This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core175 has been updated
       via  3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5 (commit)
       via  94aa82fa619448229737bf545b768f0ca7177b0c (commit)
       via  495ea08478cb9520fb9d94fff43ace46f6c3a368 (commit)
       via  9eb2086e0f3b6feb6e52d01c7faf5d79791650ea (commit)
       via  2054306c632046c052e67eee1220abef42c34b5d (commit)
       via  0b216134c2107ac0dccccac15a97db0082c84678 (commit)
      from  9797af30061946db16ab7bbca1635865d9318336 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jun 5 14:52:01 2023 +0000
Core Update 175: Ship vpnmain.cgi
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 94aa82fa619448229737bf545b768f0ca7177b0c
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Sat Jun 3 16:05:41 2023 +0200
vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
- The change to openssl-3.x results in the openssl commands that start with ca failing with the error message
  OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
- The fix for this is to include the unique_subject = yes line into /var/ipfire/certs/index.txt.attr
- Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being accessed with openssl-3.x due to the no longer supported algorithm. These can be accessed if the -legacy option is added to every openssl command dealing with pkcs12

Fixes: Bug#13138
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 495ea08478cb9520fb9d94fff43ace46f6c3a368
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jun 5 14:51:09 2023 +0000
Core Update 175: Ship backup.pl
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 9eb2086e0f3b6feb6e52d01c7faf5d79791650ea
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Mon Jun 5 13:55:29 2023 +0200
backup.pl: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This code adds the "providers legacy default" line into OpenVPN N2N Client config files when restoring them in case it is missing from a backup earlier than CU175. Only adds the line if it is not already present.
- Tested out on my vm testbed system

Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2054306c632046c052e67eee1220abef42c34b5d
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Sun Jun 4 20:57:09 2023 +0200
update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This modification will check if ovpnconfig exists and is not empty. If so then it will check for all n2n connections and if they are Client configs will check if "providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0b216134c2107ac0dccccac15a97db0082c84678
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Sun Jun 4 20:57:08 2023 +0200
ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- With an n2n connection .p12 certificate created with openssl-1.1.1x the line providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in a failure and an error message. All the openssl commands dealing with pkcs12 (.p12) files need to have the -legacy option added to them.

Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
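Both bug reports above (Bug#13137 for OpenVPN, Bug#13138 for IPsec) come down to one fact: a .p12 written by OpenSSL 1.1.1 encrypts its bags with the PKCS#12 PBE schemes RC2-40-CBC and 3DES, which OpenSSL 3 only serves from its legacy provider, whereas OpenSSL 3's own default export uses PBES2 with AES and PBKDF2 and needs no provider. The patch turns the legacy path on everywhere; an operator who would rather know which files actually need it can inspect each .p12 directly. The script below is an added example written for this editing pass, not IPFire code and not part of the commits: it walks the DER structure of a .p12 without calling OpenSSL and reports which PBE algorithms it uses, so that the N2N connections that really require `providers legacy default` can be told apart from those whose .p12 could simply be re-exported. The two sample blobs are constructed by hand with simplified PBE parameters and a placeholder ciphertext; the file paths are whatever the caller passes on the command line.

```python
"""Report the PKCS#12 PBE algorithms a .p12 uses, to decide whether OpenSSL 3 needs
the legacy provider (`openssl pkcs12 -legacy`, OpenVPN `providers legacy default`).
Added example, not IPFire code: it walks the DER itself and needs no OpenSSL."""
import sys

# PKCS#12 PBE OIDs (RFC 7292, appendix C). OpenSSL 1.1.1 exported certs with RC2-40-CBC
# and keys with 3-key 3DES; OpenSSL 3 serves those ciphers only from the legacy provider.
LEGACY_PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
PBES2_OID = "1.2.840.113549.1.5.13"  # PBES2 (PBKDF2 + AES): the OpenSSL 3 default export

def _read_length(data, pos):
    """Definite-form DER length at data[pos] -> (length, next position)."""
    if pos >= len(data):
        raise ValueError("truncated DER")
    if data[pos] < 0x80:
        return data[pos], pos + 1
    n = data[pos] & 0x7F  # n == 0 would be the BER indefinite form, which is not DER
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """OID content octets -> dotted form (first octet packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_oids(data):
    """Yield every OID in a DER blob. Descends into constructed types and into OCTET
    STRINGs (PKCS#12 nests SafeContents in them); a non-DER OCTET STRING is opaque."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        length, pos = _read_length(data, pos + 1)
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated DER")
        if tag == 0x06:                  # OBJECT IDENTIFIER
            yield _decode_oid(body)
        elif tag & 0x20:                 # constructed: SEQUENCE, SET, [n]
            yield from iter_oids(body)
        elif tag == 0x04:                # OCTET STRING: descend only if it parses
            try:
                inner = list(iter_oids(body))
            except (ValueError, IndexError):
                inner = []               # ciphertext, salt, MAC: not DER, skip
            yield from inner
        pos += length

def classify_pkcs12(der):
    """("legacy", [names]) if any legacy PBE is present, ("modern", []) if only PBES2 is
    used, else ("unknown", []). Certificates in the bags add their own OIDs; only PBE counts."""
    oids = set(iter_oids(der))
    legacy = sorted(LEGACY_PBE_OIDS[o] for o in oids if o in LEGACY_PBE_OIDS)
    if legacy:
        return "legacy", legacy
    return ("modern", []) if PBES2_OID in oids else ("unknown", [])

# --- constructed sample input: hand-built DER with simplified PBE parameters ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

def _sample_pkcs12(pbe_oid):
    """PFX{v3, Data{OCTET STRING{AuthenticatedSafe{EncryptedData{alg, [0] ct}}}}} with
    alg = AlgorithmIdentifier{pbe_oid, {salt, iterations}} and a placeholder ciphertext."""
    alg = _tlv(0x30, _oid(pbe_oid) + _tlv(0x30, _tlv(0x04, b"salt1234") + _tlv(0x02, b"\x08\x00")))
    enc_info = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + alg + _tlv(0x80, b"\xde\xad\xbe\xef"))
    enc_data = _tlv(0x30, _oid("1.2.840.113549.1.7.6") + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00") + enc_info)))
    auth_safe = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0xA0, _tlv(0x04, _tlv(0x30, enc_data))))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe)

LEGACY_SAMPLE = _sample_pkcs12("1.2.840.113549.1.12.1.6")  # as OpenSSL 1.1.1 / `-export -legacy` writes
MODERN_SAMPLE = _sample_pkcs12(PBES2_OID)                   # as an OpenSSL 3 default export writes

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind, algs = classify_pkcs12(fh.read())
        print(f"{path}: {kind}" + (f" ({', '.join(algs)})" if algs else ""))
```

Run it as `python3 p12check.py /var/ipfire/ovpn/certs/*.p12` (the directory is the one the ovpnmain.cgi hunks write to). A file reported as legacy is the case Bug#13137 describes; a file reported as modern can be read by OpenSSL 3 and OpenVPN without `-legacy` or `providers legacy default`. As a cross-check with the CLI, `openssl pkcs12 -info -noout -in file.p12` on OpenSSL 3 prints the PBE algorithm of each bag and fails on a legacy file unless `-legacy` is added. Re-exporting a legacy file's key and certificate with `openssl pkcs12 -export` and no `-legacy` produces a PBES2/AES file, after which the legacy provider is no longer needed for that connection.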
-----------------------------------------------------------------------
Summary of changes:
 config/backup/backup.pl                   | 15 +++++++++++++++
 config/rootfiles/core/175/filelists/files |  2 ++
 config/rootfiles/core/175/update.sh       | 14 ++++++++++++++
 html/cgi-bin/ovpnmain.cgi                 | 11 +++++++----
 html/cgi-bin/vpnmain.cgi                  | 15 ++++++++-------
 5 files changed, 46 insertions(+), 11 deletions(-)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 96e794439..8d990c0f1 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -189,6 +189,21 @@ restore_backup() {
# Update OpenVPN CRL /etc/fcron.daily/openvpn-crl-updater + + # Update OpenVPN N2N Client Configs + ## Add providers legacy default line to n2n client config files + # Check if ovpnconfig exists and is not empty + if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Identify all n2n connections + for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Add the legacy option to all N2N client conf files if it does not already exist + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf + fi + fi + done + fi
return 0 } diff --git a/config/rootfiles/core/175/filelists/files b/config/rootfiles/core/175/filelists/files index 8b36d5847..6ff583e76 100644 --- a/config/rootfiles/core/175/filelists/files +++ b/config/rootfiles/core/175/filelists/files @@ -85,5 +85,7 @@ lib/firmware/rtw89/rtw8852b_fw-1.bin srv/web/ipfire/cgi-bin/backup.cgi srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi usr/lib/dracut/dracut.conf.d/ipfire.conf usr/lib/firewall/rules.pl +var/ipfire/backup/bin/backup.pl diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh index 5e45c819f..82676bc72 100644 --- a/config/rootfiles/core/175/update.sh +++ b/config/rootfiles/core/175/update.sh @@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi
+## Add providers legacy default line to n2n client config files +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Identify all n2n connections + for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Add the legacy option to all N2N client conf files + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf + fi + fi + done +fi + # This update needs a reboot... touch /var/run/need_reboot
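Review bot: the connection filter `awk -F',' '/net/ { print $3 }'` in this update.sh loop (and in the identical loop added to restore_backup in backup.pl) matches any ovpnconfig line that contains the substring "net" in any field, not only entries whose type is net; the ovpnmain.cgi hunk in this same patch tests the type with `$confighash{$cgiparams{'KEY'}}[3] eq 'net'`, which is awk field `$4`, so `awk -F',' '$4 == "net" { print $3 }'` selects exactly the N2N entries. With the current regex, a host connection whose name happens to contain "net" makes `grep -c` run on a non-existent n2nconf file; that prints nothing to stdout, so the test becomes `[ -eq 1 ]` and the shell reports a unary-operator error instead of skipping cleanly. Guarding with `[ -f "/var/ipfire/ovpn/n2nconf/${y}/${y}.conf" ]` and using `grep -q` would make both loops robust, and `echo ... >>` should be preceded by a check that the conf file ends in a newline, since otherwise the directive is glued onto the last existing line.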
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5c4fad0a5..88106251e 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Activate Management Interface and Port\n"; if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; + print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF);
} @@ -1648,7 +1649,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys', '-in', $filename, '-out', "$tempdir/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1671,7 +1672,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys', '-in', $filename, '-out', "$tempdir/hostcert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1694,7 +1695,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts', '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) { @@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; + print CLIENTCONF "providers legacy default\n";
close(CLIENTCONF); @@ -3296,6 +3298,7 @@ END print FILE "# Logfile\n"; print FILE "status-version 1\n"; print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n"; + print FILE "providers legacy default\n"; close FILE;
unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) { @@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Create the pkcs12 file # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-export', + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'}, diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 6c1fd4cf0..f2aeecdf9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -193,7 +193,7 @@ sub cleanssldatabase { close FILE; } if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { - print FILE ""; + print FILE "unique_subject = yes"; close FILE; } unlink ("${General::swroot}/certs/index.txt.old"); @@ -213,6 +213,7 @@ sub newcleanssldatabase { } if (! -s ">${General::swroot}/certs/index.txt.attr") { open(FILE, ">${General::swroot}/certs/index.txt.attr"); + print FILE "unique_subject = yes"; close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); @@ -907,7 +908,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -920,7 +921,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -934,7 +935,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting private key from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; + my $opt = " pkcs12 -legacy -nocerts -nodes"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostkey"; $errormessage = &callssl ($opt); 
@@ -1939,7 +1940,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -1952,7 +1953,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -2197,7 +2198,7 @@ END
# Create the pkcs12 file &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; + $opt = " pkcs12 -legacy -export"; $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name "$cgiparams{'NAME'}"";
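Review bot: in the two `pkcs12 -export` calls (ovpnmain.cgi `system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export', ...)` and vpnmain.cgi `$opt = " pkcs12 -legacy -export";`), `-legacy` changes what is written, not only what can be read: OpenSSL 3 then encrypts the new .p12 with the same RC2-40/3DES PBE that made the 1.1.1-era files unreadable, so every connection created after this update depends on the legacy provider and on the `providers legacy default` line just as much as the old ones. Without `-legacy`, an OpenSSL 3 export uses PBES2 with AES-256-CBC and PBKDF2, which OpenSSL 3 and OpenVPN read without any provider. Suggest keeping `-legacy` only on the `-cacerts`, `-clcerts` and `-nocerts` extraction paths, where it is needed for files made under 1.1.1, or stating in a comment why legacy-format output is wanted (for example compatibility with older client software).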
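Review bot: `-legacy` is added unconditionally to every `pkcs12` extraction in both CGIs and `providers legacy default` is written into every N2N client config, including connections whose .p12 OpenSSL 3 could read on its own; on a build where the legacy provider module is not installed, `-legacy` makes every import fail with a provider-load error rather than only the old files. A narrower approach is to run the extraction without `-legacy` first and retry with it only when that fails, and to emit `providers legacy default` only for connections whose .p12 needs it; at minimum the three `print ... "providers legacy default\n"` sites should carry a comment pointing at Bug#13137 so the line is not removed later without understanding why it is there.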
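Review bot: `print FILE "unique_subject = yes";` in both cleanssldatabase and newcleanssldatabase writes the attribute without a trailing `\n`; `openssl ca` itself writes the file as `unique_subject = yes\n`, and a newline-terminated line is the safer form for anything that appends to the file later. In the newcleanssldatabase hunk, the surrounding condition `if (! -s ">${General::swroot}/certs/index.txt.attr")` tests a path that starts with a literal `>`, which never exists, so it is always true and the file is recreated on every call; that was harmless while the file was written empty, but now that the hunk gives it content the stray `>` is worth dropping in the same change.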
hooks/post-receive -- IPFire 2.x development tree