From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. ebf697a097f38c11a603e22f7f742e24bba601a2
Date: Wed, 11 Oct 2017 11:56:52 +0100 [thread overview]
Message-ID: <20171011105652.F25711081BCF@git01.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 6374 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via ebf697a097f38c11a603e22f7f742e24bba601a2 (commit)
via b66b02ab73863bcb9130300d8ef0eecdc51efde3 (commit)
from b0b4d09c56774e84938109963a32916716e96f85 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ebf697a097f38c11a603e22f7f742e24bba601a2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Oct 11 11:56:07 2017 +0100
core115: Ship latest OpenVPN changes
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b66b02ab73863bcb9130300d8ef0eecdc51efde3
Author: Erik Kapfer <erik.kapfer(a)ipfire.org>
Date: Fri Oct 6 15:14:48 2017 +0200
OpenVPN: Fix for '--ns-cert-type server is deprecated' .
- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate are newely generated with this options.
Nevertheless both directives (old and new) will work also with old CAs.
- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.
If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/ovpn/openssl/ovpn.cnf | 4 ++++
config/rootfiles/core/115/filelists/files | 2 ++
html/cgi-bin/ovpnmain.cgi | 31 +++++++++++++++++++++++++++----
3 files changed, 33 insertions(+), 4 deletions(-)
Difference in files:
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf
index ab026c1..40daf2a 100644
--- a/config/ovpn/openssl/ovpn.cnf
+++ b/config/ovpn/openssl/ovpn.cnf
@@ -77,6 +77,8 @@ basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature
[ server ]
@@ -86,6 +88,8 @@ nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
basicConstraints = CA:FALSE
diff --git a/config/rootfiles/core/115/filelists/files b/config/rootfiles/core/115/filelists/files
index 75001c2..33937ae 100644
--- a/config/rootfiles/core/115/filelists/files
+++ b/config/rootfiles/core/115/filelists/files
@@ -6,6 +6,7 @@ srv/web/ipfire/cgi-bin/captive/index.cgi
srv/web/ipfire/cgi-bin/captive/logo.cgi
srv/web/ipfire/cgi-bin/captive/redirect.cgi
srv/web/ipfire/cgi-bin/captive.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
srv/web/ipfire/html/captive
@@ -21,4 +22,5 @@ var/ipfire/langs
var/ipfire/menu.d/30-network.menu
var/ipfire/modem-lib.pl
var/ipfire/network-functions.pl
+var/ipfire/ovpn/openssl/ovpn.cnf
var/log/httpd/captive
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index d46a14e..ceb88c1 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1061,8 +1061,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
}
}
}
-
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
@@ -2173,7 +2180,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
}
}
}
- print CLIENTCONF "ns-cert-type server\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\n";
+ }
print CLIENTCONF "# Auth. Client\n";
print CLIENTCONF "tls-client\n";
print CLIENTCONF "# Cipher\n";
@@ -2332,7 +2347,15 @@ else
print CLIENTCONF "comp-lzo\r\n";
}
print CLIENTCONF "verb 3\r\n";
- print CLIENTCONF "ns-cert-type server\r\n";
+ # Check host certificate if X509 is RFC3280 compliant.
+ # If not, old --ns-cert-type directive will be used.
+ # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+ my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($hostcert !~ /TLS Web Server Authentication/) {
+ print CLIENTCONF "ns-cert-type server\r\n";
+ } else {
+ print CLIENTCONF "remote-cert-tls server\r\n";
+ }
print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2017-10-11 10:56 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171011105652.F25711081BCF@git01.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox