To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 351113e21eecd730b33a2d73c1bb74eff9fcb845
X-Git-Refname: refs/heads/master
X-Git-Reftype: branch
X-Git-Oldrev: 198025111e37a80944dbab9ddd57967945e27949
X-Git-Newrev: 351113e21eecd730b33a2d73c1bb74eff9fcb845
Message-Id: <4cCvtl61BXz2xx8@people01.haj.ipfire.org>
Date: Fri, 29 Aug 2025 10:40:47 +0000 (UTC)
From: Michael Tremer
Precedence: list

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  351113e21eecd730b33a2d73c1bb74eff9fcb845 (commit)
       via  7c86a0354a4e5d0dc970c0500864a95ff60f04a3 (commit)
       via  676ce3b4cfdc72c758380da512ee3a00c370623e (commit)
       via  5339b5bc1ada6b4148384bc7db5e5b91b519c895 (commit)
       via  6c35b21c6760c6f9f6cfa57dbca0a5a917baa470 (commit)
      from  198025111e37a80944dbab9ddd57967945e27949 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 351113e21eecd730b33a2d73c1bb74eff9fcb845
Author: Michael Tremer
Date:   Fri Aug 29 11:40:06 2025 +0100

    ovpnmain.cgi: Initialize some checkboxes when storing settings

    This should hopefully resolve this problem:

    https://lists.ipfire.org/development/118761f0-24cd-4a62-b064-8d87dffc6b89@ipfire.org/

    Signed-off-by: Michael Tremer

commit 7c86a0354a4e5d0dc970c0500864a95ff60f04a3
Author: Michael Tremer
Date:   Fri Aug 29 11:35:50 2025 +0100

    Revert "ovpnmain.cgi: Apply default settings when neccessary"

    This reverts commit e04f5376ba18767a6a9eccf104c472295a75340b.
Signed-off-by: Michael Tremer commit 676ce3b4cfdc72c758380da512ee3a00c370623e Author: Michael Tremer Date: Fri Aug 29 11:33:48 2025 +0100 Revert "update.sh: Ensure ncp-disable is removed from config and DATACIPHERS added" This reverts commit 198025111e37a80944dbab9ddd57967945e27949. Signed-off-by: Michael Tremer commit 5339b5bc1ada6b4148384bc7db5e5b91b519c895 Author: Michael Tremer Date: Fri Aug 29 11:33:32 2025 +0100 Revert "backup.pl: Ensure ncp-disable is removed from old backups and DATACIPHERS added" This reverts commit 7245ddf773b78be5fd0675d2e260b3da7855ac2c. Signed-off-by: Michael Tremer commit 6c35b21c6760c6f9f6cfa57dbca0a5a917baa470 Author: Michael Tremer Date: Fri Aug 29 11:28:17 2025 +0100 ovpnmain.cgi: Remove dead code Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/backup/backup.pl | 5 ---- config/rootfiles/core/197/update.sh | 4 ---- html/cgi-bin/ovpnmain.cgi | 48 ++++++++++++++++--------------------- 3 files changed, 20 insertions(+), 37 deletions(-) Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 42d24aa3c..e79f510c6 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -350,11 +350,6 @@ restore_backup() { fi # Update the OpenVPN configuration and restart the openvpn daemons - if grep -q "ncp-disable" /var/ipfire/ovpn/server.conf; then - sed -r -e "/ncp-disable/d" -i /var/ipfire/ovpn/server.conf - echo "DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305" >> \ - /var/ipfire/ovpn/settings - fi sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi /etc/init.d/openvpn-n2n restart /etc/init.d/openvpn-rw restart diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh index f1800b2c0..0fd5cc6f0 100644 --- a/config/rootfiles/core/197/update.sh +++ b/config/rootfiles/core/197/update.sh 
@@ -123,10 +123,6 @@ ldconfig /usr/local/bin/filesystem-cleanup # Update the OpenVPN configuration -if grep -q "ncp-disable" /var/ipfire/ovpn/server.conf; then - sed -r -e "/ncp-disable/d" -i /var/ipfire/ovpn/server.conf - echo "DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305" >> /var/ipfire/ovpn/settings -fi sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi # Apply SSH configuration diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dfe7f8ad5..0b2513174 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -132,7 +132,7 @@ my $col=""; "MAX_CLIENTS" => 100, "MSSFIX" => "off", "TLSAUTH" => "on", -}) unless (%vpnsettings); +}); # Load CGI parameters &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -211,6 +211,21 @@ sub deletebackupcert } } +# Writes the OpenVPN RW server settings and ensures that some values are set +sub writesettings() { + # Initialize TLSAUTH + if ($vpnsettings{"TLSAUTH"} eq "") { + $vpnsettings{"TLSAUTH"} = "off"; + } + + # Initialize MSSFIX + if ($vpnsettings{"MSSFIX"} eq "") { + $vpnsettings{"MSSFIX"} = "off"; + } + + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); +} + sub writeserverconf { # Do we require the OpenSSL Legacy Provider? my $requires_legacy_provider = 0; @@ -1067,7 +1082,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } if ($cgiparams{'MSSFIX'} ne 'on') { - delete $vpnsettings{'MSSFIX'}; + $vpnsettings{'MSSFIX'} = "off"; } else { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } @@ -1124,7 +1139,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } # Store our configuration - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); + &writesettings(); # Write the server configuration &writeserverconf(); 
@@ -1419,7 +1434,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'}; # Store our configuration - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); + &writesettings(); # Write the OpenVPN server configuration &writeserverconf(); @@ -1596,7 +1611,6 @@ END $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); -# system('/usr/local/bin/ipsecctrl', 'R'); UPLOADCA_ERROR: @@ -1652,22 +1666,15 @@ END foreach my $key (keys %confighash) { my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); if (grep(/: OK/, @test)) { - # Delete connection -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $key); -# } unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# &writeipsecfiles(); } } unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); -# system('/usr/local/bin/ipsecctrl', 'R'); } else { $errormessage = $Lang::tr{'invalid key'}; } @@ -1710,7 +1717,6 @@ END unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); -# system('/usr/local/bin/ipsecctrl', 'R'); } } else { $errormessage = $Lang::tr{'invalid key'}; 
@@ -1978,7 +1984,7 @@ END $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); + &writesettings(); # Replace empty strings with a . (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; @@ -2178,10 +2184,6 @@ END ROOTCERT_SUCCESS: &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem"); -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLE_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'S'); -# } ### ### Enable/Disable connection @@ -3238,19 +3240,9 @@ END if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { $confighash{$cgiparams{'KEY'}}[0] = 'on'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); -# } } else { $confighash{$cgiparams{'KEY'}}[0] = 'off'; -# if ($vpnsettings{'ENABLED'} eq 'on' || -# $vpnsettings{'ENABLED_BLUE'} eq 'on') { -# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); -# } &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - #&writeserverconf(); } } else { $errormessage = $Lang::tr{'invalid key'}; hooks/post-receive -- IPFire 2.x development tree
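
Review bot: in config/backup/backup.pl, restore_backup() (hunk -350,11 +350,6), the exit status of "sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi" is not checked before the two init scripts are restarted. With the grep/sed cleanup removed, that call is the only remaining step under "# Update the OpenVPN configuration", so if it fails the daemons are restarted against whatever server.conf the restored backup contained, including one that still has ncp-disable. Suggest testing the result and logging a failure before "/etc/init.d/openvpn-n2n restart" and "/etc/init.d/openvpn-rw restart".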
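
Review bot: the revert that touches config/rootfiles/core/197/update.sh (hunk -123,10 +123,6) is undocumented: its message says only "This reverts commit 198025111e37a80944dbab9ddd57967945e27949." The removed lines did two things, deleting ncp-disable from server.conf and appending "DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305" to /var/ipfire/ovpn/settings, and nothing in the visible lines of this push sets DATACIPHERS for an upgraded system. Please state in the commit message where both are handled now, or that they are no longer needed and why.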
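
Review bot: dropping "unless (%vpnsettings)" from the end of the defaults block in html/cgi-bin/ovpnmain.cgi (hunk -132,7 +132,7) makes the block run on every request instead of only when no settings were loaded. The call that receives this hash is above the hunk and not visible, so it cannot be confirmed from the diff whether it fills in only missing keys or overwrites stored values for MAX_CLIENTS, MSSFIX and TLSAUTH. A one-line comment above the block stating which of the two applies would make the change safe to read in isolation.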
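
Review bot: the new writesettings() in ovpnmain.cgi (hunk -211,6 +211,21) rewrites an empty TLSAUTH to "off", while the defaults block in the hunk at -132,7 lists "TLSAUTH" => "on". The two fallbacks disagree, and the one applied at write time is the weaker setting and is applied silently. If the intent is "empty means the checkbox was not ticked", say so in the comment above the sub. Separately, $vpnsettings{"TLSAUTH"} eq "" and the same test on MSSFIX compare a value that may be undefined (the old code deleted the MSSFIX key), so a defined-or-empty test would be cleaner. The empty prototype in "sub writesettings()" has no effect when the sub is called as "&writesettings();" and can be dropped.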
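
Review bot: in the save-adv-options handler of ovpnmain.cgi (hunk -1067,7 +1082,7), the else branch still copies $cgiparams{'MSSFIX'} into the settings although the condition has already established that it equals 'on'. Assigning the literal in both branches, for example $vpnsettings{'MSSFIX'} = ($cgiparams{'MSSFIX'} eq 'on') ? 'on' : 'off'; keeps request data out of the stored value and makes the pair symmetrical. Note that writesettings() now also normalises an empty MSSFIX to "off", so the value is handled in two places; one of them should carry a comment pointing at the other.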
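
Review bot: in the CA removal loop of ovpnmain.cgi (hunk -1652,22 +1666,15), the "# Delete connection" comment was removed together with the dead ipsecctrl lines, so the unlink calls that delete every client certificate verifying against the CA being removed are now unexplained. Please keep a short comment there. While the block is being touched: &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash) runs once per deleted key inside the foreach and could move after the loop, and the first unlink path contains a doubled slash ("ovpn//certs").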
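
Review bot: after the cleanup in the enable/disable handler of ovpnmain.cgi (hunk -3238,19 +3240,9), both branches end with the identical call &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash). Hoisting it below the if/else leaves each branch as the single assignment to $confighash{$cgiparams{'KEY'}}[0] and removes the chance of the two copies drifting apart.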