Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Added CRL updater script to LFS.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
---
 config/rootfiles/common/openvpn |  5 ++++-
 lfs/openvpn                     | 11 ++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index b58e30c..cbfd03e 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,5 @@ +etc/fcron.daily/ovpn_crl_updater.sh +#usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn #usr/lib/openvpn/plugins @@ -10,11 +12,12 @@ usr/sbin/openvpn #usr/share/doc/openvpn #usr/share/doc/openvpn/COPYING #usr/share/doc/openvpn/COPYRIGHT.GPL +#usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README #usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root -#usr/share/doc/openvpn/README.polarssl +#usr/share/doc/openvpn/README.mbedtls #usr/share/doc/openvpn/management-notes.txt #usr/share/man/man8/openvpn.8 var/ipfire/ovpn/ca diff --git a/lfs/openvpn b/lfs/openvpn index 8307d01..e7f9bc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2017 IPFire Team info@ipfire.org # +# Copyright (C) 2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.3.18 +VER = 2.4.4
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
install : $(TARGET)
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh + @rm -rf $(DIR_APP) @$(POSTBUILD) +
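Review bot: the install target now runs `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` and the rootfile hunk lists `etc/fcron.daily/ovpn_crl_updater.sh`, but the diffstat shows only config/rootfiles/common/openvpn and lfs/openvpn changing, so no config/ovpn/ovpn_crl_updater.sh is added to the tree and the `mv -v` will fail the build; either add the script in the same patch or drop both references and submit the updater separately. On the version bump itself, `$(DL_FILE)_MD5` is the only integrity check the LFS file applies to the new 2.4.4 tarball, so the checksum should be taken from an archive that was first verified against the upstream OpenVPN release signature rather than from whatever mirror happened to serve it.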
Hello,
this patch is much better because it is smaller, but the script is actually missing.
Could you modify the patch so that it doesn't appear in the LFS file and rootfile and we just have the plain update of the package? Then I could merge that into the OpenSSL branch which will then build and then we can move on to the rest.
Best, -Michael
On Tue, 2018-01-30 at 17:38 +0100, Erik Kapfer wrote:
Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Added CRL updater script to LFS.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
 config/rootfiles/common/openvpn |  5 ++++-
 lfs/openvpn                     | 11 ++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index b58e30c..cbfd03e 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,5 @@ +etc/fcron.daily/ovpn_crl_updater.sh +#usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn #usr/lib/openvpn/plugins @@ -10,11 +12,12 @@ usr/sbin/openvpn #usr/share/doc/openvpn #usr/share/doc/openvpn/COPYING #usr/share/doc/openvpn/COPYRIGHT.GPL +#usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README #usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root -#usr/share/doc/openvpn/README.polarssl +#usr/share/doc/openvpn/README.mbedtls #usr/share/doc/openvpn/management-notes.txt #usr/share/man/man8/openvpn.8 var/ipfire/ovpn/ca diff --git a/lfs/openvpn b/lfs/openvpn index 8307d01..e7f9bc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################# ## # # # IPFire.org - A linux based firewall # -# Copyright (C) 2017 IPFire Team info@ipfire.org # +# Copyright (C) 2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.3.18 +VER = 2.4.4
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
install : $(TARGET)
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
- chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
- chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
- @rm -rf $(DIR_APP) @$(POSTBUILD)
Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
---
 config/rootfiles/common/openvpn | 5 ++++-
 lfs/openvpn                     | 8 +++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index b58e30c..cbfd03e 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,5 @@ +etc/fcron.daily/ovpn_crl_updater.sh +#usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn #usr/lib/openvpn/plugins @@ -10,11 +12,12 @@ usr/sbin/openvpn #usr/share/doc/openvpn #usr/share/doc/openvpn/COPYING #usr/share/doc/openvpn/COPYRIGHT.GPL +#usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README #usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root -#usr/share/doc/openvpn/README.polarssl +#usr/share/doc/openvpn/README.mbedtls #usr/share/doc/openvpn/management-notes.txt #usr/share/man/man8/openvpn.8 var/ipfire/ovpn/ca diff --git a/lfs/openvpn b/lfs/openvpn index 8307d01..a925f78 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2017 IPFire Team info@ipfire.org # +# Copyright (C) 2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.3.18 +VER = 2.4.4
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
install : $(TARGET)
@@ -96,5 +96,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + @rm -rf $(DIR_APP) @$(POSTBUILD) +
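Review bot: the rootfile hunk still adds `+etc/fcron.daily/ovpn_crl_updater.sh` while the lfs hunk in this version no longer installs anything there (the install target now goes straight from `chmod 755 /usr/lib/openvpn/verify` to `@rm -rf $(DIR_APP)`), so the rootfile references a file the build does not produce; remove that line so this patch is purely the 2.3.18 to 2.4.4 package update.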
Hi,
there was one line for the script left in the rootfile.
I removed that myself and merged the patch into the OpenSSL 1.1.0 branch. I will build this now and see if everything goes through. If it does I suppose we will be able to ship OpenSSL very soon.
Please keep working on the other patches in the meantime.
Best, -Michael
On Wed, 2018-01-31 at 10:34 +0100, Erik Kapfer wrote:
Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
 config/rootfiles/common/openvpn | 5 ++++-
 lfs/openvpn                     | 8 +++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index b58e30c..cbfd03e 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,5 @@ +etc/fcron.daily/ovpn_crl_updater.sh +#usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn #usr/lib/openvpn/plugins @@ -10,11 +12,12 @@ usr/sbin/openvpn #usr/share/doc/openvpn #usr/share/doc/openvpn/COPYING #usr/share/doc/openvpn/COPYRIGHT.GPL +#usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README #usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root -#usr/share/doc/openvpn/README.polarssl +#usr/share/doc/openvpn/README.mbedtls #usr/share/doc/openvpn/management-notes.txt #usr/share/man/man8/openvpn.8 var/ipfire/ovpn/ca diff --git a/lfs/openvpn b/lfs/openvpn index 8307d01..a925f78 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################# ## # # # IPFire.org - A linux based firewall # -# Copyright (C) 2017 IPFire Team info@ipfire.org # +# Copyright (C) 2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.3.18 +VER = 2.4.4
THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
install : $(TARGET)
@@ -96,5 +96,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- @rm -rf $(DIR_APP) @$(POSTBUILD)
Hi, thanks for the corrections. Do you keep the openssl-11 branch up to date then, so I could pull all changes from there, or do you want to use the next branch?
Greetings,
Erik
On 31.01.2018 at 17:41, Michael Tremer wrote:
Hi,
there was one line for the script left in the rootfile.
I removed that myself and merged the patch into the OpenSSL 1.1.0 branch. I will build this now and see if everything goes through. If it does I suppose we will be able to ship OpenSSL very soon.
Please keep working on the other patches in the meantime.
Best, -Michael
Hi,
yes I will keep the openssl-11 branch up to date. Make sure that you rebase any local branches on it instead of merging it because I might remove commits in between.
I do not know when I am going to merge everything into next. So far at least the OpenVPN stuff in the webUI is missing and I haven't really done any testing with the new OpenSSL library yet. I just built it. Therefore I have no idea what bugs we might still find.
Best, -Michael
On Thu, 2018-02-01 at 09:35 +0100, ummeegge wrote:
Hi, thanks for the corrections. Do you keep the openssl-11 branch up to date then, so I could pull all changes from there, or do you want to use the next branch?
Greetings,
Erik
Hi Michael, I did a rebase of the branch, but it seems that the ROOTFILE changes are not integrated in the CRL updater commit --> https://lists.ipfire.org/pipermail/development/2018-February/003997.html even though I have added it to the commit. Could you integrate the line
etc/fcron.daily/ovpn_crl_updater.sh
again into the OpenVPN ROOTFILE?
Thanks and greetings,
Erik
On 01.02.2018 at 12:33, Michael Tremer wrote:
Hi,
yes I will keep the openssl-11 branch up to date. Make sure that you rebase any local branches on it instead of merging it because I might remove commits in between.
I do not know when I am going to merge everything into next. So far at least the OpenVPN stuff in the webUI are missing and I haven't really done any testing with the new OpenSSL library, yet. I just built it. Therefore I have no idea what bugs we might still find.
Best, -Michael
An update script for OpenVPN's CRL has been integrated because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field of the CRL and executes an update two days before it expires. The script is placed under fcron.daily for daily checks. The OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... .
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
---
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh
diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh new file mode 100644 index 0000000..309edc2 --- /dev/null +++ b/config/ovpn/ovpn_crl_updater.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# +# Script Name: ovpn_crl_updater.sh +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed, +# which prevents the expiration of OpenVPNs CRL. +# With OpenVPN 2.4.x the CRL handling has been refactored, +# whereby the verification logic has been removed from ssl_verify_<backend>.c . +# See for more infos: +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... +# +# Run Information: If OpenVPNs CRL is presant, +# this script provides a cronjob which checks daily if an update of the CRL is needed. +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days) +# before the CRL expiration, an openssl command will be executed to renew the CRL. +# The renewing of the CRL will be logged into /var/log/messages. +# +# Author: Erik Kapfer +# +# Date: 17.01.2018 +# +############################################################################################### + +# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then + exit 0; +fi + +## Paths +OVPN="/var/ipfire/ovpn"; +CRL="${OVPN}/crls/cacrl.pem"; +CAKEY="${OVPN}/ca/cakey.pem"; +CACERT="${OVPN}/ca/cacert.pem"; +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"; +## Values +# CRL check for the the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; +# Day in seconds to calculate +DAYINSEC="86400"; +# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2"; + +# Check if OpenVPNs CRL needs to be renewed +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; + logger -t openssl "OpenVPN CRL has been renewed"; +fi + +exit 0 + +# EOF 
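Review bot: the `EXPIRINGDATEINSEC` assignment never checks that `grep -oP 'Next Update: *\K.*'` matched anything; if the CRL cannot be read or the field is missing, `date -d ""` silently resolves to midnight today, `NEXTUPDATE` drops to 0 and the script regenerates the CRL on every run without a log line saying why. Split it into steps (`openssl crl -in "${CRL}" -noout -nextupdate` prints only `nextUpdate=...`, so no Perl regex is needed) and bail out with a logged error when the value is empty. Further down, `logger -t openssl "OpenVPN CRL has been renewed"` follows `openssl ca -gencrl` unconditionally, so a failed regeneration is reported as a success; make that message depend on the exit status and log a distinct failure message. Minor: the trailing `;` on each line is unneeded in shell, and "presant" in the header comment should read "present".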
diff --git a/lfs/openvpn b/lfs/openvpn index a925f78..1e1ddc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
@rm -rf $(DIR_APP) @$(POSTBUILD)
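Review bot: this hunk installs /etc/fcron.daily/ovpn_crl_updater.sh, but the diffstat lists only config/ovpn/ovpn_crl_updater.sh and lfs/openvpn; config/rootfiles/common/openvpn needs the matching `etc/fcron.daily/ovpn_crl_updater.sh` entry, otherwise the file is built but never shipped. `chown root:root` with `chmod 750` is the right mode, since the script reads the CA private key from /var/ipfire/ovpn/ca/cakey.pem when it regenerates the CRL.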
Hi,
thanks for working on this.
On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
An update script for OpenVPN's CRL has been integrated because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field of the CRL and executes an update two days before it expires. The script is placed under fcron.daily for daily checks. The OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... .
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh
diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh new file mode 100644 index 0000000..309edc2 --- /dev/null +++ b/config/ovpn/ovpn_crl_updater.sh @@ -0,0 +1,53 @@ +#!/bin/bash
The file needs a GPL header here, or whatever license you choose this will be.
+# +# Script Name: ovpn_crl_updater.sh +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed, +# which prevents the expiration of OpenVPNs CRL. +# With OpenVPN 2.4.x the CRL handling has been refactored, +# whereby the verification logic has been removed from ssl_verify_<backend>.c . +# See for more infos: +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... +# +# Run Information: If OpenVPNs CRL is presant, +# this script provides a cronjob which checks daily if an update of the CRL is needed. +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days) +# before the CRL expiration, an openssl command will be executed to renew the CRL. +# The renewing of the CRL will be logged into /var/log/messages. +# +# Author: Erik Kapfer +# +# Date: 17.01.2018 +# +###############################################################################################
+# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
- exit 0;
+fi
+## Paths +OVPN="/var/ipfire/ovpn"; +CRL="${OVPN}/crls/cacrl.pem"; +CAKEY="${OVPN}/ca/cakey.pem"; +CACERT="${OVPN}/ca/cacert.pem"; +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
You may use some empty lines here to make the code easier to read.
+## Values +# CRL check for the the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
Complicated command. Can we break this down a little bit? Code doesn't necessarily run faster when everything is just one line, but it will be way easier to understand.
+# Day in seconds to calculate +DAYINSEC="86400";
No ; needed here and everywhere else...
It's shell, not C.
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2";
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
+# Check if OpenVPNs CRL needs to be renewed +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
- openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
- logger -t openssl "OpenVPN CRL has been renewed";
+fi
You don't need the quotes around the integer comparison.
Should we catch any errors of the openssl command?
I think the logging tag should rather be openvpn instead of openssl.
+exit 0
+# EOF diff --git a/lfs/openvpn b/lfs/openvpn index a925f78..1e1ddc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- # Add crl updater
- mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
- chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
- chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
Can we rename the script to openvpn-crl-updater?
@rm -rf $(DIR_APP) @$(POSTBUILD)
Apart from that this looks good. Just minor stuff.
Best, -Michael
Hi Michael, thanks for your feedback.
On 02.02.2018 at 11:51, Michael Tremer wrote:
Hi,
thanks for working on this.
On Fri, 2018-02-02 at 07:34 +0100, Erik Kapfer wrote:
An update script for OpenVPN's CRL has been integrated because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field of the CRL and executes an update two days before it expires. The script is placed under fcron.daily for daily checks. The OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... .
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
 config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++
 lfs/openvpn                     |  4 ++++
 2 files changed, 57 insertions(+)
 create mode 100644 config/ovpn/ovpn_crl_updater.sh
diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh new file mode 100644 index 0000000..309edc2 --- /dev/null +++ b/config/ovpn/ovpn_crl_updater.sh @@ -0,0 +1,53 @@ +#!/bin/bash
The file needs a GPL header here, or whatever license you choose this will be.
OK, I think I would then use GPL 3 like IPFire.
+# +# Script Name: ovpn_crl_updater.sh +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed, +# which prevents the expiration of OpenVPNs CRL. +# With OpenVPN 2.4.x the CRL handling has been refactored, +# whereby the verification logic has been removed from ssl_verify_<backend>.c . +# See for more infos: +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... +# +# Run Information: If OpenVPNs CRL is presant, +# this script provides a cronjob which checks daily if an update of the CRL is needed. +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days) +# before the CRL expiration, an openssl command will be executed to renew the CRL. +# The renewing of the CRL will be logged into /var/log/messages. +# +# Author: Erik Kapfer +# +# Date: 17.01.2018 +# +###############################################################################################
+# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
- exit 0;
+fi
+## Paths +OVPN="/var/ipfire/ovpn"; +CRL="${OVPN}/crls/cacrl.pem"; +CAKEY="${OVPN}/ca/cakey.pem"; +CACERT="${OVPN}/ca/cacert.pem"; +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf";
You may use some empty lines here to make the code easier to read.
Done.
+## Values +# CRL check for the the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))";
Complicated command. Can we break this down a little bit? Code doesn't necessarily run faster when everything is just one line, but it will be way easier to understand.
Done.
+# Day in seconds to calculate +DAYINSEC="86400";
No ; needed here and everywhere else...
It's shell, not C.
OK :-) Done.
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2";
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
So I would then need an fcrontab entry and another location for the script, since the fcron directories provide only daily, weekly and monthly. Another possibility might be a weekly check, so we can use the fcron directories?
+# Check if OpenVPNs CRL needs to be renewed +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then
- openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}";
- logger -t openssl "OpenVPN CRL has been renewed";
+fi
You don't need the quotes around the integer comparison.
Done
Should we catch any errors of the openssl command?
OK, I would then maybe use a '2>&1 | logger -i -t openvpn' instead, so we get the OpenSSL command output in messages if the CRL has been renewed.
I think the logging tag should rather be openvpn instead of openssl.
Done.
+exit 0
+# EOF diff --git a/lfs/openvpn b/lfs/openvpn index a925f78..1e1ddc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- # Add crl updater
- mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily
- chown root:root /etc/fcron.daily/ovpn_crl_updater.sh
- chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh
Can we rename the script to openvpn-crl-updater?
Done.
@rm -rf $(DIR_APP) @$(POSTBUILD)
Apart from that this looks good. Just minor stuff.
Great that you looked over it.
Best, -Michael
Greetings,
Erik
Hello Michael, some thoughts concerning two of the questioned points.
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2";
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
So I would then need an fcrontab entry and another location for the script, since the fcron directories provide only daily, weekly and monthly. Another possibility might be a weekly check, so we can use the fcron directories?
In case machines are off while the script performs its weekly check (not running 24/7), the next check will be made one or two weeks later, which might be a long time if you do not know where the problem is. I would possibly make a daily check there and would also set the UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be grabbed even if the check should be a fast one.
Should we catch any errors of the openssl command?
OK, I would then maybe use a '2>&1 | logger -i -t openvpn' instead, so we get the OpenSSL command output in messages if the CRL has been renewed.
I have two possibilities here.
1) in error case: Feb 3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output ( 2>&1 | logger ).
or 2)
in error case: Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed
if successful: Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated
where an if/else query echoes a defined message, so a search string like "failed" or "updated" can also be logged?
Otherwise all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-) .
Greetings,
Erik
Hi,
On Sat, 2018-02-03 at 21:20 +0100, ummeegge wrote:
Hello Michael, some thoughts concerning two of the questioned points.
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2";
I think we should update every 14 days if the usual expiry time is 30. Therefore we will never get too close by accident.
So I would then need an fcrontab entry and another location for the script, since the fcron directories provide only daily, weekly and monthly. Another possibility might be a weekly check, so we can use the fcron directories?
In case machines are off while the script performs its weekly check (not running 24/7), the next check will be made one or two weeks later, which might be a long time if you do not know where the problem is. I would possibly make a daily check there and would also set the UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be grabbed even if the check should be a fast one.
Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted and when the cron jobs should have been executed while it was shut down.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561... 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
It's the "bootrun" argument there.
Should we catch any errors of the openssl command?
OK, I would then maybe use a '2>&1 | logger -i -t openvpn' instead, so we get the OpenSSL command output in messages if the CRL has been renewed.
I have two possibilities here.
in error case: Feb 3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory
Don't put the path in. Calling "openssl" should be fine.
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output (2>&1 | logger).
Do we need to log the output of OpenSSL? A line that says something like "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong.
or 2)
in error case: Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed
if successful: Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated
The if/else query echoes a defined message, so a search string like "failed" or "updated" can also be logged?
Otherwise all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-).
Cool.
Let me know if I can be of any more help.
Best, -Michael
Greetings,
Erik
Hello,
In case machines are off while the script performs its weekly check (no 24/7er), the next check will be made one/two week(s) later, which might be a long time if you do not know where the problem is. I would possibly make a daily check there and would also set the UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be grabbed, even though the check should be a fast one.
Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted and when the cron jobs should have been executed while it was shut down.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561... 43239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
It's the "bootrun" argument there.
Thanks for the clarification, I hadn't had that in mind. Will deliver the updater then to 'fcron.weekly'. Will also set the update-before-expiration interval to 10 days before; 8 might also be OK for a weekly cronjob, but possibly better to have 2 days + ?!
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output (2>&1 | logger).
Do we need to log the output of OpenSSL? A line that says something like "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong.
No, I don't think so, lines in messages look even better then. Did that now like you suggested.
Otherwise all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-).
Cool.
Let me know if I can be of any more help.
Great, thanks for your offer and your help. If there is no veto for the above changes, I will deliver the patch today in the evening.
Have also fetched the current openssl-11 branch with all needed changes, thanks for keeping this up to date :-).
All the best,
Erik
Hi,
On Tue, 2018-02-06 at 10:24 +0100, ummeegge wrote:
Hello,
In case machines are off while the script performs its weekly check (no 24/7er), the next check will be made one/two week(s) later, which might be a long time if you do not know where the problem is. I would possibly make a daily check there and would also set the UPDATE to a week or 5 days instead of the current 2 before the expiration date, so more days can be grabbed, even though the check should be a fast one.
Cron will take care of this. It will automatically perform the cron jobs a little while after the system has been booted and when the cron jobs should have been executed while it was shut down.
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cron/crontab;h=4561f4a243239b8b5bd3525c067dc6a70395489c;hb=HEAD#l13
It's the "bootrun" argument there.
Thanks for the clarification, I hadn't had that in mind. Will deliver the updater then to 'fcron.weekly'. Will also set the update-before-expiration interval to 10 days before; 8 might also be OK for a weekly cronjob, but possibly better to have 2 days + ?!
I think daily is better. That makes things more predictable and it does not hurt to renew every 14 days to never get close to the expiration date.
if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf
which equals the OpenSSL command output (2>&1 | logger).
Do we need to log the output of OpenSSL? A line that says something like "Could not update the OpenVPN CA CRL" should do, shouldn't it? People should run the script themselves then and see what is going wrong.
No, I don't think so, lines in messages look even better then. Did that now like you suggested.
Otherwise all other requested changes have been made and are ready so far; it might be nice to push the remaining CGI changes soon, I think :-).
Cool.
Let me know if I can be of any more help.
Great, thanks for your offer and your help. If there is no veto for the above changes, I will deliver the patch today in the evening.
Have also fetched the current openssl-11 branch with all needed changes, thanks for keeping this up to date :-).
All the best,
Erik
-Michael
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field from the CRL and executes an update before it expires. The script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- config/ovpn/openvpn-crl-updater | 88 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 6 +++ 3 files changed, 95 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..9063b04 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater 
@@ -0,0 +1,88 @@ +#!/bin/bash + +######################################################################################### +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire. If not, see http://www.gnu.org/licenses/. # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +######################################################################################### +# # +# Script Name: openvpn-crl-updater # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed from ssl_verify_<backend>.c . # +# For more infos: # +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e070... # +# # +# Run Information: If OpenVPNs CRL is presant, # +# this script provides a cronjob which checks daily if an update of the CRL # +# is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl # +# command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. 
# +# # +# Author: Erik Kapfer # +# # +# Date: 06.02.2018 # +# # +######################################################################################### + +# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then + exit 0; +fi + +## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" + +## Values +# CRL check for the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( +$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \ + /bin/grep -oP 'Next Update: *\K.*')" +%s) - \ + $(/bin/date +%s) \ +))" + +# Day in seconds to calculate +DAYINSEC="86400" + +# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))" + +# Update of the CRL in days before CRL expiring date +UPDATE="14" + + +# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then + if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + logger -t openvpn "CRL has been updated" + else + logger -t openvpn "error: Could not update CRL" + fi +fi + +exit 0 + + +# EOF + diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..1ecc18c 100644 --- a/lfs/openvpn +++ b/lfs/openvpn 
@@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily + chown root:root /etc/fcron.daily/openvpn-crl-updater + chmod 750 /etc/fcron.daily/openvpn-crl-updater + @rm -rf $(DIR_APP) @$(POSTBUILD) +
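Review bot: in the script hunk, the updater exits 0 even when `openssl ca -gencrl` fails; the `else` branch only calls `logger -t openvpn "error: Could not update CRL"` and then falls through to `exit 0`, so fcron treats a failed renewal exactly like a successful one and nothing but a syslog line signals that the CRL is about to expire. Suggest `exit 1` in the error branch so the daily job's failure is visible, and guarding the result of `grep -oP 'Next Update: *\K.*'` (for example `[ -n "${...}" ] || exit 1`) before it is handed to `date -d`, since an empty match from a missing or unreadable CRL otherwise turns silently into a meaningless `EXPIRINGDATEINSEC`.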
Hi,
On Tue, 2018-02-06 at 21:09 +0100, Erik Kapfer wrote:
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field from the CRL and executes an update before it expires. The script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
config/ovpn/openvpn-crl-updater | 88 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 6 +++ 3 files changed, 95 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..9063b04 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater @@ -0,0 +1,88 @@ +#!/bin/bash
+############################################################################# ############
There is an extra empty line before the header and an extra hash in the first line of the header.
+# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire. If not, see http://www.gnu.org/licenses/. # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################# ############ +# # +# Script Name: openvpn-crl-updater # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed from ssl_verify_<backend>.c . # +# For more infos: # +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e 07016a336 # +# # +# Run Information: If OpenVPNs CRL is presant,
*present*
#
+# this script provides a cronjob which checks daily if an update of the CRL # +# is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl # +# command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. # +# # +# Author: Erik Kapfer # +# # +# Date: 06.02.2018
Dates are not required. Git does this for us.
# +# # +############################################################################# ############
+# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then
- exit 0;
+fi
You got a hardcoded path here. Variables are set after this. It probably makes sense to move the check after the initialisation block and then check things and/or exit.
+## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+## Values +# CRL check for the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( +$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \
- /bin/grep -oP 'Next Update: *\K.*')" +%s) - \
- $(/bin/date +%s) \
+))"
You never need to use "/bin" or so before a command. The shell will find it. Just use date, grep, and (further down) openssl.
And I didn't mean just breaking the lines. I meant splitting this into smaller chunks that are easy to understand and modify if we need to. Like:
NOW="$(date "+%s")"
EXPIRES_AT="$(openssl ... | grep ...)"

# Convert into seconds from epoch
EXPIRES_AT="$(date -d "${EXPIRES_AT}" "+%s")"

EXPIRINGDATEINSEC=$(( EXPIRES_AT - NOW ))
I find this way easier to read and audit and it will execute in the same amount of time.
+# Day in seconds to calculate +DAYINSEC="86400"
+# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"
Here this is super easy to read and understand. Way better.
+# Update of the CRL in days before CRL expiring date +UPDATE="14"
+# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out
"${CRL}" -config "${OPENSSLCONF}"; then
- logger -t openvpn "CRL has been updated"
- else
- logger -t openvpn "error: Could not update CRL"
- fi
+fi
+exit 0
+# EOF
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..1ecc18c 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- # Add crl updater
- mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
- chown root:root /etc/fcron.daily/openvpn-crl-updater
- chmod 750 /etc/fcron.daily/openvpn-crl-updater
- @rm -rf $(DIR_APP) @$(POSTBUILD)
There is an extra empty line at the end of the LFS file.
Best, -Michael
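A worked version of the check Michael sketches in the review above, added here as an example and not part of the patch or of IPFire's own code: it pulls the "Next Update" field out of `openssl crl -text` output with sed (so it does not depend on a PCRE-enabled grep), converts it with GNU `date -d`, and keeps "field missing or unparsable" apart from "already expired", so the caller can fail loudly instead of renewing on garbage. The sample CRL text, the function names, the epoch value used as "now" and the 14-day threshold are constructed for the example; the real job would feed it the output of `openssl crl -in "${CRL}" -text` and `date +%s`.

```shell
#!/bin/bash
# Added example (not IPFire's script): the CRL "Next Update" check split into
# small, testable steps. Assumes GNU date (-d) and the text layout that
# `openssl crl -in <crl> -text` prints.

# Constructed sample of `openssl crl -text` output; not a real IPFire CRL.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=DE/O=IPFire/CN=IPFire CA
        Last Update: Jan 21 12:00:00 2018 GMT
        Next Update: Feb 20 12:00:00 2018 GMT
No Revoked Certificates.'

# Extract the value of the "Next Update:" line; prints nothing if absent.
crl_next_update() {
    printf '%s\n' "$1" | sed -n 's/^ *Next Update: *//p'
}

# Whole days until the CRL expires, measured from $2 (epoch seconds).
# Returns 1 and prints nothing when the field is missing or unparsable,
# so "no data" never looks like "already expired" to the caller.
crl_days_left() {
    local next_update expires_at
    next_update="$(crl_next_update "$1")"
    [ -n "${next_update}" ] || return 1
    expires_at="$(date -d "${next_update}" +%s 2>/dev/null)" || return 1
    echo $(( (expires_at - $2) / 86400 ))
}

# Exit status 0: renew now; 1: still fine; 2: could not determine.
# $1 = CRL text, $2 = now (epoch seconds), $3 = renew-before threshold in days.
crl_needs_renewal() {
    local days
    days="$(crl_days_left "$1" "$2")" || return 2
    [ "${days}" -le "$3" ]
}

# Demonstration run against the constructed sample, treating
# 2018-02-07 10:40:00 UTC (epoch 1518000000) as "now".
demo() {
    local now=1518000000 threshold=14
    crl_needs_renewal "${SAMPLE_CRL_TEXT}" "${now}" "${threshold}"
    case $? in
        0) echo "CRL expires in $(crl_days_left "${SAMPLE_CRL_TEXT}" "${now}") day(s): renew" ;;
        1) echo "CRL expires in $(crl_days_left "${SAMPLE_CRL_TEXT}" "${now}") day(s): nothing to do" ;;
        *) echo "error: could not read Next Update from CRL" >&2; return 1 ;;
    esac
}

demo
```

Wiring this into the cron job means calling `crl_needs_renewal` and running `openssl ca -gencrl ...` only on status 0, logging and exiting non-zero on status 2, so a CRL that cannot be read is reported rather than silently regenerated or ignored.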
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field from the CRL and executes an update before it expires. The script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 5 +++ 3 files changed, 96 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..5fbe210 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater 
@@ -0,0 +1,90 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2018 IPFire Team erik.kapfer@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# # +# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater # +# # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed # +# from ssl_verify_<backend>.c . # +# # +# Run Information: If OpenVPNs CRL is present, # +# this script provides a cronjob which checks daily if an update # +# of the CRL is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, # +# an openssl command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. 
# +# # +############################################################################### + +## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" + +# Check if CRL is presant or if OpenVPN is active +if [ ! -e "${CAKEY}" ]; then + exit 0; +fi + +## Values +# Actual time in epoch format +NOW="$(date +%s)" + +# Investigate CRLs 'Next Update' date +EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" + +# Convert 'Next Update:' date from epoch to seconds +EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")" + +# Seconds left until CRL expires +EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))" + +# Day in seconds to calculate +DAYINSEC="86400" + +# Convert seconds to days +NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))" + +# Update of the CRL in days before CRL expiring date +UPDATE="14" + + +## Mainpart +# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + logger -t openvpn "CRL has been updated" + else + logger -t openvpn "error: Could not update CRL" + fi +fi + +exit 0 + + +# EOF + diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..ef25c25 100644 --- a/lfs/openvpn +++ b/lfs/openvpn 
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily + chown root:root /etc/fcron.daily/openvpn-crl-updater + chmod 750 /etc/fcron.daily/openvpn-crl-updater + @rm -rf $(DIR_APP) @$(POSTBUILD)
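Review bot: the presence check and its comment in the script hunk disagree: `# Check if CRL is presant or if OpenVPN is active` tests only `[ ! -e "${CAKEY}" ]`, so a CA key without a readable `${CRL}` passes the check, `openssl crl -in "${CRL}" -text` fails, `EXPIRES_CRL` comes out empty, and `EXPIRES_AT` and `NEXTUPDATE` are then computed from whatever `date -d ""` returns rather than from the CRL. Suggest testing both `${CAKEY}` and `${CRL}` (or `[ -n "${EXPIRES_CRL}" ] || exit 1` right after the grep), exiting non-zero in the `error: Could not update CRL` branch instead of falling through to `exit 0` so fcron can see the failure, and fixing the spelling of "presant" in that comment.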
Hello,
I merged this patch into the openssl-11 branch and rebased the branch.
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary or new features?
Best, -Michael
On Wed, 2018-02-07 at 18:31 +0100, Erik Kapfer wrote:
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field from the CRL and executes an update before it expires. The script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 5 +++ 3 files changed, 96 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..5fbe210 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater @@ -0,0 +1,90 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2018 IPFire Team erik.kapfer@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +###############################################################################
+############################################################################### +# # +# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater # +# # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed # +# from ssl_verify_<backend>.c . # +# # +# Run Information: If OpenVPNs CRL is present, # +# this script provides a cronjob which checks daily if an update # +# of the CRL is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, # +# an openssl command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. # +# # +###############################################################################
+## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+# Check if CRL is presant or if OpenVPN is active +if [ ! -e "${CAKEY}" ]; then
- exit 0;
+fi
+## Values +# Actual time in epoch format +NOW="$(date +%s)"
+# Investigate CRLs 'Next Update' date +EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
+# Convert 'Next Update:' date from epoch to seconds +EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
+# Seconds left until CRL expires +EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
+# Day in seconds to calculate +DAYINSEC="86400"
+# Convert seconds to days +NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
+# Update of the CRL in days before CRL expiring date +UPDATE="14"
+## Mainpart +# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
logger -t openvpn "CRL has been updated"
- else
logger -t openvpn "error: Could not update CRL"
- fi
+fi
+exit 0
+# EOF
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..ef25c25 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify
- # Add crl updater
- mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
- chown root:root /etc/fcron.daily/openvpn-crl-updater
- chmod 750 /etc/fcron.daily/openvpn-crl-updater
- @rm -rf $(DIR_APP) @$(POSTBUILD)
Hi Michael, thanks for merging.
Am Sonntag, den 11.02.2018, 22:25 +0000 schrieb Michael Tremer:
Hello,
I merged this patch into the openssl-11 branch and rebased the branch.
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary or new features?
there is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
So there are two steps left for a rollout of a 2.4 minimum version. Should I send this in two patches or better in one?
In which core update should this be delivered?
Greetings,
Erik
Hi all,
On February 13, 2018 8:02:57 AM GMT+02:00, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, thanks for merging.
Am Sonntag, den 11.02.2018, 22:25 +0000 schrieb Michael Tremer:
Hello,
I merged this patch into the openssl-11 branch and rebased the branch.
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary or new features?
there is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Please consider adding auth-nocache as well, in order to get rid of the warnings for caching credentials.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
So there are two steps left for a rollout of a 2.4 minimum version. Should I send this in two patches or better in one?
In which core update should this be delivered?
Greetings,
Erik
-- Horace Michael (aka H&M) Please excuse my typos and brevity. Sent from a Smartphone.
Hi Michael,
Am Dienstag, den 13.02.2018, 08:07 +0200 schrieb Horace Michael:
Please consider adding auth-nocache as well, in order to get rid of the warnings for caching credentials.
just to bear in mind, if we set auth-nocache and a user/password authentication has been configured manually by the user (IPFire does not provide this currently), there is the need to authenticate again after a session key has expired.
With OpenVPN-2.3.13 and above the rekeying is managed by '--reneg-bytes 64000000' (after 64 MB data transfer) if 64-bit block ciphers are used, which IPFire does provide at this time.
So with the usage of an old deprecated configuration (old ciphers) and a faster and heavily loaded connection, there is the need to authenticate every few minutes.
This warning does not look so nice, but in regular configurations, which have been made via the WUI, it is useless, since there is no user/password authentication currently available.
If someone has configured it manually (in most cases via server{client}.conf.local, I think), it is also possible there to set '--auth-nocache' for each configuration individually if needed?
Just some thoughts from here.
Greetings,
Erik
Hi Erik,
On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
Am Dienstag, den 13.02.2018, 08:07 +0200 schrieb Horace Michael:
Please consider adding auth-nocache as well, in order to get rid of the warnings for caching credentials.
just to bear in mind, if we set auth-nocache and a user/password authentication has been configured manually by the user (IPFire does not provide this currently), there is the need to authenticate again after a session key has expired.
If an IPFire user manually changed the standard configuration of OpenVPN and added passwd authentication, then he/she should also assume the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.
With OpenVPN-2.3.13 and above the rekeying is managed by '--reneg-bytes 64000000' (after 64 MB data transfer) if 64-bit block ciphers are used, which IPFire does provide at this time.
So with the usage of an old deprecated configuration (old ciphers) and a faster and heavily loaded connection, there is the need to authenticate every few minutes.
This warning does not look so nice, but in regular configurations, which have been made via the WUI, it is useless, since there is no user/password authentication currently available.
Indeed it is just a warning, no problem for the tunnel being established. But it is a warning that might be wrongly understood: who knows what "credentials" the user will think of, and the user's overall image of IPFire security will be poor...
If someone has configured it manually (in most cases via server{client}.conf.local, I think), it is also possible there to set '--auth-nocache' for each configuration individually if needed?
Just some thoughts from here.
Greetings,
Erik
-- Horace Michael (aka H&M) Please excuse my typos and brevity. Sent from a Smartphone.
Hi Michael,
Am Dienstag, den 13.02.2018, 16:21 +0200 schrieb Horace Michael:
Hi Erik,
On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge ummeegge@ipfire.org wrote:
Hi Michael,
Am Dienstag, den 13.02.2018, 08:07 +0200 schrieb Horace Michael:
Please consider adding auth-nocache as well, in order to get rid of the warnings for caching credentials.
just to bear in mind, if we set auth-nocache and a user/password authentication has been configured manually by the user (IPFire does not provide this currently), there is the need to authenticate again after a session key has expired.
If an IPFire user manually changed the standard configuration of OpenVPN and added passwd authentication, then he/she should also assume the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.
The removal is kind of impractical: if we hardcode --auth-nocache, it can indeed be manually deleted in ovpnmain.cgi, but it won't be consistent for coming updates. If someone uses user/pwd auth via manual configuration, it might be easier for now to also add --auth-nocache into the local configs if wanted? In some cases this might also be a problem, e.g. for every kind of automation (such as larger backups), whereby processes will be stopped if no user interaction is made.
In my opinion there should be a checkbox available for this, but this also kind of contradicts the current usability goal of keeping it as easy as possible, even though this option is useless for a default IPFire configuration.
But these are only my two cents on this topic; if this is wanted from the core developer side it should be done very quickly, but I would do/discuss this in its own topic and also after we have finished the OpenVPN-2.4 update. There is also the need to think about a lowered --script-security level (from 3 to 2), which also matches this topic I think, and also some other possible (and already fixed) warnings --> https://bugzilla.ipfire.org/show_bug.cgi?id=11364, like e.g. the MTU warning, which should also be thought about but also better tested...
Nevertheless it might be nice if you stay tuned in this topic.
Greetings,
Erik
Have forgotten one more thing: we should also add the new AES-GCM cipher for N2N and RWs. Would maybe push this one before the directive changes?
Will track all that to openssl-11 branch.
Greetings,
Erik
Am Dienstag, den 13.02.2018, 07:02 +0100 schrieb ummeegge:
Hi Michael, thanks for merging.
Am Sonntag, den 11.02.2018, 22:25 +0000 schrieb Michael Tremer:
Hello,
I merged this patch into the openssl-11 branch and rebased the branch.
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
So there are two steps left for a roll-out of a 2.4 minimum version. Should I send this in two patches or better in one?
In which core update should this be delivered?
Greetings,
Erik
Hi,
On Tue, 2018-02-13 at 07:02 +0100, ummeegge wrote:
Hi Michael, thanks for merging.
On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
Hello,
I merged this patch into the openssl-11 branch and rebased the branch.
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Okay. I will wait with merging OpenSSL until we have this sorted.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
And this, too.
So there are two steps left for a roll-out of a 2.4 minimum version. Should I send this in two patches or better in one?
Please try this in two patches.
In which core update should this be delivered ?
I am not sure, yet. 119 would have been good, but we already have a lot in there and I think we should not delay this too much. But 120 at the latest.
It is really important that we get the latest OpenSSL out there as soon as possible.
Best, -Michael
Greetings,
Erik
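The update.sh step agreed above (adding '--script-security' and '--ncp-disable' to an existing server.conf, because a server stop|start does not regenerate the file) has to be idempotent: the directive may already be present, or the update step may run more than once. The following is an added example for this thread, not IPFire's update.sh and not code posted by anyone here; the config path, the sample server.conf content and the chosen values (script-security 2, a bare ncp-disable) are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread, not IPFire's update.sh: idempotently put the
# OpenVPN 2.4 directives into an existing server.conf. A server stop|start does
# not regenerate the file, so a core update has to edit it in place, and it must
# be safe to run the step twice. Paths, the sample config and the values
# (script-security 2, a bare ncp-disable) are assumptions for illustration.

# ensure_directive CONF KEY [VALUE]
# Appends "KEY VALUE" when no line for KEY exists, rewrites the existing line
# when it carries another value, and leaves the file untouched when the exact
# line is already present. VALUE must not contain sed specials (| or &).
ensure_directive() {
    conf="$1"; key="$2"; value="$3"
    line="$key${value:+ $value}"
    # exact line already there: nothing to do
    if grep -qx -- "$line" "$conf"; then
        return 0
    fi
    if grep -Eq -- "^${key}([[:space:]]|\$)" "$conf"; then
        # key present with a different value: replace that whole line
        tmp="$conf.tmp.$$"
        sed -e "/^${key}[[:space:]]/s|.*|${line}|" \
            -e "/^${key}\$/s|.*|${line}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        # key absent: append it
        printf '%s\n' "$line" >> "$conf"
    fi
}

# directive_count CONF KEY: how many lines set KEY (0 when absent)
directive_count() {
    grep -Ec -- "^$2([[:space:]]|\$)" "$1" || true
}

# The two directives named in the thread for the 2.4 roll-out.
apply_24_directives() {
    ensure_directive "$1" script-security 2 &&
    ensure_directive "$1" ncp-disable
}

# Constructed pre-2.4 server.conf fragment (not a real IPFire file); prints its path.
demo_conf() {
    d=$(mktemp -d) || return 1
    cat > "$d/server.conf" <<'EOF'
proto udp
port 1194
dev tun
cipher AES-256-CBC
script-security 3
verb 3
EOF
    printf '%s\n' "$d/server.conf"
}

CONF=$(demo_conf)
apply_24_directives "$CONF"
apply_24_directives "$CONF"   # second run changes nothing
cat "$CONF"
```

The check for an existing key matches "KEY" followed by whitespace or end of line, so a key that is a prefix of another (e.g. "cipher" vs. a hypothetical "cipher-list") is not rewritten by mistake, and the existing "script-security 3" line is replaced rather than duplicated.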
Hi Michael,
On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Okay. I will wait with merging OpenSSL until we have this sorted.
Have sent the forgotten AES-GCM patch --> https://lists.ipfire.org/pipermail/development/2018-February/004063.html. Would you merge it into openssl-11 if the review is OK? I would then pull the changes and prepare/send the last ovpnmain.cgi patch.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
And this, too.
Since there is currently no config/rootfiles/core/config/rootfiles/core directory for openssl-11, should I make one for core 119 (or 120?) and add the commands to update.sh there?
So there are two steps left for a roll-out of a 2.4 minimum version. Should I send this in two patches or better in one?
Please try this in two patches.
No problem if I am clear about the question above.
In which core update should this be delivered ?
I am not sure, yet. 119 would have been good, but we already have a lot in there and I think we should not delay this too much. But 120 at the latest.
It is really important that we get the latest OpenSSL out there as soon as possible.
Have successfully installed an IPFire ISO with OpenSSL-1.1.0g yesterday; I think the last changes from commit 59d77d2eae265304887408b1d36074269f6075a4 did it :D. Great work Michael. Two more commits and from the OpenVPN side all should be OK for now. After that I would step into testing mode...
Greetings,
Erik
Hi,
On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
Hi Michael,
On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Okay. I will wait with merging OpenSSL until we have this sorted.
Have sent the forgotten AES-GCM patch --> https://lists.ipfire.org/pipermail/development/2018-February/004063.html. Would you merge it into openssl-11 if the review is OK? I would then pull the changes and prepare/send the last ovpnmain.cgi patch.
You can work on the other patches independently from this one.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
And this, too.
Since there is currently no config/rootfiles/core/config/rootfiles/core directory for openssl-11, should I make one for core 119 (or 120?) and add the commands to update.sh there?
Please provide that in an extra script. I do not know when this will land in a Core Update.
So there are two steps left for a roll-out of a 2.4 minimum version. Should I send this in two patches or better in one?
Please try this in two patches.
No problem if I am clear about the question above.
In which core update should this be delivered ?
I am not sure, yet. 119 would have been good, but we already have a lot in there and I think we should not delay this too much. But 120 at the latest.
It is really important that we get the latest OpenSSL out there as soon as possible.
Have successfully installed an IPFire ISO with OpenSSL-1.1.0g yesterday; I think the last changes from commit 59d77d2eae265304887408b1d36074269f6075a4 did it :D. Great work Michael. Two more commits and from the OpenVPN side all should be OK for now. After that I would step into testing mode...
Greetings,
Erik
Hello,
On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
Hi,
On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
Hi Michael,
On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Okay. I will wait with merging OpenSSL until we have this sorted.
Have sent the forgotten AES-GCM patch --> https://lists.ipfire.org/pipermail/development/2018-February/004063.html. Would you merge it into openssl-11 if the review is OK? I would then pull the changes and prepare/send the last ovpnmain.cgi patch.
You can work on the other patches independently from this one.
If we leave the AES-GCM patch behind for now, there is not much more to do in ovpnmain.cgi. These directives https://lists.ipfire.org/pipermail/development/2018-February/004085.html should bring OpenVPN-2.4 to life again.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
And this, too.
Since there is currently no config/rootfiles/core/config/rootfiles/core directory for openssl-11, should I make one for core 119 (or 120?) and add the commands to update.sh there?
Please provide that in an extra script. I do not know when this will land in a Core Update.
OK, where is a good place for this until then?
Greetings,
Erik
On Thu, 2018-02-15 at 07:18 +0100, ummeegge wrote:
Hello,
On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
Hi,
On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
Hi Michael,
On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
What other steps are urgently necessary so that we can roll out OpenVPN 2.4? Are the CGI changes necessary, or new features?
There is the need to make the changes for '--script-security' and to add '--ncp-disable' in ovpnmain.cgi.
Okay. I will wait with merging OpenSSL until we have this sorted.
Have sent the forgotten AES-GCM patch --> https://lists.ipfire.org/pipermail/development/2018-February/004063.html. Would you merge it into openssl-11 if the review is OK? I would then pull the changes and prepare/send the last ovpnmain.cgi patch.
You can work on the other patches independently from this one.
If we leave the AES-GCM patch behind for now, there is not much more to do in ovpnmain.cgi. These directives https://lists.ipfire.org/pipermail/development/2018-February/004085.html should bring OpenVPN-2.4 to life again.
Also the integration of the directives via update.sh for the core update needs to be made, since a server stop|start does not include the changes in server.conf.
And this, too.
Since there is currently no config/rootfiles/core/config/rootfiles/core directory for openssl-11, should I make one for core 119 (or 120?) and add the commands to update.sh there?
Please provide that in an extra script. I do not know when this will land in a Core Update.
OK, where is a good place for this until then?
Just by email for now as you did.
This isn't too great for many of these things, but I cannot think of an easier way for this one time.
-Michael
Greetings,
Erik