciphers except the GCM family are included.
Code is needed to change in server.conf the directive from 'cipher' to 'data-cipher-fallback' for the update process in update.sh.
Code start block:
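/usr/local/bin/openvpnctrl -k > /dev/null
# Rewrite only the standalone 'cipher' directive at the start of a line, so
# that 'data-ciphers' and an already migrated 'data-ciphers-fallback' line
# are left untouched and the block can be run more than once
if grep -q '^cipher ' /var/ipfire/ovpn/server.conf; then
    sed -i 's/^cipher /data-ciphers-fallback /' /var/ipfire/ovpn/server.conf
fi
/usr/local/bin/openvpnctrl -s > /dev/null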
Code block end
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 109 +++++++++++++++----------------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + langs/es/cgi-bin/es.pl | 1 + langs/fr/cgi-bin/fr.pl | 1 + langs/it/cgi-bin/it.pl | 1 + langs/nl/cgi-bin/nl.pl | 1 + langs/pl/cgi-bin/pl.pl | 1 + langs/ru/cgi-bin/ru.pl | 1 + langs/tr/cgi-bin/tr.pl | 1 + 10 files changed, 53 insertions(+), 65 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 40ae58673..dbf8a8d2e 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -327,7 +327,7 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
# Data channel encryption # Set seperator for data ciphers @@ -928,6 +928,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings);
+ $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
# --data-ciphers needs at least one cipher @@ -1245,7 +1246,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable @@ -2915,10 +2915,30 @@ END $key = &General::findhasharraykey (%confighash); foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } } + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
ADV_ENC_ERROR:
+ # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] + } + $checked{'DCIPHER'}{'AES-256-CBC'} = ''; + $checked{'DCIPHER'}{'AES-192-CBC'} = ''; + $checked{'DCIPHER'}{'AES-128-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $checked{'DCIPHER'}{'SEED-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $checked{'DCIPHER'}{'DESX-CBC'} = ''; + $checked{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $checked{'DCIPHER'}{'BF-CBC'} = ''; + $checked{'DCIPHER'}{'CAST5-CBC'} = ''; + @temp = split('|', $cgiparams{'DCIPHER'}); + foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; } + # Set default data channel ciphers if ($cgiparams{'DATACIPHERS'} eq '') { $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42]; @@ -2932,8 +2952,10 @@ ADV_ENC_ERROR:
# Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; } else { + $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; }
@@ -2968,6 +2990,7 @@ ADV_ENC_ERROR: <tr> <th width="15%"></th> <th>$Lang::tr{'ovpn data channel'}</th> + <th>$Lang::tr{'ovpn data channel fallback'}</th> </tr> </thead> <tbody> @@ -2981,7 +3004,25 @@ ADV_ENC_ERROR: <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> </select> </td> + + <td class='boldbase'> + <select name='DCIPHER' size='6' style='width: 100%'> + <option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option> + <option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option> + <option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option> + <option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + </td> </tr> + </tbody> </table> <hr> @@ -4677,28 +4718,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - # If no cipher has been chossen yet, select - # the old default (AES-256-CBC) for compatiblity reasons. - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5236,9 +5255,6 @@ END }
#default setzen - if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'AES-256-CBC'; - } if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; } @@ -5280,24 +5296,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; 
@@ -5427,26 +5425,6 @@ END <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> - - <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td> - <td><select name='DCIPHER'> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> - <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option> - <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option> - <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option> - <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option> - <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - 
</td> </tr>
<tr><td colspan='4'><br></td></tr> @@ -6002,3 +5980,4 @@ END
&Header::closepage();
+ diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0d0705845..08827b08a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1910,6 +1910,7 @@ 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index affa43cd3..880cae5f7 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1942,6 +1942,7 @@ 'ovpn crypt options' => 'Cryptographic options', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 3d6efc21a..c86580e81 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1333,6 +1333,7 @@ 'ovpn config' => 'Configruación de OVPN', 'ovpn data encryption' => 'Encriptación Data-Channel', 'ovpn data channel' => 'Canal-Datos', +'ovpn data channel fallback' => 'Retroceso Canal-Datos', 'ovpn device' => 'Dispositivo OpenVPN', 'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado', 'ovpn dl' => 'Configuración de descargas OVPN', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index df19ef316..1a1f37cbe 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl 
@@ -1943,6 +1943,7 @@ 'ovpn crypt options' => 'Options cryptographiques', 'ovpn data encryption' => 'Chiffrage du canal de données', 'ovpn data channel' => 'Canal de données', +'ovpn data channel fallback' => 'Canal de données de repli', 'ovpn device' => 'Périphérique OpenVPN :', 'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ', 'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 1c190eff2..2c1dc9559 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -45,6 +45,7 @@ 'OVPN' => 'OpenVPN', 'ovpn data encryption' => 'Crittografia del canale dati', 'ovpn data channel' => 'Canale-Dati', +'ovpn data channel fallback' => 'Canale-Dati di riserva', 'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia', 'ovpn client version 25 cipher negotiation' => 'Negozazione cirttografia', 'ovpn client version 25 warning' => 'Disponibile con client 2.5.0 o più recente', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 8207399e2..635cbd3b8 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1660,6 +1660,7 @@ 'ovpn config' => 'OVPN-Configuratie', 'ovpn data encryption' => 'Datakanaalversleuteling', 'ovpn data channel' => 'Data-kanaal', +'ovpn data channel fallback' => 'Data-Kanaal terugval', 'ovpn device' => 'OpenVPN apparaat:', 'ovpn dl' => 'OVPN-Configuratie download', 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index f9fbe57df..4ceaeef8a 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl 
@@ -1345,6 +1345,7 @@ 'ovpn config' => 'OVPN-Konfig', 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', 'ovpn data channel' => 'Kanał-Danych', +'ovpn data channel fallback' => 'Awaria Kanału-Danych', 'ovpn device' => 'Urządzenie OpenVPN:', 'ovpn dl' => 'Pobierz konfig OVPN', 'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 700a8d838..1d81eb62c 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -1336,6 +1336,7 @@ 'ovpn config' => 'Настройки OVPN', 'ovpn data encryption' => 'шифрование-каналов данных', 'ovpn data channel' => 'Информационный-канал', +'ovpn data channel fallback' => 'Информационный-канал отступление', 'ovpn device' => 'Устройство OpenVPN:', 'ovpn dl' => 'Загрузка настроек OVPN', 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 0c64063c7..5fbd9f3d3 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1842,6 +1842,7 @@ 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', 'ovpn data channel' => 'Veri-Kanalı', +'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü', 'ovpn data encryption' => 'Veri-Kanalı şifreleme', 'ovpn device' => 'OpenVPN aygıtı:', 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
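Review bot: the update step proposed in the commit message is not anchored against what the writeserverconf hunk (@@ -327) now emits. `grep -q 'cipher'` and `sed -i 's/cipher/data-ciphers-fallback/'` match any line containing `cipher`, including the new `data-ciphers-fallback` and `data-ciphers` lines, so running the step on an already converted server.conf rewrites those lines again. Match only the old directive, for example `grep -q '^cipher '` together with `sed -i 's/^cipher /data-ciphers-fallback /'`. The message also spells the directive `--data-cipher-fallback` while the code prints `data-ciphers-fallback`; one spelling should be used throughout.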
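Review bot: after the @@ -1245 and @@ -5236 hunks, DCIPHER is stored only by the save-enc-options handler and the 'AES-256-CBC' default is applied only to `$cgiparams` in the encryption page, yet writeserverconf (@@ -327) prints `data-ciphers-fallback $sovpnsettings{DCIPHER}` unconditionally. If the settings file has no DCIPHER when the general save runs, server.conf gets the directive with no value. Either apply the default inside writeserverconf or guard the print with the same `ne ''` test the neighbouring `data-ciphers` line uses.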
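Review bot: in the ADV_ENC_ERROR hunk (@@ -2915), the `split` / `foreach` over `$cgiparams{'DCIPHER'}` is not needed, because the DCIPHER select added in the @@ -2981 hunk has no `multiple` attribute and therefore submits one value. A single `$checked{'DCIPHER'}{$cgiparams{'DCIPHER'}} = "selected='selected'";` is enough and does not depend on how the split pattern treats `|`. The twelve `$checked{'DCIPHER'}{...} = ''` lines repeat the option list by hand; building both from one array would stop them drifting apart.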
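Review bot: in the DCIPHER select hunk (@@ -2981), the AES-128-CBC option hard-codes "128 bit" where every sibling uses `$Lang::tr{'bit'}`, and the weak-cipher labels mix " - $Lang::tr{'vpn weak'}" with ", $Lang::tr{'vpn weak'}" (CAST5-CBC); please make the labels uniform. The list also keeps DES-EDE3-CBC, DESX-CBC, DES-EDE-CBC, BF-CBC and CAST5-CBC selectable as the fallback; if they must stay for old clients, a comment saying so would help the next reader.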
The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1 since those algorithms will "soon be removed".
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++
langs/de/cgi-bin/de.pl | 2 ++
langs/en/cgi-bin/en.pl | 2 ++
langs/es/cgi-bin/es.pl | 4 ++++
langs/fr/cgi-bin/fr.pl | 2 ++
langs/it/cgi-bin/it.pl | 4 ++++
langs/nl/cgi-bin/nl.pl | 5 +++++
langs/pl/cgi-bin/pl.pl | 4 ++++
langs/ru/cgi-bin/ru.pl | 4 ++++
langs/tr/cgi-bin/tr.pl | 4 ++++
10 files changed, 48 insertions(+)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dbf8a8d2e..7a2f8a5a3 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -250,6 +250,20 @@ sub pkiconfigcheck } }
+ # Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers = "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring = <FH>) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) { + my @tempcipherstring = split(" ", $cipherstring); + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + CRYPTO_WARNING: }
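Review bot: in the pkiconfigcheck hunk, `goto CRYPTO_WARNING` leaves the while loop before `close(FH)` runs, so the handle stays open on every hit, and the result of `open(FH, $oldciphers)` is never checked. Use a lexical handle with three-argument open, leave the loop with `last`, and close after it. The pattern is also tested against the whole line, so `SHA1` or `BF-CBC` anywhere in server.conf (a comment, a file name, one entry of a `data-ciphers` list) raises the warning and `$tempcipherstring[1]` prints whatever the second token of that line is; anchoring on the directive name, for example `^(auth|cipher|data-ciphers-fallback)\s+`, keeps the reported value accurate. Only the first match is reported, so a config with both a weak cipher and SHA1 shows just one of them.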
@@ -5242,6 +5256,9 @@ END
my @status = `/bin/cat /var/run/ovpnserver.log`;
+ # Perform crypto and configration test to display warnings or errors + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = <IPADDR>; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 08827b08a..ae05d5e55 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1948,6 +1948,8 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 880cae5f7..321503d67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1980,6 +1980,8 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>', +'ovpn warning algorithm' => 'You configured the algorithm', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index c86580e81..752093552 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -552,6 +552,8 @@ 'credits' => 'Creditos', 'crl' => 'Lista de revocación de certificados', 'cron server' => 'Servidor CRON', +'crypto error' => 'Error de criptografía', +'crypto warning' => 'Advertencias sobre la criptografía', 'current' => 'Actual', 'current aliases' => 'Alias actuales', 'current class' => 'Clase actual', @@ -1345,6 +1347,8 @@ 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0', 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.', 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:', +'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>', +'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Tamaño de Fragmento', 'ovpn_mssfix' => 'Tamaño MSSFIX', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 1a1f37cbe..f931bc70e 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl 
@@ -1981,6 +1981,8 @@ 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.', 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ', 'ovpn tls auth' => 'Protection du canal TLS :', +'ovpn warning 64 bit block cipher' => 'Ce L'algorithme de chiffage du n'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>', +'ovpn warning algorithm' => 'L'algorithme suivant a été configuré', 'ovpn warning rfc3280' => 'Votre certificat d'hôte n'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Taille du fragment', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 2c1dc9559..3779de3f6 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -622,6 +622,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Errore di crittografia', +'crypto warning' => 'Avvertenze di crittografia', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1733,6 +1735,8 @@ 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning 64 bit block cipher' => 'L'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>', +'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 635cbd3b8..dc9ea350f 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -616,6 +616,8 @@ 'credits' => 'Credits', 'crl' => 'Certificaatintrekkingslijst', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptografische fout', +'crypto warning' => 'Cryptografie waarschuwingen', 'current' => 'Huidig', 'current aliases' => 'Huidige aliassen:', 'current class' => 'Huidige klasse', @@ -1686,6 +1688,9 @@ 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.', 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ', +'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>', +'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd', +'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrootte', 'ovpn_mssfix' => 'MSSFIX-grootte', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 4ceaeef8a..96e9a95ae 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -553,6 +553,8 @@ 'credits' => 'Credits', 'crl' => 'Lista odwołań certyfikatów', 'cron server' => 'Serwer CRON', +'crypto error' => 'Błąd kryptograficzny', +'crypto warning' => 'Ostrzeżenia kryptograficzne', 'current' => 'Aktualne', 'current aliases' => 'Aktualne alias:', 'current class' => 'Aktualna klasa', 
@@ -1357,6 +1359,8 @@ 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.', 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ', +'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>', +'ovpn warning algorithm' => 'Skonfigurowałeś algorytm', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Rozmiar fragmentu', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 1d81eb62c..5ba44ce29 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -551,6 +551,8 @@ 'credits' => 'О Проекте', 'crl' => 'Список отозванных сертификатов', 'cron server' => 'CRON Сервер', +'crypto error' => 'Ошибка криптографии', +'crypto warning' => 'крипто-предупреждение', 'current' => 'Current', 'current aliases' => 'Действующие псевдонимы:', 'current class' => 'Текущий класс', @@ -1352,6 +1354,8 @@ 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.', 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ', +'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>', +'ovpn warning algorithm' => 'Вы настроили алгоритм', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentsize', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 5fbd9f3d3..b459401c9 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -682,6 +682,8 @@ 'credits' => 'Yazarlar', 'crl' => 'Sertifika İptal Listesi', 'cron server' => 'CRON Sunucusu', +'crypto error' => 'Kriptografi hatası', +'crypto warning' => 'Kriptografi uyarıları', 'current' => 'Geçerli', 'current aliases' => 'Geçerli takma adlar:', 'current class' => 'Geçerli sınıflar', 
@@ -1878,6 +1880,8 @@ 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.', 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ', +'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>', +'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın', 'ovpn_fastio' => 'Hızlı-IO', 'ovpn_mssfix' => 'MSSFIX Boyutu', 'ovpn_mtudisc' => 'MTU-Keşfi',
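Review bot: in the pl.pl hunk (@@ -1357), the value added for 'ovpn warning 64 bit block cipher' begins with 'Szyfr danych wymaga co najmniej jednego szyfru', which is the string pl.pl already carries for 'ovpn errmsg invalid data cipher input', so Polish users are told that at least one cipher is required instead of being warned about a deprecated algorithm. Please replace it with a translation of the English text. The key name and the English wording ("encryption algorithm") also do not fit the SHA1 case, which the pkiconfigcheck pattern reports through the same message; a neutral key such as a generic weak-algorithm warning would cover both. The nl.pl hunk additionally adds 'ovpn warning rfc3280', and several files add 'crypto error' / 'crypto warning', none of which the commit message mentions.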
OpenVPN-2.5.0 delivers ChaCha20-Poly1305 for the data channel. The Keccak (SHA3) and Blake for the hash message authentication code are newly integrated fully into Net-to-Net.
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
html/cgi-bin/ovpnmain.cgi | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 7a2f8a5a3..71cba6d88 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1028,10 +1028,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print SERVERCONF unless "# HMAC algorithm\n"; print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -1133,10 +1134,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || - ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') || + ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { @@ -2264,10 +2266,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; }
- # If GCM cipher is used, do not use --auth + # If AEAD cipher is used, do not use --auth if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || - ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) { print CLIENTCONF unless "# HMAC algorithm\n"; print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n"; } else { @@ -4875,6 +4878,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER' id="n2ncipher" required> + <option value='ChaCha20-Poly1305' $selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option> <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> @@ -4895,10 +4899,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td> <td><select name='DAUTH' id="n2nhmac" $hmacdisabled> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='BLAKE2b512' $selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> + <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> @@ -4915,7 +4924,7 @@ print<<END; <script> var disable_options = false; document.getElementById('n2ncipher').onchange = function () { - if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) { document.getElementById('n2nhmac').setAttribute('disabled', true); } else { document.getElementById('n2nhmac').removeAttribute('disabled');
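Review bot: in the DAUTH select hunk (@@ -4895), the new SHA3-256 option reads `$selected{'DAUTH'}{'SHA-256'}` although its value is 'SHA3-256', so a saved SHA3-256 is never shown as selected; the key should be 'SHA3-256'. No hunk in this patch adds `$selected{'DAUTH'}{...} = ''` initialisers for the five new values next to the existing whirlpool / SHA512 / SHA384 ones, which would be worth adding for consistency.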
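Review bot: in the script hunk (@@ -4915), the comparison uses "CHACHA20-POLY1305" while the option added in the @@ -4875 hunk has the value 'ChaCha20-Poly1305'. The comparison is case-sensitive, so choosing ChaCha20-Poly1305 does not disable the n2nhmac select even though the Perl side omits --auth for it. Compare against 'ChaCha20-Poly1305', the spelling the three Perl `eq` checks use. The four-way AEAD test now lives in three Perl places and one JavaScript place; a single list of AEAD names would keep them in step.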
- The --tls-ciphers for the control channel TLSv2 crypto can now be combined for negotiation.
- The --tls-ciphersuite crypto does the same but with TLSv3 and can also be combined for negotiation. There are no defaults for both and this feature is inactive unless the user decides to use them.
- The --tls-ciphersuite directive will only be printed into client.ovpn if the client is >=2.5.0 ready.
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
html/cgi-bin/ovpnmain.cgi | 106 ++++++++++++++++++++++++++++++++++++++
langs/de/cgi-bin/de.pl | 3 ++
langs/en/cgi-bin/en.pl | 3 ++
langs/es/cgi-bin/es.pl | 3 ++
langs/fr/cgi-bin/fr.pl | 3 ++
langs/it/cgi-bin/it.pl | 3 ++
langs/nl/cgi-bin/nl.pl | 3 ++
langs/pl/cgi-bin/pl.pl | 3 ++
langs/ru/cgi-bin/ru.pl | 3 ++
langs/tr/cgi-bin/tr.pl | 3 ++
10 files changed, 133 insertions(+)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 71cba6d88..e248b3cbb 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $cgiparams{'DATACIPHERS'} = ''; +$cgiparams{'CHANNELCIPHERS'} = ''; +$cgiparams{'NCHANNELCIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -351,6 +353,20 @@ sub writeserverconf { print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; }
+ # Control channel encryption TLSv2 needs own line cause directive name differs + if ($sovpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/|/:/g); + print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n"; + } + + # Control channel encryption >= TLSv3 + if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/|/:/g); + print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -951,6 +967,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { goto ADV_ENC_ERROR; }
+ # If no value for --tls-cipher has been set, delete setting + if ($cgiparams{'CHANNELCIPHERS'} eq '') { + delete $vpnsettings{'CHANNELCIPHERS'}; + } else { + $vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'}; + } + + # If no value for --tls-ciphersuites has been set, delete setting + if ($cgiparams{'NCHANNELCIPHERS'} eq '') { + delete $vpnsettings{'NCHANNELCIPHERS'}; + } else { + $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; + } + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); &writeserverconf(); } @@ -2402,6 +2432,23 @@ else print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; }
+ # Set --tls-cipher TLSv2 in client.ovpn if configured + if ($vpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/|/:/g); + print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n"; + } + + # Print new tls-ciphersuites TLSv3 in client.ovpn only if client is >=2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set --tls-ciphersuites TLSv3 if configured + if ($vpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/|/:/g); + print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n"; + } + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2934,6 +2981,8 @@ END } $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
ADV_ENC_ERROR:
@@ -2967,13 +3016,37 @@ ADV_ENC_ERROR: @temp = split('|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+ # No default settings for --tls-cipher so OpenVPN makes his own choice + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + @temp = split('|', $cgiparams{'CHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; } + + # No default settings for --tls-ciphersuites so OpenVPN makes his own choice + $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = ''; + @temp = split('|', $cgiparams{'NCHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; } + # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; + $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; }
ADV_ENC_ERROR: @@ -3040,8 +3113,41 @@ ADV_ENC_ERROR: </td> </tr>
+ <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn control channel v3'}</th> + <th>$Lang::tr{'ovpn control channel v2'}</th> + </tr> + + <tr> + <td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td> + <td class='boldbase'> + <select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + </select> + </td> + + <td class='boldbase'> + <select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11"> + <option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option> + <option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + <option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option> + <option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' 
$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + <option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option> + <option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option> + <option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option> + </select> + </td> + </tr> </tbody> </table> + + <br><br> + <hr> END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ae05d5e55..cadf4b141 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1908,6 +1908,9 @@ 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung', +'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', +'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', 'ovpn data channel fallback' => 'Daten-Kanal Fallback', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 321503d67..4b667f881 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1940,6 +1940,9 @@ 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Control-Channel encryption', +'ovpn control channel v2' => 'Control-Channel TLSv2', +'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', 'ovpn data channel fallback' => 'Data-Channel fallback', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 752093552..65505706c 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1333,6 +1333,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Estadisticas de conexión OpenVPN', 'ovpn config' => 'Configruación de OVPN', +'ovpn channel encryption' => 'Encriptación Canal-Control', +'ovpn control channel v2' => 'Canal-Control TLSv2', +'ovpn control channel v3' => 'Canal-Control TLSv3', 'ovpn data encryption' => 'Encriptación Data-Channel', 'ovpn data channel' => 'Canal-Datos', 'ovpn data channel fallback' => 'Retroceso Canal-Datos', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index f931bc70e..cda133e5d 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1941,6 +1941,9 @@ 'ovpn config' => 'Config OVPN', 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', +'ovpn channel encryption' => 'Chiffrage du canal de contrôle', +'ovpn control channel v2' => 'Canal de contrôle TLSv2', +'ovpn control channel v3' => 'Canal de contrôle TLSv3', 'ovpn data encryption' => 'Chiffrage du canal de données', 'ovpn data channel' => 'Canal de données', 'ovpn data channel fallback' => 'Canal de données de repli', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 3779de3f6..22ce7cd4d 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl 
@@ -1701,6 +1701,9 @@ 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Crittografia del canale di controllo', +'ovpn control channel v2' => 'Canale di controllo TLSv2', +'ovpn control channel v3' => 'Canale di controllo TLSv3', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index dc9ea350f..15482b7c7 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1660,6 +1660,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN connectiestatistieken', 'ovpn config' => 'OVPN-Configuratie', +'ovpn channel encryption' => 'Control-kanaal versleuteling', +'ovpn control channel v2' => 'Controle-Kanaal TLSv2', +'ovpn control channel v3' => 'Controle-Kanaal TLSv3', 'ovpn data encryption' => 'Datakanaalversleuteling', 'ovpn data channel' => 'Data-kanaal', 'ovpn data channel fallback' => 'Data-Kanaal terugval', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 96e9a95ae..a5bde2044 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -1345,6 +1345,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Statystyki połączeń OpenVPN', 'ovpn config' => 'OVPN-Konfig', +'ovpn channel encryption' => 'Szyfrowanie Control-Channel', +'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2', +'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3', 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', 'ovpn data channel' => 'Kanał-Danych', 'ovpn data channel fallback' => 'Awaria Kanału-Danych', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 5ba44ce29..17666de80 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl 
@@ -1336,6 +1336,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Статистика подключений OpenVPN', 'ovpn config' => 'Настройки OVPN', +'ovpn channel encryption' => 'Шифрование каналов управления', +'ovpn control channel v2' => 'Канал-управления TLSv2', +'ovpn control channel v3' => 'Канал-управления TLSv3', 'ovpn data encryption' => 'шифрование-каналов данных', 'ovpn data channel' => 'Информационный-канал', 'ovpn data channel fallback' => 'Информационный-канал отступление', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index b459401c9..7df486bc8 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1843,6 +1843,9 @@ 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği', 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', +'ovpn channel encryption' => 'Kontrol-Kanalı şifreleme', +'ovpn control channel v2' => 'Kontrol-Kanalı TLSv2', +'ovpn control channel v3' => 'Kontrol-Kanalı TLSv3', 'ovpn data channel' => 'Veri-Kanalı', 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü', 'ovpn data encryption' => 'Veri-Kanalı şifreleme',
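Review bot: In the writeserverconf hunk, `s/|/:/g` as shown has an unescaped `|`, which Perl reads as an alternation of two empty patterns. It matches the empty string at every position, so a colon is inserted between every character and the stored `|` separators are not converted. Escape it as `s/\|/:/g` for both CHANNELCIPHERS and NCHANNELCIPHERS; the client.ovpn hunk at @@ -2402 repeats the same substitution. The substitution's return value (a count) is assigned to @advcipherchar and never read, so that assignment can be dropped.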
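Review bot: In the save-enc-options hunk at @@ -951, CHANNELCIPHERS and NCHANNELCIPHERS go from $cgiparams into %vpnsettings and from there verbatim into `print CONF "tls-cipher ..."`, and nothing in the visible lines checks them against the suite names the form offers. Because the value lands unmodified in server.conf, compare each submitted element with the fixed list (rejecting anything with whitespace or line breaks) before General::writehash, and `goto ADV_ENC_ERROR` on a mismatch.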
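Review bot: In the hunk at @@ -2967 that fills %checked, `split('|', $cgiparams{'CHANNELCIPHERS'})` treats its first argument as a pattern, so the bare `|` splits between every character and no `$checked{'CHANNELCIPHERS'}{...}` key ever equals a full suite name; saved selections will not be rendered as selected. Use `split(/\|/, ...)` for both new lists. The comment "so OpenVPN makes his own choice" should read "its own choice".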
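Review bot: The CHANNELCIPHERS `<select>` in the form hunk at @@ -3040 carries `size` twice (`size='6'` and `size="11"`) and `style` twice; only the first occurrence of a duplicated attribute is used, so `size="11"` and the `margin-right` rule never apply. Keep one of each. The option labels also mix "CHACHA20-POLY1305" and "CHACHA20_POLY1305", and the header cell uses width="15%" while the first body cell uses width="27%".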
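Review bot: The new strings in the langs/*.pl hunks label the two lists "TLSv2" and "TLSv3", but --tls-cipher configures TLS 1.2 and below and --tls-ciphersuites configures TLS 1.3, and the neighbouring config line is `tls-version-min 1.2`. Labels such as "Control-Channel TLS 1.2" and "Control-Channel TLS 1.3" in every language file, and in the Perl comments that say "TLSv2"/"TLSv3", would avoid confusion with the obsolete SSLv2/SSLv3 names.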
- The --auth directive has been enhanced with the Keccak (SHA3) family but also BLAKE2 has been integrated.
- The HMACs now have multi select for better overview.
- Old default SHA512 has been kept.
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 89 ++++++++++++++++++++++----------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + langs/es/cgi-bin/es.pl | 2 + langs/fr/cgi-bin/fr.pl | 1 + langs/it/cgi-bin/it.pl | 3 +- langs/nl/cgi-bin/nl.pl | 2 + langs/pl/cgi-bin/pl.pl | 3 ++ langs/ru/cgi-bin/ru.pl | 2 + langs/tr/cgi-bin/tr.pl | 1 + 10 files changed, 65 insertions(+), 40 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index e248b3cbb..a80befdb6 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -958,6 +958,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings);
+ $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
@@ -1292,7 +1293,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable
@@ -2979,6 +2979,7 @@ END $key = &General::findhasharraykey (%confighash); foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; } } + $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; @@ -2986,6 +2987,23 @@ END
ADV_ENC_ERROR:
+ # Set default for hash message authentication code + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA512'; #[39]; + } + $checked{'DAUTH'}{'BLAKE2b512'} = ''; + $checked{'DAUTH'}{'BLAKE2s256'} = ''; + $checked{'DAUTH'}{'SHA3-512'} = ''; + $checked{'DAUTH'}{'SHA3-384'} = ''; + $checked{'DAUTH'}{'SHA3-256'} = ''; + $checked{'DAUTH'}{'SHA512'} = ''; + $checked{'DAUTH'}{'SHA384'} = ''; + $checked{'DAUTH'}{'SHA256'} = ''; + $checked{'DAUTH'}{'whirlpool'} = ''; + $checked{'DAUTH'}{'SHA1'} = ''; + @temp = split('|', $cgiparams{'DAUTH'}); + foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] @@ -3038,11 +3056,13 @@ ADV_ENC_ERROR:
# Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { + $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { + $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; @@ -3148,6 +3168,35 @@ ADV_ENC_ERROR:
<br><br>
+ <h2>$Lang::tr{'ovpn crypt options'}:</h2> + + <table width="100%"> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn ha'}</th> + </tr> + </thead> + <tbody> + <tr> + <td width="27%">$Lang::tr{'ovpn data channel authentication'}</td> + <td class='boldbase'> + <select name='DAUTH' size='6' style='width: 100%'> + <option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option> + <option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option> + <option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option> + <option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option> + <option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option> + <option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option> + <option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option> + <option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option> + <option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> + <option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + </td> + </tr> + </tbody> + </table> <hr> END ; @@ -4841,12 +4890,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -5396,18 +5439,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} = 'off'; } - if ($cgiparams{'DAUTH'} eq '') { - if (-z "${General::swroot}/ovpn/ovpnconfig") { - $cgiparams{'DAUTH'} = 'SHA512'; - } - foreach my $key (keys %confighash) { - if ($confighash{$key}[3] ne 'host') { - $cgiparams{'DAUTH'} = 'SHA512'; - } else { - $cgiparams{'DAUTH'} = 'SHA1'; - } - } - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } @@ -5428,13 +5459,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; @@ -5547,19 +5571,6 @@ END </tr> <tr><td colspan='1'><br></td></tr>
- <tr> - <td class='base'>$Lang::tr{'ovpn ha'}</td> - <td><select name='DAUTH'> - <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> - <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> - <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> - <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> - <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - </td> - </tr> - - <tr><td colspan='4'><br></td></tr> <tr> <td class='base'>$Lang::tr{'ovpn tls auth'}</td> <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cadf4b141..a4c166bfe 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1912,6 +1912,7 @@ 'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', 'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', 'ovpn data channel' => 'Daten-Kanal', 'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4b667f881..dc324676a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1944,6 +1944,7 @@ 'ovpn control channel v2' => 'Control-Channel TLSv2', 'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel authentication' => 'Data and channel authentication', 'ovpn data channel' => 'Data-Channel', 'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 65505706c..1a0272b8a 100644 --- a/langs/es/cgi-bin/es.pl 
+++ b/langs/es/cgi-bin/es.pl @@ -1337,11 +1337,13 @@ 'ovpn control channel v2' => 'Canal-Control TLSv2', 'ovpn control channel v3' => 'Canal-Control TLSv3', 'ovpn data encryption' => 'Encriptación Data-Channel', +'ovpn data channel authentication' => 'Autenticación de datos y canal', 'ovpn data channel' => 'Canal-Datos', 'ovpn data channel fallback' => 'Retroceso Canal-Datos', 'ovpn device' => 'Dispositivo OpenVPN', 'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado', 'ovpn dl' => 'Configuración de descargas OVPN', +'ovpn ha' => 'Algoritmo hash', 'ovpn log' => 'Registro de log de OVPN', 'ovpn on blue' => 'OpenVPN en BLUE', 'ovpn on orange' => 'OpenVPN en ORANGE', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index cda133e5d..d5deea1c0 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1945,6 +1945,7 @@ 'ovpn control channel v2' => 'Canal de contrôle TLSv2', 'ovpn control channel v3' => 'Canal de contrôle TLSv3', 'ovpn data encryption' => 'Chiffrage du canal de données', +'ovpn data channel authentication' => 'Authentification du canal et des données', 'ovpn data channel' => 'Canal de données', 'ovpn data channel fallback' => 'Canal de données de repli', 'ovpn device' => 'Périphérique OpenVPN :', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 22ce7cd4d..ad16de583 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -44,6 +44,7 @@ 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta', 'OVPN' => 'OpenVPN', 'ovpn data encryption' => 'Crittografia del canale dati', +'ovpn data channel authentication' => 'Autenticazione di dati e di canali', 'ovpn data channel' => 'Canale-Dati', 'ovpn data channel fallback' => 'Canale-Dati di riserva', 'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia', 
@@ -1715,7 +1716,7 @@ 'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', -'ovpn ha' => 'Hash algorithm', +'ovpn ha' => 'Algoritmo di hash', 'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 15482b7c7..b0f037e0c 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1664,6 +1664,7 @@ 'ovpn control channel v2' => 'Controle-Kanaal TLSv2', 'ovpn control channel v3' => 'Controle-Kanaal TLSv3', 'ovpn data encryption' => 'Datakanaalversleuteling', +'ovpn data channel authentication' => 'Gegevens en kanaal verificatie', 'ovpn data channel' => 'Data-kanaal', 'ovpn data channel fallback' => 'Data-Kanaal terugval', 'ovpn device' => 'OpenVPN apparaat:', @@ -1671,6 +1672,7 @@ 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet', 'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig', 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker', +'ovpn ha' => 'Hash algoritme', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.', 'ovpn mtu-disc' => 'Pad MTU Discovery', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index a5bde2044..5e8ec0864 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl 
@@ -40,6 +40,7 @@ 'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania', 'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania', 'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej', +'ovpn crypt options' => 'Opcje kryptograficzne', 'OpenVPN' => 'OpenVPN', 'Pages' => 'Stron', 'Ping' => 'Ping :', @@ -1349,11 +1350,13 @@ 'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2', 'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3', 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', +'ovpn data channel authentication' => 'Uwierzytelnianie danych i kanałów', 'ovpn data channel' => 'Kanał-Danych', 'ovpn data channel fallback' => 'Awaria Kanału-Danych', 'ovpn device' => 'Urządzenie OpenVPN:', 'ovpn dl' => 'Pobierz konfig OVPN', 'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru', +'ovpn ha' => 'Algorytm haszyszowy', 'ovpn log' => 'Log OVPN', 'ovpn on blue' => 'OpenVPN na int. BLUE', 'ovpn on orange' => 'OpenVPN na int. ORANGE', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 17666de80..6e3af2d7e 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -1340,6 +1340,7 @@ 'ovpn control channel v2' => 'Канал-управления TLSv2', 'ovpn control channel v3' => 'Канал-управления TLSv3', 'ovpn data encryption' => 'шифрование-каналов данных', +'ovpn data channel authentication' => 'Аутентификация данных и каналов', 'ovpn data channel' => 'Информационный-канал', 'ovpn data channel fallback' => 'Информационный-канал отступление', 'ovpn device' => 'Устройство OpenVPN:', 
@@ -1347,6 +1348,7 @@ 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён', 'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр', 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти', +'ovpn ha' => 'хеш-алгоритм', 'ovpn log' => 'Журнал OVPN', 'ovpn on blue' => 'OpenVPN на BLUE', 'ovpn on orange' => 'OpenVPN на ORANGE', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 7df486bc8..e55a73aa3 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1849,6 +1849,7 @@ 'ovpn data channel' => 'Veri-Kanalı', 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü', 'ovpn data encryption' => 'Veri-Kanalı şifreleme', +'ovpn data channel authentication' => 'Veri ve kanal kimlik doğrulaması', 'ovpn device' => 'OpenVPN aygıtı:', 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
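Review bot: In the new DAUTH table at @@ -3148, the SHA3-256 option looks up `$checked{'DAUTH'}{'SHA-256'}`, a key that is never set, so a saved SHA3-256 is never shown as selected; it should be `$checked{'DAUTH'}{'SHA3-256'}`. The `<select name='DAUTH' size='6'>` also has no `multiple` attribute although the commit message announces multi select and the setup code runs `split('|', $cgiparams{'DAUTH'})`. Since the value is written to a single `auth` line, a single-select with a direct `$checked{'DAUTH'}{$cgiparams{'DAUTH'}}` lookup would match what the config can hold.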
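Review bot: The block removed at @@ -5396 defaulted an empty DAUTH to SHA1 when host connections already existed, whereas the new default at ADV_ENC_ERROR is SHA512 unconditionally. Please state in the commit message how an installation whose settings file has no DAUTH entry is handled on update, because saving the new page there would write `auth SHA512` while existing client configs may have been generated under the old SHA1 fallback.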
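Review bot: In the langs/pl/cgi-bin/pl.pl hunk the new 'ovpn ha' string 'Algorytm haszyszowy' derives from "haszysz" (hashish) rather than from a hash function; 'Algorytm skrótu' or 'Algorytm haszujący' is the usual term. In the langs/de/cgi-bin/de.pl hunk 'Daten-Kontrol Kanal Authentifikation' misspells "Kontroll".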
- The TLS authentication has been enhanced with --tls-crypt and with OpenVPN version 2.5.0 newly introduced --tls-crypt-v2.
- New keys will be shown and can partly be downloaded over the "Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up from encryption settings which follows the IPSec WUI style.
Signed-off-by: ummeegge erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 304 +++++++++++++++++++++++++++++++------- langs/de/cgi-bin/de.pl | 10 +- langs/en/cgi-bin/en.pl | 12 +- langs/es/cgi-bin/es.pl | 10 ++ langs/fr/cgi-bin/fr.pl | 12 +- langs/it/cgi-bin/it.pl | 7 +- langs/nl/cgi-bin/nl.pl | 13 +- langs/pl/cgi-bin/pl.pl | 10 ++ langs/ru/cgi-bin/ru.pl | 11 ++ langs/tr/cgi-bin/tr.pl | 9 ++ 10 files changed, 334 insertions(+), 64 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index a80befdb6..23085e763 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -371,9 +371,19 @@ sub writeserverconf { # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n";
- if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; - } + # TLS control channel authentication + if ($sovpnsettings{'TLSAUTH'} ne 'off') { + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') { + print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n"; + } + } + if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -959,6 +969,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { &General::readhash("${General::swroot}/ovpn/settings", %vpnsettings);
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
@@ -982,6 +993,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; }
+ # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc.key for tls-crypt if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') { + if ( ! -e "${General::swroot}/ovpn/certs/tc.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + + # Create tc-v2-server.key for tls-crypt-v2 server if not presant + if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') { + if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ENC_ERROR; + } + } + } + &General::writehash("${General::swroot}/ovpn/settings", %vpnsettings); &writeserverconf(); } @@ -1272,17 +1316,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; }
- # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto SETTINGS_ERROR; - } - } - } - $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1293,7 +1326,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable
if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -1723,12 +1755,34 @@ END ### Download tls-auth key ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { - if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: filename=ta.key\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - exit(0); - } + if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + exit(0); + } + +### +### Download tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + exit(0); + } + +### +### Download tls-crypt-v2 key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) { + if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + exit(0); + }
### ### Form for generating a root certificate @@ -2451,13 +2505,37 @@ else
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
- if ($vpnsettings{'TLSAUTH'} eq 'on') { - if ($cgiparams{'MODE'} eq 'insecure') { - print CLIENTCONF ";"; - } - print CLIENTCONF "tls-auth ta.key\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; + # Comment TLS-Auth directive if 'insecure' mode has been choosen + if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } + + # Comment TLS-Crypt directive if 'insecure' mode has been choosen + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt tc.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key") or die "Can't add file tc.key\n"; + } + + # Comment TLS-Crypt-v2 directive if 'insecure' mode has been choosen and generate individual key + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } + print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n"; + # Generate individual tls-crypt-v2 client key + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + # Add individual tls-crypt-v2 client key to client package + $zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key") or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n"; + } + if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2514,7 +2592,33 @@ else print CLIENTCONF "</key>\r\n\r\n"; close(FILE);
- # TLS auth + # Create individual tls-crypt-v2 client key and print it to client.conf if 'insecure' has been selected + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') { + my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key"; + system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile"); + open(FILE, "<$cryptfile"); + print CLIENTCONF "<tls-crypt-v2>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</tls-crypt-v2>\r\n\r\n"; + close(FILE); + } + + # Print TLS-Crypt key to client.ovpn if 'insecure' has been selected + if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') { + open(FILE, "<${General::swroot}/ovpn/certs/tc.key"); + print CLIENTCONF "<tls-crypt>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</tls-crypt>\r\n\r\n"; + close(FILE); + } + + # Print TLS-Auth key to client.ovpn if 'insecure' has been selected if ($vpnsettings{'TLSAUTH'} eq 'on') { open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); print CLIENTCONF "<tls-auth>\r\n"; @@ -2706,6 +2810,50 @@ else exit(0); }
+### +### Display tls-crypt key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + +### +### Display tls-crypt-v2 server key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) { + + if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### @@ -2758,9 +2906,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; 
@@ -2981,6 +3126,7 @@ END } $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[41] = $cgiparams{'TLSAUTH'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'}; @@ -3004,6 +3150,17 @@ ADV_ENC_ERROR: @temp = split('|', $cgiparams{'DAUTH'}); foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+ # Set default for TLS control authentication + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41] + } + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'tls-crypt'} = ''; + $checked{'TLSAUTH'}{'tls-crypt-v2'} = ''; + @temp = split('|', $cgiparams{'TLSAUTH'}); + foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; #[40] @@ -3058,12 +3215,14 @@ ADV_ENC_ERROR: if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'}; $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; + $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'}; $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; + $cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; @@ -3175,6 +3334,7 @@ ADV_ENC_ERROR: <tr> <th width="15%"></th> <th>$Lang::tr{'ovpn ha'}</th> + <th>$Lang::tr{'ovpn tls auth'}</th> </tr> </thead> <tbody> 
@@ -3193,6 +3353,14 @@ ADV_ENC_ERROR: <option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> </select> + + <td class='boldbase'> + <select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11"> + <option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option> + <option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option> + <option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option> + <option value='off' $checked{'TLSAUTH'}{'off'}>Off</option> + </select> </td> </tr> </tbody> @@ -3972,7 +4140,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; - $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; # Index from [39] to [44] has been reserved by advanced encryption $cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { @@ -4890,10 +5057,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - if (1) { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); @@ -5439,9 +5602,6 @@ END if ($cgiparams{'MSSFIX'} eq '') { $cgiparams{'MSSFIX'} = 'off'; } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5459,10 +5619,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5565,17 +5721,6 @@ END <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td> </tr>
- <tr><td colspan='4'><br></td></tr> - <tr> - <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td> - </tr> - <tr><td colspan='1'><br></td></tr> - - <tr> - <td class='base'>$Lang::tr{'ovpn tls auth'}</td> - <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td> - </tr> - <tr><td colspan='4'><br><br></td></tr> END ; @@ -5874,6 +6019,10 @@ END my $col3="bgcolor='$color{'color22'}'"; # ta.key line my $col4="bgcolor='$color{'color20'}'"; + # tc-v2.key line + my $col5="bgcolor='$color{'color22'}'"; + # tc.key + my $col6="bgcolor='$color{'color20'}'";
if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; @@ -6003,7 +6152,7 @@ END # Nothing print <<END; <tr> - <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td> + <td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td> <td class='base' $col4>$Lang::tr{'not present'}</td> <td colspan='3' $col4> </td> </tr> @@ -6011,6 +6160,51 @@ END ; }
+ # Adding tc-v2.key to chart + if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") { + my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`; + $tcvsubject =~ /-----BEGIN (.*)-----[\n]/; + $tcvsubject = $1; + print <<END; + + <tr> + <td class='base' $col5>$Lang::tr{'tc v2 key'}</td> + <td class='base' $col5>$tcvsubject</td> + <form method='post' name='frmtcv2key'><td width='3%' align='center' $col5> + <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' /> + </form> + <form method='post' name='frmtckey'><td width='3%' align='center' $col5> + <td width='4%' $col5> </td> + </tr> +END +; + } + + # Adding tc.key to chart + if (-f "${General::swroot}/ovpn/certs/tc.key") { + my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`; + $tcsubject =~ /# (.*)[\n]/; + $tcsubject = $1; + print <<END; + + <tr> + <td class='base' $col6>$Lang::tr{'tc key'}</td> + <td class='base' $col6>$tcsubject</td> + <form method='post' name='frmtckey'><td width='3%' align='center' $col6> + <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' /> + </form> + <form method='post' name='frmtckey'><td width='3%' align='center' $col6> + <input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' /> + </form> + <td width='4%' $col6> </td> + </tr> +END +; + } + if (! 
-f "${General::swroot}/ovpn/ca/cacert.pem") { print "<tr><td colspan='5' align='center'><form method='post'>"; print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a4c166bfe..b6093be3e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -894,6 +894,9 @@ 'download new ruleset' => 'Neuen Regelsatz herunterladen', 'download pkcs12 file' => 'PKCS12-Datei herunterladen', 'download root certificate' => 'Root-Zertifikat herunterladen', +'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen', +'download tls-crypt key' => 'TLS-Crypt Schlüssel herunterladen', +'download tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel herunterladen', 'download tls-auth key' => 'tls-auth Key herunterladen', 'dpd action' => 'Aktion für Erkennung toter Gegenstellen (Dead Peer Detection)', 'dpd delay' => 'Verzögerung', @@ -1951,7 +1954,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', -'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn tls auth' => 'TLS-Kanalabsicherung', 'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>', 'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 
@@ -2226,6 +2229,9 @@ 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show root certificate' => 'Root-Zertifikat anzeigen', 'show share options' => 'Anzeige der Freigabeeinstellungen', +'show tls-auth key' => 'TLS-Auth Schlüssel anzeigen', +'show tls-crypt key' => 'TLS-Crypt Schlüssel anzeigen', +'show tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel anzeigen', 'shuffle' => 'Zufall', 'shutdown' => 'Herunterfahren', 'shutdown ask' => 'Herunterfahren?', @@ -2352,6 +2358,8 @@ 'system logs' => 'Systemprotokolldateien', 'system status information' => 'System-Statusinformationen', 'ta key' => 'TLS-Authentifizierungsschlüssel', +'tc key' => 'TLS-Kryptografie-Schlüssel', +'tc v2 key' => 'TLS-Kryptografie-Schlüssel-Version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (zuverlässiger)', 'telephone not set' => 'Telefonnummer nicht angegeben.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index dc324676a..fe2a9d65d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -918,7 +918,9 @@ 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', 'download root certificate' => 'Download root certificate', -'download tls-auth key' => 'Download tls-auth key', +'download tls-auth key' => 'Download TLS-Auth key', +'download tls-crypt key' => 'Download TLS-Crypt key', +'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key', 'dpd action' => 'Action', 'dpd delay' => 'Delay', 'dpd timeout' => 'Timeout', 
@@ -1983,7 +1985,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', -'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn tls auth' => 'TLS Channel Protection', 'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>', 'ovpn warning algorithm' => 'You configured the algorithm', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', @@ -2262,7 +2264,9 @@ 'show lines' => 'Show lines', 'show root certificate' => 'Show root certificate', 'show share options' => 'Show shares options', -'show tls-auth key' => 'Show tls-auth key', +'show tls-auth key' => 'Show TLS-Auth key', +'show tls-crypt key' => 'Show TLS-Crypt key', +'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key', 'shuffle' => 'Shuffle', 'shutdown' => 'Shutdown', 'shutdown ask' => 'Shutdown?', @@ -2390,6 +2394,8 @@ 'system logs' => 'System Logs', 'system status information' => 'System Status Information', 'ta key' => 'TLS-Authentification-Key', +'tc key' => 'TLS-Cryptografic-Key', +'tc v2 key' => 'TLS-Cryptografic-Key-version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (more reliable)', 'telephone not set' => 'Telephone not set.', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 1a0272b8a..99aa73482 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl 
@@ -717,6 +717,9 @@ 'download new ruleset' => 'Descargar nuevo grupo de reglas', 'download pkcs12 file' => 'Descargar archivo PKCS12', 'download root certificate' => 'Descargar certificado root', +'download tls-auth key' => 'Descargar llave TLS-Auth', +'download tls-crypt key' => 'Descargar llave TLS-Crypt', +'download tls-crypt-v2 key' => 'Descargar llave servidor TLS-Crypt-v2', 'dpd action' => 'Acción al detectar Dead Peer', 'driver' => 'Driver', 'drop input' => 'Registrar paquetes descartados', @@ -1352,6 +1355,7 @@ 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0', 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.', 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:', +'ovpn tls auth' => 'Protección Canal TLS', 'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>', 'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo', 'ovpn_fastio' => 'Fast-IO', @@ -1596,6 +1600,9 @@ 'show lines' => 'Mostrar líneas', 'show root certificate' => 'Mostrar certificado root', 'show share options' => 'Mostrar opciones de recursos compartidos', +'show tls-auth key' => 'Mostrar llave TLS-Auth', +'show tls-crypt key' => 'Mostrar llave TLS-Crypt', +'show tls-crypt-v2 key' => 'Mostrar llave TLS-Crypt-v2', 'shuffle' => 'Al azar', 'shutdown' => 'Apagar', 'shutdown ask' => '¿Apagar?', 
@@ -1698,6 +1705,9 @@ 'system log viewer' => 'Visor de registros (logs) del sistema', 'system logs' => 'Registros del sistema', 'system status information' => 'Información de status del sistema', +'ta key' => 'Clave de Autentificación-TLS', +'tc key' => 'Clave Criptográfica-TLS', +'tc v2 key' => 'Clave Criptográfica-TLS versión 2', 'telephone not set' => 'Teléfono no establecido.', 'template' => 'Preestablecido', 'template warning' => 'Tiene dos opciones para establecer QoS. La primera, presionar el botón Guardar y generar clases y reglas por ud. mismo. La segunda, presione el botón preestablecidos y las clases y reglas se generarán a partir de una plantilla', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index d5deea1c0..349ebb83d 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -921,7 +921,9 @@ 'download new ruleset' => 'Télécharger de nouvelles règles', 'download pkcs12 file' => 'Télécharger le fichier PKCS12', 'download root certificate' => 'Télécharger le certificat Root', -'download tls-auth key' => 'Télécharger la clé tls-auth', +'download tls-auth key' => 'Télécharger la clé TLS-Auth', +'download tls-crypt key' => 'Télécharger la clef TLS-Crypt', +'download tls-crypt-v2 key' => 'Télécharger la clef server TLS-Crypt-v2', 'dpd action' => 'Détection du pair mort', 'dpd delay' => 'Retard', 'dpd timeout' => 'Délai dépassé', 
@@ -1984,7 +1986,7 @@ 'ovpn subnet' => 'Sous-réseau OpenVPN', 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.', 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ', -'ovpn tls auth' => 'Protection du canal TLS :', +'ovpn tls auth' => 'Protection du canal TLS', 'ovpn warning 64 bit block cipher' => 'Ce L'algorithme de chiffage du n'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>', 'ovpn warning algorithm' => 'L'algorithme suivant a été configuré', 'ovpn warning rfc3280' => 'Votre certificat d'hôte n'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>', @@ -2266,7 +2268,9 @@ 'show lines' => 'Montrer les lignes', 'show root certificate' => 'Afficher le certificat root', 'show share options' => 'Montrer les options partagées', -'show tls-auth key' => 'Afficher clef tls-auth', +'show tls-auth key' => 'Afficher clef TLS-Auth', +'show tls-crypt key' => 'Montrer la clef TLS-Crypt', +'show tls-crypt-v2 key' => 'Montrer la clef TLS-Crypt-v2', 'shuffle' => 'Mélanger', 'shutdown' => 'Arrêter', 'shutdown ask' => 'Arrêter ?', @@ -2394,6 +2398,8 @@ 'system logs' => 'Rapports système', 'system status information' => 'Informations sur le statut du système', 'ta key' => 'Clé d'authentification TLS', +'tc key' => 'Clef de chiffrage TLS', +'tc v2 key' => 'Clef de chiffrage TLS version2', 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2', 'tcp more reliable' => 'TCP (plus fiable)', 'telephone not set' => 'Numéro de téléphone non défini.', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index ad16de583..cbbb3bb80 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl 
@@ -1739,6 +1739,7 @@ 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn tls auth' => 'Protezione del canale TLS', 'ovpn warning 64 bit block cipher' => 'L'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>', 'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo', 'ovpn_fastio' => 'Fast-IO', @@ -1994,7 +1995,9 @@ 'show lines' => 'Show lines', 'show root certificate' => 'Show root certificate', 'show share options' => 'Show shares options', -'show tls-auth key' => 'Show tls-auth key', +'show tls-auth key' => 'Mostra la chiave TLS-Auth', +'show tls-crypt key' => 'Mostra la chiave TLS-Crypt', +'show tls-crypt-v2 key' => 'Mostra la chiave TLS-Crypt v2', 'shuffle' => 'Shuffle', 'shutdown' => 'Spegni', 'shutdown ask' => 'Spegni?', @@ -2107,6 +2110,8 @@ 'system logs' => 'Log di Sistema', 'system status information' => 'Informazioni e stato del sistema', 'ta key' => 'TLS-Authentification-Key', +'tc key' => 'Chiave-Crittografica-TLS', +'tc v2 key' => 'Chiave-Crittografica-TLS-v2', 'telephone not set' => 'Telephone not set.', 'template' => 'Preset', 'template warning' => 'Ci sono due opzioni per impostare il Qos. La prima: si preme il pulsante Salva e poi si generano le classi e le regole da soli. La seconda: si preme il tasto di preset e le classi e le regole saranno automaticamente generate da un modello.', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index b0f037e0c..23ccaedf9 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -794,6 +794,9 @@ 'download new ruleset' => 'Download nieuwe regelset', 'download pkcs12 file' => 'Download PKCS12 bestand', 'download root certificate' => 'Download root certificaat', +'download tls-auth key' => 'Download TLS-Auth sleutel', +'download tls-crypt key' => 'Download TLS-Crypt sleutel', +'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server sleutel', 'dpd action' => 'Dead peer-detectie actie', 'dpd delay' => 'Vertraging', 'dpd timeout' => 'Timeout', @@ -1660,12 +1663,13 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN connectiestatistieken', 'ovpn config' => 'OVPN-Configuratie', +'ovpn crypt options' => 'Cryptografische opties', 'ovpn channel encryption' => 'Control-kanaal versleuteling', 'ovpn control channel v2' => 'Controle-Kanaal TLSv2', 'ovpn control channel v3' => 'Controle-Kanaal TLSv3', 'ovpn data encryption' => 'Datakanaalversleuteling', 'ovpn data channel authentication' => 'Gegevens en kanaal verificatie', -'ovpn data channel' => 'Data-kanaal', +'ovpn data channel' => 'Data-Kanaal', 'ovpn data channel fallback' => 'Data-Kanaal terugval', 'ovpn device' => 'OpenVPN apparaat:', 'ovpn dl' => 'OVPN-Configuratie download', @@ -1693,6 +1697,7 @@ 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.', 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ', +'ovpn tls auth' => 'TLS Kanaal bescherming', 'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>', 'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd', 'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>', 
@@ -1948,6 +1953,9 @@ 'show lines' => 'Toon regels', 'show root certificate' => 'Toon root certificaat', 'show share options' => 'Toon shares opties', +'show tls-auth key' => 'Toon TLS-Auth sleutel', +'show tls-crypt key' => 'Toon TLS-Crypt sleutel', +'show tls-crypt-v2 key' => 'Toon TLS-Crypt-v2 sleutel', 'shuffle' => 'Willekeurige volgorde', 'shutdown' => 'Afsluiten', 'shutdown ask' => 'Afsluiten?', @@ -2057,6 +2065,9 @@ 'system log viewer' => 'Systeem Log Viewer', 'system logs' => 'Systeem logs', 'system status information' => 'Systeem Status Informatie', +'ta key' => 'TLS-Authentificatie-sleutel', +'tc key' => 'TLS-Cryptografische-sleutel', +'tc v2 key' => 'TLS-Cryptografische sleutel-versie2', 'telephone not set' => 'Telefoon niet ingesteld.', 'template' => 'Vooringesteld', 'template warning' => 'U heeft twee opties voor QoS. Bij de eerste klikt u op de knop opslaan en genereert u zelf de klassen en regels. Voor de tweede klikt u op de "vooringesteld" knop en worden de regels middels een sjabloon voor u ingesteld.', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 5e8ec0864..fb7c12e85 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -719,6 +719,9 @@ 'download new ruleset' => 'Pobierz nowy zestaw reguł', 'download pkcs12 file' => 'Pobierz plik PKCS12', 'download root certificate' => 'Pobierz certyfikat root', +'download tls-auth key' => 'Pobierz klucz TLS-Auth', +'download tls-crypt key' => 'Pobierz klucz TLS-Crypt', +'download tls-crypt-v2 key' => 'Pobierz klucz serwera TLS-Crypt-v2', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Sterownik', 'drop input' => 'Loguj odrzucone pakiety wejściowe (input packets)', 
@@ -1365,6 +1368,7 @@ 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.', 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ', +'ovpn tls auth' => 'Ochrona Kanału-TLS', 'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>', 'ovpn warning algorithm' => 'Skonfigurowałeś algorytm', 'ovpn_fastio' => 'Fast-IO', @@ -1609,6 +1613,9 @@ 'show lines' => 'Pokaż linie', 'show root certificate' => 'Pokaż certyfikat root', 'show share options' => 'Pokaż opcje zasobu', +'show tls-auth key' => 'Pokaż klucz TLS-Auth', +'show tls-crypt key' => 'Pokaż klucz TLS-Crypt', +'show tls-crypt-v2 key' => 'Pokaż klucz TLS-Crypt-v2', 'shuffle' => 'Losowo', 'shutdown' => 'Wyłącz', 'shutdown ask' => 'Wyłączyć?', @@ -1712,6 +1719,9 @@ 'system log viewer' => 'Przegląd logów systemu', 'system logs' => 'Logi systemu', 'system status information' => 'Informacje o stanie systemu', +'ta key' => 'TLS-Klucz-Uwierzytelniający', +'tc key' => 'TLS-Klucz-Kryptograficzny', +'tc v2 key' => 'TLS-Klucz-Kryptograficzny-wersja2', 'telephone not set' => 'Telephone not set.', 'template' => 'Schemat', 'template warning' => 'Masz 2 możliwości skonfigurowania QoS. Pierwsza to naciśnięcie przycisku zapisz i skonfigurowanie klas i reguł samodzielnie. Druga to wciśnięcie przycisku schemat aby utworzyć klasy i reguły ze schematu.', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 6e3af2d7e..c4520ae2c 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl 
@@ -714,6 +714,9 @@ 'download new ruleset' => 'Загрузить новые правила', 'download pkcs12 file' => 'Загрузить PKCS12 файл', 'download root certificate' => 'Загрузить root сертификат', +'download tls-auth key' => 'Скачать TLS-Auth ключ', +'download tls-crypt key' => 'Скачать TLS-Crypt ключ', +'download tls-crypt-v2 key' => 'Скачать серверный ключ TLS-Crypt-v2', 'dpd action' => 'Действие при обнаружении Dead Peer', 'driver' => 'Драйвер', 'drop input' => 'Записывать сброшенные входящие пакеты', @@ -1339,6 +1342,7 @@ 'ovpn channel encryption' => 'Шифрование каналов управления', 'ovpn control channel v2' => 'Канал-управления TLSv2', 'ovpn control channel v3' => 'Канал-управления TLSv3', +'ovpn crypt options' => 'Криптографические опции', 'ovpn data encryption' => 'шифрование-каналов данных', 'ovpn data channel authentication' => 'Аутентификация данных и каналов', 'ovpn data channel' => 'Информационный-канал', @@ -1359,6 +1363,7 @@ 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.', 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ', +'ovpn tls auth' => 'Защита канала TLS', 'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>', 'ovpn warning algorithm' => 'Вы настроили алгоритм', 'ovpn_fastio' => 'Fast-IO', @@ -1603,6 +1608,9 @@ 'show lines' => 'Показать строки', 'show root certificate' => 'Показать root сертификат', 'show share options' => 'Показать настройки общих ресурсов', +'show tls-auth key' => 'Показать ключ TLS-Auth', +'show tls-crypt key' => 'Показать ключ TLS-Crypt', +'show tls-crypt-v2 key' => 'Показать ключ TLS-Crypt-клавиша-v2', 'shuffle' => 'Перемешать', 'shutdown' => 'Выключить', 'shutdown ask' => 'Выключить?', 
@@ -1706,6 +1714,9 @@ 'system log viewer' => 'System Log Viewer', 'system logs' => 'Системные журналы', 'system status information' => 'System Status Information', +'ta key' => 'TLS-Аутентификация-Кей', +'tc key' => 'TLS-криптографический-ключ', +'tc v2 key' => 'TLS-криптографическая-версия2', 'telephone not set' => 'Telephone not set.', 'template' => 'Задать', 'template warning' => 'У Вас есть две опции для установки Qos. Первая - нажать кнопку сохранения и сгенерировать классы и правила самостоятельно. Вторая - задать правила по шаблону.', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index e55a73aa3..1cde33dc7 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -879,6 +879,9 @@ 'download new ruleset' => 'Yeni Kural Kümesi İndir', 'download pkcs12 file' => 'PKCS12 dosyasını indir', 'download root certificate' => 'Root sertifikasını indir', +'download tls-auth key' => 'TLS-Auth anahtarını indirin', +'download tls-crypt key' => 'TLS-Crypt anahtarını indirin', +'download tls-crypt-v2 key' => 'TLS-Crypt-v2 sunucu anahtarını indirin', 'download tls-auth key' => 'Tls kimlik doğrulama anahtarını indir', 'dpd action' => 'Hareketsiz eş algılama eylemi', 'dpd delay' => 'Gecikme', @@ -1884,6 +1887,7 @@ 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.', 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ', +'ovpn tls auth' => 'TLS Kanal Koruması', 'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>', 'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın', 'ovpn_fastio' => 'Hızlı-IO', 
@@ -2148,6 +2152,9 @@ 'show root certificate' => 'Root sertifikasını göster', 'show share options' => 'Paylaşım seçeneklerini göster', 'show tls-auth key' => 'Tls kimlik doğrulama anahtarını göster', +'show tls-auth key' => 'TLS-Auth anahtarını göster', +'show tls-crypt key' => 'TLS-Crypt anahtarını göster', +'show tls-crypt-v2 key' => 'TLS-Crypt-v2 anahtarını göster', 'shuffle' => 'Karma', 'shutdown' => 'Kapat', 'shutdown ask' => 'Kapat?', @@ -2260,6 +2267,8 @@ 'system logs' => 'Sistem Günlükleri', 'system status information' => 'Sistem Durum Bilgisi', 'ta key' => 'TLS Kimlik Doğrulama Anahtarı', +'tc key' => 'TLS-Şifreleme-Anahtarı', +'tc v2 key' => 'TLS-Şifreleme-Anahtarı-versiyon 2', 'tcp more reliable' => 'TCP (daha güvenli)', 'telephone not set' => 'Telefon ayarlanmamış.', 'template' => 'Ön Ayar',
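Review bot: in the ovpnmain.cgi hunk at @@ -2451,13 +2505,37 @@, the exit status of system('/usr/sbin/openvpn', '--tls-crypt-v2', ..., '--genkey', 'tls-crypt-v2-client', "$cryptfile") is never checked. If key generation fails, the only error the user sees is the later "Can't add file tc-v2-client-...key" from $zip->addFile, which hides the real cause. Please test the return value (system(...) == 0) and report the failure before writing the tls-crypt-v2 line into the client config. The three new comments also spell "chosen" as "choosen".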
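Review bot: in the ovpnmain.cgi hunk at @@ -2514,7 +2592,33 @@, both new open(FILE, "<...") calls are unchecked two-argument opens on a bareword handle, so a missing or unreadable tc.key or client key silently produces an empty <tls-crypt> or <tls-crypt-v2> block in client.ovpn. Use a three-argument open with a lexical handle and fail with a message when it returns false. The openvpn --genkey call is also a copy of the one in the @@ -2451 hunk; a small shared sub that generates the client key and checks the result would keep the two branches from drifting apart.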
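Review bot: in the ovpnmain.cgi hunk at @@ -2706,6 +2810,50 @@, both new "show key" handlers read the key with backticks (`/bin/cat ${General::swroot}/ovpn/certs/tc.key` and the same for tc-v2-server.key), which forks a process just to read a file and gives no way to tell an empty file from a failed read. A plain open/read would do, with $errormessage set on failure. Separately, the second handler prints the whole tc-v2-server.key into the page. That is the key the @@ -2451 hunk passes to openvpn --tls-crypt-v2 to create every client key, so the commit message should say why it needs to be viewable in full.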
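Review bot: in the ovpnmain.cgi hunk at @@ -3004,6 +3150,17 @@, split('|', $cgiparams{'TLSAUTH'}) does not split on a literal pipe. The first argument to split is a pattern, and an unescaped | is an alternation of two empty patterns, so the value is split into single characters and the loop sets $checked{'TLSAUTH'}{'t'}, {'l'}, {'s'} and so on; $checked{'TLSAUTH'}{'tls-crypt'} never becomes selected='selected', so the default is not preselected. Since the TLSAUTH select added in the @@ -3193 hunk has no multiple attribute, drop the split and set $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} directly, or use split(/\|/, ...) if several values are really intended. The unchanged DAUTH line above it has the same pattern.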
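Review bot: in the ovpnmain.cgi hunk at @@ -3193,6 +3353,14 @@, the new <td class='boldbase'> is opened directly after the DAUTH </select> without closing the previous cell, so the row ends up with one </td> for two cells. The new select also carries two size attributes (size='6' and size="11") and two style attributes; a browser keeps only the first of each, so style="margin-right:-17px" and size="11" are dead. Close the DAUTH cell first and merge the attributes into one size and one style.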
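Review bot: in the ovpnmain.cgi hunk at @@ -6011,6 +6160,51 @@, the tc-v2 row uses title='$Lang::tr{'show tls-crypt-v2 key key'}' with a doubled "key"; the language hunks only define 'show tls-crypt-v2 key', so the tooltip will be empty. The same row opens a second <form method='post' name='frmtckey'><td ...> that is never closed and contains no input, and it reuses the form name of the tc.key row. Also, $tcvsubject = $1 and $tcsubject = $1 are assigned without checking that the preceding match succeeded, so a key file with an unexpected first line puts a stale or undefined $1 into the table; guard the assignment with the match result.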
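Review bot: in the langs/de and langs/tr hunks, 'download tls-auth key' is added as a new line while the existing entry with the same key stays in place as an unchanged context line below it; in a hash list the later entry wins, so the new strings 'TLS-Auth Schlüssel herunterladen' and 'TLS-Auth anahtarını indirin' are never shown. In tr.pl 'show tls-auth key' is duplicated the other way round, so there the new string overrides the old one. Replace the old lines instead of adding next to them, as the en and fr hunks do. Smaller points: 'tc key' and 'tc v2 key' are inserted before 'taa zombieload2', which breaks the alphabetical order of the files, and the English strings spell it 'TLS-Cryptografic-Key' (should be Cryptographic).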
Hi all, just wanted to ask if there is still interest in this patch series?
Best,
Erik
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
So, could you please summarise for me what you want to achieve here?
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
-Michael
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
Hi Michael, thanks for looking into this.
On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
That's not good to hear. OK, let me explain... I tried to come up with a solution that we have already spoken about several times in the past. I tried to follow up on your suggestions; the latest on that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in October, to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers, which is a >=2.5.0 option, we need another selection field for --data-ciphers-fallback, which is a replacement for --cipher, and the server uses this directive to also talk to clients which are <2.5.0. OpenVPN presses to use cipher negotiation, which we have avoided since the release of 2.4 with --ncp-disable. This option is now also deprecated, so we need to take action on this.
We then need two new options, two selection boxes, which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straightforward and the best solution, to build a separate crypto section which already has defaults; nobody needs to do anything there, the global section has been cleaned up and it should be even easier for everyone to get an overview.
It made no sense to me to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication, all of which I have integrated, so I moved them into that place as well (patch 6/7 and 7/7).
The control-channel cipher selection (patch 5/7) is new and should really be a part for the advanced ones, therefore no defaults have been set; it simply won't appear if nothing has been configured.
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7); also all languages have been translated and included. Also I wanted to split it into more specific topics for a better overview, but it seems that I have failed.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need to do anything unless you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you wrote suggestions that I simply tried to achieve, but again, it seems that I was not successful with this...
So, could you please summarise for me what you want to achieve here?
Hope I have done it above.
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes, both, but also easier, since the user does not need to do anything but should get more security under the hood. The backward and the forward compatibility should be in a better standing than before, and if someone wants to go into depth, this is also possible.
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
Yes, I think you missed some of that; hopefully I could remind you of some points.
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
Hi,
On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for looking into this.
On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
That's not good to hear. OK, let me explain... I tried to come up with a solution that we have already spoken about several times in the past. I tried to follow up on your suggestions; the latest on that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in October, to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers, which is a >=2.5.0 option, we need another selection field for --data-ciphers-fallback, which is a replacement for --cipher, and the server uses this directive to also talk to clients which are <2.5.0.
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
OpenVPN presses to use cipher negotiation, which we have avoided since the release of 2.4 with --ncp-disable. This option is now also deprecated, so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
I agree that we need to act.
We then need two new options, two selection boxes, which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straightforward and the best solution, to build a separate crypto section which already has defaults; nobody needs to do anything there, the global section has been cleaned up and it should be even easier for everyone to get an overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
I agree that this is all not ideal, but adding a third page to this all makes it rather more confusing than less.
It made no sense to me to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication, all of which I have integrated, so I moved them into that place as well (patch 6/7 and 7/7).
I remember that we have agreed to move the existing crypto options to the advanced page.
The control-channel cipher selection (patch 5/7) is new and should really be a part for the advanced ones, therefore no defaults have been set; it simply won't appear if nothing has been configured.
What is the benefit of choosing a different cipher for the control channel?
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7); also all languages have been translated and included. Also I wanted to split it into more specific topics for a better overview, but it seems that I have failed.
I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need to do anything unless you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you wrote suggestions that I simply tried to achieve, but again, it seems that I was not successful with this...
So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
I consider my ciphers as follows:
* Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel.
* What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
* Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
* AES-256-GCM
* AES-256-CBC
* AES-128-GCM
* AES-128-CBC
* ChaCha20-Poly1305
* Blowfish
* ...
And a second one that has
* SHA512
* SHA384
* SHA256
* …
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
So, could you please summarise for me what you want to achieve here?
Hope I have done it above.
Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes, both, but also easier, since the user does not need to do anything but should get more security under the hood. The backward and the forward compatibility should be in a better standing than before, and if someone wants to go into depth, this is also possible.
I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
Yes, I think you missed some of that; hopefully I could remind you of some points.
This is good progress :)
-Michael
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
Hi Michael,
On Tuesday, 15.12.2020 at 12:58 +0100, Michael Tremer wrote:
Hi,
On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for looking into this.
On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
That's not good to hear. OK, let me explain... I tried to come up with a solution that we have already spoken about several times in the past. I tried to follow up on your suggestions; the latest on that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in October, to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers, which is a >=2.5.0 option, we need another selection field for --data-ciphers-fallback, which is a replacement for --cipher, and the server uses this directive to also talk to clients which are <2.5.0.
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, I thought it might be an idea for the advanced section, but it is not really needed since OpenVPN uses its own choice for the control channel if nothing has been configured.
OpenVPN presses to use cipher negotiation, which we have avoided since the release of 2.4 with --ncp-disable. This option is now also deprecated, so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
I agree that we need to act.
We then need two new options, two selection boxes, which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straightforward and the best solution, to build a separate crypto section which already has defaults; nobody needs to do anything there, the global section has been cleaned up and it should be even easier for everyone to get an overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
This is exactly what i did.
I agree that this is all not ideal, but adding a third page to this all makes it rather more confusing than less.
Not sure if I understand you right here. You mentioned the advanced page above, but I understand you here that you do not want a third one?
It made no sense to me to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication, all of which I have integrated, so I moved them into that place as well (patch 6/7 and 7/7).
I remember that we have agreed to move the existing crypto options to the advanced page.
Yes, me too, and I thought you meant a dedicated crypto page like it is for IPsec, but you meant the advanced server section? If yes, we would then mix routing logging, DNS/WINS options with MTU related configuration options. Also, the crypto section can have some additions as well, like key lifetime, tls-version (if someone wants only TLSv1.3) and maybe some other upcoming stuff.
The control-channel cipher selection (patch 5/7) is new and should really be a part for the advanced ones, therefore no defaults have been set; it simply won't appear if nothing has been configured.
What is the benefit of choosing a different cipher for the control channel?
This one is not really needed; as mentioned above, OpenVPN then makes this decision on its own.
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7); also all languages have been translated and included. Also I wanted to split it into more specific topics for a better overview, but it seems that I have failed.
I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
OK. Let's go through this then. I have also attached screenshots for all changes for a better first impression.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need to do anything unless you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you wrote suggestions that I simply tried to achieve, but again, it seems that I was not successful with this...
So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
This is not needed and I can easily leave it out, but as mentioned beneath, OpenVPN decided to give TLSv1.2 another directive than TLSv1.3, therefore the two boxes.
I consider my ciphers as follows:
- Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel.
- What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
- Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
- AES-256-GCM
- AES-256-CBC
- AES-128-GCM
- AES-128-CBC
- ChaCha20-Poly1305
- Blowfish
- ...
This is a problem; there it is exactly the same, these are two directives. --data-cipher does NCP, whereby --data-ciphers-fallback substitutes --cipher. If we leave --data-ciphers-fallback out and work only with --data-ciphers, clients which do not have this directive cannot connect. Also, clients which are <=2.5.0 do not understand both directives and simply do not start. To find a way out in this foggy world I delivered a checkbox during client creation so the user has the possibility to bring the new directive into client.ovpn, but old clients can also be changed/updated via the edit menu.
And a second one that has
- SHA512
- SHA384
- SHA256
- …
The HMACs can not be used for negotiation, this is only a single selection.
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
So, could you please summarise for me what you want to achieve here?
Hope I have done it above.
Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes, both, but also easier, since the user does not need to do anything but should get more security under the hood. The backward and the forward compatibility should be in a better standing than before, and if someone wants to go into depth, this is also possible.
I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
Yes, I think you missed some of that; hopefully I could remind you of some points.
This is good progress :)
Happy to hear this.
Best,
Erik
-Michael
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
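The conversion step discussed in the messages above (one ordered cipher selection turned into OpenVPN directive names, a single HMAC, and a per-client version switch), written out as an added example; it is not code from the patch series or from IPFire. The sub names, the label table, the '|'-separated input format and the 'disabled' fallback value are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Select-box labels (from the lists in the thread) mapped to the algorithm
# names written to the OpenVPN configuration. The table is an assumption.
my %CIPHER = (
    'AES-256-GCM'       => 'AES-256-GCM',
    'AES-256-CBC'       => 'AES-256-CBC',
    'AES-128-GCM'       => 'AES-128-GCM',
    'AES-128-CBC'       => 'AES-128-CBC',
    'ChaCha20-Poly1305' => 'CHACHA20-POLY1305',
    'Blowfish'          => 'BF-CBC',
);
my %AUTH = map { $_ => $_ } qw(SHA512 SHA384 SHA256);

# Split a '|'-separated form value (assumed input format) into OpenVPN names.
# The user's order is kept, repeats are dropped, and anything that is not in
# the table is rejected, so raw form input never reaches the config file.
sub parse_selection {
    my ($raw, $table) = @_;
    my (@names, %seen);
    for my $label (split /\|/, $raw // '') {    # a bare | would be alternation
        next if $label eq '';
        my $name = $table->{$label} or die "unknown algorithm '$label'\n";
        push @names, $name unless $seen{$name}++;
    }
    return @names;
}

# Exactly one entry is required where OpenVPN takes a single algorithm.
sub single {
    my ($what, @names) = @_;
    die "$what takes exactly one algorithm\n" unless @names == 1;
    return $names[0];
}

# True if dotted version $have is at least $want.
sub version_ge {
    my ($have, $want) = @_;
    my @h = split /\./, $have;
    my @w = split /\./, $want;
    for my $i (0 .. 2) {
        my $cmp = ($h[$i] // 0) <=> ($w[$i] // 0);
        return $cmp > 0 if $cmp;
    }
    return 1;
}

# Server side: negotiated list, optional fallback for peers that do not
# negotiate ('disabled' leaves the directive out), and the single HMAC.
sub server_crypto_lines {
    my (%opt) = @_;
    my @ciphers = parse_selection($opt{ciphers}, \%CIPHER);
    my @lines;
    push @lines, 'data-ciphers ' . join(':', @ciphers) if @ciphers;
    my $fallback = $opt{fallback} // 'disabled';
    if ($fallback ne 'disabled') {
        push @lines, 'data-ciphers-fallback '
            . single('fallback', parse_selection($fallback, \%CIPHER));
    }
    push @lines, 'auth ' . single('auth', parse_selection($opt{auth}, \%AUTH));
    return @lines;
}

# Client side, modelled on the per-client version setting from the thread:
# clients from 2.5.0 on get the negotiation list, older ones get the single
# fallback as --cipher because they do not know the new directives.
sub client_crypto_lines {
    my (%opt) = @_;
    my $version = $opt{version} // '';
    die "bad client version '$version'\n"
        unless $version =~ /\A\d+(?:\.\d+){1,2}\z/;
    my @ciphers  = parse_selection($opt{ciphers}, \%CIPHER);
    my $fallback = $opt{fallback} // 'disabled';
    my @lines;
    if (version_ge($version, '2.5.0')) {
        push @lines, 'data-ciphers ' . join(':', @ciphers) if @ciphers;
    }
    elsif ($fallback ne 'disabled') {
        push @lines, 'cipher '
            . single('fallback', parse_selection($fallback, \%CIPHER));
    }
    push @lines, 'auth ' . single('auth', parse_selection($opt{auth}, \%AUTH));
    return @lines;
}

# Constructed sample input, as the form might submit it.
my %form = (
    ciphers  => 'AES-256-GCM|ChaCha20-Poly1305|AES-128-GCM',
    fallback => 'AES-256-CBC',
    auth     => 'SHA512',
);
print "# server.conf\n";
print "$_\n" for server_crypto_lines(%form);
for my $version ('2.5.0', '2.4.9') {
    print "# client.ovpn for OpenVPN $version\n";
    print "$_\n" for client_crypto_lines(%form, version => $version);
}
```

Because every value is looked up in a fixed table before it is written, a form value containing a newline or an unknown name stops the run instead of adding a line to the configuration.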
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
On Tuesday, 15.12.2020 at 12:58 +0100, Michael Tremer wrote:
Hi,
On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for looking into this.
On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
That's not good to hear. OK, let me explain... I tried to come up with a solution that we have already spoken about several times in the past. I tried to follow up on your suggestions; the latest on that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in October, to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers, which is a >=2.5.0 option, we need another selection field for --data-ciphers-fallback, which is a replacement for --cipher, and the server uses this directive to also talk to clients which are <2.5.0.
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, I thought it might be an idea for the advanced section, but it is not really needed since OpenVPN uses its own choice for the control channel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to choose what is best, there should be some option that says “automatic” at least.
OpenVPN presses to use cipher negotiation, which we have avoided since the release of 2.4 with --ncp-disable. This option is now also deprecated, so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
I agree that we need to act.
We then need two new options, two selection boxes, which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straightforward and the best solution, to build a separate crypto section which already has defaults; nobody needs to do anything there, the global section has been cleaned up and it should be even easier for everyone to get an overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
This is exactly what i did.
Okay. So why is there an extra page then, and not a section on the advanced page?
I like the now cleaner look of the main page which only has the bare necessities.
I agree that this is all not ideal, but adding a third page to this all makes it rather more confusing than less.
Not sure if I understand you right here. You mentioned the advanced page above, but I understand you here that you do not want a third one?
There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options.
They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:
a) Is it likely that the user will change them?
b) Or is this an option that the average user should not touch.
The advanced settings page can be as long as we like. It does not have to be pretty.
It made no sense to me to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication, all of which I have integrated, so I moved them into that place as well (patch 6/7 and 7/7).
I remember that we have agreed to move the existing crypto options to the advanced page.
Yes, me too, and I thought you meant a dedicated crypto page like it is for IPsec, but you meant the advanced server section? If yes, we would then mix routing logging, DNS/WINS options with MTU related configuration options. Also, the crypto section can have some additions as well, like key lifetime, tls-version (if someone wants only TLSv1.3) and maybe some other upcoming stuff.
That can all go to the advanced page in my opinion.
The control-channel cipher selection (patch 5/7) is new and should really be a part for the advanced ones, therefore no defaults have been set; it simply won't appear if nothing has been configured.
What is the benefit of choosing a different cipher for the control channel?
This one is not really needed; as mentioned above, OpenVPN then makes this decision on its own.
Okay, but why do we have it then? :)
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7); also all languages have been translated and included. Also I wanted to split it into more specific topics for a better overview, but it seems that I have failed.
I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
OK. Let's go through this then. I have also attached screenshots for all changes for a better first impression.
That was very helpful to me.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need to do anything unless you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you wrote suggestions that I simply tried to achieve, but again, it seems that I was not successful with this...
So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
This is not needed and I can easily leave it out, but as mentioned beneath, OpenVPN decided to give TLSv1.2 another directive than TLSv1.3, therefore the two boxes.
Yes, I think choosing this once is enough.
I consider my ciphers as follows:
- Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel.
- What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
- Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
- AES-256-GCM
- AES-256-CBC
- AES-128-GCM
- AES-128-CBC
- ChaCha20-Poly1305
- Blowfish
- ...
This is a problem; there it is exactly the same, these are two directives. --data-cipher does NCP, whereby --data-ciphers-fallback substitutes --cipher. If we leave --data-ciphers-fallback out and work only with --data-ciphers, clients which do not have this directive cannot connect.
No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.
It should be possible to turn it off though by adding a “disabled” option.
Also, clients which are <=2.5.0 do not understand both directives and simply do not start. To find a way out in this foggy world I delivered a checkbox during client creation so the user has the possibility to bring the new directive into client.ovpn, but old clients can also be changed/updated via the edit menu.
The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.
And a second one that has
- SHA512
- SHA384
- SHA256
- …
The HMACs can not be used for negotiation, this is only a single selection.
Well, that is bad. That means we still do not have full negotiation?
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
So, could you please summarise for me what you want to achieve here?
Hope I have done it above.
Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Great teamwork!
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes, both, but also easier, since the user does not need to do anything but should get more security under the hood. The backward and the forward compatibility should be in a better standing than before, and if someone wants to go into depth, this is also possible.
I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).
Why do we not talk about this before things are being implemented, or did I just miss the discussion? Yes i think you missed some of that, hopefully i could remind you on some points.
This is good progress :)
Happy to hear this.
Okay, so what are the next steps now?
-Michael
Best,
Erik
-Michael
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
<advanced_encryption_with_defaults.png><client_version.png><global_settings.png><deprectaed_ciphers_warning.png>
Hi Michael, there is currently a lot of other real world stuff around me and my time is really less since things out there do not get easier these days, at least for me.
If more time and motivation (which is most important) comes up I may go for another try to accomplish this topic with your suggestions. I would also finish this conversation here since it is hardly comprehensible and a possible v3 would differ a lot.
If someone else wanted to jump in this topic with solutions I am more than happy with this.
All the best,
Erik
On Tuesday, 29.12.2020 at 11:44 +0100, Michael Tremer wrote:
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
On Tuesday, 15.12.2020 at 12:58 +0100, Michael Tremer wrote:
Hi,
On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for looking into this.
On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
That's not good to hear. OK, let me explain... I tried to come up with a solution where we already have spoken more times about in the past, I tried to follow up your suggestions, the latest about that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in October to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers which is a >=2.5.0 option we need another selection field for the --data-ciphers-fallback which is a replacement for --cipher and the server uses this directive to talk also to clients which are <2.5.0.
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, I thought it might be an idea for the advanced section but it is not really needed since OpenVPN uses its own choice for the control-channel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to choose what is best, there should be some option that says “automatic” at least.
OpenVPN presses to use cipher negotiation which we have avoided since the release of 2.4 with --ncp-disable, this option is now also deprecated so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
I agree that we need to act.
We need to have then two new options, two selection boxes which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straight forward and the best solution to build an own crypto section which does have already defaults, nobody needs to do there anything, the global section has been cleaned up and it should be even easier for everyone to overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
This is exactly what I did.
Okay. So why is there an extra page then, and not a section on the advanced page?
I like the now cleaner look of the main page which only has the bare necessities.
I agree that this is all not ideal, but adding a third page to this all makes it rather more confusing than less.
Not sure if I understand you here right. You mentioned above the advanced page but I understand you here that you do not want a third one?
There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options.
They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:
a) Is it likely that the user will change them?
b) Or is this an option that the average user should not touch.
The advanced settings page can be as long as we like. It does not have to be pretty.
It made for me no sense to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication which I have all integrated so I moved them also into that place (patch 6/7 and 7/7).
I remember that we have agreed to move the existing crypto options to the advanced page.
Yes, me too and I thought you meant a dedicated crypto page like it is for IPSec but you meant the advanced server section? If yes we would mix then routing, logging, DNS/WINS options with MTU related configure options. Also, the crypto section can have also some additionals like key lifetime, tls-version (if someone wants only TLSv1.3) and maybe some other upcoming stuff.
That can all go to the advanced page in my opinion.
The control-channel cipher selection (patch 5/7) is new and should be really a part for the advanced ones, therefore no defaults have been set, it simply won't appear if nothing has been configured.
What is the benefit of choosing a different cipher for the control channel?
This one is not really needed, as mentioned above OpenVPN makes then this decision on its own.
Okay, but why do we have it then? :)
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7), also all languages have been translated and included. Also I wanted to split it in more specific topics for better overview but it seems that I have failed.
I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
OK. Let's go through this then. I have attached also screenshots for all changes for a better first impression.
That was very helpful to me.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need anything to do except you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you have written suggestions that I simply tried to achieve but again, it seems that I was not successful with this...
So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
This is not needed and I can easily leave it out but as mentioned beneath, OpenVPN decided to give TLSv1.2 another directive than TLSv1.3, therefore the two boxes.
Yes, I think choosing this once is enough.
I consider my ciphers as follows:
- Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel.
- What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
- Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
- AES-256-GCM
- AES-256-CBC
- AES-128-GCM
- AES-128-CBC
- ChaCha20-Poly1305
- Blowfish
- ...
This is a problem there is exactly the same, these are two directives. --data-ciphers does NCP whereby --data-ciphers-fallback substitutes --cipher. If we leave --data-ciphers-fallback out and work only with --data-ciphers, clients which do not have this directive can not connect.
No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.
It should be possible to turn it off though by adding a “disabled” option.
Also, clients which are <=2.5.0 do not understand both directives and simply do not start. To find a way out in this foggy world I delivered a checkbox during client creation so the user has the possibility to bring the new directive into client.ovpn but also old clients can be changed/updated via the edit menu.
The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.
And a second one that has
- SHA512
- SHA384
- SHA256
- …
The HMACs can not be used for negotiation, this is only a single selection.
Well, that is bad. That means we still do not have full negotiation?
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
So, could you please summarise for me what you want to achieve here?
Hope I have done it above.
Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Great teamwork!
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes both but also easier since the user does not need to do anything but he should get more security under the hood, the backward and the forward compatibility should be in a better standing than before and if someone wants to go into the depth, this is even also possible.
I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
Yes I think you missed some of that, hopefully I could remind you of some points.
This is good progress :)
Happy to hear this.
Okay, so what are the next steps now?
-Michael
Best,
Erik
-Michael
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik
<advanced_encryption_with_defaults.png><client_version.png><global_settings.png><deprectaed_ciphers_warning.png>
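The compatibility rule debated in the message above (a negotiated --data-ciphers list for peers on 2.5.0 or newer, one --data-ciphers-fallback or --cipher value for older ones, and a multi-select that has to be converted into OpenVPN's own syntax), shown as an added Perl example that is not part of the thread or of ovpnmain.cgi. The helper names, the two allowlists and the "disabled" value are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; helper names and allowlists are hypothetical and are
# not taken from ovpnmain.cgi.
use strict;
use warnings;

# Data-channel ciphers offered for negotiation (assumption: the GCM family
# plus CHACHA20-POLY1305, as named in the patch description).
my %NEGOTIABLE = map { $_ => 1 }
    qw(AES-256-GCM AES-192-GCM AES-128-GCM CHACHA20-POLY1305);

# Single-choice fallback ciphers (assumption: a short list for illustration).
my %FALLBACK = map { $_ => 1 }
    qw(AES-256-CBC AES-192-CBC AES-128-CBC AES-256-GCM AES-128-GCM);

# Split a '|'-joined multi-select value, keep the user's order, drop
# duplicates and reject anything that is not on the allowlist, so that no
# unexpected text can reach the configuration file.
sub parse_selection {
    my ($raw) = @_;
    my (@out, %seen);
    for my $name (split /\|/, $raw // '') {   # '|' must be escaped in a regex
        next if $name eq '';
        die "unknown data cipher\n" unless $NEGOTIABLE{$name};
        push @out, $name unless $seen{$name}++;
    }
    return @out;
}

# Numeric comparison of dotted versions such as 2.4.9 and 2.5.0.
sub version_at_least {
    my ($have, $want) = @_;
    my @h = split /\./, $have;
    my @w = split /\./, $want;
    for my $i (0 .. 2) {
        my $cmp = ($h[$i] // 0) <=> ($w[$i] // 0);
        return $cmp > 0 if $cmp != 0;
    }
    return 1;
}

# Server side: negotiation list plus one fallback for peers without NCP.
sub server_directives {
    my ($raw, $fallback) = @_;
    my @ciphers = parse_selection($raw);
    my @lines;
    push @lines, 'data-ciphers ' . join(':', @ciphers) if @ciphers;
    if ($fallback ne 'disabled') {
        die "unknown fallback cipher\n" unless $FALLBACK{$fallback};
        push @lines, "data-ciphers-fallback $fallback";
    }
    return @lines;
}

# Client side: never hand --data-ciphers to a client older than 2.5.0,
# because an unknown directive keeps it from starting.
sub client_directives {
    my ($version, $raw, $fallback) = @_;
    die "bad client version\n" unless $version =~ /\A\d+(?:\.\d+){1,2}\z/;
    if (version_at_least($version, '2.5.0')) {
        my @ciphers = parse_selection($raw);
        return @ciphers ? ('data-ciphers ' . join(':', @ciphers)) : ();
    }
    die "pre-2.5.0 client needs a fallback cipher\n" if $fallback eq 'disabled';
    die "unknown fallback cipher\n" unless $FALLBACK{$fallback};
    return ("cipher $fallback");
}

# Constructed sample input: the value a multi-select form might post.
my $selection = 'AES-256-GCM|CHACHA20-POLY1305|AES-128-GCM';

print "server.conf:\n";
print "  $_\n" for server_directives($selection, 'AES-256-CBC');
for my $version ('2.4.9', '2.5.0') {
    print "client $version:\n";
    print "  $_\n" for client_directives($version, $selection, 'AES-256-CBC');
}

# A name outside the allowlist is refused instead of being written out.
my $ok = eval { parse_selection('AES-256-GCM|BF-CBC'); 1 };
print "rejected: ", ($ok ? 'no' : 'yes'), "\n";
```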
Hi Erik,
I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.
As I am nowhere near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.
I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.
Regards,
Adolf.
Good morning Adolf,
On Thursday, 14.01.2021 at 19:50 +0100, Adolf Belka wrote:
Hi Erik,
I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.
As I am nowhere near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.
Will try to help you out if I can.
I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.
As mentioned before, I am more than happy with this.
Regards,
Adolf.
Best,
Erik
On 13/01/2021 10:18, ummeegge wrote:
Hi Michael, there is currently a lot of other real world stuff around me and my time is really less since things out there do not get easier these days, at least for me.
If more time and motivation (which is most important) comes up i will may go for another try to accomplish this topic with your suggestions. I would also finish this conversation here since it is hardly comprehensible and a possible v3 would differs a lot.
If someone else wanted to jump in this topic with solutions i am more then happy with this.
All the best,
Erik
Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael Tremer:
Hi,
On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for looking into this.
Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael Tremer: > Hello Erik, > > Yes, I am very much interested in this. > > And I have spent pretty much an hour to make sense out of > all > of > this, and unfortunately have to report that I failed. that´s not good to hear. OK, let me explain... I tried to come up with a solution where we already have spoken more times about in the past, i tried to follow up your suggestions, the latest about that topic was here -->
https://lists.ipfire.org/pipermail/development/2020-October/008441.html in Oktober to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprectaed and will be replaced by --data-ciphers which is a >=2.5.0 option we need another selection field for the --data-ciphers-fallback which is a replacement for --cipher and the server uses this directive to talk also to client which are <2.5.0 .
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, i thougt it might be an idea for the advanced section be it is not really needed since OpenVPN uses his own choice for the control- chanel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to chose what is best, there should be some option that says “automatic” at least.
OpenVPN presses to use cipher negotiation which we have avoid since the release of 2.4 with --ncp-disable, this option is no also deprecated so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
I agree that we need to act.
We need to have then two new options, two seletion boxes which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing i wanted to do. So i thought your above linked suggestions are pretty straight forward and the best solution to build an own crypto section which do have already defaults, nobody needs to do there anyting, the global section has been cleaned up and it should be even easier for everone to overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
This is exactly what i did.
Okay. So why is there an extra page then, and not a section on the advanced page?
I like the now cleaner look of the main page which only has the bare necessities.
I agree that this is all not idea, but adding a third page to this all makes it rather more confusing than less.
Not sure if i understand you here right. You mentioned above the advanced page but i understand you here that you do not want a third one ?
There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options.
They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:
a) Is it likely that the user will change them?
b) Or is this an option that the average user should not touch.
The advanced settings page can be as long as we like. It does not have to be pretty.
It made for me no sense to leave parts of the crypto (TLS- auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication which i have all integrated so i moved them also into that place (patch 6/7 and 7/7).
I remember that we have agreed to move the existing crypto options to the advanced page.
Yes, me too and i thought you meant an dedicated crypto page like it is for IPSec but you meant the advanced server section ? If yes we would mix then routing logging, DNS/WINS options with MTU related configure options. Also, the crypto section can have also some additionals like key lieftime, tls-version (if someone wants only TLSv1.3) and may some other upcoming stuff.
That can all go to the advanced page in my opinion.
The control-channel cipher selection (patch 5/7) is new and should be really a part for the advanced ones, therefor no defaults has been set, it simply won´t appear if nothing has been configured.
What is the benefit of choosing a different cipher for the control channel?
This one is not really needed, as mentioned above OpenVPN makes then this decision by its own.
Okay, but why do we have it then? :)
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7), also all languages have been translated and have been included. Also i wanted to split it in more specific topics for better overview but it seems that i have failed.
I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
OK. Let's go through this then. I have attached also screenshots for all changes for a better first impression.
That was very helpful to me.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
One intention was that you do not need anything to do except you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
Please check out the above linked topic where you have written suggestions that i simply tried to achieve but again, it seems that i was not successful with this...
So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
This is not needed and i can easily let it out but mentioned beneath OpenVPN decided to give TLSv1.2 another directive than TLSv1.3, therefore the two boxes.
Yes, I think choosing this once is enough.
I consider my ciphers as follows:
- Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything (regardless if that is the control or data channel).
- What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
- Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
- AES-256-GCM
- AES-256-CBC
- AES-128-GCM
- AES-128-CBC
- ChaCha20-Poly1305
- Blowfish
- ...
This is a problem there is exactly the same, this are two directives. --data-cipher does NCP whereby --data-ciphers-fallback substitutes --cipher. If we leave --data-ciphers-fallback out and work only with --data-ciphers, clients which do not have this directive can not connect.
No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.
It should be possible to turn it off though by adding a “disabled” option.
Also, clients which are <=2.5.0 do not understand both directives and simply do not start. To find a way out in this foggy world i delivered a checkbox while client creation so the user has the possibility to bring the new directive into client.ovpn but also old clients can be changed/updated via the edit menu.
The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.
And a second one that has
- SHA512
- SHA384
- SHA256
- …
The HMACs can not be used for negotiation, this is only a single selection.
Well, that is bad. That means we still do not have full negotiation?
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
So, could you please summarise for me what you want to achieve here?
Hope i have it done above.
Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Great teamwork!
Is this supposed to make OpenVPN more compatible, secure, or anything else?
Yes both but also easier since the user does not need to do anything but he should become more security under the hood, the backward and the forward compatibility should be in a better standing than before and if someone wants to go into the depth, this is even also possible.
I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe lets hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).
Why do we not talk about this before things are being implemented, or did I just miss the discussion?
Yes i think you missed some of that, hopefully i could remind you on some points.
This is good progress :)
Happy to hear this.
Okay, so what are the next steps now?
-Michael
Best,
Erik
-Michael
-Michael
Best,
Erik
> On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
>
> Hi all,
> just wanted to ask if there is still interest in this patch series?
>
> Best,
>
> Erik
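One way the conversion discussed in the message above (a multi-select list for negotiation, a single fallback with a "disabled" choice, and no new directive in files for clients older than 2.5.0) could look. This is an added example, not code from the thread or from ovpnmain.cgi; the pipe-separated storage format, the label table and all sub names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# UI label => name written to the OpenVPN configuration (assumed table).
my %CIPHER_NAME = (
    'AES-256-GCM'       => 'AES-256-GCM',
    'AES-256-CBC'       => 'AES-256-CBC',
    'AES-128-GCM'       => 'AES-128-GCM',
    'AES-128-CBC'       => 'AES-128-CBC',
    'ChaCha20-Poly1305' => 'CHACHA20-POLY1305',
    'Blowfish'          => 'BF-CBC',
);

# Map one UI label to its configuration name. Anything outside the table is
# refused, so a stored value can never put text of its own into server.conf.
sub cipher_name {
    my ($label) = @_;
    return $CIPHER_NAME{$label} if exists $CIPHER_NAME{$label};
    (my $shown = $label) =~ s/[^\x21-\x7e]/?/g;    # keep the error printable
    die "unknown cipher selection: $shown\n";
}

# Split the stored multi-select value, keeping the user's order (most
# preferred first) and dropping repeats.
sub parse_selection {
    my ($stored) = @_;
    my (@names, %seen);
    # '|' means alternation in a regex, so it is escaped to act as separator.
    foreach my $label (split /\|/, $stored // '') {
        my $name = cipher_name($label);
        push @names, $name unless $seen{$name}++;
    }
    return @names;
}

# Lines for server.conf. $fallback is a UI label or the string 'disabled'.
sub server_cipher_lines {
    my ($stored, $fallback) = @_;
    my @ciphers = parse_selection($stored);
    die "at least one data cipher must be selected\n" unless @ciphers;
    my @lines = ('data-ciphers ' . join(':', @ciphers));
    push @lines, 'data-ciphers-fallback ' . cipher_name($fallback)
        unless $fallback eq 'disabled';
    return @lines;
}

# Numeric comparison of dotted versions, so that 2.10.0 sorts after 2.5.0.
sub version_at_least {
    my ($have, $want) = @_;
    die "bad version string\n" unless $have =~ /\A\d+(?:\.\d+){0,2}\z/;
    my @h = split /\./, $have;
    my @w = split /\./, $want;
    foreach my $i (0 .. 2) {
        my $cmp = ($h[$i] // 0) <=> ($w[$i] // 0);
        return $cmp > 0 ? 1 : 0 if $cmp;
    }
    return 1;    # equal versions
}

# Lines for a client file. Following the thread: clients from 2.5.0 on get no
# cipher directive and negotiate; older clients never get the new directives
# and receive the legacy 'cipher' line matching the server's fallback.
sub client_cipher_lines {
    my ($client_version, $fallback) = @_;
    return () if version_at_least($client_version, '2.5.0');
    return () if $fallback eq 'disabled';    # nothing compatible to offer
    return ('cipher ' . cipher_name($fallback));
}

# Constructed sample input, standing in for what the web form stored.
my $stored   = 'AES-256-GCM|ChaCha20-Poly1305|AES-128-GCM';
my $fallback = 'AES-256-CBC';

print "server: $_\n" for server_cipher_lines($stored, $fallback);
foreach my $version ('2.5.0', '2.3.18') {
    my @lines = client_cipher_lines($version, $fallback);
    print "client $version: ", (@lines ? "@lines" : '(no cipher directive)'), "\n";
}

# A value that is not in the table is refused before anything is written.
eval { server_cipher_lines('AES-256-GCM|NOT-A-CIPHER', $fallback); 1 }
    or print "rejected: $@";
```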
Hi Erik,
Where can I get hold of your latest version of ovpnmain.cgi?
Regards,
Adolf.
On 15/01/2021 05:56, ummeegge wrote:
Good morning Adolf,
On Thursday, 14.01.2021 at 19:50 +0100, Adolf Belka wrote:
Hi Erik,
I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.
As I am nowhere near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.
Will try to help you out if i can.
I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.
As mentioned before, i am more than happy with this.
Regards,
Adolf.
Best,
Erik
On 13/01/2021 10:18, ummeegge wrote:
Hi Michael, there is currently a lot of other real world stuff around me and my time is really less since things out there do not get easier these days, at least for me.
If more time and motivation (which is most important) comes up i will may go for another try to accomplish this topic with your suggestions. I would also finish this conversation here since it is hardly comprehensible and a possible v3 would differ a lot.
If someone else wanted to jump in this topic with solutions i am more than happy with this.
All the best,
Erik
On Tuesday, 29.12.2020 at 11:44 +0100, Michael Tremer wrote:
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
On Tuesday, 15.12.2020 at 12:58 +0100, Michael Tremer wrote:
Hi,
> On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
>
> Hi Michael,
> thanks for looking into this.
>
> On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
>> Hello Erik,
>>
>> Yes, I am very much interested in this.
>>
>> And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
> that's not good to hear. OK, let me explain... I tried to come up with a solution where we already have spoken more times about in the past, i tried to follow up your suggestions, the latest about that topic was here -->
>
> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> in October to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers which is a >=2.5.0 option we need another selection field for the --data-ciphers-fallback which is a replacement for --cipher and the server uses this directive to talk also to client which are <2.5.0 .
Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, i thought it might be an idea for the advanced section but it is not really needed since OpenVPN uses its own choice for the control-channel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to choose what is best, there should be some option that says “automatic” at least.
> OpenVPN presses to use cipher negotiation which we have avoided since the release of 2.4 with --ncp-disable, this option is now also deprecated so we need to take action on this.
I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
I agree that we need to act.
> We need to have then two new options, two selection boxes which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing i wanted to do. So i thought your above linked suggestions are pretty straight forward and the best solution to build an own crypto section which do have already defaults, nobody needs to do there anything, the global section has been cleaned up and it should be even easier for everyone to overview.
We have touched this topic multiple times. And I remember the last conclusion as follows:
Hi Adolf, you can find it with better overview on Patchwork --> https://patchwork.ipfire.org/patch/3712/ you can get there the specific diffs (button right side) and a list of the series by clicking on "Related --> Show"
Best,
Erik
On Friday, 22.01.2021 at 23:08 +0100, Adolf Belka wrote:
Hi Erik,
Where can I get hold of your latest version of ovpnmain.cgi?
Regards,
Adolf.
On 15/01/2021 05:56, ummeegge wrote:
Good morning Adolf,
Am Donnerstag, dem 14.01.2021 um 19:50 +0100 schrieb Adolf Belka:
Hi Erik,
I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.
As I am no where near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.
Will try to help you out if i can.
I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.
As mentioned before, i am more then happy with this.
Regards,
Adolf.
Best,
Erik
On 13/01/2021 10:18, ummeegge wrote:
Hi Michael, there is currently a lot of other real world stuff around me and my time is really less since things out there do not get easier these days, at least for me.
If more time and motivation (which is most important) comes up i will may go for another try to accomplish this topic with your suggestions. I would also finish this conversation here since it is hardly comprehensible and a possible v3 would differs a lot.
If someone else wanted to jump in this topic with solutions i am more then happy with this.
All the best,
Erik
Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael Tremer: > Hi, > > > On 14 Dec 2020, at 16:12, ummeegge > > ummeegge@ipfire.org > > wrote: > > > > Hi Michael, > > thanks for looking into this. > > > > Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb > > Michael > > Tremer: > > > Hello Erik, > > > > > > Yes, I am very much interested in this. > > > > > > And I have spent pretty much an hour to make sense > > > out of > > > all > > > of > > > this, and unfortunately have to report that I failed. > > that´s not good to hear. OK, let me explain... I tried > > to > > come > > up > > with > > a solution where we already have spoken more times > > about in > > the > > past, i > > tried to follow up your suggestions, the latest about > > that > > topic > > was > > here --> > > > > https://lists.ipfire.org/pipermail/development/2020-October/008441.html > > in Oktober to bring up "a select box where multiple > > algorithms > > can > > be > > chosen (like in IPsec)". Since --cipher is deprectaed > > and > > will > > be > > replaced by --data-ciphers which is a >=2.5.0 option we > > need > > another > > selection field for the --data-ciphers-fallback which > > is a > > replacement > > for --cipher and the server uses this directive to talk > > also to > > client > > which are <2.5.0 . > Yes, the ciphers. But as far as I understand this, you > are > offering > to select the whole cipher suite. That is something > different. > > And you are offering different options for TLSv1.3 and > lower, > which > we do not do in IPsec either. You have one selection for > both > IKEv1 > and IKEv2. Yes, i thougt it might be an idea for the advanced section be it is not really needed since OpenVPN uses his own choice for the control- chanel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to chose what is best, there should be some option that says “automatic” at least.
> > OpenVPN presses to use cipher negotiation which we have > > avoid > > since > > the > > release of 2.4 with --ncp-disable, this option is no > > also > > deprecated so > > we need to take action on this. > I will skip my moan about introducing something and then > deprecating > it shortly after… It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
> I agree that we need to act. > > > We need to have then two new options, two seletion > > boxes > > which > > are > > odd > > to see in the global section. I tried it in the > > advanced > > server > > section > > too and it looks even more confusing with all the other > > already > > existing options, nothing i wanted to do. So i thought > > your > > above > > linked suggestions are pretty straight forward and the > > best > > solution to > > build an own crypto section which do have already > > defaults, > > nobody > > needs to do there anyting, the global section has been > > cleaned > > up > > and > > it should be even easier for everone to overview. > We have touched this topic multiple times. And I remember > the > last > conclusion as follows: > > The average user does not have to touch the advanced > options. > They > have to put in their subnet, select a port and protocol > maybe > and > that is about it. They do not need to think about what > cipher > to > use, > because we would have selected a reasonable default. If > they > want > to > change something (because of hardware requirements, etc.) > they > can do > that on the advanced page. This is exactly what i did.
Okay. So why is there an extra page then, and not a section on the advanced page?
I like the now cleaner look of the main page which only has the bare necessities.
> I agree that this is all not idea, but adding a third > page to > this > all makes it rather more confusing than less. Not sure if i understand you here right. You mentioned above the advanced page but i understand you here that you do not want a third one ?
There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options.
They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:
a) Is it likely that the user will change them?
b) Or is this an option that the average user should not touch.
The advanced settings page can be as long as we like. It does not have to be pretty.
> > It made for me no sense to leave parts of the crypto > > (TLS- > > auth > > and > > HMACs) in the global section, especially because there > > are > > also > > even > > more algorithms, but also new options for the TLS > > authentication > > which > > i have all integrated so i moved them also into that > > place > > (patch > > 6/7 > > and 7/7). > I remember that we have agreed to move the existing > crypto > options to > the advanced page. Yes, me too and i thought you meant an dedicated crypto page like it is for IPSec but you meant the advanced server section ? If yes we would mix then routing logging, DNS/WINS options with MTU related configure options. Also, the crypto section can have also some additionals like key lieftime, tls-version (if someone wants only TLSv1.3) and may some other upcoming stuff.
That can all go to the advanced page in my opinion.
> > The control-channel cipher selection (patch 5/7) is new > > and > > should > > be > > really a part for the advanced ones, therefor no > > defaults > > has > > been > > set, > > it simply won´t appear if nothing has been configured. > What is the benefit of choosing a different cipher for > the > control > channel? This one is not really needed, as mentioned above OpenVPN makes then this desicion by it´s own.
Okay, but why do we have it then? :)
> > I have the problem that I cannot get on top of these > > things. > > You > > are > > submitting *massive* patchsets, in this case I even > > believe > > that > > the > > whole things has been submitted a second time, although > > I > > do > > not > > know > > if there are any changes. > > Yes there are. Old and deprecated ciphers will now be > > detected > > and > > a > > warning comes up in the global section to change them > > as > > soon > > as > > possible (patch 3/7), also all languages has been > > translated > > and > > has > > been included. > > Also i wanted to split it in more specific topics for > > better > > overview > > but it seems that i have been failed. > I do not think that you have failed. I just think that it > is > not > clear what the patch intended to do. So I cannot really > look > at > it > and verify if the code actually does what you want it to > do. > > Could it have been split into even smaller changes? Yes, > would > that > have helped? Maybe. But I do not think that we should > waste > too > much > time to reformat the patches. I want the changes to be > ready > to > be > merged as soon as possible. OK. Let´s go through this then. I have attached also screenshots for all changes for a better first impression.
That was very helpful to me.
> > I could not even find out *what* you are actually > > trying to > > do. > > There > > are more and more buttons being added and I have not > > the > > slightest > > idea > > what I am supposed to do with them. I have given my > > thoughts > > about > > the > > cipher selection and I felt that I have not been heard. > > One intention was that you do not need anything to do > > except > > you > > want > > to do some advanced crypto stuff. The rest should have > > already > > been > > made... > > > > > > I fear that this is all way too complicated. I cannot > > review > > what I > > do > > not even understand what the desired outcome is. And > > failing to > > understand that either means that it is either way too > > complicated > > or I > > have not read enough anywhere about all of this. > > Please check out the above linked topic where you have > > wrote > > suggestions that i simply tried to achieve but again, > > it > > seems > > that > > i > > was not successfull with this... > So, maybe help me to understand why the user would want > to > use > different ciphers for the control channel and for > TLSv1.3/2. This is not needed and i can easily let it out but mentioned beneath OpenVPN decided to give TLSv1.2 another directive then TLSv1.3 therefor the two boxes.
Yes, I think choosing this once is enough.
> I consider my ciphers as follows: > > * Which algorithms do I trust? If I do not trust AES for > example, > I > would unselect it for everything, regardless if that is > the > control > or data channel). > > * What does my hardware support? I would want to choose > AES > if my > hardware has acceleration for it. > > * Then I would sort them by most secure first (e.g. AES- > 256, > then > AES-192 and so on…) > > I can replicate that with only one multiple-select box > that > simply > lists: > > * AES-256-GCM > * AES-256-CBC > * AES-128-GCM > * AES-128-CBC > * ChaCha20-Poly1305 > * Blowfish > * ... This is a problen there is exactly the same, this are two directives. - -data-cipher does NCP whereby --data-ciphers-fallback substitutes -
cipher. If we leave --data-ciphers-fallback out and work only with -- data-ciphers' clients which do not have this directive can not connect.
No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.
It should be possible to turn it off though by adding a “disabled” option.
Also, client which are <=2.5.0 do not understands both directives and simply do not starts. To find a way out in this foggy world i delivered a checkbox while client creation so the user have the possiblity to bring the new directive into client.ovpn but also old clients can be changed/updated via the edit menu.
The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.
> And a second one that has > > * SHA512 > * SHA384 > * SHA256 > * … The HMACs can not be used for negotiation, this is only a single selection.
Well, that is bad. That means we still do not have full negotiation?
> The code will then have to convert this into the fancy > names > for > the > OpenVPN configuration file. But I suppose that should be > easy > to > do. > > That way, the user can be certain that they have chosen > the > right > thing for everything in one go. > > > So, could you please summarise for me what you want to > > achieve > > here? > > Hope i have it done above. > Thank you for that. > > I really appreciate all this time that you have invested > in > this, > and > the code looks clean. I just think we have been on > different > pages > about what we want it to look and feel like for the user. Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Great teamwork!
> > Is this supposed to make OpenVPN more compatible, secure, or anything else?
> > Yes both but also easier since the user does not need to do anything but he should get more security under the hood, the backward and the forward compatibility should be in a better standing than before and if someone wants to go into the depth, this is even also possible.
> I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.

No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).

> > Why do we not talk about this before things are being implemented, or did I just miss the discussion?
> > Yes I think you missed some of that, hopefully I could remind you on some points.
> This is good progress :)

Happy to hear this.
Okay, so what are the next steps now?
-Michael
Best,
Erik
> -Michael
>
> > -Michael
> >
> > Best,
> >
> > Erik
> >
> > > On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
> > >
> > > Hi all,
> > > just wanted to ask if there is still interest in this patch series?
> > >
> > > Best,
> > >
> > > Erik

<advanced_encryption_with_defaults.png><client_version.png><global_settings.png><deprectaed_ciphers_warning.png>
Hi All,
After some deliberation, I have to say that I will not be able to pick up this OpenVPN topic for the new encryption section coming with OpenVPN 2.5.0.
The basis for this decision is that as I have been reviewing ovpnmain.cgi and the changes proposed by Erik, I have come to realise that my capabilities to understand what is going on in the code are just too limited. I have not been able to understand the structure of the existing code well enough to even start to think about proposing changes to the code that would do what is needed but also not have knock-on effects.
I am very sorry to be communicating this and I have thought hard about it for some time but even leaving some gaps and then going back to the code after a while has resulted in me continuing to find new code that I didn't understand what it was doing rather than things becoming clearer and eventually I came to this conclusion.
I will still continue to help with testing and to provide update patches for addons and core programs and also work on the simpler bugs where my knowledge is sufficient.
Regards,
Adolf.
On 15/01/2021 05:56, ummeegge wrote:
Good morning Adolf,
On Thursday, 14.01.2021 at 19:50 +0100, Adolf Belka wrote:
Hi Erik,
I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.
As I am nowhere near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.
Will try to help you out if I can.
I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.
As mentioned before, I am more than happy with this.
Regards,
Adolf.
Best,
Erik
On 13/01/2021 10:18, ummeegge wrote:
Hi Michael, there is currently a lot of other real world stuff around me and my time is really less since things out there do not get easier these days, at least for me.
If more time and motivation (which is most important) comes up I may go for another try to accomplish this topic with your suggestions. I would also finish this conversation here since it is hardly comprehensible and a possible v3 would differ a lot.
If someone else wanted to jump in this topic with solutions I am more than happy with this.
All the best,
Erik
On Tuesday, 29.12.2020 at 11:44 +0100, Michael Tremer wrote:
Hi,
On 16 Dec 2020, at 17:30, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
On Tuesday, 15.12.2020 at 12:58 +0100, Michael Tremer wrote:
Hi,
> On 14 Dec 2020, at 16:12, ummeegge ummeegge@ipfire.org wrote:
>
> Hi Michael,
> thanks for looking into this.
>
> On Monday, 14.12.2020 at 14:43 +0100, Michael Tremer wrote:
>> Hello Erik,
>>
>> Yes, I am very much interested in this.
>>
>> And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
> That's not good to hear. OK, let me explain... I tried to come up with a solution which we have already spoken about several times in the past, I tried to follow up your suggestions, the latest about that topic was here -->
>
> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> in October to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprecated and will be replaced by --data-ciphers which is a >=2.5.0 option we need another selection field for the --data-ciphers-fallback which is a replacement for --cipher and the server uses this directive to talk also to clients which are <2.5.0.

Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.
And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.
Yes, I thought it might be an idea for the advanced section, but it is not really needed since OpenVPN uses its own choice for the control-channel if nothing has been configured.
That probably isn’t good then. The UI should at least show the user what is being used.
If we want OpenVPN to choose what is best, there should be some option that says “automatic” at least.

> OpenVPN presses to use cipher negotiation which we have avoided since the release of 2.4 with --ncp-disable, this option is now also deprecated so we need to take action on this.

I will skip my moan about introducing something and then deprecating it shortly after…
It was good that we did not act at that time.
In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.
So, we have to do “best-effort” here.
I agree that we need to act.
> We need to have then two new options, two selection boxes which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing I wanted to do. So I thought your above linked suggestions are pretty straightforward and the best solution to build an own crypto section which does have already defaults, nobody needs to do anything there, the global section has been cleaned up and it should be even easier for everyone to overview.

We have touched this topic multiple times. And I remember the last conclusion as follows:
The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.
This is exactly what i did.
Okay. So why is there an extra page then, and not a section on the advanced page?
I like the now cleaner look of the main page which only has the bare necessities.
I agree that this is all not ideal, but adding a third page to this all makes it rather more confusing than less.
Not sure if I understand you right here. You mentioned above the advanced page but I understand you here that you do not want a third one?
There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options.
They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:
a) Is it likely that the user will change them?
b) Or is this an option that the average user should not touch.
The advanced settings page can be as long as we like. It does not have to be pretty.
> It made for me no sense to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication which I have all integrated so I moved them also into that place (patch 6/7 and 7/7).

I remember that we have agreed to move the existing crypto options to the advanced page.
Yes, me too and I thought you meant a dedicated crypto page like it is for IPSec but you meant the advanced server section? If yes we would then mix routing, logging, DNS/WINS options with MTU related configure options. Also, the crypto section can also have some additionals like key lifetime, tls-version (if someone wants only TLSv1.3) and maybe some other upcoming stuff.
That can all go to the advanced page in my opinion.
> The control-channel cipher selection (patch 5/7) is new and should be really a part for the advanced ones, therefore no defaults have been set, it simply won't appear if nothing has been configured.

What is the benefit of choosing a different cipher for the control channel?
This one is not really needed, as mentioned above OpenVPN makes then this decision on its own.
Okay, but why do we have it then? :)
> I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole thing has been submitted a second time, although I do not know if there are any changes.
> Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7), also all languages have been translated and have been included.
> Also I wanted to split it in more specific topics for better overview but it seems that I have failed.

I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.
Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.
OK. Let's go through this then. I have also attached screenshots for all changes for a better first impression.
That was very helpful to me.
> I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.
> One intention was that you do not need to do anything unless you want to do some advanced crypto stuff. The rest should have already been made...
>
> I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.
> Please check out the above linked topic where you have written suggestions that I simply tried to achieve but again, it seems that I was not successful with this...

So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.
This is not needed and I can easily leave it out, but as mentioned beneath, OpenVPN decided to give TLSv1.2 another directive than TLSv1.3, therefore the two boxes.
Yes, I think choosing this once is enough.
I consider my ciphers as follows:
- Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel).
- What does my hardware support? I would want to choose AES if my hardware has acceleration for it.
- Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)
I can replicate that with only one multiple-select box that simply lists:
- AES-256-GCM
- AES-256-CBC
- AES-128-GCM
- AES-128-CBC
- ChaCha20-Poly1305
- Blowfish
- ...
This is a problem, there it is exactly the same, these are two directives. --data-cipher does NCP whereby --data-ciphers-fallback substitutes --cipher. If we leave --data-ciphers-fallback out and work only with --data-ciphers, clients which do not have this directive cannot connect.
No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.
It should be possible to turn it off though by adding a “disabled” option.
Also, clients which are <=2.5.0 do not understand both directives and simply do not start. To find a way out in this foggy world I delivered a checkbox during client creation so the user has the possibility to bring the new directive into client.ovpn, but also old clients can be changed/updated via the edit menu.
The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.
And a second one that has
- SHA512
- SHA384
- SHA256
- …
The HMACs can not be used for negotiation, this is only a single selection.
Well, that is bad. That means we still do not have full negotiation?
The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.
That way, the user can be certain that they have chosen the right thing for everything in one go.
> So, could you please summarise for me what you want to achieve here?
> Hope I have it done above.

Thank you for that.
I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.
Thank you too. This one really needs a lot of time and testing around and also with help from Adolf it comes to this where it currently is.
Great teamwork!
> Is this supposed to make OpenVPN more compatible, secure, or anything else?
> Yes both but also easier since the user does not need to do anything but he should get more security under the hood, the backward and the forward compatibility should be in a better standing than before and if someone wants to go into the depth, this is even also possible.

I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe let's hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.
No there is no must for the control-channel cipher selection... If one is in, it is sometimes nice to walk through all that ;-).
> Why do we not talk about this before things are being implemented, or did I just miss the discussion?
> Yes I think you missed some of that, hopefully I could remind you on some points.

This is good progress :)
Happy to hear this.
Okay, so what are the next steps now?
-Michael
Best,
Erik
-Michael
> -Michael
>
> Best,
>
> Erik
>
>> On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
>>
>> Hi all,
>> just wanted to ask if there is still interest in this patch series?
>>
>> Best,
>>
>> Erik

<advanced_encryption_with_defaults.png><client_version.png><global_settings.png><deprectaed_ciphers_warning.png>
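The directive split discussed in the message above (an ordered, negotiated --data-ciphers list, one optional --data-ciphers-fallback, and a single-valued auth), as an added Perl sketch that is not part of the thread, the patch or IPFire's code. The sub name, the pipe-separated form value and the allow-lists are assumptions; the directive names and the colon-separated list format are OpenVPN 2.5's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-lists (assumed for this example). Only names found here are written
# to server.conf, so a form value cannot add a line or a directive of its own.
my %DATA_CIPHERS = map { $_ => 1 } qw(
    AES-256-GCM AES-128-GCM CHACHA20-POLY1305 AES-256-CBC AES-128-CBC
);
my %HMACS = map { $_ => 1 } qw(SHA512 SHA384 SHA256);

# Turn the UI selection into server.conf lines.
#   $selected: ordered multi-select value, assumed pipe-separated ("A|B|C")
#   $fallback: one cipher for peers without negotiation, or "disabled"
#   $auth:     one HMAC digest (a single selection, it is not negotiated)
sub crypto_directives {
    my ($selected, $fallback, $auth) = @_;
    my (@lines, @list, %seen);

    # Split on a literal "|"; unescaped, | is regex alternation.
    for my $name (split /\|/, uc($selected // '')) {
        die "unknown data cipher in selection\n" unless $DATA_CIPHERS{$name};
        push @list, $name unless $seen{$name}++;   # keep order, drop repeats
    }
    die "no data cipher selected\n" unless @list;
    push @lines, 'data-ciphers ' . join(':', @list);

    $fallback = uc($fallback // 'DISABLED');
    if ($fallback ne 'DISABLED') {
        die "unknown fallback cipher\n" unless $DATA_CIPHERS{$fallback};
        push @lines, "data-ciphers-fallback $fallback";
    }

    $auth = uc($auth // '');
    die "unknown HMAC\n" unless $HMACS{$auth};
    push @lines, "auth $auth";
    return @lines;
}

# Constructed sample input: AEAD ciphers in preference order, CBC fallback.
print "$_\n" for crypto_directives(
    'AES-256-GCM|AES-128-GCM|ChaCha20-Poly1305', 'AES-256-CBC', 'SHA512');

# Fallback "disabled": only the data-ciphers and auth lines are emitted.
print "$_\n" for crypto_directives('AES-256-GCM', 'disabled', 'SHA512');

# A value carrying a line break is rejected instead of reaching the file.
eval { crypto_directives("AES-256-GCM\nverb 11", 'AES-256-CBC', 'SHA512') };
print "rejected: $@" if $@;
```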
On 12/14/20 7:03 AM, ummeegge wrote:
Hi all, just wanted to ask if there is still interest in this patch series?
Best,
Erik
Hey there, @list. I'm patiently awaiting this series.
Thanks!