- With an n2n connection .p12 certificate created with openssl-1.1.1x, the line `providers legacy default` is required in the n2nconf file to enable it to start. - Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in a failure and an error message. All the openssl commands dealing with pkcs12 (.p12) files need to have the -legacy option added to them.
Fixes: Bug#13137 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5..88106251e 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 print CLIENTCONF "# Activate Management Interface and Port\n";
 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
+ print CLIENTCONF "providers legacy default\n";
 close(CLIENTCONF);
}
@@ -1648,7 +1649,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
 '-in', $filename, '-out', "$tempdir/cacert.pem")) {
 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1671,7 +1672,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
 '-in', $filename, '-out', "$tempdir/hostcert.pem")) {
 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1694,7 +1695,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
 '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) {
@@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
+ print CLIENTCONF "providers legacy default\n";
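Review bot: The added `providers legacy default` line is process-wide: it tells the OpenVPN client to load OpenSSL's legacy provider for everything, so the RC2/RC4/DES-era algorithms in that provider become loadable again for any cipher a config names (e.g. a stale `cipher BF-CBC`), not only for the PKCS#12 parser that actually needs them to open a 1.1.1-era .p12. As far as I know `providers` is OpenVPN 2.6 syntax, so a config carrying it will refuse to start on an OpenVPN 2.5 binary; that constraint is worth stating next to the line. Suggest a why-comment in the generated file, written just before the added print: `print CLIENTCONF "# legacy provider: the .p12 below may be RC2/3DES-encrypted (created with OpenSSL 1.1.1)\n";`. The enclosing block begins before the hunk (the `unless(-d ...)` in the hunk header) and continues after it.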
close(CLIENTCONF);
@@ -3296,6 +3298,7 @@ END
 print FILE "# Logfile\n";
 print FILE "status-version 1\n";
 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
+ print FILE "providers legacy default\n";
 close FILE;
unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Create the pkcs12 file
 # The system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-export',
+ system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'},
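Review bot: `-legacy` on the `pkcs12 -export` call does more than load the provider: per openssl-pkcs12(1) it also switches the output back to the OpenSSL 1.1.1 defaults (RC2-40-CBC for the certificates, 3DES for the key, SHA-1 MAC), so every .p12 this path creates from now on is again a file that only opens with the legacy provider, which is the very condition the series works around. Reading old files needs `-legacy` (the three `pkcs12 -in` calls earlier in this patch); creating new ones does not, because the OpenSSL 3 default export is AES-256-CBC with PBKDF2, which, as far as I know, 1.1.1 can read as well. Suggest keeping this line as `system('/usr/bin/openssl', 'pkcs12', '-export',` and a comment above it such as `# no -legacy here: that would re-create RC2/3DES PKCS#12 files`. The `system` argument list continues outside the hunk.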
- This modification checks whether ovpnconfig exists and is not empty. If so, it iterates over all n2n connections and, for each one whose config is a client config, appends "providers legacy default" if that line is not already present.
Fixes: Bug#13137 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/core/175/update.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
 /boot/pakfire-kernel-update ${KVER}
 fi
+## Add providers legacy default line to n2n client config files
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+ # Identify all n2n connections
+ for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+ # Add the legacy option to all N2N client conf files
+ if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
+ if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
+ echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
+ fi
+ fi
+ done
+fi
+
 # This update needs a reboot...
 touch /var/run/need_reboot
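Review bot: The `awk '/net/ { print $3 }'` selector matches any ovpnconfig line containing the substring "net" anywhere (a roadwarrior entry named "internet", or a remark field), not only connections whose type is net, and for such an entry the conf file does not exist, so `$(grep -c ...)` expands to nothing and the test collapses to `[ -eq 1 ]`, which prints an error on every run of the loop. Anchor the selection on the type column instead (ovpnmain.cgi tests `[3]` of the hash entry, which with the key in the first CSV column should be awk `$5`; please confirm against the file format), check the file exists before grepping, and use `grep -q` with a line-anchored pattern so a commented-out `# providers legacy default` is not counted as present. Quoting `${y}` also keeps the script from breaking on a connection name with whitespace.
```shell
for y in $(awk -F',' '$5 == "net" { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
	conf="/var/ipfire/ovpn/n2nconf/${y}/${y}.conf"
	# Skip entries without a generated config (nothing to patch)
	[ -f "${conf}" ] || continue
	# Per the commit message only client configs need the line
	if grep -q "Open VPN Client Config" "${conf}" && ! grep -q '^providers legacy default' "${conf}"; then
		echo "providers legacy default" >> "${conf}"
	fi
done
```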
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
We need to consider that people might overwrite this when they restore an older backup.
So I am not sure whether we want those lines added to the backup scripts as well.
-Michael
On 4 Jun 2023, at 19:57, Adolf Belka adolf.belka@ipfire.org wrote:
- This modification will check if ovpnconfig exists and is not empty. If so then it will check for all n2n connections and if they are Client configs will check if "providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/rootfiles/core/175/update.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
 /boot/pakfire-kernel-update ${KVER}
 fi
+## Add providers legacy default line to n2n client config files
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Identify all n2n connections
for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Add the legacy option to all N2N client conf files
- if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
- if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
- echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
- fi
- fi
done
+fi
# This update needs a reboot... touch /var/run/need_reboot
-- 2.40.1
Hi Michael,
On 05/06/2023 12:32, Michael Tremer wrote:
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
We need to consider that people might overwrite this when they restore an older backup.
So I am not sure whether we want those lines added to the backup scripts as well.
That is a good idea. I have created a patch to do that, tested it out and it worked. It only adds the line if it doesn't already exist. The patch has been submitted.
Regards, Adolf.
-Michael
On 4 Jun 2023, at 19:57, Adolf Belka adolf.belka@ipfire.org wrote:
- This modification will check if ovpnconfig exists and is not empty. If so then it will check for all n2n connections and if they are Client configs will check if "providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/rootfiles/core/175/update.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
 /boot/pakfire-kernel-update ${KVER}
 fi
+## Add providers legacy default line to n2n client config files
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Identify all n2n connections
for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Add the legacy option to all N2N client conf files
- if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
- if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
- echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
- fi
- fi
done
+fi
# This update needs a reboot... touch /var/run/need_reboot
-- 2.40.1
Hello Adolf,
Thank you very much for putting all this effort in to solve such an annoying problem.
On 4 Jun 2023, at 19:57, Adolf Belka adolf.belka@ipfire.org wrote:
- With an n2n connection .p12 certificate created with openssl-1.1.1x, the line `providers legacy default` is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in a failure and an error message. All the openssl commands dealing with pkcs12 (.p12) files need to have the -legacy option added to them.
Fixes: Bug#13137 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
html/cgi-bin/ovpnmain.cgi | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5..88106251e 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 print CLIENTCONF "# Activate Management Interface and Port\n";
 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
- print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF);
}
@@ -1648,7 +1649,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys', '-in', $filename, '-out', "$tempdir/cacert.pem")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1671,7 +1672,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys', '-in', $filename, '-out', "$tempdir/hostcert.pem")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1694,7 +1695,7 @@ END
 goto ROOTCERT_ERROR;
 }
 } else { # child
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts', '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) {
@@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
print CLIENTCONF "providers legacy default\n";
close(CLIENTCONF);
@@ -3296,6 +3298,7 @@ END
 print FILE "# Logfile\n";
 print FILE "status-version 1\n";
 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
- print FILE "providers legacy default\n";
close FILE;
I just wanted to highlight that I believe that we won’t be dropping this line any time soon. Hopefully that won’t become a problem once distributions decide to no longer ship the legacy module - or if it gets removed from OpenSSL entirely.
I believe that at this point we have no other options.
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Create the pkcs12 file
 # The system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-export',
- system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'},
-- 2.40.1