[v2] CRL updater: Update script for OpenVPNs CRL

Message ID 1518024709-5982-1-git-send-email-erik.kapfer@ipfire.org
State Accepted
Commit bd42f9f968112d2f15847c274d0e4c8b7bd9ddf1
Series [v2] CRL updater: Update script for OpenVPNs CRL

Commit Message

Erik Kapfer Feb. 8, 2018, 4:31 a.m. UTC
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0.
The script checks the "Next Update" field of the CRL and executes an update before it expires.
The script is placed under fcron.daily for daily checks.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++
 config/rootfiles/common/openvpn |  1 +
 lfs/openvpn                     |  5 +++
 3 files changed, 96 insertions(+)
 create mode 100644 config/ovpn/openvpn-crl-updater
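The check the commit message describes, as an added example that is not part of the IPFire patch: a Python version of the decision logic that parses constructed `openssl crl -text` output, truncates to whole days the way the shell arithmetic does, and reports a missing "Next Update" field instead of treating it as an expired CRL. The sample CRL text and timestamps are constructed.

```python
r"""Renewal decision for an OpenVPN CRL, driven by `openssl crl -text` output.

Added example (not part of the IPFire patch): re-implements the check the
commit message describes, with the same 14-day threshold and the same
truncation to whole days as the shell arithmetic, and treats a missing
"Next Update" field as an error instead of as an expired CRL.
"""
import re
from datetime import datetime, timezone

UPDATE_DAYS = 14      # renew when this many days or fewer remain (UPDATE="14")
DAY_IN_SEC = 86400    # DAYINSEC in the script

# Constructed sample of `openssl crl -in cacrl.pem -text` output; not a real CRL.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=DE/O=IPFire/CN=IPFire CA
        Last Update: Feb  1 04:31:09 2018 GMT
        Next Update: Mar  3 04:31:09 2018 GMT
No Revoked Certificates.
"""

# Constructed sample with the field missing (a CRL generated without a
# next-update time, or what an empty read of an absent file looks like).
SAMPLE_WITHOUT_NEXT_UPDATE = "Certificate Revocation List (CRL):\n        Version 2 (0x1)\n"

NEXT_UPDATE_RE = re.compile(r"Next Update:\s*(.+)")


def parse_next_update(crl_text):
    """Return the "Next Update" time as an aware UTC datetime, or None if absent.

    Mirrors the grep -oP extraction in the script, except that a missing field
    yields None rather than an empty string (which date(1) would silently turn
    into the start of today and thus into "expired").
    """
    match = NEXT_UPDATE_RE.search(crl_text)
    if not match:
        return None
    # openssl pads single-digit days with two spaces ("Mar  3"); collapse them
    raw = re.sub(r"\s+", " ", match.group(1).strip())
    try:
        parsed = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def days_left(next_update, now):
    """Whole days until next_update, truncated toward zero like $(( secs / 86400 ))."""
    secs = int((next_update - now).total_seconds())
    return int(secs / DAY_IN_SEC)   # int() truncates toward zero, as bash does


def renewal_decision(crl_text, now, update_days=UPDATE_DAYS):
    """Return (action, days) where action is "renew", "ok" or "missing-next-update"."""
    next_update = parse_next_update(crl_text)
    if next_update is None:
        return ("missing-next-update", None)
    days = days_left(next_update, now)
    return ("renew" if days <= update_days else "ok", days)


def decide_at(when_iso, crl_text=SAMPLE_CRL_TEXT):
    """Convenience wrapper: evaluate the decision at an ISO-8601 UTC timestamp."""
    now = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    return renewal_decision(crl_text, now)


if __name__ == "__main__":
    # 23 days left, 13 days left (renew), and a CRL already past Next Update
    for when in ("2018-02-08T04:31:09", "2018-02-17T10:00:00", "2018-03-04T00:00:00"):
        print(when, decide_at(when))
    print("no Next Update field:", decide_at("2018-02-08T04:31:09", SAMPLE_WITHOUT_NEXT_UPDATE))
```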
  

Comments

Michael Tremer Feb. 12, 2018, 9:25 a.m. UTC | #1
Hello,

I merged this patch into the openssl-11 branch and rebased the branch.

What other steps are urgently necessary so that we can roll out OpenVPN
2.4? Are the CGI changes necessary or new features?

Best,
-Michael

On Wed, 2018-02-07 at 18:31 +0100, Erik Kapfer wrote:
> Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0.
> The script checks the "Next Update" field of the CRL and executes an update before it expires.
> The script is placed under fcron.daily for daily checks.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
> ---
>  config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/openvpn |  1 +
>  lfs/openvpn                     |  5 +++
>  3 files changed, 96 insertions(+)
>  create mode 100644 config/ovpn/openvpn-crl-updater
> 
> diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
> new file mode 100644
> index 0000000..5fbe210
> --- /dev/null
> +++ b/config/ovpn/openvpn-crl-updater
> @@ -0,0 +1,90 @@
> +#!/bin/bash
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2018  IPFire Team  <erik.kapfer@ipfire.org>                   #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
> +
> +###############################################################################
> +#                                                                             #
> +# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
> +#                                                                             #
> +# Description: This script checks the "Next Update:" field of the CRL         #
> +#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.   #
> +#   With OpenVPN 2.4.x the CRL handling has been refactored,                  #
> +#   whereby the verification logic has been removed                           #
> +#   from ssl_verify_<backend>.c .                                             #
> +#                                                                             #
> +# Run Information: If OpenVPNs CRL is present,                                #
> +#   this script provides a cronjob which checks daily if an update            #
> +#   of the CRL is needed. If the expiring date reaches the value              #
> +#   (defined in the 'UPDATE' variable in days) before the CRL expiration,     #
> +#   an openssl command will be executed to renew the CRL.                     #
> +#   Script execution will be logged into /var/log/messages.                   #
> +#                                                                             #
> +###############################################################################
> +
> +## Paths
> +OVPN="/var/ipfire/ovpn"
> +CRL="${OVPN}/crls/cacrl.pem"
> +CAKEY="${OVPN}/ca/cakey.pem"
> +CACERT="${OVPN}/ca/cacert.pem"
> +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
> +
> +# Check if CRL is presant or if OpenVPN is active
> +if [ ! -e "${CAKEY}" ]; then
> +	exit 0;
> +fi
> +
> +## Values
> +# Actual time in epoch format
> +NOW="$(date +%s)"
> +
> +# Investigate CRLs 'Next Update' date
> +EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
> +
> +# Convert 'Next Update:' date from epoch to seconds
> +EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
> +
> +# Seconds left until CRL expires
> +EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
> +
> +# Day in seconds to calculate
> +DAYINSEC="86400"
> +
> +# Convert seconds to days
> +NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
> +
> +# Update of the CRL in days before CRL expiring date
> +UPDATE="14"
> +
> +
> +## Mainpart
> +# Check if OpenVPNs CRL needs to be renewed
> +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
> +    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
> +		logger -t openvpn "CRL has been updated"
> +    else
> +		logger -t openvpn "error: Could not update CRL"
> +    fi
> +fi
> +
> +exit 0
> +
> +
> +# EOF
> +
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 2b63424..131d798 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -1,3 +1,4 @@
> +etc/fcron.daily/openvpn-crl-updater
>  #usr/include/openvpn-msg.h
>  #usr/include/openvpn-plugin.h
>  #usr/lib/openvpn
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 3913f02..ef25c25 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
>  	chown root:root /usr/lib/openvpn/verify
>  	chmod 755 /usr/lib/openvpn/verify
> +	# Add crl updater
> +	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
> +	chown root:root /etc/fcron.daily/openvpn-crl-updater
> +	chmod 750 /etc/fcron.daily/openvpn-crl-updater
> +
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
  
ummeegge Feb. 13, 2018, 5:02 p.m. UTC | #2
Hi Michael,
thanks for merging.


On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> Hello,
> 
> I merged this patch into the openssl-11 branch and rebased the
> branch.
> 
> What other steps are urgently necessary that we can roll out OpenVPN
> 2.4? Are the CGI changes necessary or new features?

there is the need to make the changes for '--script-security' and to
add '--ncp-disable' in ovpnmain.cgi.

Also the integration of the directives via update.sh for the core
update needs to be made, since a server stop|start does not include the
changes into server.conf.

So there are two steps left for a roll out of a 2.4 minimum version.
Should I send this in two patches or better in one?

In which core update should this be delivered?

Greetings,

Erik
  
Horace Michael Feb. 13, 2018, 5:07 p.m. UTC | #3
Hi all,

On February 13, 2018 8:02:57 AM GMT+02:00, ummeegge <ummeegge@ipfire.org> wrote:
>Hi Michael,
>thanks for merging.
>
>
>On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
>> Hello,
>> 
>> I merged this patch into the openssl-11 branch and rebased the
>> branch.
>> 
>> What other steps are urgently necessary that we can roll out OpenVPN
>> 2.4? Are the CGI changes necessary or new features?
>
>there is the need to make the changes for '--script-security' and to
>add '--ncp-disable' in ovpnmain.cgi. 
>

Please consider adding auth-nocache as well, in order to get rid of the warnings for caching credentials.


>Also the integration of the directives via update.sh for the core
>update needs to be made since a server stop|start do not includes the
>changes into server.conf.
>
>So there are two steps left for a roll out of a 2.4 minimum version.
>Should i send this in two patches or better in one ?
>
>In which core update should this be delivered ?
>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
 Please excuse my typos and brevity. Sent from a Smartphone.
  
ummeegge Feb. 13, 2018, 9 p.m. UTC | #4
Hi Michael,

On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:

> Please consider to add auth-nocache also in order to get rid of the
> warnings for caching credentials.

Just to bear in mind: if we set auth-nocache and a user/password
authentication has been configured manually by the user (IPFire does not
provide this currently), there is the need to authenticate again after
a session key has expired.

With OpenVPN-2.3.13 and above the rekeying is managed by
'--reneg-bytes 64000000' (after 64 MB data transfer) if 64 bit block
ciphers are used, which IPFire does provide at this time.

So with the usage of an old deprecated configuration (old ciphers) and a
faster and heavily loaded connection there is the need to authenticate
every few minutes.

This warning does not look so nice, but in regular configurations, which
have been made via the WUI, it is useless since there is no user/password
authentication currently available.

If someone has configured it manually (in most cases via
server{client}.conf.local I think), is it there also possible to set
'--auth-nocache' for each configuration individually if needed?

Just some thoughts from here.


Greetings,

Erik
  
ummeegge Feb. 14, 2018, 12:13 a.m. UTC | #5
I have forgotten one more thing:
we should also add the new AES-GCM cipher for N2N and RWs. Would push
this one maybe before the directive changes?

Will track all that to openssl-11 branch.

Greetings,

Erik


On Tuesday, 13.02.2018, 07:02 +0100, ummeegge wrote:
> Hi Michael,
> thanks for merging.
> 
> 
> On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> > 
> > Hello,
> > 
> > I merged this patch into the openssl-11 branch and rebased the
> > branch.
> > 
> > What other steps are urgently necessary that we can roll out
> > OpenVPN
> > 2.4? Are the CGI changes necessary or new features?
> there is the need to make the changes for '--script-security' and to
> add '--ncp-disable' in ovpnmain.cgi. 
> 
> Also the integration of the directives via update.sh for the core
> update needs to be made since a server stop|start do not includes the
> changes into server.conf.
> 
> So there are two steps left for a roll out of a 2.4 minimum version.
> Should i send this in two patches or better in one ?
> 
> In which core update should this be delivered ?
> 
> Greetings,
> 
> Erik
  
Horace Michael Feb. 14, 2018, 1:21 a.m. UTC | #6
Hi Erik,

On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge@ipfire.org> wrote:
>Hi Michael,
>
>On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
>> 
>> Please consider to add auth-nocache also in order to get rid of the
>> warnings for caching credentials.
>
>just to bear in mind, if we set auth-nocache and a user/password
>authentication has been configured manually by the user (IPFire do not
>provides this currently), there is the need to authenticate again after
>a session key has been expired.

If an IPFire user manually changed the standard configuration of OpenVPN and added password authentication, then he/she should also assume the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.

>
>With OpenVPN-2.3.13 and above the rekeying are managed by '--reneg-
>bytes 64000000' (after 64 MB data transfer) if 64 bit block ciphers are
>used which IPFire do provides at this time.
>
>So by the usage of an old deprecated configuration (old ciphers) and a
>faster and heavily loaded connection there is the need to authenticate
>every few minutes.
>
>This warning looks not so nice but is in regular configurations, which
>has been made via WUI, useless since there is no user/password
>authentication currently available.
>

Indeed it is just a warning, no problem for the tunnel being established. But it is a warning that might be wrongly understood: who knows which "credentials" the user will think of, and the user's overall image of IPFire security will be poor...
>If someone has configured it manually (in most cases via
>server{client}.conf.local i think) it is there also possible to set '
>--auth-nocache' for each configuration individually if needed ?
>
>Just some thoughts from here.
>

>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
 Please excuse my typos and brevity. Sent from a Smartphone.
  
Michael Tremer Feb. 14, 2018, 11:22 p.m. UTC | #7
Hi,

On Tue, 2018-02-13 at 07:02 +0100, ummeegge wrote:
> Hi Michael,
> thanks for merging.
> 
> 
> On Sunday, 11.02.2018, 22:25 +0000, Michael Tremer wrote:
> > Hello,
> > 
> > I merged this patch into the openssl-11 branch and rebased the
> > branch.
> > 
> > What other steps are urgently necessary that we can roll out OpenVPN
> > 2.4? Are the CGI changes necessary or new features?
> 
> there is the need to make the changes for '--script-security' and to
> add '--ncp-disable' in ovpnmain.cgi. 

Okay. I will wait with merging OpenSSL until we have this sorted.

> Also the integration of the directives via update.sh for the core
> update needs to be made since a server stop|start do not includes the
> changes into server.conf.

And this, too.

> So there are two steps left for a roll out of a 2.4 minimum version.
> Should i send this in two patches or better in one ?

Please try this in two patches.

> In which core update should this be delivered ?

I am not sure, yet. 119 would have been good, but we already have a lot in there
and I think we should not delay this too much. But 120 at the latest.

It is really important that we get the latest OpenSSL out there as soon as
possible.

Best,
-Michael

> 
> Greetings,
> 
> Erik
  
ummeegge Feb. 15, 2018, 12:24 a.m. UTC | #8
Hi Michael,

On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:

> > > What other steps are urgently necessary that we can roll out
> > > OpenVPN
> > > 2.4? Are the CGI changes necessary or new features?
> > there is the need to make the changes for '--script-security' and
> > to
> > add '--ncp-disable' in ovpnmain.cgi. 
> Okay. I will wait with merging OpenSSL until we have this sorted.

I have sent the forgotten AES-GCM patch --> https://lists.ipfire.org/pipermail/development/2018-February/004063.html
Would you merge it into openssl-11 if the review is OK? I would pull the changes then and
prepare/send the last ovpnmain.cgi patch.

> 
> > 
> > Also the integration of the directives via update.sh for the core
> > update needs to be made since a server stop|start do not includes
> > the
> > changes into server.conf.
> And this, too.

Since there is currently no config/rootfiles/core/config/rootfiles/core
directory for openssl-11, should I make one for core 119 (or 120?) and
add the commands in update.sh there?

> 
> > 
> > So there are two steps left for a roll out of a 2.4 minimum
> > version.
> > Should i send this in two patches or better in one ?
> Please try this in two patches.

No problem if I am clear about the question above.

> 
> > 
> > In which core update should this be delivered ?
> I am not sure, yet. 119 would have been good, but we already have a
> lot in there
> and I think we should not delay this too much. But 120 at the latest.
> 
> It is really important that we get the latest OpenSSL out there as
> soon as
> possible.

I successfully installed an IPFire ISO with OpenSSL-1.1.0g yesterday;
I think the last changes from commit
59d77d2eae265304887408b1d36074269f6075a4
did it :D. Great work Michael. Two more commits and from the OpenVPN
side all should be OK for the first. After that I would then step into
testing mode...

Greetings,

Erik
  
ummeegge Feb. 15, 2018, 1:09 a.m. UTC | #9
Hi Michael,

On Tuesday, 13.02.2018, 16:21 +0200, Horace Michael wrote:
> Hi Erik,
> 
> On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge@ipfire
> .org> wrote:
> > 
> > Hi Michael,
> > 
> > On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
> > > 
> > >  
> > > Please consider to add auth-nocache also in order to get rid of
> > > the
> > > warnings for caching credentials.
> > just to bear in mind, if we set auth-nocache and a user/password
> > authentication has been configured manually by the user (IPFire do
> > not
> > provides this currently), there is the need to authenticate again
> > after
> > a session key has been expired.
> If an IPFire user manually changed the standard configuration of
> OpenVPN and add passwd authentication then he/she should assume also
> the impact - entering the credentials on key renewing or changing the
> config and removal of --auth-nocache directive.
> 
The removal is kind of impractical: if we hardcode --auth-nocache, it can
indeed be manually deleted in ovpnmain.cgi, but it won't be consistent
for coming updates.
If someone uses user/pwd auth via manual configuration, it might be
easier for the first to also add --auth-nocache into the local configs
if wanted? In some cases this might also be a problem, e.g. for every
kind of automation (such as larger backups), whereby processes will
be stopped if no user interaction is made.

In my opinion there should be a checkbox available for this, but this
kind of contradicts the current usability of keeping it as easy
as possible, even though this option is useless for a default IPFire
configuration.

But these are only my two cents on this topic. If this is wanted from
the core developer side, this should be made very quickly, but I would
do/discuss this in its own topic and also after we have finished the
OpenVPN-2.4 update.
There is also the need to think about a lowered --script-security level
(from 3 to 2), which I think also matches this topic, and also some other
possible (and already fixed) warnings --> https://bugzilla.ipfire.org/show_bug.cgi?id=11364
like e.g. the MTU warning, which should also be thought about but also
better tested...

Nevertheless it might be nice if you stay tuned in this topic.

Greetings,

Erik
  
Michael Tremer Feb. 15, 2018, 7:27 a.m. UTC | #10
Hi,

On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> Hi Michael,
> 
> On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> 
> > > > What other steps are urgently necessary that we can roll out
> > > > OpenVPN
> > > > 2.4? Are the CGI changes necessary or new features?
> > > 
> > > there is the need to make the changes for '--script-security' and
> > > to
> > > add '--ncp-disable' in ovpnmain.cgi. 
> > 
> > Okay. I will wait with merging OpenSSL until we have this sorted.
> 
> Have send the forgotten AES-GCM patch --> https://lists.ipfire.org/pipe
> rmail/development/2018-February/004063.html would you merge it to
> openssl-11 if the review is OK, i would pull the chnages then and
> prepare/send the last ovpnmain.cgi patch ?

You can work on the other patches independently from this one.

> > 
> > > 
> > > Also the integration of the directives via update.sh for the core
> > > update needs to be made since a server stop|start do not includes
> > > the
> > > changes into server.conf.
> > 
> > And this, too.
> 
> Since there is currently no config/rootfiles/core/config/rootfiles/core
> directory for openssl-11 should i make one for core 119 (or 120 ?) and
> add there the commands in update.sh ?

Please provide that in an extra script. I do not know when this will land in a
Core Update.

> > 
> > > 
> > > So there are two steps left for a roll out of a 2.4 minimum
> > > version.
> > > Should i send this in two patches or better in one ?
> > 
> > Please try this in two patches.
> 
> No problem if i am clear about the quest above.
> 
> > 
> > > 
> > > In which core update should this be delivered ?
> > 
> > I am not sure, yet. 119 would have been good, but we already have a
> > lot in there
> > and I think we should not delay this too much. But 120 at the latest.
> > 
> > It is really important that we get the latest OpenSSL out there as
> > soon as
> > possible.
> 
> Have successfully installed yesterday an IPFire ISO with OpenSSL-1.1.0g 
> i think the last changes from commit
> 59d77d2eae265304887408b1d36074269f6075a4
> did it :D . Great work Michael. Two more commits and from the OpenVPN
> side all should be for the first OK. After that i would step then into
> testing mode...
> 
> Greetings,
> 
> Erik
  
ummeegge Feb. 15, 2018, 5:18 p.m. UTC | #11
Hello,


On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
> Hi,
> 
> On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> > 
> > Hi Michael,
> > 
> > On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> > 
> > > 
> > > > 
> > > > > 
> > > > > What other steps are urgently necessary that we can roll out
> > > > > OpenVPN
> > > > > 2.4? Are the CGI changes necessary or new features?
> > > > there is the need to make the changes for '--script-security'
> > > > and
> > > > to
> > > > add '--ncp-disable' in ovpnmain.cgi. 
> > > Okay. I will wait with merging OpenSSL until we have this sorted.
> > Have send the forgotten AES-GCM patch --> https://lists.ipfire.org/
> > pipe
> > rmail/development/2018-February/004063.html would you merge it to
> > openssl-11 if the review is OK, i would pull the chnages then and
> > prepare/send the last ovpnmain.cgi patch ?
> You can work on the other patches independently from this one.

If we leave the AES-GCM patch behind for the first, there is not much more to do in ovpnmain.cgi.
These directives https://lists.ipfire.org/pipermail/development/2018-February/004085.html should bring
OpenVPN-2.4 to life again.

> 
> > 
> > > 
> > > 
> > > > 
> > > > 
> > > > Also the integration of the directives via update.sh for the
> > > > core
> > > > update needs to be made since a server stop|start do not
> > > > includes
> > > > the
> > > > changes into server.conf.
> > > And this, too.
> > Since there is currently no
> > config/rootfiles/core/config/rootfiles/core
> > directory for openssl-11 should i make one for core 119 (or 120 ?)
> > and
> > add there the commands in update.sh ?
> Please provide that in an extra script. I do not know when this will
> land in a
> Core Update.

OK, where is a good place for this until then?

Greetings,

Erik
  
Michael Tremer Feb. 15, 2018, 10:05 p.m. UTC | #12
On Thu, 2018-02-15 at 07:18 +0100, ummeegge wrote:
> Hello,
> 
> 
> On Wednesday, 14.02.2018, 20:27 +0000, Michael Tremer wrote:
> > Hi,
> > 
> > On Wed, 2018-02-14 at 14:24 +0100, ummeegge wrote:
> > > 
> > > Hi Michael,
> > > 
> > > On Wednesday, 14.02.2018, 12:22 +0000, Michael Tremer wrote:
> > > 
> > > > 
> > > > > 
> > > > > > 
> > > > > > What other steps are urgently necessary that we can roll out
> > > > > > OpenVPN
> > > > > > 2.4? Are the CGI changes necessary or new features?
> > > > > 
> > > > > there is the need to make the changes for '--script-security'
> > > > > and
> > > > > to
> > > > > add '--ncp-disable' in ovpnmain.cgi. 
> > > > 
> > > > Okay. I will wait with merging OpenSSL until we have this sorted.
> > > 
> > > Have send the forgotten AES-GCM patch --> https://lists.ipfire.org/
> > > pipe
> > > rmail/development/2018-February/004063.html would you merge it to
> > > openssl-11 if the review is OK, i would pull the chnages then and
> > > prepare/send the last ovpnmain.cgi patch ?
> > 
> > You can work on the other patches independently from this one.
> 
> If we leave the AES-GCM patch for the first behind there is not much more to
> do in ovpnmain.cgi . 
> This directives https://lists.ipfire.org/pipermail/development/2018-February/0
> 04085.html should bring 
> OpenVPN-2.4 to life again.
> 
> > 
> > > 
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Also the integration of the directives via update.sh for the
> > > > > core
> > > > > update needs to be made since a server stop|start do not
> > > > > includes
> > > > > the
> > > > > changes into server.conf.
> > > > 
> > > > And this, too.
> > > 
> > > Since there is currently no
> > > config/rootfiles/core/config/rootfiles/core
> > > directory for openssl-11 should i make one for core 119 (or 120 ?)
> > > and
> > > add there the commands in update.sh ?
> > 
> > Please provide that in an extra script. I do not know when this will
> > land in a
> > Core Update.
> 
> OK, where is a good place for this until then ?

Just by email for now as you did.

This isn't too great for many of these things, but I cannot think of an easier
way for this one time.

-Michael

> 
> Greetings,
> 
> Erik
> 
> 
>
  

Patch

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
new file mode 100644
index 0000000..5fbe210
--- /dev/null
+++ b/config/ovpn/openvpn-crl-updater
@@ -0,0 +1,90 @@ 
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2018  IPFire Team  <erik.kapfer@ipfire.org>                   #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+#                                                                             #
+# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater                  #
+#                                                                             #
+# Description: This script checks the "Next Update:" field of the CRL         #
+#   and renews it if needed, which prevents the expiration of OpenVPNs CRL.   #
+#   With OpenVPN 2.4.x the CRL handling has been refactored,                  #
+#   whereby the verification logic has been removed                           #
+#   from ssl_verify_<backend>.c .                                             #
+#                                                                             #
+# Run Information: If OpenVPNs CRL is present,                                #
+#   this script provides a cronjob which checks daily if an update            #
+#   of the CRL is needed. If the expiring date reaches the value              #
+#   (defined in the 'UPDATE' variable in days) before the CRL expiration,     #
+#   an openssl command will be executed to renew the CRL.                     #
+#   Script execution will be logged into /var/log/messages.                   #
+#                                                                             #
+###############################################################################
+
+## Paths
+OVPN="/var/ipfire/ovpn"
+CRL="${OVPN}/crls/cacrl.pem"
+CAKEY="${OVPN}/ca/cakey.pem"
+CACERT="${OVPN}/ca/cacert.pem"
+OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
+
+# Check if CRL is presant or if OpenVPN is active
+if [ ! -e "${CAKEY}" ]; then
+	exit 0;
+fi
+
+## Values
+# Actual time in epoch format
+NOW="$(date +%s)"
+
+# Investigate CRLs 'Next Update' date
+EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
+
+# Convert 'Next Update:' date from epoch to seconds
+EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
+
+# Seconds left until CRL expires
+EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
+
+# Day in seconds to calculate
+DAYINSEC="86400"
+
+# Convert seconds to days
+NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
+
+# Update of the CRL in days before CRL expiring date
+UPDATE="14"
+
+
+## Mainpart
+# Check if OpenVPNs CRL needs to be renewed
+if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+		logger -t openvpn "CRL has been updated"
+    else
+		logger -t openvpn "error: Could not update CRL"
+    fi
+fi
+
+exit 0
+
+
+# EOF
+
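Review bot: the only guard is `[ ! -e "${CAKEY}" ]`, so when the CA key exists but `${CRL}` does not (or `openssl crl` fails for any other reason), EXPIRES_CRL is empty, `date -d ""` resolves to the start of today, NEXTUPDATE becomes 0 and the script regenerates a CRL without logging why; the guard should also test for the CRL file, and an empty EXPIRES_CRL should log an error and exit before the arithmetic rather than fall through to `openssl ca -gencrl`. Smaller points in the same hunk: the comment "Convert 'Next Update:' date from epoch to seconds" is the wrong way round (the line converts the date string into epoch seconds), "presant" should read "present", and the renewal block mixes four-space and tab indentation. Since UPDATE is 14 days, the script also assumes the CRL lifetime configured in ovpn.cnf is comfortably longer than 14 days; otherwise the CRL is regenerated on every daily run, which is worth a comment next to UPDATE.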
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index 2b63424..131d798 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -1,3 +1,4 @@ 
+etc/fcron.daily/openvpn-crl-updater
 #usr/include/openvpn-msg.h
 #usr/include/openvpn-plugin.h
 #usr/lib/openvpn
diff --git a/lfs/openvpn b/lfs/openvpn
index 3913f02..ef25c25 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,5 +96,10 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 	chown root:root /usr/lib/openvpn/verify
 	chmod 755 /usr/lib/openvpn/verify
+	# Add crl updater
+	mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
+	chown root:root /etc/fcron.daily/openvpn-crl-updater
+	chmod 750 /etc/fcron.daily/openvpn-crl-updater
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
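Review bot: the added `mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily` depends on the script having been staged into /var/ipfire/ovpn by a copy step outside this hunk, the same pattern the `verify` lines just above rely on; an `install -v -m 750 -o root -g root` of the script straight from the source tree into /etc/fcron.daily would make the placement self-contained and fold the separate chown/chmod into one line. The trailing empty `+` line before `@rm -rf $(DIR_APP)` also leaves a stray blank line in the recipe.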