| Message ID | 1518669829-22328-1-git-send-email-erik.kapfer@ipfire.org |
|---|---|
| State | Accepted |
| Commit | a4fd232541bf5002eb7e256727d2b10c89b6d1bf |
| Series | OpenVPN: Added needed directive for v2.4 update |

Headers:

```
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.i.ipfire.org (Postfix) with ESMTP id 3AD7960B17 for <patchwork@web02.i.ipfire.org>; Thu, 15 Feb 2018 05:44:54 +0100 (CET)
X-Virus-Scanned: ClamAV at mail01.ipfire.org
Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 404B1111EC09; Thu, 15 Feb 2018 04:44:58 +0000 (GMT)
Authentication-Results: mail01.ipfire.org; dmarc=pass (p=none dis=none) header.from=ipfire.org
Authentication-Results: mail01.ipfire.org; spf=pass smtp.mailfrom=development-bounces@lists.ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ipfire.org; s=201801; t=1518669898; x=1521261898; bh=UKbMkpn6qQG44L6lgy3ril71x7vWq9ywhyx5RLDPP6g=; h=From:To:Subject:Date:Message-Id:Sender:From:To:Cc:Date:Content-Type:Message-ID:In-Reply-To:Subject:Reply-To:Sender; b=dmos0IPinch5LbDhdYvpzYX3iq1jPs8OtGQi7hgJtLru0cLi8YvV9Tnt6v7ssl3To hdnaRQxnJfd7jMKzwajY1hHRNQNqTcDyweVO+ihO92qgWvl4QxYSSjzKzoKKsZm5Ys HG6jenslxd4GP7UBv8LQLRNzBEpSP27orcNr23xLmQF+Qf0YpQ49n09RBgpdDYnOSb Q5Hg23rcOhYX5RRLOnGcJMXth1YLGSbm7hMH6/FSZLeyPaOhbKO4k+9eb83PARadhn e7UZyntRxxwsqFOaBmuKmuUKx4djv2MnMhF/tQ7bE79gqR3EzJ5nKIy0wRjJTjCRf6 i1I/KPBJ2c+tA==
X-Virus-Scanned: ClamAV at mail01.ipfire.org
Received: from localhost.localdomain (i59F4AE97.versanet.de [89.244.174.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 4C5D5111EC0F; Thu, 15 Feb 2018 04:44:00 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ipfire.org; s=201801; t=1518669840; x=1521261840; bh=UKbMkpn6qQG44L6lgy3ril71x7vWq9ywhyx5RLDPP6g=; h=From:To:Cc:Subject:Date:Message-Id:From:To:Cc:Date:Content-Type:Message-ID:In-Reply-To:Subject:Reply-To:Sender; b=Yze93NeahqN2CGZa+1jlK72y3yEeqqDJqbPcBAm2PJo1ErUc+qsCx/rPY++iNggQN ZJFffUhOjpeugP1c5dhPErWySg3W5uhjVa54hndrOdh8BSyfZOCqsX4x5K+8yIhkG3 2CJC6xPfoihPkhkewmy0ytA64fev54cVsna2zU3fZOag8KLF6e8e8gR+9Df5WSioNy ECd1//6jvPpGaFbqCZPanP9XBI4jCCadMze/dU5nHPrl/VL0R23p/IbMtpDPq2x87Y SVlwMUvYSm8UF1qhwNO+iKSv0Ud2wRQfNsFFrtmEkgdt9ZlU0VpqNfsmXTT+cGqxpW BGQvZVQ97OV/g==
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Added needed directive for v2.4 update
Date: Thu, 15 Feb 2018 05:43:49 +0100
Message-Id: <1518669829-22328-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>
```
Commit Message
Erik Kapfer
Feb. 15, 2018, 3:43 p.m. UTC
script-security: Support for the 'system' flag has been removed due to security implications with shell expansions when executing scripts via the system() call.
For more information: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

ncp-disable: Negotiable crypto parameters have been disabled for now.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Hi,

this looks good. I will merge this soon.

How do we convert existing configuration files?

-Michael

On Thu, 2018-02-15 at 05:43 +0100, Erik Kapfer wrote:
> script-security: The support for the 'system' flag has been removed due to
> security implications
> with shell expansions when executing scripts via system() call.
> For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn2
> 4ManPage .
>
> ncp-disable: Negotiable crypto parameters has been disabled for the first.
>
> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 0a18ec7..a7daf89 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -216,7 +216,7 @@ sub writeserverconf {
> print CONF "dev tun\n";
> print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
> print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
> - print CONF "script-security 3 system\n";
> + print CONF "script-security 3\n";
> print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
> 3600\n";
> print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
> print CONF "tls-server\n";
> @@ -289,6 +289,7 @@ sub writeserverconf {
> }
> print CONF "status-version 1\n";
> print CONF "status /var/run/ovpnserver.log 30\n";
> + print CONF "ncp-disable\n";
> print CONF "cipher $sovpnsettings{DCIPHER}\n";
> if ($sovpnsettings{'DAUTH'} eq '') {
> print CONF "";
Hi Michael,

On Thursday, 15.02.2018, 10:40 +0000, Michael Tremer wrote:
> Hi,
>
> this looks good. I will merge this soon.
>
> How do we convert existing configuration files?

I would do it like this:

```bash
#!/bin/bash

# Write the changed and new OpenVPN 2.4 directives to server.conf and renew the CRL during a core update
if [ -e /var/ipfire/ovpn/server.conf ]; then
	# Stop a running server before editing its config and remember to start it again afterwards
	running=0
	if pgrep openvpn >/dev/null; then
		running=1
		openvpnctrl -k
	fi

	# The 'system' method flag no longer exists in 2.4
	sed -i -e 's/script-security 3 system/script-security 3/' /var/ipfire/ovpn/server.conf

	# Add ncp-disable after the status line, but only once, so a rerun of the update does not duplicate it
	if ! grep -q '^ncp-disable' /var/ipfire/ovpn/server.conf; then
		sed -i -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
	fi

	# Renew the CRL so revoked client certificates keep being rejected
	openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf

	if [ $running -eq 1 ]; then
		openvpnctrl -s
	fi
fi
# EOF
```

which also includes a renewal of the CRL, to stay safe in that respect as well.

Best,

Erik
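The config migration discussed in this thread (the two directives from the commit message and the update snippet above), written up as an added example that is neither IPFire's update script nor Erik's code. It takes the config path as an argument instead of hard-coding /var/ipfire/ovpn/server.conf, only touches the file once no matter how often it runs, and checks its own result on a constructed sample config shaped like the output of writeserverconf; stopping and restarting OpenVPN and renewing the CRL are left to the caller. It assumes GNU sed (for -i and the one-line a command), and the function names, the sample values and the --demo flag are this example's own.

```bash
#!/bin/bash
# Added example, not IPFire's update script: migrate an OpenVPN server.conf
# written by the 2.3-era ovpnmain.cgi to the two 2.4 directives from the patch.
# Assumptions: GNU sed (for -i and the one-line 'a' command); the config path
# is passed as an argument; the sample below is constructed, not a real file.
set -eu

# Rewrite the config in place. Safe to run more than once: the 'system' flag is
# only removed where present and ncp-disable is only added if absent, so a
# second core update does not leave duplicate directives behind.
migrate_ovpn_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "migrate_ovpn_conf: no such file: $conf" >&2; return 1; }
    # 1. 'script-security N system' -> 'script-security N' (the method flag is gone in 2.4)
    sed -i -E 's/^(script-security[[:space:]]+[0-9]+)[[:space:]]+system[[:space:]]*$/\1/' "$conf"
    # 2. insert 'ncp-disable' directly after the 'status <file> <secs>' line, once
    if ! grep -qE '^ncp-disable[[:space:]]*$' "$conf"; then
        sed -i -E '/^status[[:space:]]/a ncp-disable' "$conf"
    fi
}

# Return 0 when the file is in 2.4 form: no 'system' flag left, exactly one ncp-disable.
verify_ovpn_conf() {
    conf="$1"
    if grep -qE '^script-security[[:space:]]+[0-9]+[[:space:]]+system' "$conf"; then
        return 1
    fi
    [ "$(grep -cE '^ncp-disable[[:space:]]*$' "$conf")" -eq 1 ]
}

# Constructed sample in the shape writeserverconf emits (values are made up).
make_sample_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
EOF
}

# Demo on a temporary copy of the sample: ./migrate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    make_sample_conf "$tmp"
    migrate_ovpn_conf "$tmp"
    migrate_ovpn_conf "$tmp"   # second run must be a no-op
    if verify_ovpn_conf "$tmp"; then
        echo "migrated OK:"
        cat "$tmp"
    else
        echo "migration check failed" >&2
        exit 1
    fi
    rm -f "$tmp"
fi
```

The idempotency guard matters in an update script: a plain `sed '/status .*/ a ncp-disable'` appends a second `ncp-disable` every time the update is re-run or a later core update repeats the step, and the `^status[[:space:]]` anchor keeps `status-version 1` from matching as well.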
Hi,

okay, that's fine. I will add this to the update script of that core update then.

-Michael

On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
> Hi Michael,
>
>
> On Thursday, 15.02.2018, 10:40 +0000, Michael Tremer wrote:
> > Hi,
> >
> > this looks good. I will merge this soon.
> >
> > How do we convert existing configuration files?
>
> i would do it like this:
>
> #!/bin/bash
>
> # Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew
> CRL while update an core update
> if [ -e /var/ipfire/ovpn/server.conf ]; then
> if pgrep openvpn >/dev/null; then
> openvpnctrl -k
> sed -i -e 's/script-security 3 system/script-security 3/' -e
> '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert
> /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config
> /var/ipfire/ovpn/openssl/ovpn.cnf
> openvpnctrl -s
> else
> sed -i -e 's/script-security 3 system/script-security 3/' -e
> '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert
> /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config
> /var/ipfire/ovpn/openssl/ovpn.cnf
> fi
> fi
>
> # EOF
>
>
> which includes also an update of the CRL to stay save also in that
> manner
>
>
> Best,
>
> Erik
On Thursday, 15.02.2018, 11:00 +0000, Michael Tremer wrote:
> Hi,
>
> okay, that's fine. I will add this to the update script of that core
> update
> then.

Great, thanks. I think we should then be OpenVPN-2.4 ready for now...

>
> -Michael
>
> On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
> >
> > Hi Michael,
> >
> >
> > On Thursday, 15.02.2018, 10:40 +0000, Michael Tremer wrote:
> > >
> > > Hi,
> > >
> > > this looks good. I will merge this soon.
> > >
> > > How do we convert existing configuration files?
> > i would do it like this:
> >
> > #!/bin/bash
> >
> > # Changed and new OpenVPN-2.4 directives will wrote to server.conf
> > and renew
> > CRL while update an core update
> > if [ -e /var/ipfire/ovpn/server.conf ]; then
> > if pgrep openvpn >/dev/null; then
> > openvpnctrl -k
> > sed -i -e 's/script-security 3 system/script-security
> > 3/' -e
> > '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> > openssl ca -gencrl -keyfile
> > /var/ipfire/ovpn/ca/cakey.pem -cert
> > /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem
> > -config
> > /var/ipfire/ovpn/openssl/ovpn.cnf
> > openvpnctrl -s
> > else
> > sed -i -e 's/script-security 3 system/script-security
> > 3/' -e
> > '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> > openssl ca -gencrl -keyfile
> > /var/ipfire/ovpn/ca/cakey.pem -cert
> > /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem
> > -config
> > /var/ipfire/ovpn/openssl/ovpn.cnf
> > fi
> > fi
> >
> > # EOF
> >
> >
> > which includes also an update of the CRL to stay save also in that
> > manner
> >
> >
> > Best,
> >
> > Erik
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 0a18ec7..a7daf89 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -216,7 +216,7 @@ sub writeserverconf { print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; - print CONF "script-security 3 system\n"; + print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -289,6 +289,7 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF "";
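Review bot: in the first hunk (@@ -216,7 +216,7 @@), dropping the `system` method from `print CONF "script-security 3\n";` means OpenVPN 2.4 will run every hook script referenced in this config through execve() with literal arguments rather than through a shell, so any existing hook that relied on shell expansion of its arguments (quoting, globbing, `$VAR` references) needs to be checked before this ships. It is also worth asking whether level 3 is needed here at all: level 3 differs from level 2 only by additionally passing passwords to scripts via environment variables, which is only required for `auth-user-pass-verify ... via-env`; if nothing in the generated config needs that, writing `script-security 2` is the tighter setting and keeps credentials out of the hook scripts' environment.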
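Review bot: in the second hunk (@@ -289,6 +289,7 @@), `print CONF "ncp-disable\n";` is emitted unconditionally with no setting behind it and no comment, and the commit message only says NCP is disabled "for the first"; please document the reason in the code or the commit message (it pins every client to the single `cipher $sovpnsettings{DCIPHER}` written on the next line and gives up the automatic AES-GCM negotiation 2.4 offers) and consider a settings key so it can be re-enabled later without another code change. Note as well that `ncp-disable` is unknown to OpenVPN 2.3, so an older binary will refuse to start on a config written by this CGI; the CGI change and the 2.4 package have to land in the same core update.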