This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via ebf697a097f38c11a603e22f7f742e24bba601a2 (commit) via b66b02ab73863bcb9130300d8ef0eecdc51efde3 (commit) from b0b4d09c56774e84938109963a32916716e96f85 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit ebf697a097f38c11a603e22f7f742e24bba601a2 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 11 11:56:07 2017 +0100
core115: Ship latest OpenVPN changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b66b02ab73863bcb9130300d8ef0eecdc51efde3 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Fri Oct 6 15:14:48 2017 +0200
OpenVPN: Fix for '--ns-cert-type server is deprecated' .
- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration, so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type' if the host certificate are newely generated with this options. Nevertheless both directives (old and new) will work also with old CAs.
- Automatic detection if the host certificate uses the new options. If it does, '--remote-cert-tls server' will be automatically set into the client configuration files for Net-to-Net and Roadwarriors connections.
If it does NOT, the old '--ns-cert-type server' directive will be set in the client configuration file.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/ovpn/openssl/ovpn.cnf | 4 ++++ config/rootfiles/core/115/filelists/files | 2 ++ html/cgi-bin/ovpnmain.cgi | 31 +++++++++++++++++++++++++++---- 3 files changed, 33 insertions(+), 4 deletions(-)
Difference in files: diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index ab026c1..40daf2a 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -77,6 +77,8 @@ basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = clientAuth +keyUsage = digitalSignature
[ server ]
@@ -86,6 +88,8 @@ nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = serverAuth +keyUsage = digitalSignature, keyEncipherment
[ v3_req ] basicConstraints = CA:FALSE diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files index 75001c2..33937ae 100644 --- a/config/rootfiles/core/115/filelists/files +++ b/config/rootfiles/core/115/filelists/files @@ -6,6 +6,7 @@ srv/web/ipfire/cgi-bin/captive/index.cgi srv/web/ipfire/cgi-bin/captive/logo.cgi srv/web/ipfire/cgi-bin/captive/redirect.cgi srv/web/ipfire/cgi-bin/captive.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi srv/web/ipfire/html/captive @@ -21,4 +22,5 @@ var/ipfire/langs var/ipfire/menu.d/30-network.menu var/ipfire/modem-lib.pl var/ipfire/network-functions.pl +var/ipfire/ovpn/openssl/ovpn.cnf var/log/httpd/captive diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index d46a14e..ceb88c1 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1061,8 +1061,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } } } - - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -2173,7 +2180,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } } } - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -2332,7 +2347,15 @@ else print CLIENTCONF "comp-lzo\r\n"; } print CLIENTCONF "verb 3\r\n"; - print CLIENTCONF "ns-cert-type server\r\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\r\n"; + } else { + print CLIENTCONF "remote-cert-tls server\r\n"; + } print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; if ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "mssfix\r\n";
hooks/post-receive -- IPFire 2.x development tree