From patchwork Sat Oct 7 00:14:48 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 1441 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 2F5BA60AB1 for ; Fri, 6 Oct 2017 15:15:22 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id A2E54281B; Fri, 6 Oct 2017 15:15:20 +0200 (CEST) Received: from localhost.localdomain (p5DC0BBEC.dip0.t-ipconnect.de [93.192.187.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 1D3032818; Fri, 6 Oct 2017 15:15:18 +0200 (CEST) From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] OpenVPN: Fix for '--ns-cert-type server is deprecated' . Date: Fri, 6 Oct 2017 15:14:48 +0200 Message-Id: <1507295688-7140-1-git-send-email-erik.kapfer@ipfire.org> X-Mailer: git-send-email 2.7.4 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration, so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type' if the host certificate are newely generated with this options. Nevertheless both directives (old and new) will work also with old CAs. - Automatic detection if the host certificate uses the new options. If it does, '--remote-cert-tls server' will be automatically set into the client configuration files for Net-to-Net and Roadwarriors connections. If it does NOT, the old '--ns-cert-type server' directive will be set in the client configuration file. --- config/ovpn/openssl/ovpn.cnf | 4 ++++ html/cgi-bin/ovpnmain.cgi | 31 +++++++++++++++++++++++++++---- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index ab026c1..40daf2a 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -77,6 +77,8 @@ basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = clientAuth +keyUsage = digitalSignature [ server ] @@ -86,6 +88,8 @@ nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = serverAuth +keyUsage = digitalSignature, keyEncipherment [ v3_req ] basicConstraints = CA:FALSE diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index d46a14e..ceb88c1 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1061,8 +1061,15 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } } } - - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -2173,7 +2180,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } } } - print CLIENTCONF "ns-cert-type server\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\n"; + } else { + print CLIENTCONF "remote-cert-tls server\n"; + } print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; @@ -2332,7 +2347,15 @@ else print CLIENTCONF "comp-lzo\r\n"; } print CLIENTCONF "verb 3\r\n"; - print CLIENTCONF "ns-cert-type server\r\n"; + # Check host certificate if X509 is RFC3280 compliant. + # If not, old --ns-cert-type directive will be used. + # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. + my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($hostcert !~ /TLS Web Server Authentication/) { + print CLIENTCONF "ns-cert-type server\r\n"; + } else { + print CLIENTCONF "remote-cert-tls server\r\n"; + } print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; if ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "mssfix\r\n";