[v2,3/7] OpenVPN: Warning for broken algorithms

Message ID 20201210165925.25037-3-erik.kapfer@ipfire.org
State Dropped
Series [v2,1/7] OpenVPN: Introduce advanced encryption section |

Commit Message

Erik Kapfer Dec. 10, 2020, 4:59 p.m. UTC
  The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1
since those algorithms will "soon be removed".

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++
 langs/de/cgi-bin/de.pl    |  2 ++
 langs/en/cgi-bin/en.pl    |  2 ++
 langs/es/cgi-bin/es.pl    |  4 ++++
 langs/fr/cgi-bin/fr.pl    |  2 ++
 langs/it/cgi-bin/it.pl    |  4 ++++
 langs/nl/cgi-bin/nl.pl    |  5 +++++
 langs/pl/cgi-bin/pl.pl    |  4 ++++
 langs/ru/cgi-bin/ru.pl    |  4 ++++
 langs/tr/cgi-bin/tr.pl    |  4 ++++
 10 files changed, 48 insertions(+)
  

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dbf8a8d2e..7a2f8a5a3 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -250,6 +250,20 @@  sub pkiconfigcheck
 		}
 	}
 
+	# Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage
+	if (-f "${General::swroot}/ovpn/server.conf") {
+		my $oldciphers = "${General::swroot}/ovpn/server.conf";
+		open(FH, $oldciphers);
+		while(my $cipherstring = <FH>) {
+			if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+				my @tempcipherstring = split(" ", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+				goto CRYPTO_WARNING;
+			}
+		}
+		close(FH);
+	}
+
 	CRYPTO_WARNING:
 }
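Review bot: The added scan in pkiconfigcheck matches the algorithm names anywhere on any line of server.conf and then prints the second whitespace-separated token into the page unescaped, so a comment or unrelated directive containing e.g. `SHA1` triggers the warning and whatever sits in `$tempcipherstring[1]` is emitted as HTML. Anchoring the match to the `cipher`/`auth` directives and printing the captured name keeps the output to a fixed allowlist. The `open(FH, $oldciphers)` is a two-argument open on a bareword handle with no failure check, and `goto CRYPTO_WARNING` skips `close(FH)`; a lexical handle with three-argument open and `last` avoids both. The 'ovpn warning 64 bit block cipher' text is also shown for SHA1, which is a digest rather than a block cipher, so a separate string may be clearer. pkiconfigcheck begins above this hunk; whether server.conf carries these names under other directives is not visible here.

```perl
	# … unchanged: earlier checks in pkiconfigcheck …
	my $serverconf = "${General::swroot}/ovpn/server.conf";
	if (open(my $conf_fh, '<', $serverconf)) {
		while (my $line = <$conf_fh>) {
			# Only cipher/auth directives count; only an allowlisted name reaches the HTML.
			if ($line =~ /^\s*(?:cipher|auth)\s+(BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1)\b/) {
				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$1</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
				last;
			}
		}
		close($conf_fh);
	}
```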
 
@@ -5242,6 +5256,9 @@  END
 
     my @status = `/bin/cat /var/run/ovpnserver.log`;
 
+	# Perform crypto and configration test to display warnings or errors
+	&pkiconfigcheck;
+
     if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 		if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 		    my $ipaddr = <IPADDR>;
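Review bot: The added call `&pkiconfigcheck;` uses the ampersand form without parentheses, which hands the caller's current `@_` to the sub instead of calling it with no arguments; `pkiconfigcheck();` states the intent. The comment above it has a typo and would read `# Perform crypto and configuration test to display warnings or errors`. The surrounding block starts and ends outside this hunk, so where `$cryptowarning` is rendered afterwards cannot be checked from here.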
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 08827b08a..ae05d5e55 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1948,6 +1948,8 @@ 
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 880cae5f7..321503d67 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1980,6 +1980,8 @@ 
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
 'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>',
+'ovpn warning algorithm' => 'You configured the algorithm',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index c86580e81..752093552 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -552,6 +552,8 @@ 
 'credits' => 'Creditos',
 'crl' => 'Lista de revocación de certificados',
 'cron server' => 'Servidor CRON',
+'crypto error' => 'Error de criptografía',
+'crypto warning' => 'Advertencias sobre la criptografía',
 'current' => 'Actual',
 'current aliases' => 'Alias actuales',
 'current class' => 'Clase actual',
@@ -1345,6 +1347,8 @@ 
 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0',
 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.',
 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:',
+'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del  está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>',
+'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Tamaño de Fragmento',
 'ovpn_mssfix' => 'Tamaño MSSFIX',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index 1a1f37cbe..f931bc70e 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1981,6 +1981,8 @@ 
 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.',
 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ',
 'ovpn tls auth' => 'Protection du canal TLS :',
+'ovpn warning 64 bit block cipher' => 'Ce L\'algorithme de chiffage du n\'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>',
+'ovpn warning algorithm' => 'L\'algorithme suivant a été configuré',
 'ovpn warning rfc3280' => 'Votre certificat d\'hôte n\'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d\'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Taille du fragment',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 2c1dc9559..3779de3f6 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -622,6 +622,8 @@ 
 'credits' => 'Credits',
 'crl' => 'Certificate Revocation List',
 'cron server' => 'CRON Server',
+'crypto error' => 'Errore di crittografia',
+'crypto warning' => 'Avvertenze di crittografia',
 'current' => 'Current',
 'current aliases' => 'Current aliases',
 'current class' => 'Current class',
@@ -1733,6 +1735,8 @@ 
 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn warning 64 bit block cipher' => 'L\'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>',
+'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
 'ovpn_mtudisc' => 'MTU-Discovery',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 635cbd3b8..dc9ea350f 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -616,6 +616,8 @@ 
 'credits' => 'Credits',
 'crl' => 'Certificaatintrekkingslijst',
 'cron server' => 'CRON Server',
+'crypto error' => 'Cryptografische fout',
+'crypto warning' => 'Cryptografie waarschuwingen',
 'current' => 'Huidig',
 'current aliases' => 'Huidige aliassen:',
 'current class' => 'Huidige klasse',
@@ -1686,6 +1688,9 @@ 
 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.',
 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ',
+'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>',
+'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd',
+'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrootte',
 'ovpn_mssfix' => 'MSSFIX-grootte',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 4ceaeef8a..96e9a95ae 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -553,6 +553,8 @@ 
 'credits' => 'Credits',
 'crl' => 'Lista odwołań certyfikatów',
 'cron server' => 'Serwer CRON',
+'crypto error' => 'Błąd kryptograficzny',
+'crypto warning' => 'Ostrzeżenia kryptograficzne',
 'current' => 'Aktualne',
 'current aliases' => 'Aktualne alias:',
 'current class' => 'Aktualna klasa',
@@ -1357,6 +1359,8 @@ 
 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.',
 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ',
+'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>',
+'ovpn warning algorithm' => 'Skonfigurowałeś algorytm',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Rozmiar fragmentu',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 1d81eb62c..5ba44ce29 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -551,6 +551,8 @@ 
 'credits' => 'О Проекте',
 'crl' => 'Список отозванных сертификатов',
 'cron server' => 'CRON Сервер',
+'crypto error' => 'Ошибка криптографии',
+'crypto warning' => 'крипто-предупреждение',
 'current' => 'Current',
 'current aliases' => 'Действующие псевдонимы:',
 'current class' => 'Текущий класс',
@@ -1352,6 +1354,8 @@ 
 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.',
 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ',
+'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>',
+'ovpn warning algorithm' => 'Вы настроили алгоритм',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentsize',
 'ovpn_mssfix' => 'MSSFIX Size',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 5fbd9f3d3..b459401c9 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -682,6 +682,8 @@ 
 'credits' => 'Yazarlar',
 'crl' => 'Sertifika İptal Listesi',
 'cron server' => 'CRON Sunucusu',
+'crypto error' => 'Kriptografi hatası',
+'crypto warning' => 'Kriptografi uyarıları',
 'current' => 'Geçerli',
 'current aliases' => 'Geçerli takma adlar:',
 'current class' => 'Geçerli sınıflar',
@@ -1878,6 +1880,8 @@ 
 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.',
 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ',
+'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>',
+'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın',
 'ovpn_fastio' => 'Hızlı-IO',
 'ovpn_mssfix' => 'MSSFIX Boyutu',
 'ovpn_mtudisc' => 'MTU-Keşfi',