From patchwork Thu Dec 10 16:59:23 2020
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 3716
From: ummeegge To: development@lists.ipfire.org Subject: [PATCH v2 5/7] OpenVPN: Control-Channel encryption settings Date: Thu, 10 Dec 2020 16:59:23 +0000 Message-Id: <20201210165925.25037-5-erik.kapfer@ipfire.org> In-Reply-To: <20201210165925.25037-1-erik.kapfer@ipfire.org> References: <20201203120807.20694-1-erik.kapfer@ipfire.org> <20201210165925.25037-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - The --tls-ciphers for the control channel TLSv2 crypto can now be combined for negotiation. - The --tls-ciphersuite crypto does the same but with TLSv3 and can also be combined for negotiation. There are no defaults for both and this feature is inactive unless the user decides to use them. - The --tls-ciphersuite directive will only be printed into client.ovpn if the client is >=2.5.0 ready. Signed-off-by: ummeegge --- html/cgi-bin/ovpnmain.cgi | 106 ++++++++++++++++++++++++++++++++++++++ langs/de/cgi-bin/de.pl | 3 ++ langs/en/cgi-bin/en.pl | 3 ++ langs/es/cgi-bin/es.pl | 3 ++ langs/fr/cgi-bin/fr.pl | 3 ++ langs/it/cgi-bin/it.pl | 3 ++ langs/nl/cgi-bin/nl.pl | 3 ++ langs/pl/cgi-bin/pl.pl | 3 ++ langs/ru/cgi-bin/ru.pl | 3 ++ langs/tr/cgi-bin/tr.pl | 3 ++ 10 files changed, 133 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 71cba6d88..e248b3cbb 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $cgiparams{'DATACIPHERS'} = ''; +$cgiparams{'CHANNELCIPHERS'} = ''; +$cgiparams{'NCHANNELCIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; 
@@ -351,6 +353,20 @@ sub writeserverconf { print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; } + # Control channel encryption TLSv2 needs own line cause directive name differs + if ($sovpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g); + print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n"; + } + + # Control channel encryption >= TLSv3 + if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g); + print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -951,6 +967,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { goto ADV_ENC_ERROR; } + # If no value for --tls-cipher has been set, delete setting + if ($cgiparams{'CHANNELCIPHERS'} eq '') { + delete $vpnsettings{'CHANNELCIPHERS'}; + } else { + $vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'}; + } + + # If no value for --tls-ciphersuites has been set, delete setting + if ($cgiparams{'NCHANNELCIPHERS'} eq '') { + delete $vpnsettings{'NCHANNELCIPHERS'}; + } else { + $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'}; + } + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf(); } 
@@ -2402,6 +2432,23 @@ else print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; } + # Set --tls-cipher TLSv2 in client.ovpn if configured + if ($vpnsettings{'CHANNELCIPHERS'} ne '') { + # Set seperator for TLSv2 channel ciphers + @advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n"; + } + + # Print new tls-ciphersuites TLSv3 in client.ovpn only if client is >=2.5.0 + if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') { + # Set --tls-ciphersuites TLSv3 if configured + if ($vpnsettings{'NCHANNELCIPHERS'} ne '') { + # Set seperator for TLSv3 channel ciphers + @advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n"; + } + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2934,6 +2981,8 @@ END } $confighash{$key}[40] = $cgiparams{'DCIPHER'}; $confighash{$key}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'}; ADV_ENC_ERROR: 
@@ -2967,13 +3016,37 @@ ADV_ENC_ERROR: @temp = split('\|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + # No default settings for --tls-cipher so OpenVPN makes his own choice + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = ''; + $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = ''; + @temp = split('\|', $cgiparams{'CHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; } + + # No default settings for --tls-ciphersuites so OpenVPN makes his own choice + $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = ''; + $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = ''; + @temp = split('\|', $cgiparams{'NCHANNELCIPHERS'}); + foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; } + # Save settings and display default if not configured if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) { $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'}; $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'}; + $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'}; + $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'}; } else { $cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'}; $cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'}; + 
$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'}; + $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'}; } ADV_ENC_ERROR: @@ -3040,8 +3113,41 @@ ADV_ENC_ERROR: + + + $Lang::tr{'ovpn control channel v3'} + $Lang::tr{'ovpn control channel v2'} + + + + $Lang::tr{'ovpn channel encryption'} + + + + + + + + + +

+
END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ae05d5e55..cadf4b141 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1908,6 +1908,9 @@ 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung', +'ovpn control channel v2' => 'Kontroll-Kanal TLSv2', +'ovpn control channel v3' => 'Kontroll-Kanal TLSv3', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', 'ovpn data channel fallback' => 'Daten-Kanal Fallback', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 321503d67..4b667f881 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1940,6 +1940,9 @@ 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Control-Channel encryption', +'ovpn control channel v2' => 'Control-Channel TLSv2', +'ovpn control channel v3' => 'Control-Channel TLSv3', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', 'ovpn data channel fallback' => 'Data-Channel fallback', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index 752093552..65505706c 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1333,6 +1333,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Estadisticas de conexión OpenVPN', 'ovpn config' => 'Configruación de OVPN', +'ovpn channel encryption' => 'Encriptación Canal-Control', +'ovpn control channel v2' => 'Canal-Control TLSv2', +'ovpn control channel v3' => 'Canal-Control TLSv3', 'ovpn data encryption' => 'Encriptación Data-Channel', 'ovpn data channel' => 'Canal-Datos', 'ovpn data channel fallback' => 'Retroceso Canal-Datos', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index f931bc70e..cda133e5d 100644 --- a/langs/fr/cgi-bin/fr.pl 
+++ b/langs/fr/cgi-bin/fr.pl @@ -1941,6 +1941,9 @@ 'ovpn config' => 'Config OVPN', 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', +'ovpn channel encryption' => 'Chiffrage du canal de contrôle', +'ovpn control channel v2' => 'Canal de contrôle TLSv2', +'ovpn control channel v3' => 'Canal de contrôle TLSv3', 'ovpn data encryption' => 'Chiffrage du canal de données', 'ovpn data channel' => 'Canal de données', 'ovpn data channel fallback' => 'Canal de données de repli', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 3779de3f6..22ce7cd4d 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -1701,6 +1701,9 @@ 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', +'ovpn channel encryption' => 'Crittografia del canale di controllo', +'ovpn control channel v2' => 'Canale di controllo TLSv2', +'ovpn control channel v3' => 'Canale di controllo TLSv3', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index dc9ea350f..15482b7c7 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -1660,6 +1660,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN connectiestatistieken', 'ovpn config' => 'OVPN-Configuratie', +'ovpn channel encryption' => 'Control-kanaal versleuteling', +'ovpn control channel v2' => 'Controle-Kanaal TLSv2', +'ovpn control channel v3' => 'Controle-Kanaal TLSv3', 'ovpn data encryption' => 'Datakanaalversleuteling', 'ovpn data channel' => 'Data-kanaal', 'ovpn data channel fallback' => 'Data-Kanaal terugval', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 96e9a95ae..a5bde2044 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl 
@@ -1345,6 +1345,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Statystyki połączeń OpenVPN', 'ovpn config' => 'OVPN-Konfig', +'ovpn channel encryption' => 'Szyfrowanie Control-Channel', +'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2', +'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3', 'ovpn data encryption' => 'Szyfrowanie Kanału-Danych', 'ovpn data channel' => 'Kanał-Danych', 'ovpn data channel fallback' => 'Awaria Kanału-Danych', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 5ba44ce29..17666de80 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -1336,6 +1336,9 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'Статистика подключений OpenVPN', 'ovpn config' => 'Настройки OVPN', +'ovpn channel encryption' => 'Шифрование каналов управления', +'ovpn control channel v2' => 'Канал-управления TLSv2', +'ovpn control channel v3' => 'Канал-управления TLSv3', 'ovpn data encryption' => 'шифрование-каналов данных', 'ovpn data channel' => 'Информационный-канал', 'ovpn data channel fallback' => 'Информационный-канал отступление', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index b459401c9..7df486bc8 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -1843,6 +1843,9 @@ 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği', 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', +'ovpn channel encryption' => 'Kontrol-Kanalı şifreleme', +'ovpn control channel v2' => 'Kontrol-Kanalı TLSv2', +'ovpn control channel v3' => 'Kontrol-Kanalı TLSv3', 'ovpn data channel' => 'Veri-Kanalı', 'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü', 'ovpn data encryption' => 'Veri-Kanalı şifreleme',
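Review bot: In the writeserverconf hunk (@@ -351,6 +353,20 @@), `@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);` substitutes in place on the hash value and stores only the replacement count in @advcipherchar, which is never read; the same pattern is repeated for NCHANNELCIPHERS and twice more on %vpnsettings in the client.ovpn hunk. If a hash mutated this way is later written back with General::writehash, the colon-joined value is persisted and the `split('\|', ...)` in the ADV_ENC_ERROR hunk no longer separates the entries. Suggest substituting on a copy, e.g. `(my $tls_ciphers = $sovpnsettings{'CHANNELCIPHERS'}) =~ s/\|/:/g;` followed by `print CONF "tls-cipher $tls_ciphers\n";`, or one small helper used by all four sites. The comments also read "seperator" for "separator" and "needs own line cause" for "needs its own line because".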
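Review bot: In the save-enc-options hunk (@@ -951,6 +967,20 @@), $cgiparams{'CHANNELCIPHERS'} and $cgiparams{'NCHANNELCIPHERS'} are copied into %vpnsettings and from there straight into the tls-cipher / tls-ciphersuites lines of the server configuration without being checked against the permitted names; the context just above ends with a `goto ADV_ENC_ERROR;` validation block, which is the natural place to split the submitted value on '|' and reject any element that is not one of the names enumerated in the $checked{'CHANNELCIPHERS'} / $checked{'NCHANNELCIPHERS'} defaults further down. Also, because this hunk deletes the key when the selection is empty, the later `ne ''` tests in writeserverconf and in the client.ovpn hunk compare an undefined value and will warn if warnings are enabled; `defined $x && $x ne ''` (or a plain truth test) avoids that.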
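Review bot: In the client.ovpn hunk (@@ -2402,6 +2432,23 @@), the tls-ciphersuites line is gated on `$confighash{$cgiparams{'KEY'}}[45] eq 'on'`, but nothing in this patch assigns index 45 (the two later hunks only set [43] and [44]), so the gate depends on another patch in the series and the meaning of index 45 deserves a comment next to the check; a client record that predates that flag has an undefined [45] and will silently never receive the tls-ciphersuites line even when NCHANNELCIPHERS is configured. The tls-cipher line is emitted for every client regardless of version, which is fine for the older directive, but both lines inherit the in-place `s/\|/:/g` on %vpnsettings raised for the server hunk.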
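Review bot: In the ADV_ENC_ERROR hunk (@@ -2967,13 +3016,37 @@), the nine tls-cipher defaults and three tls-ciphersuites defaults are hard-coded as hash keys here and the same names have to appear again in the form markup of the following hunk, so the two lists can drift apart; building both the $checked initialisation and the select options from a single array of names keeps them in sync and gives the save path a list to validate against. The comment "so OpenVPN makes his own choice" should read "makes its own choice". The two naming conventions are correct and worth a comment so nobody later "normalises" one to the other: --tls-cipher takes suite names written with dashes (TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384), while --tls-ciphersuites takes the TLS 1.3 suite names with underscores (TLS_AES_256_GCM_SHA384).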
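Review bot: In the en.pl hunk (@@ -1940,6 +1940,9 @@), the labels 'Control-Channel TLSv2' and 'Control-Channel TLSv3' (mirrored in every other language file) name the protocol versions as TLSv2/TLSv3, but the two directives select ciphers for TLS 1.2 and TLS 1.3 respectively (the server config hunk sets `tls-version-min 1.2`); 'TLS 1.2' / 'TLS 1.3' or 'TLSv1.2' / 'TLSv1.3' avoids confusion with the non-existent TLS versions 2 and 3. The code comments "Control channel encryption TLSv2" and ">= TLSv3" have the same wording problem.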
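Review bot: In the nl.pl hunk (@@ -1660,6 +1660,9 @@) the three new strings spell the term two ways, 'Control-kanaal versleuteling' versus 'Controle-Kanaal TLSv2' / 'Controle-Kanaal TLSv3'; pick one form (e.g. 'Controle-kanaal') for all three so the heading and the two field labels match.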