IPsec: Mark MODP<=1024 and MD5 as broken and SHA1 as weak

Since we somehow have to support these algorithms, this patch
adds a hint for the user that using them in production is
very strongly discouraged.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2017-04-20 12:53:53 +01:00
parent 2c2cf3918b
commit c94d1976d3
11 changed files with 34 additions and 8 deletions


@@ -1143,6 +1143,7 @@ WARNING: untranslated string: uptime load average
WARNING: untranslated string: urlfilter redirect template
WARNING: untranslated string: vendor
WARNING: untranslated string: visit us at
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn keyexchange
WARNING: untranslated string: vpn on-demand
@@ -1152,6 +1153,7 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak
WARNING: untranslated string: wlan client
WARNING: untranslated string: wlan client advanced settings
WARNING: untranslated string: wlan client and


@@ -1160,6 +1160,7 @@ WARNING: untranslated string: urlfilter mode block
WARNING: untranslated string: urlfilter redirect template
WARNING: untranslated string: vendor
WARNING: untranslated string: visit us at
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn keyexchange
WARNING: untranslated string: vpn on-demand
@@ -1169,6 +1170,7 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak
WARNING: untranslated string: wlan client
WARNING: untranslated string: wlan client advanced settings
WARNING: untranslated string: wlan client and


@@ -819,6 +819,7 @@ WARNING: untranslated string: search
WARNING: untranslated string: unblock
WARNING: untranslated string: unblock all
WARNING: untranslated string: uncheck all
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn on-demand
WARNING: untranslated string: vpn start action
@@ -827,3 +828,4 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak


@@ -867,6 +867,7 @@ WARNING: untranslated string: unblock all
WARNING: untranslated string: uncheck all
WARNING: untranslated string: upload dh key
WARNING: untranslated string: vendor
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn on-demand
WARNING: untranslated string: vpn start action
@@ -875,3 +876,4 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak


@@ -1143,6 +1143,7 @@ WARNING: untranslated string: uptime load average
WARNING: untranslated string: urlfilter redirect template
WARNING: untranslated string: vendor
WARNING: untranslated string: visit us at
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn keyexchange
WARNING: untranslated string: vpn on-demand
@@ -1152,6 +1153,7 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak
WARNING: untranslated string: wlan client
WARNING: untranslated string: wlan client advanced settings
WARNING: untranslated string: wlan client and


@@ -1138,6 +1138,7 @@ WARNING: untranslated string: uptime load average
WARNING: untranslated string: urlfilter redirect template
WARNING: untranslated string: vendor
WARNING: untranslated string: visit us at
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn force mobike
WARNING: untranslated string: vpn keyexchange
WARNING: untranslated string: vpn on-demand
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistic n2n
WARNING: untranslated string: vpn statistic rw
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak
WARNING: untranslated string: wlan client
WARNING: untranslated string: wlan client advanced settings
WARNING: untranslated string: wlan client and


@@ -753,8 +753,10 @@ WARNING: untranslated string: route config changed
WARNING: untranslated string: routing config added
WARNING: untranslated string: routing config changed
WARNING: untranslated string: routing table
WARNING: untranslated string: vpn broken
WARNING: untranslated string: vpn on-demand
WARNING: untranslated string: vpn start action
WARNING: untranslated string: vpn start action route
WARNING: untranslated string: vpn start action start
WARNING: untranslated string: vpn statistics n2n
WARNING: untranslated string: vpn weak


@@ -561,6 +561,7 @@
< urlfilter redirect template
< vendor
< visit us at
< vpn broken
< vpn keyexchange
< vpn on-demand
< vpn start action
@@ -568,6 +569,7 @@
< vpn start action start
< vpn statistic n2n
< vpn statistic rw
< vpn weak
< wlanap access point
< wlanap channel
< wlanap country
@@ -1180,6 +1182,7 @@
< urlfilter redirect template
< vendor
< visit us at
< vpn broken
< vpn keyexchange
< vpn on-demand
< vpn start action
@@ -1187,6 +1190,7 @@
< vpn start action start
< vpn statistic n2n
< vpn statistic rw
< vpn weak
< wlanap country
< wlan client
< wlan client advanced settings
@@ -1764,6 +1768,7 @@
< urlfilter redirect template
< vendor
< visit us at
< vpn broken
< vpn keyexchange
< vpn on-demand
< vpn start action
@@ -1771,6 +1776,7 @@
< vpn start action start
< vpn statistic n2n
< vpn statistic rw
< vpn weak
< wlanap country
< wlan client
< wlan client advanced settings
@@ -2353,6 +2359,7 @@
< urlfilter redirect template
< vendor
< visit us at
< vpn broken
< vpn keyexchange
< vpn on-demand
< vpn start action
@@ -2360,6 +2367,7 @@
< vpn start action start
< vpn statistic n2n
< vpn statistic rw
< vpn weak
< week-graph
< wlanap country
< wlan client


@@ -2503,8 +2503,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
<option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
<option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
<option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1 ($Lang::tr{'vpn weak'})</option>
<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5i ($Lang::tr{'vpn broken'})</option>
</select>
</td>
<td class='boldbase'>
@@ -2513,8 +2513,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
<option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
<option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
<option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
<option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1 ($Lang::tr{'vpn weak'})</option>
<option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
</select>
</td>
</tr>
@@ -2550,8 +2550,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<option value='2048s160' $checked{'IKE_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
<option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
<option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
<option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
<option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option>
<option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
<option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
</select>
</td>
<td class='boldbase'>
@@ -2575,8 +2575,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
<option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
<option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
<option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option>
<option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768</option>
<option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
<option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
<option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
</select>
</td>
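Review bot: The new IKE_INTEGRITY label for MD5 in the first hunk reads `MD5i ($Lang::tr{'vpn broken'})` — the stray `i` is a typo that will appear verbatim in the drop-down; the line should be `<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>`, matching the ESP_INTEGRITY line in the second hunk. The weak/broken markers are only visible while a select is open, so a connection that was saved earlier with one of these algorithms presumably gets no indication anywhere else on the page; a short note next to the field, or in the connection overview, would keep the warning visible without removing the options the commit message says must stay supported. The enclosing `if` block and the form it renders start outside these hunks.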


@@ -2605,6 +2605,7 @@
'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Wenn möglich, vermeiden (preshared Schlüssel wird im Klartext übertragen)!',
'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo',
'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld',
'vpn broken' => 'Gebrochen',
'vpn delayed start' => 'Verzögerung bevor VPN gestartet wird (Sekunden)',
'vpn delayed start help' => 'Falls notwendig, kann diese Verzögerung dazu verwendet werden, um Dynamic-DNS-Updates ordnungsgemäß anzuwenden. 60 ist ein gängiger Wert, wenn ROT (RED) eine dynamische IP Adresse ist.',
'vpn incompatible use of defaultroute' => 'Hostname=%defaultroute nicht zulässig',
@@ -2627,6 +2628,7 @@
'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik',
'vpn subjectaltname' => 'Subjekt Alternativer Name',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
'vpn weak' => 'Schwach',
'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert',
'warn when traffic reaches' => 'Warnen wenn Traffic x % erreicht',
'warning messages' => 'Warnhinweise',


@@ -2648,6 +2648,7 @@
'vpn aggrmode' => 'IKE aggressive mode allowed. Avoid if possible (preshared key is transmitted in clear text)!',
'vpn altname syntax' => 'SubjectAltName is a comma separated list of e-mail, dns, uri, rid and ip objects.<br />email:an email address. Syntax email:copy takes the email field from the cert to be used.<br />DNS:a valid domain name.<br />URI:any valid uri.<br />RID:registered object identifier.<br />IP:an IP address.<br />Note:charset is limited and case is significant.<br />Example:<br /><b>e-mail:</b>ipfire@foo.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/to/something',
'vpn auth-dn' => 'Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field',
'vpn broken' => 'Broken',
'vpn configuration main' => 'VPN Configuration',
'vpn delayed start' => 'Delay before launching VPN (seconds)',
'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.',
@@ -2672,6 +2673,7 @@
'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics',
'vpn subjectaltname' => 'Subject Alt Name',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'vpn weak' => 'Weak',
'waiting to synchronize clock' => 'Waiting to synchronize clock',
'warn when traffic reaches' => 'Warn when traffic reaches x %',
'warning messages' => 'Warning messages',