From patchwork Thu Dec 3 12:08:06 2020 X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 3699
From: ummeegge To: development@lists.ipfire.org Subject: [PATCH 2/3] OpenVPN: Control-Channel encryption settings Date: Thu, 3 Dec 2020 12:08:06 +0000 Message-Id: <20201203120807.20694-2-erik.kapfer@ipfire.org> In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org> References: <20201203120807.20694-1-erik.kapfer@ipfire.org>

- The --tls-ciphers for the control channel TLSv2 crypto can now be combined for negotiation.
- The --tls-ciphersuite crypto does the same but with TLSv3 and can also be combined for negotiation. There are no defaults for both, so these features are deactivated unless the user decides to use them.
- The --tls-ciphersuite directive will only be printed into client.ovpn if the client is >=2.5.0 ready.

Signed-off-by: ummeegge
---
html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++++
langs/de/cgi-bin/de.pl | 3 ++
langs/en/cgi-bin/en.pl | 3 ++
3 files changed, 115 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index fc4c6193a..f2b8b79da 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $cgiparams{'DATACIPHERS'} = ''; +$cgiparams{'CHANNELCIPHERS'} = ''; +$cgiparams{'NCHANNELCIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; 
@@ -337,6 +339,20 @@ sub writeserverconf { print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; } + # Control channel encryption TLSv2 needs own line cause directive differs + if ($sovpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g); + print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n"; + } + + # Controll channel encryption >= TLSv3 + if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g); + print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -937,6 +953,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { goto ADV_ENC_ERROR; } + # If no value for --tls-cipher has been set, delete setting + if ($cgiparams{'CHANNELCIPHERS'} eq '') { + delete $vpnsettings{'CHANNELCIPHERS'}; + } else { + $vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'}; + } + + # If no value for --tls-ciphersuites has been set, delete setting + if ($cgiparams{'NCHANNELCIPHERS'} eq '') { + delete $vpnsettings{'NCHANNELCIPHERS'}; + } else { + $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; + } + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf(); } 
@@ -2380,12 +2410,30 @@ else # Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set seperator for --data-ciphers algorithms @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; } else { print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; } + # Set --tls-cipher TLSv2 if configured + if ($vpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n"; + } + + # Print new tls-ciphersuites TLSv3 only if client is >=2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set --tls-ciphersuites TLSv3 if configured + if ($vpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n"; + } + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2918,6 +2966,8 @@ END } $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'}; ADV_ENC_ERROR: 
@@ -2951,13 +3001,37 @@ ADV_ENC_ERROR: @temp = split('\|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + # No default settings for --tls-cipher so OpenVPN makes his own choice + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + @temp = split('\|', $cgiparams{'CHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; } + + # No default settings for --tls-ciphersuites so OpenVPN makes his own choice + $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = ''; + @temp = split('\|', $cgiparams{'NCHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; } + # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + 
$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; + $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; } ADV_ENC_ERROR: @@ -3021,8 +3095,43 @@ ADV_ENC_ERROR: + + + + $Lang::tr{'ovpn control channel v3'} + $Lang::tr{'ovpn control channel v2'} + + + + + $Lang::tr{'ovpn channel encryption'} + + + + + + + + + +

+
END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 614f8a16c..cc7755018 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1908,6 +1908,9 @@ 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung', +'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', +'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation', 'ovpn data channel' => 'Daten-Kanal', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 714d7c81e..3dcb8d46e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1940,6 +1940,9 @@ 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Control-Channel encryption', +'ovpn control channel v2' => 'Control-Channel TLSv2', +'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel authentication' => 'Data and channel authentication', 'ovpn data channel' => 'Data-Channel',
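Review bot: In the writeserverconf hunk (@@ -337), `@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);` runs the substitution in place on the hash value and stores only the substitution count in an array that is never read, so after the config is written the in-memory settings hold colon-separated values. Copy first, e.g. `(my $tlsciphers = $sovpnsettings{'CHANNELCIPHERS'}) =~ s/\|/:/g;` and print `$tlsciphers`; the NCHANNELCIPHERS block below needs the same. Also fix the comment typos "seperator" and "Controll".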
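Review bot: In the save-enc-options hunk (@@ -937), CHANNELCIPHERS and NCHANNELCIPHERS are copied from $cgiparams into %vpnsettings without any check, and they are later written verbatim into the server config (`tls-cipher`, `tls-ciphersuites`) and into every generated client.ovpn. The data-ciphers path just above ends in a `goto ADV_ENC_ERROR` check; give these two parameters the same treatment: split on `|`, accept only names that appear in the form's own option lists (the TLS-ECDHE-.../TLS-DHE-... and TLS_AES_.../TLS_CHACHA20_... names from the @@ -2951 hunk) and jump to ADV_ENC_ERROR otherwise, so that a malformed or unexpected value cannot become a directive in the generated configs.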
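Review bot: In the client-config hunk (@@ -2380), the new `tls-ciphersuites` block repeats the `$confighash{$cgiparams{'KEY'}}[45] eq 'on'` test that already gates `data-ciphers` a few lines above; placing the block inside that existing if keeps a single 2.5.0 version gate and avoids the two checks drifting apart. The comment "Print new tls-ciphersuites TLSv3" should read TLS 1.3, since --tls-ciphersuites is OpenVPN's TLS 1.3 list.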
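Review bot: In the @@ -2951 hunk, the comments "so OpenVPN makes his own choice" should read "its own choice". Since nothing is pre-selected, an untouched form submits an empty value and the directive is omitted, which matches the commit message; it would help to say so in the comment instead of only "No default settings".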
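Review bot: The en.pl strings 'Control-Channel TLSv2' and 'Control-Channel TLSv3' (and the de.pl 'Kontroll-Kanal TLSv2'/'TLSv3') mislabel the protocol versions: there is no TLS version 2 or 3; --tls-cipher restricts the cipher list for TLS 1.2 and older and --tls-ciphersuites the list for TLS 1.3. Suggest 'Control-Channel TLS 1.2' / 'Control-Channel TLS 1.3' and 'Kontroll-Kanal TLS 1.2' / 'Kontroll-Kanal TLS 1.3'; the code comments and the commit message use the same TLSv2/TLSv3 wording and should be aligned with the labels.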