OpenVPN: Clarify fundamental crypto errors but also warnings in WUI
Since OpenVPN-2.4.x, many changes have been introduced. This patch should help users better understand errors in the cryptography. It also includes potential warnings for upcoming changes and needed adjustments in the system. This can also be extended in the future for upcoming configuration changes. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
committed by
Michael Tremer
parent
8ae4010b31
commit
15a3aa45cf
@@ -64,6 +64,8 @@ my %cahash=();
|
||||
my %selected=();
|
||||
my $warnmessage = '';
|
||||
my $errormessage = '';
|
||||
my $cryptoerror = '';
|
||||
my $cryptowarning = '';
|
||||
my %settings=();
|
||||
my $routes_push_file = '';
|
||||
my $confighost="${General::swroot}/fwhosts/customhosts";
|
||||
@@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
|
||||
close(CLIENTCONF);
|
||||
|
||||
}
|
||||
|
||||
|
||||
###
|
||||
### Check for cryptography problems
|
||||
###
|
||||
|
||||
# Warning if DH parameter is 1024 bit
|
||||
if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
|
||||
my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
|
||||
if ($dhlenght =~ /1024 bit/) {
|
||||
$cryptoerror = "$Lang::tr{'ovpn error dh'}";
|
||||
goto CRYPTO_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
# Warning if md5 is in usage
|
||||
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
|
||||
my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
|
||||
if ($signature =~ /md5WithRSAEncryption/) {
|
||||
$cryptoerror = "$Lang::tr{'ovpn error md5'}";
|
||||
goto CRYPTO_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
CRYPTO_ERROR:
|
||||
|
||||
# Warning if certificate is not compliant to RFC3280 TLS rules
|
||||
if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
|
||||
my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
|
||||
if ($extendkeyusage =~ /TLS Web Server Authentication/) {
|
||||
$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
|
||||
goto CRYPTO_WARNING;
|
||||
}
|
||||
}
|
||||
|
||||
CRYPTO_WARNING:
|
||||
|
||||
###
|
||||
### Save main settings
|
||||
###
|
||||
@@ -5135,6 +5172,20 @@ END
|
||||
&Header::closebox();
|
||||
}
|
||||
|
||||
if ($cryptoerror) {
|
||||
&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
|
||||
print "<class name='base'>$cryptoerror";
|
||||
print " </class>";
|
||||
&Header::closebox();
|
||||
}
|
||||
|
||||
if ($cryptowarning) {
|
||||
&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
|
||||
print "<class name='base'>$cryptowarning";
|
||||
print " </class>";
|
||||
&Header::closebox();
|
||||
}
|
||||
|
||||
if ($warnmessage) {
|
||||
&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
|
||||
print "$warnmessage<br>";
|
||||
|
||||
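Review bot: The DH and MD5 checks in the second hunk fail open: when `/usr/bin/openssl` is missing or exits non-zero, the backtick result is empty, neither regex matches and `$cryptoerror` stays unset, so a 1024-bit DH parameter or an MD5-signed server certificate passes silently; checking `$?` after each backtick and surfacing a non-zero status (for example through `$cryptowarning`) keeps a failed inspection from reading as a clean result. The RFC3280 block tests for `ovpn.cnf` but then reads `servercert.pem`, the same output the MD5 block already captured in `$signature`, so guarding on the certificate file (or reusing `$signature`) would avoid an openssl error when only the config exists. If the intent is to warn when the certificate lacks the server-authentication extension, as the RFC3280 wording suggests, the test reads inverted and should be `if ($extendkeyusage !~ /TLS Web Server Authentication/) {`. The `goto CRYPTO_ERROR` and `goto CRYPTO_WARNING` jumps land immediately after their own checks, so an `if`/`elsif` chain expresses the same flow without labels. In the third hunk `<class name='base'>` is not an HTML element; it mirrors the file's existing pattern, but `<p class='base'>` is what browsers actually style.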