Changes includes:
Own crypto warning and error message in WUI (can be extended to configuration too).
Check if DH-parameter is < 2048 bit with an error message and howto fix it.
Check if md5 is still in use with an error message and suggestion how to proceed further to fix it.
Check for soon needed RFC3280 TLS rules compliants and suggestion how to proceed further to fix it.
Disabled 1024 bit DH-parameter upload.
Changed de and en language files for DH-parameter upload (deleted 1024 bit).
Added explanations to de and en language files for the above changes.
Fixed Typo in en language file.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography.
It includes also potential warnings for upcoming changes and needed adjustments in the system.
This can also be extended in the future for upcoming configuration changes.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This fixes#11772 .
If the X509 are deleted, the openvpnctrl output generates a bad header wrapper error from the CGI
which causes an internal server error. The redirection of the openvpnctrl output fixes this.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenVPN-2.4.x do not accepts 1024 bit DH-parameter for security concerns anymore,
it has been removed from the menu.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix for #11766 .
Since the new OpenSSL output differs in the 'Subject' section, the regex needed to be adapted.
Old and new output should now be possible.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenSSL 1.1.0x it is required to set a value for the 'valid til (days)' field.
The WUI delivers now a guide value of two years.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Check has been integrated that the OpenSSL maximum of '999999' valid days can not be exceeded.
Check for needed entry in 'Valid til days' field has been integrated.
Asterisk for 'Valid til days' field has been set to mark it as required field.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This makes debugging easier, especially when it comes to
GeoIP related firewall rules and database related issues
such as #11482.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These have to be dropped since the entire system does not
support Path MTU discovery any more. This should not have
any disadvantage on any tunnels since PMTU didn't really
work in the first place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
script-security: The support for the 'system' flag has been removed due to security implications
with shell expansions when executing scripts via system() call.
For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
ncp-disable: Negotiable crypto parameters has been disabled for the first.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are not considered secure anymore but are unfortunately
still needed in some cases (legacy hardware, ...).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate are newely generated with this options.
Nevertheless both directives (old and new) will work also with old CAs.
- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarriors connections.
If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will break compatibility with old clients like
Windows XP, but these are too old now to be supported.
SHA1 is considered to be weak and should not be used any more
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4 . Added instead --verify-x509-name HOST name
into ovpnmain.cgi.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will allow to import just the configuration file
into iOS and establish the VPN connection. Also works
with many other OpenVPN clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds the option to download a client package
that comes with a regular PEM and key file instead of a
PKCS12 file which is easier to use with clients that
don't support PKCS12 (like iOS) opposed to converting
the file manually.
This requires that the connection is created without
using a password for the certificate. Then the certificate
is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CC: Alexander Marx <alexander.marx@ipfire.org>
Mark required input fields with a star as nowadays this is
the de-facto default. Before, it was the other way around and
optional fields were marked.
Signed-off-by: Lars Schumacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
