From patchwork Thu Feb 8 04:31:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 1646 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id D469F60993 for ; Wed, 7 Feb 2018 18:36:05 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 300A14729; Wed, 7 Feb 2018 18:36:05 +0100 (CET) Received: from localhost.localdomain (i59F4F6FF.versanet.de [89.244.246.255]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 967274876; Wed, 7 Feb 2018 18:31:51 +0100 (CET) From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH v2] CRL updater: Update script for OpenVPNs CRL Date: Wed, 7 Feb 2018 18:31:49 +0100 Message-Id: <1518024709-5982-1-git-send-email-erik.kapfer@ipfire.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org> References: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org> X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Update script for OpenVPNs CRL cause OpenVPN refactors the CRL handling since v.2.4.0 . Script checks the next update field from the CRL and executes an update before it expires. Script is placed under fcron.daily for daily checks. Signed-off-by: Erik Kapfer --- config/ovpn/openvpn-crl-updater | 90 +++++++++++++++++++++++++++++++++++++++++ config/rootfiles/common/openvpn | 1 + lfs/openvpn | 5 +++ 3 files changed, 96 insertions(+) create mode 100644 config/ovpn/openvpn-crl-updater diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater new file mode 100644 index 0000000..5fbe210 --- /dev/null +++ b/config/ovpn/openvpn-crl-updater @@ -0,0 +1,90 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# # +# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater # +# # +# Description: This script checks the "Next Update:" field of the CRL # +# and renews it if needed, which prevents the expiration of OpenVPNs CRL. # +# With OpenVPN 2.4.x the CRL handling has been refactored, # +# whereby the verification logic has been removed # +# from ssl_verify_.c . # +# # +# Run Information: If OpenVPNs CRL is present, # +# this script provides a cronjob which checks daily if an update # +# of the CRL is needed. If the expiring date reaches the value # +# (defined in the 'UPDATE' variable in days) before the CRL expiration, # +# an openssl command will be executed to renew the CRL. # +# Script execution will be logged into /var/log/messages. # +# # +############################################################################### + +## Paths +OVPN="/var/ipfire/ovpn" +CRL="${OVPN}/crls/cacrl.pem" +CAKEY="${OVPN}/ca/cakey.pem" +CACERT="${OVPN}/ca/cacert.pem" +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf" + +# Check if CRL is presant or if OpenVPN is active +if [ ! -e "${CAKEY}" ]; then + exit 0; +fi + +## Values +# Actual time in epoch format +NOW="$(date +%s)" + +# Investigate CRLs 'Next Update' date +EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" + +# Convert 'Next Update:' date from epoch to seconds +EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")" + +# Seconds left until CRL expires +EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))" + +# Day in seconds to calculate +DAYINSEC="86400" + +# Convert seconds to days +NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))" + +# Update of the CRL in days before CRL expiring date +UPDATE="14" + + +## Mainpart +# Check if OpenVPNs CRL needs to be renewed +if [ ${NEXTUPDATE} -le ${UPDATE} ]; then + if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then + logger -t openvpn "CRL has been updated" + else + logger -t openvpn "error: Could not update CRL" + fi +fi + +exit 0 + + +# EOF + diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 2b63424..131d798 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -1,3 +1,4 @@ +etc/fcron.daily/openvpn-crl-updater #usr/include/openvpn-msg.h #usr/include/openvpn-plugin.h #usr/lib/openvpn diff --git a/lfs/openvpn b/lfs/openvpn index 3913f02..ef25c25 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily + chown root:root /etc/fcron.daily/openvpn-crl-updater + chmod 750 /etc/fcron.daily/openvpn-crl-updater + @rm -rf $(DIR_APP) @$(POSTBUILD)