* [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
@ 2023-06-04 18:57 Adolf Belka
  2023-06-04 18:57 ` [PATCH 2/2] update.sh: " Adolf Belka
  2023-06-05 10:31 ` [PATCH 1/2] ovpnmain.cgi: " Michael Tremer
  0 siblings, 2 replies; 5+ messages in thread
From: Adolf Belka @ 2023-06-04 18:57 UTC (permalink / raw)
  To: development
[-- Attachment #1: Type: text/plain, Size: 3537 bytes --]
- With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line
   providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
   a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
   files need to have the -legacy option added to them.
Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5..88106251e 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "# Activate Management Interface and Port\n";
   if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
   else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
+  print CLIENTCONF "providers legacy default\n";
   close(CLIENTCONF);
 
 }
@@ -1648,7 +1649,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
 		    '-in', $filename,
 		    '-out', "$tempdir/cacert.pem")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1671,7 +1672,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
 		    '-in', $filename,
 		    '-out', "$tempdir/hostcert.pem")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1694,7 +1695,7 @@ END
 		goto ROOTCERT_ERROR;
 	    }
 	} else {	# child
-	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
+	    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
 		    '-nodes',
 		    '-in', $filename,
 		    '-out', "$tempdir/serverkey.pem")) {
@@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
+   print CLIENTCONF "providers legacy default\n";
 
 
     close(CLIENTCONF);
@@ -3296,6 +3298,7 @@ END
 	print FILE "# Logfile\n";
 	print FILE "status-version 1\n";
 	print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
+	print FILE "providers legacy default\n";
 	close FILE;
 
 	unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	    # Create the pkcs12 file
 	    # The system call is safe, because all arguments are passed as an array.
-	    system('/usr/bin/openssl', 'pkcs12', '-export',
+	    system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
 		'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
 		'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
 		'-name', $cgiparams{'NAME'},
-- 
2.40.1
^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH 2/2] update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
  2023-06-04 18:57 [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x Adolf Belka
@ 2023-06-04 18:57 ` Adolf Belka
  2023-06-05 10:32   ` Michael Tremer
  2023-06-05 10:31 ` [PATCH 1/2] ovpnmain.cgi: " Michael Tremer
  1 sibling, 1 reply; 5+ messages in thread
From: Adolf Belka @ 2023-06-04 18:57 UTC (permalink / raw)
  To: development
[-- Attachment #1: Type: text/plain, Size: 1549 bytes --]
- This modification will check if ovpnconfig exists and is not empty. If so then it will
   check for all n2n connections and if they are Client configs will check if
   "providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/core/175/update.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
     /boot/pakfire-kernel-update ${KVER}
 fi
 
+## Add providers legacy default line to n2n client config files
+# Check if ovpnconfig exists and is not empty
+if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
+       # Identify all n2n connections
+       for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
+           # Add the legacy option to all N2N client conf files
+		if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
+			if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
+				echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
+			fi
+		fi
+       done
+fi
+
 # This update needs a reboot...
 touch /var/run/need_reboot
 
-- 
2.40.1
^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
  2023-06-04 18:57 [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x Adolf Belka
  2023-06-04 18:57 ` [PATCH 2/2] update.sh: " Adolf Belka
@ 2023-06-05 10:31 ` Michael Tremer
  1 sibling, 0 replies; 5+ messages in thread
From: Michael Tremer @ 2023-06-05 10:31 UTC (permalink / raw)
  To: development
[-- Attachment #1: Type: text/plain, Size: 4136 bytes --]
Hello Adolf,
Thank you very much for putting all this effort in to solve such an annoying problem.
> On 4 Jun 2023, at 19:57, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line
>   providers legacy default is required in the n2nconf file to enable it to start.
> - Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
>   a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
>   files need to have the -legacy option added to them.
> 
> Fixes: Bug#13137
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 5c4fad0a5..88106251e 100755
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
>   print CLIENTCONF "# Activate Management Interface and Port\n";
>   if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
>   else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
> +  print CLIENTCONF "providers legacy default\n";
>   close(CLIENTCONF);
> 
> }
> @@ -1648,7 +1649,7 @@ END
> goto ROOTCERT_ERROR;
>    }
> } else { # child
> -    unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
> +    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
>    '-in', $filename,
>    '-out', "$tempdir/cacert.pem")) {
> $errormessage = "$Lang::tr{'cant start openssl'}: $!";
> @@ -1671,7 +1672,7 @@ END
> goto ROOTCERT_ERROR;
>    }
> } else { # child
> -    unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
> +    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
>    '-in', $filename,
>    '-out', "$tempdir/hostcert.pem")) {
> $errormessage = "$Lang::tr{'cant start openssl'}: $!";
> @@ -1694,7 +1695,7 @@ END
> goto ROOTCERT_ERROR;
>    }
> } else { # child
> -    unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
> +    unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
>    '-nodes',
>    '-in', $filename,
>    '-out', "$tempdir/serverkey.pem")) {
> @@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
>    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
>     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
>    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
> +   print CLIENTCONF "providers legacy default\n";
> 
> 
>     close(CLIENTCONF);
> @@ -3296,6 +3298,7 @@ END
> print FILE "# Logfile\n";
> print FILE "status-version 1\n";
> print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
> + print FILE "providers legacy default\n";
> close FILE;
I just wanted to highlight that I believe that we won’t be dropping this line any time soon. Hopefully that won’t become a problem once distributions decide to no longer ship the legacy module - or if it gets removed from OpenSSL entirely.
I believe that at this point we have no other options.
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
> @@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
> 
>    # Create the pkcs12 file
>    # The system call is safe, because all arguments are passed as an array.
> -    system('/usr/bin/openssl', 'pkcs12', '-export',
> +    system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
> '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
> '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
> '-name', $cgiparams{'NAME'},
> -- 
> 2.40.1
> 
^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
  2023-06-04 18:57 ` [PATCH 2/2] update.sh: " Adolf Belka
@ 2023-06-05 10:32   ` Michael Tremer
  2023-06-05 12:00     ` Adolf Belka
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Tremer @ 2023-06-05 10:32 UTC (permalink / raw)
  To: development
[-- Attachment #1: Type: text/plain, Size: 1937 bytes --]
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
We need to consider that people might overwrite this when they restore an older backup.
So I am not sure whether we want those lines added to the backup scripts as well.
-Michael
> On 4 Jun 2023, at 19:57, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - This modification will check if ovpnconfig exists and is not empty. If so then it will
>   check for all n2n connections and if they are Client configs will check if
>   "providers legacy default" is not already present and if so will add it.
> 
> Fixes: Bug#13137
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/core/175/update.sh | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
> diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
> index 5e45c819f..82676bc72 100644
> --- a/config/rootfiles/core/175/update.sh
> +++ b/config/rootfiles/core/175/update.sh
> @@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
>     /boot/pakfire-kernel-update ${KVER}
> fi
> 
> +## Add providers legacy default line to n2n client config files
> +# Check if ovpnconfig exists and is not empty
> +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
> +       # Identify all n2n connections
> +       for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
> +           # Add the legacy option to all N2N client conf files
> + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
> + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
> + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
> + fi
> + fi
> +       done
> +fi
> +
> # This update needs a reboot...
> touch /var/run/need_reboot
> 
> -- 
> 2.40.1
> 
^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
  2023-06-05 10:32   ` Michael Tremer
@ 2023-06-05 12:00     ` Adolf Belka
  0 siblings, 0 replies; 5+ messages in thread
From: Adolf Belka @ 2023-06-05 12:00 UTC (permalink / raw)
  To: development
[-- Attachment #1: Type: text/plain, Size: 2239 bytes --]
Hi Michael,
On 05/06/2023 12:32, Michael Tremer wrote:
> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> 
> We need to consider that people might overwrite this when they restore an older backup.
> 
> So I am not sure whether we want those lines added to the backup scripts as well.
That is a good idea. I have created a patch to do that, tested it out and it worked. It only adds the line if it doesn't already exist. The patch has been submitted.
Regards,
Adolf.
> 
> -Michael
> 
>> On 4 Jun 2023, at 19:57, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> - This modification will check if ovpnconfig exists and is not empty. If so then it will
>>    check for all n2n connections and if they are Client configs will check if
>>    "providers legacy default" is not already present and if so will add it.
>>
>> Fixes: Bug#13137
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> config/rootfiles/core/175/update.sh | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
>> index 5e45c819f..82676bc72 100644
>> --- a/config/rootfiles/core/175/update.sh
>> +++ b/config/rootfiles/core/175/update.sh
>> @@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then
>>      /boot/pakfire-kernel-update ${KVER}
>> fi
>>
>> +## Add providers legacy default line to n2n client config files
>> +# Check if ovpnconfig exists and is not empty
>> +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
>> +       # Identify all n2n connections
>> +       for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
>> +           # Add the legacy option to all N2N client conf files
>> + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
>> + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
>> + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
>> + fi
>> + fi
>> +       done
>> +fi
>> +
>> # This update needs a reboot...
>> touch /var/run/need_reboot
>>
>> -- 
>> 2.40.1
>>
> 
^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-06-05 12:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-04 18:57 [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x Adolf Belka
2023-06-04 18:57 ` [PATCH 2/2] update.sh: " Adolf Belka
2023-06-05 10:32   ` Michael Tremer
2023-06-05 12:00     ` Adolf Belka
2023-06-05 10:31 ` [PATCH 1/2] ovpnmain.cgi: " Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox