This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via a2a695be02696854c73c74610f15152614fb4ee5 (commit) via 818dde8e8b8b8cbf571c7d02ba4c8272280f3e46 (commit) from 6376c155b8c02c37d891f91d9bf9e60564430d04 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit a2a695be02696854c73c74610f15152614fb4ee5
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Thu Nov 3 16:51:19 2022 +0000
Core Update 172: Ship (o|)vpnmain.cgi
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 818dde8e8b8b8cbf571c7d02ba4c8272280f3e46
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Thu Nov 3 15:29:32 2022 +0000
IPsec/OpenVPN: Use 4,096-bit RSA for host certificates as well
We already moved away from 2048-MODP in Core Update 170. Similarly, the German Federal Office for Information Security (BSI) recommends shifting away from RSA keys below 3,000 bits by the end of 2022 at the latest.
The only place left in IPFire 2.x where we generate such keys is for IPsec and OpenVPN host certificates. This patch increases their key sizes to 4,096 bits as well - CA certificates already have this length.
Existing VPN connections cannot be migrated automatically. However, only the respective host certificate has to be regenerated - thanks to the CA certificates' key length being sufficient, there is no need to replace the entire VPN CA.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/172/filelists/files |  2 ++
 html/cgi-bin/ovpnmain.cgi                 | 10 ++++------
 html/cgi-bin/vpnmain.cgi                  |  4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/172/filelists/files b/config/rootfiles/core/172/filelists/files index f69f05489..d73430dae 100644 --- a/config/rootfiles/core/172/filelists/files +++ b/config/rootfiles/core/172/filelists/files @@ -2,5 +2,7 @@ usr/lib/firewall/rules.pl usr/local/bin/addonctrl usr/local/bin/openvpnctrl usr/local/bin/wirelessctrl +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/services.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi var/ipfire/backup/bin/backup.pl diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 90d3710e4..f85d610d8 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,9 +18,7 @@ # along with this program. If not, see http://www.gnu.org/licenses/. # # # ############################################################################### -### -# Based on IPFireCore 77 -### + use CGI; use CGI qw/:standard/; use Imager::QRCode; @@ -1970,7 +1968,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', - '-newkey', 'rsa:2048', + '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -4363,7 +4361,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', - '-newkey', 'rsa:2048', + '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { 
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index fc250b1f5..6c1fd4cf0 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1093,7 +1093,7 @@ END &General::log("ipsec", "Creating host cert..."); if (open(STDIN, "-|")) { my $opt = " req -sha256 -nodes"; - $opt .= " -newkey rsa:2048"; + $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; $opt .= " -out ${General::swroot}/certs/hostreq.pem"; $errormessage = &callssl ($opt); @@ -2139,7 +2139,7 @@ END
if (open(STDIN, "-|")) { my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:2048"; + $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
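Review bot: the two header hunks in html/cgi-bin/ovpnmain.cgi (@@ -2,7 and @@ -18,9), which bump the copyright year to 2007-2022 and drop the "Based on IPFireCore 77" banner, are unrelated to the key-size change the commit message describes; moving them into a separate cleanup commit keeps the security-relevant diff minimal and easier to bisect and audit later.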
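Review bot: the @@ -1970 and @@ -4363 hunks in html/cgi-bin/ovpnmain.cgi change only the `-newkey rsa:2048` argument to `rsa:4096` inside the list-form `exec` of /usr/bin/openssl, which is the right place and keeps shell interpretation out of the picture. Two follow-ups are missing from the diff: generating a 4,096-bit RSA key is considerably slower than a 2,048-bit one on the low-power hardware IPFire is often deployed on, so the longer wait during the CGI request should be expected and ideally mentioned in the Core Update 172 release notes; and the commit message states that existing host certificates must be regenerated by hand, but nothing in the patch documents that for administrators, so a changelog or wiki entry for Core Update 172 should accompany it.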
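Review bot: in html/cgi-bin/vpnmain.cgi the @@ -1093 hunk builds `" req -sha256 -nodes"` while the @@ -2139 hunk builds `" req -nodes -rand /proc/interrupts:/proc/net/rt_cache"` without a digest option, so the signature digest of the second request depends on whatever the openssl configuration defaults to; since the line is being touched anyway, adding `-sha256` there makes both requests consistent. The `-rand /proc/interrupts:/proc/net/rt_cache` seeding is a legacy holdover: OpenSSL 1.1.1 and later seed the CSPRNG from the kernel on their own, so the option can be dropped. Finally, both hunks concatenate the openssl arguments into the single string `$opt` handed to `&callssl`, and the @@ -2139 hunk interpolates `$cgiparams{'NAME'}` into the `-keyout`/`-out` paths; ovpnmain.cgi avoids this by passing a list to `exec`. Please confirm NAME is validated before this point, or consider switching vpnmain.cgi to the same list form.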
hooks/post-receive -- IPFire 2.x development tree