Hi all,
I too am testing core update 123.
My version of ipfire was a new install of 2.21 core update 122 followed by a restore of an .ipf backup from last 2.19. This was then moved up to Core Update 123.
So far stable and have only two issues unresolved so far.
Backup.
Generate ISO is still not working for me. I still have a size of 0.00 MB. Web gui shows "Backup from ipfire-2.21.x86_64-full-core123.iso Size 0.00 MB"
The normal backup to generate an ".ipf" file does work. Web gui shows "Backup from 20180823-1150.ipf Size 14.38 MB"
Downloading these backups confirms the sizes shown.
OpenVPN
Initially had the two crypto warnings so deleted all the cert data and then generated new DH parameters with 3076 value. Then generated new certificate data using the 3076 value. This removed the DH size warning but still leaves the following:
Cryptographic warning
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.
All OpenVPN clients needs then to be renewed!
I looked for any settings that I could apply in web GUI to set extendkeyusage with TLS Web Server Authentication in the cert generation to make the warning go away but could not find a way to do this.
+ # Warning if certificate is not compliant to RFC3280 TLS rules
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+
+ CRYPTO_WARNING:
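Review bot: The `$extendkeyusage !~ /TLS Web Server Authentication/` test also fires when the backticked `openssl x509` call fails and returns an empty string, so an unreadable or corrupt servercert.pem is reported as "not RFC3280 compliant"; check `$?` after the backticks and handle that case separately. The pattern is matched against the whole human-readable `-text` dump rather than only the Extended Key Usage extension, so limiting the match to that section would be tighter. As shown, `goto CRYPTO_WARNING` jumps to the label that directly follows the block, so it is redundant here unless further checks are placed between them.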
Is OpenVPN going to require critical extends on the certs in the future?
Hope this somewhat limited testing information helps.
Regards,
Paul
We tested the backup of the settings but did NOT test the ISO backup. Will try this later today to confirm the issue with the ISO backup.
We had regenerated the keys during the 120 Core update. We did not see the cryptographic warnings that you did.
Fred
From: Paul Titjen paul.titjen@ministc.com Sent: 28 August, 2018 13:12 To: development@lists.ipfire.org Subject: Testing core update 123
Hi Paul, and thanks for your feedback. Causing the OpenVPN messages:
On Tuesday, 28.08.2018, 18:11 +0100, Paul Titjen wrote:
OpenVPN Initially had the two crypto warnings so deleted all the cert data and then generated new DH parameters with 3076 value. Then generated new certificate data using the 3076 value. This removed the DH size warning but still leaves the following:
Cryptographic warning Your host certificate is not RFC3280 compliant. Please update to the latest IPFire version and generate as soon as possible a new root and host certificate. All OpenVPN clients needs then to be renewed!
I looked for any settings that I could apply in web GUI to set extendkeyusage with TLS Web Server Authentication in the cert generation to make the warning go away but could not find a way to do this.
The needed changes are already shipped: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=b66b02ab73863bcb9130300d... . To get the needed changes to your certificates and configuration, you will need to renew the complete x509, which will also reset all existing clients. You can find a more detailed discussion about this topic here: https://forum.ipfire.org/viewtopic.php?t=18852#p108144 , and OpenVPN also provides some information here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--ns-cert-type .
There is time until OpenVPN version 2.5, but ns-cert-type will be dropped then.
# Warning if certificate is not compliant to RFC3280 TLS
rules
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
my $extendkeyusage = `/usr/bin/openssl x509 -noout
-text -in ${General::swroot}/ovpn/certs/servercert.pem`;
if ($extendkeyusage !~ /TLS Web Server
Authentication/) {
$cryptowarning = "$Lang::tr{'ovpn warning
rfc3280'}";
goto CRYPTO_WARNING;
}
}
CRYPTO_WARNING:
Is OpenVPN going to require critical extends on the certs in the future?
Yes, see above.
Hope this somewhat limited testing information helps.
Great, and thanks.
Regards, Paul
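The check behind the warning discussed in this thread, as an added shell example (not part of the thread and not IPFire's code): it runs the same `openssl x509 -noout -text` test against constructed throwaway certificates, one marked only with the legacy nsCertType and one carrying the serverAuth extended key usage, and reports an unreadable file separately. The function names are hypothetical, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: three-state form of the EKU test used for the warning.
# Returns 0 = serverAuth EKU present, 1 = EKU missing, 2 = certificate unreadable.
check_server_eku() {
    cert=$1
    # Same openssl call as in the thread; a failed parse is reported on its own
    # instead of being counted as "not compliant".
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) || return 2
    case $text in
        *"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed test input: a throwaway self-signed certificate with one extension.
# $1 = output file, $2 = extension in openssl.cnf syntax.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=eku-test" \
        -keyout "$1.key" -out "$1" -addext "$2" 2>/dev/null
}

# Builds the three sample files, checks each one, and prints the return codes.
eku_demo() {
    dir=$(mktemp -d) || return 1
    make_test_cert "$dir/legacy.pem" "nsCertType=server" || return 1        # legacy marking only
    make_test_cert "$dir/rfc.pem" "extendedKeyUsage=serverAuth" || return 1 # what the check expects
    printf 'not a certificate\n' > "$dir/broken.pem"
    result=""
    for name in legacy rfc broken; do
        rc=0
        check_server_eku "$dir/$name.pem" || rc=$?
        result="$result$name=$rc "
    done
    rm -rf "$dir"
    printf '%s\n' "${result% }"
}

eku_demo
```

A certificate that only carries nsCertType still triggers the warning, which is why the reply says the whole x509 setup has to be regenerated.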