From patchwork Mon Aug 6 17:25:54 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1873
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Introduce Negotiable Crypto Parameters for roadwarriors
Date: Mon, 6 Aug 2018 09:25:54 +0200
Message-Id: <1533540354-4387-1-git-send-email-erik.kapfer@ipfire.org>

The ncp-ciphers differs from the OpenVPN default value and has been adapted from Fedora. Please see the explanations in https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN .

--- html/cgi-bin/ovpnmain.cgi | 38 +++++++++++++++++++++++++++----------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 976300f..dc22ba5 100644 --- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi @@ -321,8 +321,13 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + # Enable Negotiable Crypto Parameters + if ($sovpnsettings{'NCP'} eq 'on') { + print CONF "ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC\n"; + } else { + print CONF "ncp-disable\n"; + } if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; } else { @@ -789,6 +794,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; + $vpnsettings{'NCP'} = $cgiparams{'NCP'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -2685,6 +2691,9 @@ ADV_ERROR: $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'NCP'}{'off'} = ''; + $checked{'NCP'}{'on'} = ''; + $checked{'NCP'}{$cgiparams{'NCP'}} = 'CHECKED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2818,6 +2827,22 @@ print < $Lang::tr{'ovpn crypt options'} + + + + + + + + + + + + + + + + @@ -2833,17 +2858,8 @@ print <$Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'})
$Lang::tr{'ovpn ncp'}
HMAC tls-auth
+
- - - - - - - - - -
HMAC tls-auth

END if ( -e "/var/run/openvpn.pid"){ diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6e3dba4..9f0de6b 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1833,6 +1833,7 @@ 'ovpn mtu-disc off' => 'Deaktiviert', 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery kann nicht gemeinsam mit mssfix oder fragment verwendet werden.', 'ovpn mtu-disc yes' => 'Forciert', +'ovpn ncp' => 'Verschlüsselung aushandeln', 'ovpn no connections' => 'Keine aktiven OpenVPN Verbindungen', 'ovpn on blue' => 'OpenVPN auf BLAU:', 'ovpn on orange' => 'OpenVPN auf ORANGE:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3ec5af5..5cd47b1 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1866,6 +1866,7 @@ 'ovpn mtu-disc off' => 'Disabled', 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.', 'ovpn mtu-disc yes' => 'Forced', +'ovpn ncp' => 'Negotiate encryption', 'ovpn no connections' => 'No active OpenVPN connections', 'ovpn on blue' => 'OpenVPN on BLUE:', 'ovpn on orange' => 'OpenVPN on ORANGE:',
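Review bot: In the `ncp-ciphers` line added to writeserverconf, BF-CBC is kept as the last negotiable cipher, so a client that offers only BF-CBC still ends up on a 64-bit block cipher even after the admin has switched negotiation on expecting AES-GCM. If it stays for compatibility with old clients (the cited Fedora change keeps it for that reason), say so in the help text for the new option, or drop it and rely on the unchanged `cipher $sovpnsettings{DCIPHER}` line for peers that cannot negotiate. The else branch writing `ncp-disable` whenever NCP is not 'on' keeps existing installations, where the key is absent, on the previous behaviour, which is the right default. Minor: `$sovpnsettings{DCIPHER}` is unquoted while the new `$sovpnsettings{'NCP'}` is quoted; pick one style.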
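Review bot: `$vpnsettings{'NCP'} = $cgiparams{'NCP'};` in the save-adv-options hunk stores the submitted value unchecked. writeserverconf only tests `eq 'on'`, so a stray value is harmless there, but the settings file then holds something other than 'on'/'off', and the radio-button rendering in the ADV_ERROR block, which keys on the stored value, shows neither button selected. Normalise it at save time, e.g. `$vpnsettings{'NCP'} = ($cgiparams{'NCP'} eq 'on') ? 'on' : 'off';`, so only known values reach the settings file.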
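Review bot: `$checked{'NCP'}{$cgiparams{'NCP'}} = 'CHECKED';` in the ADV_ERROR hunk leaves both radio buttons unselected when `$cgiparams{'NCP'}` is empty, which is the case for any settings file written before this option existed. Default it first (`$cgiparams{'NCP'} = 'off' unless $cgiparams{'NCP'};`) so the form reflects the `ncp-disable` fallback that writeserverconf applies in exactly that situation.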
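Review bot: The new en.pl string 'Negotiate encryption' does not tell the admin what is negotiated or that a BF-CBC fallback is part of the set; consider naming the mechanism ('Negotiate cipher (NCP)') and adding a help string that lists the ciphers written to the server configuration, with the German string adjusted to match.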