@@ -64,6 +64,8 @@ my %cahash=();
my %selected=();
my $warnmessage = '';
my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
my %settings=();
my $routes_push_file = '';
my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
close(CLIENTCONF);
}
-
+
+###
+### Check for cryptography problems
+###
+
+# Warning if DH parameter is 1024 bit
+if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
+ my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
+ if ($dhlenght =~ /1024 bit/) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
+}
+
+# Warning if md5 is in usage
+if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($signature =~ /md5WithRSAEncryption/) {
+ $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+ goto CRYPTO_ERROR;
+ }
+}
+
+CRYPTO_ERROR:
+
+# Warning if certificate is not compliant to RFC3280 TLS rules
+if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage =~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+}
+
+CRYPTO_WARNING:
+
###
### Save main settings
###
@@ -5135,6 +5172,20 @@ END
&Header::closebox();
}
+ if ($cryptoerror) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+ print "<class name='base'>$cryptoerror";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ if ($cryptowarning) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+ print "<class name='base'>$cryptowarning";
+ print " </class>";
+ &Header::closebox();
+ }
+
if ($warnmessage) {
&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
print "$warnmessage<br>";
@@ -661,6 +661,8 @@
'credits' => 'Credits',
'crl' => 'Certificate Revocation List',
'cron server' => 'Cron-Server',
+'crypto error' => 'Kryptografiefehler',
+'crypto warning' => 'Kryptografiewarnungen',
'current' => 'Aktuell',
'current aliases' => 'Aktuelle Alias-Adresse',
'current class' => 'Aktuelle Klasse',
@@ -1817,6 +1819,8 @@
'ovpn engines' => 'Krypto Engine',
'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
+'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
+'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
'ovpn ha' => 'Hash-Algorithmus',
'ovpn hmac' => 'HMAC-Optionen',
@@ -1841,6 +1845,7 @@
'ovpn subnet' => 'OpenVPN-Subnetz:',
'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
+'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_fragment' => 'Fragmentgrösse',
'ovpn_mssfix' => 'MSSFIX-Grösse',
@@ -682,6 +682,8 @@
'credits' => 'Credits',
'crl' => 'Certificate Revocation List',
'cron server' => 'CRON Server',
+'crypto error' => 'Cryptographic error',
+'crypto warning' => 'Cryptographic warning',
'current' => 'Current',
'current aliases' => 'Current aliases',
'current class' => 'Current class',
@@ -1850,6 +1852,8 @@
'ovpn engines' => 'Crypto engine',
'ovpn errmsg green already pushed' => 'Route for green network is always set',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
+'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
'ovpn ha' => 'Hash algorithm',
'ovpn hmac' => 'HMAC options',
@@ -1874,6 +1878,7 @@
'ovpn subnet' => 'OpenVPN subnet:',
'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_mssfix' => 'MSSFIX Size',
'ovpn_mtudisc' => 'MTU-Discovery',