From patchwork Fri Jan 26 21:22:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 1633 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id A631460250 for ; Fri, 26 Jan 2018 11:22:59 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id B028F468D; Fri, 26 Jan 2018 11:22:58 +0100 (CET) Received: from localhost.localdomain (i59F4A00B.versanet.de [89.244.160.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id D647C468B; Fri, 26 Jan 2018 11:22:55 +0100 (CET) 
From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] [PATCH] OpenVPN: Update to version 2.4.4 . Date: Fri, 26 Jan 2018 11:22:38 +0100 Message-Id: <1516962158-17324-1-git-send-email-erik.kapfer@ipfire.org> X-Mailer: git-send-email 2.7.4 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" ovpnmain.cgi includes new directive '--ncp-disable' to disable for the first the cipher negotiation. script-security flag 'system' has been dropped cause of security concerns. Directive changes/explanations can be found in here https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage . Update script for OpenVPN CRL has been integrated since OpenVPN refactors the CRL handling since v.2.4.0 . Script checks the next update field from the CRL and performs an update two days before it expires. Script is placed under fcron.daily for daily checks. Changes can be found in here https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 . update.sh for Core 118 includes needed server.conf changes but also an update of the CRL to prevent connection problems if systems have already an expired CRL. Server stop and start if active will be also executed. Signed-off-by: Erik Kapfer --- config/rootfiles/common/openvpn | 5 ++++- config/rootfiles/core/118/update.sh | 13 +++++++++++++ html/cgi-bin/ovpnmain.cgi | 3 ++- lfs/openvpn | 11 ++++++++--- 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index b58e30c..cbfd03e 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,5 @@ +etc/fcron.daily/ovpn_crl_updater.sh +#usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn #usr/lib/openvpn/plugins 
@@ -10,11 +12,12 @@ usr/sbin/openvpn #usr/share/doc/openvpn #usr/share/doc/openvpn/COPYING #usr/share/doc/openvpn/COPYRIGHT.GPL +#usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README #usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root -#usr/share/doc/openvpn/README.polarssl +#usr/share/doc/openvpn/README.mbedtls #usr/share/doc/openvpn/management-notes.txt #usr/share/man/man8/openvpn.8 var/ipfire/ovpn/ca diff --git a/config/rootfiles/core/118/update.sh b/config/rootfiles/core/118/update.sh index 545c8ef..ea56832 100644 --- a/config/rootfiles/core/118/update.sh +++ b/config/rootfiles/core/118/update.sh @@ -58,6 +58,19 @@ ldconfig /etc/init.d/apache restart /etc/init.d/snort start +# Add changed and new OpenVPN-2.4 directives to server.conf and renew CRL +if [ -e /var/ipfire/ovpn/server.conf ]; then + if pgrep openvpn >/dev/null; then + openvpnctrl -k + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf + openvpnctrl -s + else + sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf + openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf + fi +fi + # This update need a reboot... touch /var/run/need_reboot diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9f5e682..424a5c9 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -216,7 +216,7 @@ sub writeserverconf { print CONF "dev tun\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; - print CONF "script-security 3 system\n"; + print CONF "script-security 3\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; @@ -289,6 +289,7 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; + print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; diff --git a/lfs/openvpn b/lfs/openvpn index 8307d01..e7f9bc2 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2017 IPFire Team # +# Copyright (C) 2018 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.3.18 +VER = 2.4.4 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881 +$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52 install : $(TARGET) @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh + @rm -rf $(DIR_APP) @$(POSTBUILD) +
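Review bot: in the config/rootfiles/core/118/update.sh hunk, the `sed -i ...` and `openssl ca -gencrl ...` commands are copied verbatim into both branches of `if pgrep openvpn`; hoist them out of the conditional and leave only `openvpnctrl -k` before and `openvpnctrl -s` after, so the two copies cannot drift apart. Two further points on the same hunk: `'/status .*/ a ncp-disable'` appends a line on every run, so a re-executed update (or a server.conf that already carries the directive) ends up with duplicate `ncp-disable` entries; guard it with something like `grep -q '^ncp-disable' /var/ipfire/ovpn/server.conf || sed -i ...`. And the exit status of `openssl ca -gencrl` is never checked before `openvpnctrl -s`, so a failed CRL regeneration silently restarts the server with the old, possibly already expired, CRL that the commit message says this step is meant to replace; at least log the failure. Note also that `pgrep openvpn` matches any openvpn process on the box, not only the roadwarrior server this config belongs to.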
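Review bot: in the html/cgi-bin/ovpnmain.cgi hunks, the strings written here are also the anchors that update.sh relies on (`script-security 3 system` for the substitution and the `status /var/run/ovpnserver.log 30` line for inserting `ncp-disable`), so a short comment next to `print CONF "ncp-disable\n";` saying that the update script expects `ncp-disable` to follow the `status` line would stop the two files from getting out of sync. Dropping `system` from `script-security 3` matches the commit message; placing `ncp-disable` directly before `cipher $sovpnsettings{DCIPHER}` keeps the configured cipher as the only one in use, which is the intent stated in the message, but the message's "for the first" should be spelled out (e.g. "until the web UI offers NCP settings") so the next reader knows this is a transitional choice rather than a permanent one.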
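Review bot: in the lfs/openvpn install hunk, `mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily` assumes the script has been unpacked into /var/ipfire/ovpn, but this series adds no such file (the diffstat lists only the rootfile, update.sh, ovpnmain.cgi and lfs/openvpn), so the build stops here and reviewers cannot check the next-update parsing or the "two days before it expires" logic described in the commit message; please add the script to the series. Two smaller points: the `+$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52` line follows the project's existing checksum convention, but it would be worth stating in the message that the 2.4.4 tarball was checked against upstream's signature as well, since MD5 alone does not protect against a tampered download; and the final `+` line adds a trailing empty line to the file, which should be dropped.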