From patchwork Wed Feb 7 07:09:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 1644 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id EA7BC60AB5 for ; Tue, 6 Feb 2018 21:19:33 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 12FCF4715; Tue, 6 Feb 2018 21:19:32 +0100 (CET) Received: from localhost.localdomain (i59F4FA36.versanet.de [89.244.250.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 237E84716; Tue, 6 Feb 2018 21:09:40 +0100 (CET) From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH v2] CRL updater: Update script for OpenVPNs CRL Date: Tue, 6 Feb 2018 21:09:36 +0100 Message-Id: <1517947776-23744-1-git-send-email-erik.kapfer@ipfire.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org> References: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Update script for OpenVPNs CRL cause OpenVPN refactors the CRL handling since v.2.4.0 . Script checks the next update field from the CRL and executes an update before it expires. Script is placed under fcron.daily for daily checks. Signed-off-by: Erik Kapfer --- config/ovpn/openvpn-crl-updater | 88 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 6 +++ 3 files changed, 95 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..9063b04 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater @@ -0,0 +1,88 @@ +#!/bin/bash + +######################################################################################### +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire. If not, see . # +# # +# Copyright (C) 2007 IPFire-Team . # +# # +######################################################################################### +# # +# Script Name: openvpn-crl-updater # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed from ssl_verify_.c . # +# For more infos: # +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 # +# # +# Run Information: If OpenVPNs CRL is presant, # +# this script provides a cronjob which checks daily if an update of the CRL # +# is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, an openssl # +# command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. # +# # +# Author: Erik Kapfer # +# # +# Date: 06.02.2018 # +# # +######################################################################################### + +# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then + exit 0; +fi + +## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" + +## Values +# CRL check for the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( +$(/bin/date -d "$(/usr/bin/openssl crl -in "${CRL}" -text | \ + /bin/grep -oP 'Next Update: *\K.*')" +%s) - \ + $(/bin/date +%s) \ +))" + +# Day in seconds to calculate +DAYINSEC="86400" + +# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))" + +# Update of the CRL in days before CRL expiring date +UPDATE="14" + + +# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then + if /usr/bin/openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + logger -t openvpn "CRL has been updated" + else + logger -t openvpn "error: Could not update CRL" + fi +fi + +exit 0 + + +# EOF + diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..1ecc18c 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,5 +96,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily + chown root:root /etc/fcron.daily/openvpn-crl-updater + chmod 750 /etc/fcron.daily/openvpn-crl-updater + @rm -rf $(DIR_APP) @$(POSTBUILD) +