From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. a51b877f6923d804c4ac7bb85cd4b0fb6beaf061 Date: Tue, 03 Jul 2018 15:35:53 +0100 Message-ID: <20180703143553.F2AD31081BA5@git01.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3495759732545268954==" List-Id: --===============3495759732545268954== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via a51b877f6923d804c4ac7bb85cd4b0fb6beaf061 (commit) via 400c8afd9841bed350c192099a34bc84f3a04535 (commit) via 55d590518d80b091cefc69991d43964e32cfe1aa (commit) from 37458540bf727df09989c10d640ad13c1a989029 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit a51b877f6923d804c4ac7bb85cd4b0fb6beaf061 Author: Michael Tremer Date: Tue Jul 3 15:33:04 2018 +0100 Update translations =20 
Signed-off-by: Michael Tremer commit 400c8afd9841bed350c192099a34bc84f3a04535 Author: Erik Kapfer Date: Wed Jun 27 09:34:21 2018 +0200 OpenVPN: x509 and DH-parameter check with Warnings and error messages in = WUI =20 Changes includes: Own crypto warning and error message in WUI (can be extended to configura= tion too). Check if DH-parameter is < 2048 bit with an error message and howto fix i= t. Check if md5 is still in use with an error message and suggestion how to = proceed further to fix it. Check for soon needed RFC3280 TLS rules compliants and suggestion how to = proceed further to fix it. Disabled 1024 bit DH-parameter upload. Changed de and en language files for DH-parameter upload (deleted 1024 bi= t). Added explanations to de and en language files for the above changes. Fixed Typo in en language file. =20 Signed-off-by: Erik Kapfer Signed-off-by: Michael Tremer commit 55d590518d80b091cefc69991d43964e32cfe1aa Author: Michael Tremer Date: Tue Jul 3 15:32:42 2018 +0100 Revert "OpenVPN: Clarify fundamental crypto errors but also warnings in W= UI" =20 This reverts commit 15a3aa45cf27c61a581f892b5f3a3905335a12b0. =20 Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: html/cgi-bin/ovpnmain.cgi | 78 +++++++++++++++++++++++++--------------------= -- langs/de/cgi-bin/de.pl | 4 +-- langs/en/cgi-bin/en.pl | 6 ++-- 3 files changed, 47 insertions(+), 41 deletions(-) Difference in files: diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c0c7cff6d..f06e7cf03 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -99,6 +99,8 @@ $cgiparams{'DCIPHER'} =3D ''; $cgiparams{'DAUTH'} =3D ''; $cgiparams{'TLSAUTH'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; =20 # Add CCD files if not already presant unless (-e $routes_push_file) { 
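Review bot: `&pkiconfigcheck;` uses the `&name;` call form, which passes the caller's current `@_` through to the sub rather than an empty argument list; write it as `pkiconfigcheck();` so the intent is plain. The sub reads `$cgiparams{'DH_NAME'}` and spawns openssl on every request, and at this point in the file only the defaults assigned just above are in `%cgiparams` (what `DH_NAME` holds here is not visible in the hunk), so it is worth confirming the check runs against the intended parameter file rather than an empty name that silently fails the `-f` guard. The enclosing top-level statement run continues outside the hunk.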
@@ -201,6 +203,45 @@ sub deletebackupcert } } =20 +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter =3D `/usr/bin/openssl dhparam -text -in ${General::swroot}= /ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit =3D ($dhparameter =3D~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror =3D "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature =3D `/usr/bin/openssl x509 -noout -text -in ${General::swroo= t}/ovpn/certs/servercert.pem`; + if ($signature =3D~ /md5WithRSAEncryption/) { + $cryptoerror =3D "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage =3D `/usr/bin/openssl x509 -noout -text -in ${General::= swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning =3D "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings =3D (); =20 my @temp =3D (); =20 
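Review bot: In pkiconfigcheck, `my @dhbit = ($dhparameter =~ /(\d+)/); if ($1 < 2048)` tests the first digit run anywhere in the openssl output rather than the parameter length, and `$1` is stale or undef when the match fails (the `@dhbit` capture is never read); on builds whose header reads `PKCS#3 DH Parameters: (N bit)` the first number would be `3`, so every parameter file would be reported as too short. Reuse the anchored form the upload check later in this same file relies on: `my ($dhbits) = $dhparameter =~ /DH Parameters: \((\d+) bit\)/;` and `if (!defined $dhbits || $dhbits < 2048) {`. The `goto CRYPTO_ERROR` only serves to skip the md5 block once `$cryptoerror` is set, which `if (!$cryptoerror && -f ...)` expresses without a label, and `CRYPTO_WARNING:` directly before the closing brace guards nothing and can be a plain `return;`. The `-in` path is built from `$cgiparams{'DH_NAME'}` and interpolated into a shell string; where that value is validated is not visible here, so list-form `open my $fh, '-|', '/usr/bin/openssl', 'dhparam', '-text', '-in', $path` would keep the shell out of the call regardless.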
@@ -1072,41 +1113,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{= 'NAME'}"){mkdir "${General =20 } =20 -### -### Check for cryptography problems -### - -# Warning if DH parameter is 1024 bit -if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my $dhlenght =3D `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovp= n/ca/dh1024.pem`; - if ($dhlenght =3D~ /1024 bit/) { - $cryptoerror =3D "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; - } -} - -# Warning if md5 is in usage -if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $signature =3D `/usr/bin/openssl x509 -noout -text -in ${General::swroot= }/ovpn/certs/servercert.pem`; - if ($signature =3D~ /md5WithRSAEncryption/) { - $cryptoerror =3D "$Lang::tr{'ovpn error md5'}"; - goto CRYPTO_ERROR; - } -} - -CRYPTO_ERROR: - -# Warning if certificate is not compliant to RFC3280 TLS rules -if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") { - my $extendkeyusage =3D `/usr/bin/openssl x509 -noout -text -in ${General::s= wroot}/ovpn/certs/servercert.pem`; - if ($extendkeyusage =3D~ /TLS Web Server Authentication/) { - $cryptowarning =3D "$Lang::tr{'ovpn warning rfc3280'}"; - goto CRYPTO_WARNING; - } -} - -CRYPTO_WARNING: - ### ### Save main settings ### @@ -1373,7 +1379,7 @@ END goto UPLOADCA_ERROR; } my $temp =3D `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { $errormessage =3D $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e1e9c970c..6e3dba4db 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -732,7 +732,7 @@ 'devices on blue' =3D> 'Ger=C3=A4te auf BLAU', 'dh' =3D> 'Diffie-Hellman-Parameter', 'dh key move failed' =3D> 'Verschieben der Diffie-Hellman-Parameter fehlgesc= hlagen.', -'dh key warn' =3D> 'Das Generieren der DH-Parameter mit 1024 oder 2048 Bit d= auert =C3=BCblicherweise mehrere Minuten. Schl=C3=BCssell=C3=A4ngen von 3072 = oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', +'dh key warn' =3D> 'Das Generieren eines DH-Parameter mit 2048 Bit dauert = =C3=BCblicherweise mehrere Minuten. Schl=C3=BCssell=C3=A4ngen von 3072 oder 4= 096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', 'dh key warn1' =3D> 'Bei schwachen Systemen oder Systeme mit wenig Entropie = wird empfohlen lange Diffie-Hellman-Parameter =C3=BCber die Upload-Funktion h= ochzuladen.', 'dh parameter' =3D> 'Diffie-Hellman-Parameter', 'dhcp advopt add' =3D> 'DHCP Option hinzuf=C3=BCgen', @@ -1710,7 +1710,7 @@ 'nonetworkname' =3D> 'Kein Netzwerkname wurde eingegeben', 'noservicename' =3D> 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' =3D> 'Kein g=C3=BCltiges CA Zertifikat.', -'not a valid dh key' =3D> 'Kein g=C3=BCltiger Diffie-Hellman-Parameter. Es s= ind nur Parameter mit einer L=C3=A4nge von 1024, 2048, 3072 oder 4096 Bit im = PKCS#3-Format erlaubt.', +'not a valid dh key' =3D> 'Kein g=C3=BCltiger Diffie-Hellman-Parameter. Es s= ind nur Parameter mit einer L=C3=A4nge von 2048, 3072 oder 4096 Bit im PKCS#3= -Format erlaubt.', 'not enough disk space' =3D> 'Nicht gen=C3=BCgend Plattenplatz vorhanden', 'not present' =3D> 'Nicht vorhanden', 'not running' =3D> 'nicht gestartet', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index d3847c92d..3ec5af57e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -754,7 +754,7 @@ 'devices on blue' =3D> 'Devices on BLUE', 'dh' =3D> 'Diffie-Hellman parameters', 'dh key move failed' =3D> 'Diffie-Hellman parameters move failed.', -'dh key warn' =3D> 'Creating DH-parameters with lengths of 1024 or 2048 bits= takes up to several minutes. Lengths of 3072 or 4096 bits might needs severa= l hours. Please be patient.', +'dh key warn' =3D> 'Creating DH-parameters with a length of 2048 bits takes = up to several minutes. Lengths of 3072 or 4096 bits might needs several hours= . Please be patient.', 'dh key warn1' =3D> 'For weak systems or systems with little entropy, it is = recommended to upload long Diffie-Hellman parameters by usage of the upload f= unction.', 'dh name is invalid' =3D> 'Name is invalid, please use "dh1024.pem".', 'dh parameter' =3D> 'Diffie-Hellman parameters', @@ -1742,7 +1742,7 @@ 'nonetworkname' =3D> 'No Network Name entered', 'noservicename' =3D> 'No Service Name entered', 'not a valid ca certificate' =3D> 'Not a valid CA certificate.', -'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', +'not a valid dh key' =3D> 'Not a valid Diffie-Hellman parameters file. Pleas= e use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' =3D> 'Not enough disk space', 'not present' =3D> 'Not present', 'not running' =3D> 'not running', @@ -1854,7 +1854,7 @@ 'ovpn errmsg invalid ip or mask' =3D> 'Invalid network-address or subnetmask= ', 'ovpn error dh' =3D> 'The Diffie-Hellman parameter needs to be in minimum 20= 48 bit!
Please generate or upload a new Diffie-Hellman parameter, this ca= n be made below in the section "Diffie-Hellman parameters options".
', 'ovpn error md5' =3D> 'You host certificate uses MD5 for the signature which= is not accepted anymore.
Please update to the latest IPFire version and = generate a new root and host certificate.

All OpenVPN clients needs t= hen to be renewed!
', -'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certifictae can take a long time.', +'ovpn generating the root and host certificates' =3D> 'Generating the root a= nd host certificate can take a long time.', 'ovpn ha' =3D> 'Hash algorithm', 'ovpn hmac' =3D> 'HMAC options', 'ovpn log' =3D> 'OVPN-Log', hooks/post-receive -- IPFire 2.x development tree --===============3495759732545268954==--