public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, core175, updated. 3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5
@ 2023-06-05 19:56 Michael Tremer
From: Michael Tremer @ 2023-06-05 19:56 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core175 has been updated
       via  3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5 (commit)
       via  94aa82fa619448229737bf545b768f0ca7177b0c (commit)
       via  495ea08478cb9520fb9d94fff43ace46f6c3a368 (commit)
       via  9eb2086e0f3b6feb6e52d01c7faf5d79791650ea (commit)
       via  2054306c632046c052e67eee1220abef42c34b5d (commit)
       via  0b216134c2107ac0dccccac15a97db0082c84678 (commit)
      from  9797af30061946db16ab7bbca1635865d9318336 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3d2beee7b11a5eb1f42fa6478469fa8827e2a5e5
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Jun 5 14:52:01 2023 +0000

    Core Update 175: Ship vpnmain.cgi
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 94aa82fa619448229737bf545b768f0ca7177b0c
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sat Jun 3 16:05:41 2023 +0200

    vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
    
    - The change to openssl-3.x results in the openssl commands that start with ca failing
       with the error message
         OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file
         routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL>
         name=unique_subject
    - The fix for this is to include the unique_subject = yes line into
       /var/ipfire/certs/index.txt.attr
    - Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands
       dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being
       accessed with openssl-3.x due to the no longer supported algorithm. These can be
       accessed if the -legacy option is added to every openssl command dealing with pkcs12
    
    Fixes: Bug#13138
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 495ea08478cb9520fb9d94fff43ace46f6c3a368
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Jun 5 14:51:09 2023 +0000

    Core Update 175: Ship backup.pl
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 9eb2086e0f3b6feb6e52d01c7faf5d79791650ea
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Mon Jun 5 13:55:29 2023 +0200

    backup.pl: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
    
    - This code adds the "providers legacy default" line into OpenVPN N2N Client config files
       when restoring them in case it is missing from a backup earlier than CU175.
       Only adds the line if it is not already present.
    - Tested out on my vm testbed system
    
    Fixes: Bug#13137
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 2054306c632046c052e67eee1220abef42c34b5d
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jun 4 20:57:09 2023 +0200

    update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
    
    - This modification will check if ovpnconfig exists and is not empty. If so then it will
       check for all n2n connections and if they are Client configs will check if
       "providers legacy default" is not already present and if so will add it.
    
    Fixes: Bug#13137
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0b216134c2107ac0dccccac15a97db0082c84678
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Sun Jun 4 20:57:08 2023 +0200

    ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
    
    - With an n2n connection .p12 certificate created with openssl-1.1.1x the line
       providers legacy default is required in the n2nconf file to enable it to start.
    - Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
       a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
       files need to have the -legacy option added to them.
    
    Fixes: Bug#13137
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                   | 15 +++++++++++++++
 config/rootfiles/core/175/filelists/files |  2 ++
 config/rootfiles/core/175/update.sh       | 14 ++++++++++++++
 html/cgi-bin/ovpnmain.cgi                 | 11 +++++++----
 html/cgi-bin/vpnmain.cgi                  | 15 ++++++++-------
 5 files changed, 46 insertions(+), 11 deletions(-)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 96e794439..8d990c0f1 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -189,6 +189,21 @@ restore_backup() {
 
 	# Update OpenVPN CRL
 	/etc/fcron.daily/openvpn-crl-updater
+	
+	# Update OpenVPN N2N Client Configs
+	## Add providers legacy default line to n2n client config files
+	# Check if ovpnconfig exists and is not empty
+	if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+	       # Identify all n2n connections
+	       for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+	           # Add the legacy option to all N2N client conf files if it does not already exist
+			if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
+				if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
+					echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
+				fi
+			fi
+	       done
+	fi
 
 	return 0
 }
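Review bot: the two `[ $(grep -c ...) -eq N ]` tests break whenever `/var/ipfire/ovpn/n2nconf/${y}/${y}.conf` does not exist: grep then writes nothing to stdout, the unquoted substitution collapses to `[ -eq 1 ]`, and the shell reports a syntax error for that connection (noise on stderr, connection skipped). `if grep -qs "Open VPN Client Config" "$f" && ! grep -qs "providers legacy default" "$f"; then` handles a missing file silently and removes the word-splitting risk. Two smaller points: the awk pattern `/net/` is matched against the whole comma-separated line rather than the connection-type field, so any line that merely contains "net" somewhere is selected too (harmless only because of the "Open VPN Client Config" check that follows), and the line added directly after the CRL updater call is whitespace-only while the rest of the block mixes tab and space indentation.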
diff --git a/config/rootfiles/core/175/filelists/files b/config/rootfiles/core/175/filelists/files
index 8b36d5847..6ff583e76 100644
--- a/config/rootfiles/core/175/filelists/files
+++ b/config/rootfiles/core/175/filelists/files
@@ -85,5 +85,7 @@ lib/firmware/rtw89/rtw8852b_fw-1.bin
 srv/web/ipfire/cgi-bin/backup.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/lib/dracut/dracut.conf.d/ipfire.conf
 usr/lib/firewall/rules.pl
+var/ipfire/backup/bin/backup.pl
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
     /boot/pakfire-kernel-update ${KVER}
 fi
 
+## Add providers legacy default line to n2n client config files
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+       # Identify all n2n connections
+       for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+           # Add the legacy option to all N2N client conf files
+		if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
+			if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
+				echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
+			fi
+		fi
+       done
+fi
+
 # This update needs a reboot...
 touch /var/run/need_reboot
 
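Review bot: this block is a line-for-line copy of the one added to `restore_backup()` in `config/backup/backup.pl` in the same patch, so every fix (the unquoted `$(grep -c ...)` substitutions that turn into `[ -eq 1 ]` for a connection without a conf file, the line-wide `/net/` awk match) has to be applied twice; a shared helper, or at least two identical copies, would keep them from drifting. Indentation also mixes styles within the block: the awk/for lines use spaces, the inner `if` lines use tabs.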
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5..88106251e 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "# Activate Management Interface and Port\n";
   if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
   else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
+  print CLIENTCONF "providers legacy default\n";
   close(CLIENTCONF);
 
 }
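Review bot: the new `print CLIENTCONF "providers legacy default\n";` is the only directive in this block not introduced by a comment; one line saying why the legacy provider is loaded (the .p12 files were encrypted with algorithms that OpenSSL 3 moved into the legacy provider, as the commit message explains) would tell a future maintainer under what condition the directive can be dropped again.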
@@ -1648,7 +1649,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
 		    '-in', $filename,
 		    '-out', "$tempdir/cacert.pem")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
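Review bot: `-legacy` makes the command load OpenSSL's legacy provider module, so the import now fails outright when that module (`legacy.so`) is not installed, even for a .p12 that would have opened without it; nothing in this series checks for or ships the module, so it is worth confirming it is part of the openssl package delivered with Core Update 175. The argument-array `exec` form is kept, so the added flag introduces no shell-quoting exposure.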
@@ -1671,7 +1672,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
 		    '-in', $filename,
 		    '-out', "$tempdir/hostcert.pem")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1694,7 +1695,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
 		    '-nodes',
 		    '-in', $filename,
 		    '-out', "$tempdir/serverkey.pem")) {
@@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
+   print CLIENTCONF "providers legacy default\n";
 
 
     close(CLIENTCONF);
@@ -3296,6 +3298,7 @@ END
 	print FILE "# Logfile\n";
 	print FILE "status-version 1\n";
 	print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
+	print FILE "providers legacy default\n";
 	close FILE;
 
 	unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
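Review bot: this is the third place in ovpnmain.cgi that now writes `providers legacy default` into an n2n client configuration (the two `CLIENTCONF` writers earlier in this patch plus this uploaded-config rewrite), each as a separate string literal; a single helper or shared constant that emits the directive would keep the three from diverging when the legacy provider is eventually removed.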
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	    # Create the pkcs12 file
 	    # The system call is safe, because all arguments are passed as an array.
-	    system('/usr/bin/openssl', 'pkcs12', '-export',
+	    system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
 		'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
 		'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
 		'-name', $cgiparams{'NAME'},
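Review bot: adding `-legacy` to `pkcs12 -export` changes what new files are written, not only what can be read: in legacy mode OpenSSL 3 encrypts the certificates with RC2-40-CBC (or 3DES where RC2 is disabled in the build) and the private key with 3DES, whereas without the flag it uses AES-256-CBC with PBKDF2. Since this call creates a fresh .p12 for a newly defined connection, exporting with the defaults and reserving `-legacy` for the three import paths above would mean new connections no longer depend on the legacy provider at all; only clients known to be unable to read AES/PBKDF2 PKCS#12 files would justify keeping the legacy format here.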
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 6c1fd4cf0..f2aeecdf9 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -193,7 +193,7 @@ sub cleanssldatabase {
 		close FILE;
 	}
 	if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
-		print FILE "";
+		print FILE "unique_subject = yes";
 		close FILE;
 	}
 	unlink ("${General::swroot}/certs/index.txt.old");
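Review bot: `print FILE "unique_subject = yes";` writes the attr file without a trailing newline; `"unique_subject = yes\n"` is the usual form and avoids a final line with no newline. The commit message could also state that `yes` is OpenSSL's own default for this attribute, so `openssl ca` keeps refusing a second valid certificate with the same subject exactly as it did before the empty file started triggering the NCONF error.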
@@ -213,6 +213,7 @@ sub newcleanssldatabase {
 	}
 	if (! -s ">${General::swroot}/certs/index.txt.attr") {
 		open(FILE, ">${General::swroot}/certs/index.txt.attr");
+		print FILE "unique_subject = yes";
 		close(FILE);
 	}
 	unlink ("${General::swroot}/certs/index.txt.old");
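Review bot: the condition directly above the new print, `if (! -s ">${General::swroot}/certs/index.txt.attr")`, tests a path that begins with a literal `>` character, which never exists, so the branch always runs and the file is always rewritten; that happens to make the new `unique_subject = yes` line land reliably, but the evident intent (create the file only when it is missing or empty) needs `-s "${General::swroot}/certs/index.txt.attr"` without the `>`. As in `cleanssldatabase`, the print lacks a trailing `\n`.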
@@ -907,7 +908,7 @@ END
 		# Extract the CA certificate from the file
 		&General::log("ipsec", "Extracting caroot from p12...");
 		if (open(STDIN, "-|")) {
-			my $opt = " pkcs12 -cacerts -nokeys";
+			my $opt = " pkcs12 -legacy -cacerts -nokeys";
 			$opt .= " -in $filename";
 			$opt .= " -out /tmp/newcacert";
 			$errormessage = &callssl ($opt);
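Review bot: `-legacy` loads the legacy provider in addition to the default one, so this path continues to read .p12 files produced by OpenSSL 3 with AES-256-CBC/PBKDF2 as well as the RC2/3DES ones from 1.1.1; no fallback invocation without the flag is needed, which is worth a short note in the commit message since the same flag is being added to every pkcs12 call.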
@@ -920,7 +921,7 @@ END
 		if (!$errormessage) {
 			&General::log("ipsec", "Extracting host cert from p12...");
 			if (open(STDIN, "-|")) {
-				my $opt = " pkcs12 -clcerts -nokeys";
+				my $opt = " pkcs12 -legacy -clcerts -nokeys";
 				$opt .= " -in $filename";
 				$opt .= " -out /tmp/newhostcert";
 				$errormessage = &callssl ($opt);
@@ -934,7 +935,7 @@ END
 		if (!$errormessage) {
 			&General::log("ipsec", "Extracting private key from p12...");
 			if (open(STDIN, "-|")) {
-				my $opt = " pkcs12 -nocerts -nodes";
+				my $opt = " pkcs12 -legacy -nocerts -nodes";
 				$opt .= " -in $filename";
 				$opt .= " -out /tmp/newhostkey";
 				$errormessage = &callssl ($opt);
@@ -1939,7 +1940,7 @@ END
 		# Extract the CA certificate from the file
 		&General::log("ipsec", "Extracting caroot from p12...");
 		if (open(STDIN, "-|")) {
-			my $opt = " pkcs12 -cacerts -nokeys";
+			my $opt = " pkcs12 -legacy -cacerts -nokeys";
 			$opt .= " -in $filename";
 			$opt .= " -out /tmp/newcacert";
 			$errormessage = &callssl ($opt);
@@ -1952,7 +1953,7 @@ END
 		if (!$errormessage) {
 			&General::log("ipsec", "Extracting host cert from p12...");
 			if (open(STDIN, "-|")) {
-				my $opt = " pkcs12 -clcerts -nokeys";
+				my $opt = " pkcs12 -legacy -clcerts -nokeys";
 				$opt .= " -in $filename";
 				$opt .= " -out /tmp/newhostcert";
 				$errormessage = &callssl ($opt);
@@ -2197,7 +2198,7 @@ END
 
 		# Create the pkcs12 file
 		&General::log("ipsec", "Packing a pkcs12 file...");
-		$opt = " pkcs12 -export";
+		$opt = " pkcs12 -legacy -export";
 		$opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 		$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 		$opt .= " -name \"$cgiparams{'NAME'}\"";
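Review bot: as with the export in ovpnmain.cgi, `-legacy` on `pkcs12 -export` selects the legacy RC2/3DES encryption for a newly created file instead of OpenSSL 3's AES-256-CBC/PBKDF2 default; unless the IPsec clients that will import this file are known to require the old format, leaving the export at the defaults and keeping `-legacy` only on the extraction commands above would avoid producing new files that themselves need the legacy provider.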


hooks/post-receive
--
IPFire 2.x development tree
