diff mbox series

OpenVPN: Add tls-version-min for TLSv1.2

Message ID 20200815150845.5077-1-ummeegge@ipfire.org
State Accepted
Commit 942446b553235db212d1dfda63bd9ab52eef4c29
Headers
Series OpenVPN: Add tls-version-min for TLSv1.2 |

Commit Message

ummeegge Aug. 15, 2020, 3:08 p.m. UTC 
  ovpnmain.cgi delivers now 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on server side, this patch do not includes it for Roadwarrior clients.
N2N do not uses push options therefor this directive will be included on both sides.

To integrate the new directive into actual working OpenVPN server environment, the following commands
should be executed via update.sh.

Code block start:

if test -f "/var/ipfire/ovpn/server.conf"; then
	# Add tls-version-minimum to OpenVPN server if not already there
	if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
		# Stop server before append the line
		/usr/local/bin/openvpnctrl -k
		# Append new directive
		echo >> "tls-version-min 1.2" /var/ipfire/ovpn/server.conf
		# Make sure server.conf have the correct permissions to prevent such
		# --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
		# case
		chown nobody:nobody /var/ipfire/ovpn/server.conf
		# Start server again
		/usr/local/bin/openvpnctrl -s
	fi
fi

Code block end

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 8 ++++++++
 1 file changed, 8 insertions(+)
diff mbox series

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 457ebcf1f..dc80cbf70 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -333,6 +333,8 @@  sub writeserverconf {
     print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
+    # Set TLSv2 as minimum
+    print CONF "tls-version-min 1.2\n";
 
     if ($sovpnsettings{'TLSAUTH'} eq 'on') {
 	print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
@@ -996,6 +998,9 @@  unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
     print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
   }
 
+  # Set TLSv1.2 as minimum
+  print SERVERCONF "tls-version-min 1.2\n";
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print SERVERCONF "# Enable Compression\n";
    print SERVERCONF "comp-lzo\n";
@@ -1098,6 +1103,9 @@  unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
     print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
   }
 
+  # Set TLSv1.2 as minimum
+  print CLIENTCONF "tls-version-min 1.2\n";
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print CLIENTCONF "# Enable Compression\n";
    print CLIENTCONF "comp-lzo\n";