* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. d38aabc45e2ef60da07178340e30e563c40a6052
@ 2025-04-02 9:59 Michael Tremer
From: Michael Tremer @ 2025-04-02 9:59 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via d38aabc45e2ef60da07178340e30e563c40a6052 (commit)
via 3014979c75a6e63cdb2698d1cf5c3ed9316fdccf (commit)
via 973f41b88d6ea9864a0a63b634b111e9fbc04a75 (commit)
via 2639101b2dcf28dee6100d199c70591490f931de (commit)
via 1fda10e584da6b99237c94aa4e652d97589c7df6 (commit)
via 85c0d3c1c73dfd8f625c99256f0e1706979b895e (commit)
via 41c7cc325e1e2f922de803842d0625e564f6771e (commit)
via 65434dcc7bc297e7d2feabd68f93de1eace598f3 (commit)
from 7ee3ce2371504df0e14b6cb19437d5290f38a6f1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d38aabc45e2ef60da07178340e30e563c40a6052
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 22:50:02 2025 +0200
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3014979c75a6e63cdb2698d1cf5c3ed9316fdccf
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 2 09:59:12 2025 +0000
Revert "backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc"
This reverts commit 1fda10e584da6b99237c94aa4e652d97589c7df6.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 973f41b88d6ea9864a0a63b634b111e9fbc04a75
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:08:02 2025 +0200
core194: Ship the backup file changes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2639101b2dcf28dee6100d199c70591490f931de
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:08:01 2025 +0200
core194: Ship the vpnmain.cgi changes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1fda10e584da6b99237c94aa4e652d97589c7df6
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:08:00 2025 +0200
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 85c0d3c1c73dfd8f625c99256f0e1706979b895e
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:07:59 2025 +0200
include: Add the contents of the ipsec certs directory to the backup
- Previously only the .pem files were backed up from the /var/ipfire/certs/ directory.
That was okay in the past as the serial and index files never changed after the
root/host cert set was created.
- With the renew process then the serial and index files get updated and these are needed
to match with the cert status that was backed up. Otherwise you could end up with one
set of values in the serial and index files that did not match with the restored
certs.
- This patch adds all the contents of the certs directory to the backup.
- Tested out on my vm testbed and successfully restored a backup and was able to connect
with the same client settings.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 41c7cc325e1e2f922de803842d0625e564f6771e
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:07:58 2025 +0200
vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate
- As the serial number is incremented now for each new cert that is created, then when a
client cert is deleted from the ipsec list in the wui then that cert must be revoked
otherwise it will still be listed in the .index file as a valid certificate and then
the certificate name and DN could never be used again.
- Running the revoke command when deleting a client cert leaves the details in the .index
file but the same name can then be re-used and will get a new serial number etc.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 65434dcc7bc297e7d2feabd68f93de1eace598f3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 1 20:07:57 2025 +0200
vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls
- This first part removes all usages of &cleanssldatabase with the client certificates.
This is not needed here. If used then the serial number would be moved back to 01 when
an existing client certificate is removed or a new one created, even if no errors
occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation
if it was successful, otherwise the index file is moved back to being empty and the
serial file to containing 01.
- The only usage now of the &cleanssldatabase is for when the root/host cert set is
being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number
is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs
directory and therefore also all the 01.pem, 02.pem etc files so the
&cleanssldatabase routine no longer needs to unlink the 01.pem file
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands
used covers the required cleaning, so it has been removed.
- This patch together with the others from this set have been tested out on my vm system
and I was able to create a new root/host cert set and then new client certs and make
an ipsec certificate connection successfully. I could then renew the host cert and
the client connection still worked.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/backup/backup.pl | 6 ++++
config/backup/include | 1 +
config/rootfiles/core/194/filelists/files | 3 ++
html/cgi-bin/vpnmain.cgi | 60 +++++++++++--------------------
4 files changed, 30 insertions(+), 40 deletions(-)
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 1c8c87d0a..0cfbd4fc3 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -307,6 +307,12 @@ restore_backup() {
# start collectd after restore
/etc/rc.d/init.d/collectd start
+ # Restart ipsec if enabled
+ # This will ensure that the restored certs and secrets etc are loaded and used
+ if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ] ; then
+ /usr/local/bin/ipsecctrl S
+ fi
+
return 0
}
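Review bot: the enabled check is fragile: `[ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ]` produces a shell error if the settings file is absent (grep then prints nothing on stdout and `[` is left with an empty operand) and silently skips the restart if the pattern is matched more than once or as the tail of another key. Anchoring the pattern and using grep's exit status avoids both: `if grep -q "^ENABLED=on$" /var/ipfire/vpn/settings; then`. The comment and the commit message say "restart" while the command is `ipsecctrl S`; please confirm that `S` restarts an already running daemon, otherwise a restore over a live IPsec would keep the old certs loaded.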
diff --git a/config/backup/include b/config/backup/include
index 0bf9440d3..7e1e9a76a 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -28,6 +28,7 @@ var/ipfire/backup/addons/backup
var/ipfire/backup/exclude.user
var/ipfire/backup/include.user
var/ipfire/captive/*
+var/ipfire/certs
var/ipfire/*/*.conf
var/ipfire/*/config
var/ipfire/dhcp/*
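Review bot: `var/ipfire/certs` pulls the whole directory into the backup, not only the serial and index files the commit message motivates. The vpnmain.cgi hunk further down unlinks `${General::swroot}/certs/<name>.p12` for deleted connections, so this directory also holds the per-connection PKCS#12 bundles, which contain private keys; the backup archive therefore now carries key material for every client and its storage and download handling need to treat it as secret. That consequence is worth stating in the commit message and in the include file as a comment next to the new line.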
diff --git a/config/rootfiles/core/194/filelists/files b/config/rootfiles/core/194/filelists/files
index a16782a5c..03dfa2929 100644
--- a/config/rootfiles/core/194/filelists/files
+++ b/config/rootfiles/core/194/filelists/files
@@ -3,3 +3,6 @@ etc/rc.d/init.d/functions
srv/web/ipfire/cgi-bin/aliases.cgi
srv/web/ipfire/cgi-bin/pakfire.cgi
etc/ssl/openssl.cnf
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+var/ipfire/backup/include
+var/ipfire/backup/bin/backup.pl
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e30506fdf..1c9f9243b 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -200,27 +200,6 @@ sub cleanssldatabase {
unlink ("${General::swroot}/certs/index.txt.old");
unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
- unlink ("${General::swroot}/certs/01.pem");
-}
-sub newcleanssldatabase {
- if (! -s "${General::swroot}/certs/serial" ) {
- open(FILE, ">${General::swroot}/certs/serial");
- print FILE "01";
- close FILE;
- }
- if (! -s ">${General::swroot}/certs/index.txt") {
- open(FILE, ">${General::swroot}/certs/index.txt");
- close(FILE);
- }
- if (! -s ">${General::swroot}/certs/index.txt.attr") {
- open(FILE, ">${General::swroot}/certs/index.txt.attr");
- print FILE "unique_subject = yes";
- close(FILE);
- }
- unlink ("${General::swroot}/certs/index.txt.old");
- unlink ("${General::swroot}/certs/index.txt.attr.old");
- unlink ("${General::swroot}/certs/serial.old");
-# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
}
###
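Review bot: removing `newcleanssldatabase` drops the only code visible in this diff that initialises `serial` to `01` and writes `unique_subject = yes` into `index.txt.attr` when those files are missing or empty; the visible tail of `cleanssldatabase` only unlinks the `.old` files. Please confirm that the part of `cleanssldatabase` above this hunk (or the install scripts) still creates these files, because `openssl ca` fails on a system where they are absent. Note also that the removed tests `-s ">${General::swroot}/certs/index.txt"` and `-s ">${General::swroot}/certs/index.txt.attr"` carried a stray `>` in the path and so never matched a real file; that latent bug disappears with this removal, which is worth a sentence in the commit message.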
@@ -889,8 +868,6 @@ END
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
$cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
- &newcleanssldatabase();
-
if (-f "${General::swroot}/ca/cacert.pem") {
$errormessage = $Lang::tr{'valid root certificate already exists'};
goto ROOTCERT_SKIP;
@@ -1004,7 +981,6 @@ END
# IPFire can only import certificates
&General::log("charon", "p12 import completed!");
- &cleanssldatabase();
goto ROOTCERT_SUCCESS;
} elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
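Review bot: this removes the `&cleanssldatabase()` call that ran after "p12 import completed!", while the commit message says the call is kept "if an uploaded cert has been checked as good to install". If the remaining call sits earlier in the upload path, say so in the commit message; if it does not, an uploaded root/host set would now be installed on top of whatever `index.txt` and `serial` held before, which is the stale-database state this series is trying to eliminate.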
@@ -1170,7 +1146,6 @@ END
# Successfully build CA / CERT!
if (!$errormessage) {
- &cleanssldatabase();
goto ROOTCERT_SUCCESS;
}
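Review bot: dropping the reset after a successful root/host build means that, if the host cert is signed with `openssl ca`, its entry now stays in `index.txt` with `unique_subject = yes` in effect. The commit message says removing the x509 root/host set unlinks all `.pem` files; that removal path should also reset `index.txt` and `serial` (i.e. call `cleanssldatabase`), otherwise regenerating a root/host set with the same DN is refused by `openssl ca` as a duplicate subject.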
@@ -1620,17 +1595,25 @@ END
&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- if ($confighash{$cgiparams{'KEY'}}) {
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
- delete $confighash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
- &General::firewall_reload();
+ if ($confighash{$cgiparams{'KEY'}}) {
+ # Revoke the removed certificate
+ if (!$errormessage) {
+ &General::log("charon", "Revoking the removed client cert...");
+ my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem";
+ $errormessage = &callssl($opt);
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ delete $confighash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+ } else {
+ goto VPNCONF_ERROR;
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+ &General::firewall_reload();
###
### Choose between adding a host-net or net-net connection
###
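Review bot: the result of the revoke is assigned to `$errormessage` but never checked before the certificate and `.p12` are unlinked and the connection is deleted from the config; if `openssl ca -revoke` fails (for example because the cert file is already gone), the connection disappears while the index still lists the cert as valid, which is exactly the state this change is meant to prevent, and the user only sees the error afterwards. Suggest checking it right after the call, before the `unlink` calls: `$errormessage = &callssl($opt); goto VPNCONF_ERROR if ($errormessage);`, and logging the outcome either way. Two smaller points: the `if (!$errormessage)` guard above the revoke can only be false if `$errormessage` was set earlier in the handler, so the `else { goto VPNCONF_ERROR; }` branch is effectively dead here; and `&General::firewall_reload();` lost one level of indentation compared with the line it replaces.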
@@ -1933,11 +1916,9 @@ END
if ( $errormessage = &callssl ($opt) ) {
unlink ($filename);
unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- &cleanssldatabase();
goto VPNCONF_ERROR;
} else {
unlink ($filename);
- &cleanssldatabase();
}
$cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
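Review bot: with the cleanup call removed from both branches, the `index.txt.old`, `index.txt.attr.old` and `serial.old` files that `openssl ca` leaves behind after each signing are no longer deleted, so they accumulate in `certs/` and, with the new `var/ipfire/certs` backup include, end up in every backup. Harmless, but if that is unintended the three `unlink` calls at the top of `cleanssldatabase` could be split into a small helper that is still run here without touching `serial` or `index.txt`.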
@@ -2220,7 +2201,6 @@ END
} else {
unlink ($v3extname);
unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
- &cleanssldatabase();
}
# Create the pkcs12 file
hooks/post-receive
--
IPFire 2.x development tree