From patchwork Thu Dec 10 16:59:21 2020
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 3714
From: ummeegge
To: development@lists.ipfire.org
Subject: [PATCH v2 3/7] OpenVPN: Warning for broken algorithms
Date: Thu, 10 Dec 2020 16:59:21 +0000
Message-Id: <20201210165925.25037-3-erik.kapfer@ipfire.org>
In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org> <20201210165925.25037-1-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

The user will be warned in the WUI if he uses BF, CAST, DES* or SHA1 since those algorithms will "soon be removed".
Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 17 +++++++++++++++++ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ langs/es/cgi-bin/es.pl | 4 ++++ langs/fr/cgi-bin/fr.pl | 2 ++ langs/it/cgi-bin/it.pl | 4 ++++ langs/nl/cgi-bin/nl.pl | 5 +++++ langs/pl/cgi-bin/pl.pl | 4 ++++ langs/ru/cgi-bin/ru.pl | 4 ++++ langs/tr/cgi-bin/tr.pl | 4 ++++ 10 files changed, 48 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dbf8a8d2e..7a2f8a5a3 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -250,6 +250,20 @@ sub pkiconfigcheck } } + # Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers = "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring = ) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) { + my @tempcipherstring = split(" ", $cipherstring); + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[1]
$Lang::tr{'ovpn warning 64 bit block cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + CRYPTO_WARNING: } @@ -5242,6 +5256,9 @@ END my @status = `/bin/cat /var/run/ovpnserver.log`; + # Perform crypto and configration test to display warnings or errors + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 08827b08a..ae05d5e55 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1948,6 +1948,8 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt.
Bitte ändern Sie dies so schnell wie möglich!
', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 880cae5f7..321503d67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1980,6 +1980,8 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed.
Please change this as soon as possible!
', +'ovpn warning algorithm' => 'You configured the algorithm', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index c86580e81..752093552 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -552,6 +552,8 @@ 'credits' => 'Creditos', 'crl' => 'Lista de revocación de certificados', 'cron server' => 'Servidor CRON', +'crypto error' => 'Error de criptografía', +'crypto warning' => 'Advertencias sobre la criptografía', 'current' => 'Actual', 'current aliases' => 'Alias actuales', 'current class' => 'Clase actual', @@ -1345,6 +1347,8 @@ 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0', 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.', 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:', +'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del está roto y pronto se eliminará.
¡Por favor, cambie esto lo antes posible!
', +'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Tamaño de Fragmento', 'ovpn_mssfix' => 'Tamaño MSSFIX', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 1a1f37cbe..f931bc70e 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1981,6 +1981,8 @@ 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.', 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ', 'ovpn tls auth' => 'Protection du canal TLS :', +'ovpn warning 64 bit block cipher' => 'Ce L\'algorithme de chiffage du n\'est plus sûr et sera bientôt supprimé.
Veuillez changer cela dès que possible!
', +'ovpn warning algorithm' => 'L\'algorithme suivant a été configuré', 'ovpn warning rfc3280' => 'Votre certificat d\'hôte n\'est pas conforme avec la RFC3280.
Veuillez mettre à jour la dernière version d\'IPFire et générer dès que possible un nouveau certificat racine et hôte.

Tous les clients OpenVPN doivent ensuite être renouvelés !
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Taille du fragment', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 2c1dc9559..3779de3f6 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -622,6 +622,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Errore di crittografia', +'crypto warning' => 'Avvertenze di crittografia', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1733,6 +1735,8 @@ 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning 64 bit block cipher' => 'L\'algoritmo di crittografia è insicuro e verrà presto disinstallato.
Si prega di cambiare il più presto possibile!
', +'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 635cbd3b8..dc9ea350f 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -616,6 +616,8 @@ 'credits' => 'Credits', 'crl' => 'Certificaatintrekkingslijst', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptografische fout', +'crypto warning' => 'Cryptografie waarschuwingen', 'current' => 'Huidig', 'current aliases' => 'Huidige aliassen:', 'current class' => 'Huidige klasse', @@ -1686,6 +1688,9 @@ 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.', 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ', +'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd.
Verander dit zo snel mogelijk!
', +'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd', +'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform.
Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.

Alle OpenVPN-clients moeten dan vernieuwd worden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrootte', 'ovpn_mssfix' => 'MSSFIX-grootte', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 4ceaeef8a..96e9a95ae 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -553,6 +553,8 @@ 'credits' => 'Credits', 'crl' => 'Lista odwołań certyfikatów', 'cron server' => 'Serwer CRON', +'crypto error' => 'Błąd kryptograficzny', +'crypto warning' => 'Ostrzeżenia kryptograficzne', 'current' => 'Aktualne', 'current aliases' => 'Aktualne alias:', 'current class' => 'Aktualna klasa', @@ -1357,6 +1359,8 @@ 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.', 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ', +'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru.
Proszę to zmienić jak najszybciej!
', +'ovpn warning algorithm' => 'Skonfigurowałeś algorytm', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Rozmiar fragmentu', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 1d81eb62c..5ba44ce29 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -551,6 +551,8 @@ 'credits' => 'О Проекте', 'crl' => 'Список отозванных сертификатов', 'cron server' => 'CRON Сервер', +'crypto error' => 'Ошибка криптографии', +'crypto warning' => 'крипто-предупреждение', 'current' => 'Current', 'current aliases' => 'Действующие псевдонимы:', 'current class' => 'Текущий класс', @@ -1352,6 +1354,8 @@ 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.', 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ', +'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален.
Пожалуйста, измените это как можно скорее!
', +'ovpn warning algorithm' => 'Вы настроили алгоритм', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentsize', 'ovpn_mssfix' => 'MSSFIX Size', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 5fbd9f3d3..b459401c9 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -682,6 +682,8 @@ 'credits' => 'Yazarlar', 'crl' => 'Sertifika İptal Listesi', 'cron server' => 'CRON Sunucusu', +'crypto error' => 'Kriptografi hatası', +'crypto warning' => 'Kriptografi uyarıları', 'current' => 'Geçerli', 'current aliases' => 'Geçerli takma adlar:', 'current class' => 'Geçerli sınıflar', @@ -1878,6 +1880,8 @@ 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)', 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.', 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ', +'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak.
Lütfen bunu mümkün olan en kısa sürede değiştirin!
', +'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın', 'ovpn_fastio' => 'Hızlı-IO', 'ovpn_mssfix' => 'MSSFIX Boyutu', 'ovpn_mtudisc' => 'MTU-Keşfi',