ovpnmain.cgi: Bug 12574 - OpenVPN Internal server error when returning after generating root/host certificates

Message ID 20211114204252.3464019-1-adolf.belka@ipfire.org
State Accepted
Commit acbd6ff4dbbfa248b00d3922f666da7e6fabcc6c
Headers show
Series ovpnmain.cgi: Bug 12574 - OpenVPN Internal server error when returning after generating root/host certificates | expand

Commit Message

Adolf Belka Nov. 14, 2021, 8:42 p.m. UTC
- Option "--secret" was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5
   It was replaced by "secret". If "--secret" is used with genkey then a user warning is
   printed and this is what gives the Internal server error.
- Patch was defined by Erik Kapfer but currently he does not have a build environment
   so I have submitted the patch on his behalf.
- Patch tested on a vm testbed running Core Update 160. Confirmed that without patch the
   error still occurs and with patch everything runs smoothly.

Fixes: Bug #12574
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by : Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Müller Nov. 17, 2021, 7:57 p.m. UTC | #1
Hello Adolf,
hello Erik,

thank you very much for working on this.

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

Thanks, and best regards,
Peter Müller


> - Option "--secret" was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5
>     It was replaced by "secret". If "--secret" is used with genkey then a user warning is
>     printed and this is what gives the Internal server error.
> - Patch was defined by Erik Kapfer but currently he does not have a build environment
>     so I have submitted the patch on his behalf.
> - Patch tested on a vm testbed running Core Update 160. Confirmed that without patch the
>     error still occurs and with patch everything runs smoothly.
> 
> Fixes: Bug #12574
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by : Erik Kapfer <ummeegge@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/ovpnmain.cgi | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index f99bfdef7..7e274b36a 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1209,7 +1209,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
>   	if ($cgiparams{'TLSAUTH'} eq 'on') {
>   		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
>   			# This system call is safe, because all arguements are passed as an array.
> -			system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key");
> +			system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
>   			if ($?) {
>   				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   				goto SETTINGS_ERROR;
> @@ -2012,7 +2012,7 @@ END
>   	}
>   	# Create ta.key for tls-auth
>   	# This system call is safe, because all arguments are passed as an array.
> -	system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
> +	system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
>   	if ($?) {
>   	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
>   	    &cleanssldatabase();
>

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f99bfdef7..7e274b36a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1209,7 +1209,7 @@  if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	if ($cgiparams{'TLSAUTH'} eq 'on') {
 		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
 			# This system call is safe, because all arguements are passed as an array.
-			system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key");
+			system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
 			if ($?) {
 				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 				goto SETTINGS_ERROR;
@@ -2012,7 +2012,7 @@  END
 	}
 	# Create ta.key for tls-auth
 	# This system call is safe, because all arguments are passed as an array.
-	system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+	system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key");
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    &cleanssldatabase();