Message ID | 20221121102221.13486-1-erik.kapfer@ipfire.org |
---|---|
State | New |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4NG3Nn1cfbz3wc7 for <patchwork@web04.haj.ipfire.org>; Mon, 21 Nov 2022 10:22:33 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4NG3Nl36Fvz17j; Mon, 21 Nov 2022 10:22:31 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4NG3Nl1FgKz2y1X; Mon, 21 Nov 2022 10:22:31 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4NG3Nj2ZjKz2xMq for <development@lists.ipfire.org>; Mon, 21 Nov 2022 10:22:29 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4NG3Nh5pDlzdn; Mon, 21 Nov 2022 10:22:28 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1669026148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ROO8WRnOgH18lbKxYw7V110sdc91fxKup1ff7bdK96g=; b=K7bjtXY4VKjAJ/ejtIjm4IA2LNVxke9zAU4nZjp6QP/yhIUR4fq6f1tOgwHAQ7QJ8PPL70 QRVW8zepiz0x6KBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1669026148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ROO8WRnOgH18lbKxYw7V110sdc91fxKup1ff7bdK96g=; b=Fx6Amh2GktkTVGvX5UJcvYUz2NsQUwGqK4rxseQw9z0Cs8yqxXznORt7KF3y/1KkblYxVb 10yGmG6iGauEnHEYrkX2hpoA24PjD2T4wZdvSpLd6o4Qr8yKy72DpX1IIXqLij/pIereyW YQimY8g43ycZ//I1oUk2dNplzEhRLJDTA0UINUsiq0bBquDc3syuaKjqNqrSXlafCISXcn LpXcfgNpMIuHX/QVqWcliwjKiWlZuwaOWfnipbikG5X0LegEP61Lv50kF6ybO3ADctQDHr o5WLDqDWOqi+ZPBg4NuN95CHd+FLhliiE3w2qxYZEz21QTLjurEAiOGIVNScvw== From: Erik Kapfer <erik.kapfer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] openvpn: Warning for broken algorithms . Date: Mon, 21 Nov 2022 11:22:21 +0100 Message-Id: <20221121102221.13486-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
openvpn: Warning for broken algorithms .
|
|
Commit Message
Erik Kapfer
Nov. 21, 2022, 10:22 a.m. UTC
Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog
for version 2.5.8 gives hints to get rid of BF-CBC for default configuations,
a warning will be displayed in the WUI if the user is running
BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change
as soon as possible to another more secure algorithm.
The call of the pkiconfigcheck function is now located in the status page section.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++--
langs/de/cgi-bin/de.pl | 3 +++
langs/en/cgi-bin/en.pl | 3 +++
3 files changed, 42 insertions(+), 2 deletions(-)
Comments
Hello Erik, Nice to see you on this list again :) > On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer@ipfire.org> wrote: > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog > for version 2.5.8 gives hints to get rid of BF-CBC for default configuations, > a warning will be displayed in the WUI if the user is running > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change > as soon as possible to another more secure algorithm. Well, this does not sound like good news. It is yet another change that would break *lots* of existing OpenVPN setups. Although the patch looks fine, I am not sure if this is the best way to go, because if we tell people that their setup won’t be supported much longer, what alternatives are there? Resetting to the default options, throwing away their CA and start from scratch is not an option. Even 20 connections are too many to manually update. If they would actually do this, we will be back to square one really soon, because we still don’t have cipher negotiation. We are also just accumulating warning messages at the top of the page which cannot be fixed. For years, we are showing some certificate warning and I am not sure why that actually is and what people can do about it?! So, I fear that we will have to keep supporting those really outdated (and yes, potentially dangerously insecure) setups for the lifetime of IPFire 2. If it isn’t an option to move forward to the latest version of OpenVPN we would be in *very* big trouble. Best, -Michael > > The call of the pkiconfigcheck function is now located in the status page section. > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > --- > html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- > langs/de/cgi-bin/de.pl | 3 +++ > langs/en/cgi-bin/en.pl | 3 +++ > 3 files changed, 42 insertions(+), 2 deletions(-) > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index dc429d90c..5c34a5f4d 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > $cgiparams{'DAUTH'} = ''; > $cgiparams{'TLSAUTH'} = ''; > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > -# Perform crypto and configration test > -&pkiconfigcheck; > > # Add CCD files if not already presant > unless (-e $routes_push_file) { > @@ -240,6 +238,39 @@ sub pkiconfigcheck > } > } > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage > + if (-f "${General::swroot}/ovpn/server.conf") { > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > + open(FH, $oldciphers); > + while(my $cipherstring = <FH>) { > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) { > + my @tempcipherstring = split(" ", $cipherstring); > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}"; > + goto CRYPTO_WARNING; > + } > + } > + close(FH); > + } > + > + # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > + open(FH, $oldciphers); > + while(my $cipherstring = <FH>) { > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) { > + my @tempcipherstring = split(",", $cipherstring); > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>"; > + goto CRYPTO_WARNING; > + } > + if ($cipherstring =~ /SHA1/) { > + my @tempcipherstring = split(",", $cipherstring); > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>"; > + goto CRYPTO_WARNING; > + } > + } > + } > + > + > CRYPTO_WARNING: > } > > @@ -5056,6 +5087,9 @@ END > my @status = <FILE>; > close(FILE); > > + # Perform crypto and configration test > + &pkiconfigcheck; > + > if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > my $ipaddr = <IPADDR>; > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index abfba5d5e..bb675ec34 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl > @@ -1982,6 +1982,9 @@ > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>', > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', > 'ovpn_fastio' => 'Fast-IO', > 'ovpn_fragment' => 'Fragmentgrösse', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index bf18b22a2..9aaf3e765 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -2035,6 +2035,9 @@ > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > 'ovpn tls auth' => 'TLS Channel Protection:', > +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>', > +'ovpn warning algorithm' => 'The following algorithm was configured', > +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', > 'ovpn_fastio' => 'Fast-IO', > 'ovpn_mssfix' => 'MSSFIX Size', > -- > 2.35.1 >
Hi Michael, Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: > Hello Erik, > > Nice to see you on this list again :) Good to see some answers again from you :-) > > > On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer@ipfire.org> > > wrote: > > > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also > > OpenVPNs changelog > > for version 2.5.8 gives hints to get rid of BF-CBC for default > > configuations, > > a warning will be displayed in the WUI if the user is running > > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to > > change > > as soon as possible to another more secure algorithm. > > Well, this does not sound like good news. It is yet another change > that would break *lots* of existing OpenVPN setups. It would need work from user side to change the cipher/HMAC in the WUI and on client.ovpn if not already AES, Camelia or Seed has been chosen. > > Although the patch looks fine, I am not sure if this is the best way > to go, because if we tell people that their setup won’t be supported > much longer, what alternatives are there? I think with the Sweet32 birthday attacks a lot of things has been changed where even OpenSSL started with fundamental changes and i think /hope it will go further in the crypto world which is also not that far away with things like PQC so things are changing here more or less rapidly. > > Resetting to the default options, throwing away their CA and start > from scratch is not an option. Even 20 connections are too many to > manually update. This patch does not focus the CA, changes needs to be done with the cipher/HMAC selection on server.conf and client.ovpn . > > If they would actually do this, we will be back to square one really > soon, because we still don’t have cipher negotiation. Am pretty alone on testing side and resonance in general with this but the negotiation works here for me --> https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with version >= 2.5.0 . > > We are also just accumulating warning messages at the top of the page > which cannot be fixed. For years, we are showing some certificate > warning and I am not sure why that actually is and what people can do > about it?! Generating a new PKI was the intention with this which should be made in my opinion otherwise all that might be a kind of security by obscurity. We throwed already away the DH warning messages with Peter´s DH Patch, the MD5 message should be showed as you mentioned it, long enough and should be ready to be deleted maybe ? Changes might be hard in that topic but as in life, sometimes important ;-) ? > > So, I fear that we will have to keep supporting those really outdated > (and yes, potentially dangerously insecure) setups for the lifetime > of IPFire 2. If it isn’t an option to move forward to the latest > version of OpenVPN we would be in *very* big trouble. It is mainly OpenSSL not that much OpenVPN... with the legacy mode it might also be a possibility to ride a dead horse. > > Best, > -Michael All the best, Erik > > > > > The call of the pkiconfigcheck function is now located in the > > status page section. > > > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > > --- > > html/cgi-bin/ovpnmain.cgi | 38 > > ++++++++++++++++++++++++++++++++++++-- > > langs/de/cgi-bin/de.pl | 3 +++ > > langs/en/cgi-bin/en.pl | 3 +++ > > 3 files changed, 42 insertions(+), 2 deletions(-) > > > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > > index dc429d90c..5c34a5f4d 100644 > > --- a/html/cgi-bin/ovpnmain.cgi > > +++ b/html/cgi-bin/ovpnmain.cgi > > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > > $cgiparams{'DAUTH'} = ''; > > $cgiparams{'TLSAUTH'} = ''; > > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > > -# Perform crypto and configration test > > -&pkiconfigcheck; > > > > # Add CCD files if not already presant > > unless (-e $routes_push_file) { > > @@ -240,6 +238,39 @@ sub pkiconfigcheck > > } > > } > > > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or > > weak HMAC is in usage > > + if (-f "${General::swroot}/ovpn/server.conf") { > > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = <FH>) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC|SHA1/) { > > + my @tempcipherstring = split(" ", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning > > 64 bit block cipher'}"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + close(FH); > > + } > > + > > + # Warning for Net-to-Net connections if deprecated 64-bit-block > > ciphers or HMAC is in usage > > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = <FH>) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn > > warning algorithm n2n'}<font color='red'> > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block > > cipher'}</br>"; > > + goto CRYPTO_WARNING; > > + } > > + if ($cipherstring =~ /SHA1/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn > > warning algorithm n2n'}<font color='red'> > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block > > cipher'}</br>"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + } > > + > > + > > CRYPTO_WARNING: > > } > > > > @@ -5056,6 +5087,9 @@ END > > my @status = <FILE>; > > close(FILE); > > > > + # Perform crypto and configration test > > + &pkiconfigcheck; > > + > > if ($cgiparams{'VPN_IP'} eq '' && -e > > "${General::swroot}/red/active") { > > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > > my $ipaddr = <IPADDR>; > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > index abfba5d5e..bb675ec34 100644 > > --- a/langs/de/cgi-bin/de.pl > > +++ b/langs/de/cgi-bin/de.pl > > @@ -1982,6 +1982,9 @@ > > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', > > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', > > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist > > unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf > > beiden Seiten (Server und Client) so schnell wie möglich!</br>', > > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde > > konfiguriert', > > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', > > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 > > Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und > > generieren sie ein neues Root und Host Zertifikat so bald wie > > möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert > > werden!</br>', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_fragment' => 'Fragmentgrösse', > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > index bf18b22a2..9aaf3e765 100644 > > --- a/langs/en/cgi-bin/en.pl > > +++ b/langs/en/cgi-bin/en.pl > > @@ -2035,6 +2035,9 @@ > > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > > 'ovpn tls auth' => 'TLS Channel Protection:', > > +'ovpn warning 64 bit block cipher' => 'This encryption algorithm > > is broken and will soon be removed. <br>Please change this on both > > sides (server and client) as soon as possible!</br>', > > +'ovpn warning algorithm' => 'The following algorithm was > > configured', > > +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', > > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 > > compliant. <br>Please update to the latest IPFire version and > > generate as soon as possible a new root and host > > certificate.</br><br>All OpenVPN clients needs then to be > > renewed!</br>', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_mssfix' => 'MSSFIX Size', > > -- > > 2.35.1 > > >
Hi Michael, Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: > Hello Erik, > > Nice to see you on this list again :) Good to see some answers again from you :-) > > > On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer@ipfire.org> > > wrote: > > > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also > > OpenVPNs changelog > > for version 2.5.8 gives hints to get rid of BF-CBC for default > > configuations, > > a warning will be displayed in the WUI if the user is running > > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to > > change > > as soon as possible to another more secure algorithm. > > Well, this does not sound like good news. It is yet another change > that would break *lots* of existing OpenVPN setups. It would need work from user side to change the cipher/HMAC in the WUI and on client.ovpn if not already AES, Camelia or Seed has been chosen. > > Although the patch looks fine, I am not sure if this is the best way > to go, because if we tell people that their setup won’t be supported > much longer, what alternatives are there? I think with the Sweet32 birthday attacks a lot of things has been changed where even OpenSSL started with fundamental changes and i think /hope it will go further in the crypto world which is also not that far away with things like PQC so things are changing here more or less rapidly. > > Resetting to the default options, throwing away their CA and start > from scratch is not an option. Even 20 connections are too many to > manually update. This patch does not focus the CA, changes needs to be done with the cipher/HMAC selection on server.conf and client.ovpn . > > If they would actually do this, we will be back to square one really > soon, because we still don’t have cipher negotiation. Am pretty alone on testing side and resonance in general with this but the negotiation works here for me --> https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with version >= 2.5.0 . > > We are also just accumulating warning messages at the top of the page > which cannot be fixed. For years, we are showing some certificate > warning and I am not sure why that actually is and what people can do > about it?! Generating a new PKI was the intention with this which should be made in my opinion otherwise all that might be a kind of security by obscurity. We throwed already away the DH warning messages with Peter´s DH Patch, the MD5 message should be showed as you mentioned it, long enough and should be ready to be deleted maybe ? Changes might be hard in that topic but as in life, sometimes important ;-) ? > > So, I fear that we will have to keep supporting those really outdated > (and yes, potentially dangerously insecure) setups for the lifetime > of IPFire 2. If it isn’t an option to move forward to the latest > version of OpenVPN we would be in *very* big trouble. It is mainly OpenSSL not that much OpenVPN as one can see already with the PKCS#12 decryption problem... with the legacy mode it might also be a possibility to ride a dead horse. > > Best, > -Michael All the best, Erik > > > > > The call of the pkiconfigcheck function is now located in the > > status page section. > > > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > > --- > > html/cgi-bin/ovpnmain.cgi | 38 > > ++++++++++++++++++++++++++++++++++++-- > > langs/de/cgi-bin/de.pl | 3 +++ > > langs/en/cgi-bin/en.pl | 3 +++ > > 3 files changed, 42 insertions(+), 2 deletions(-) > > > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > > index dc429d90c..5c34a5f4d 100644 > > --- a/html/cgi-bin/ovpnmain.cgi > > +++ b/html/cgi-bin/ovpnmain.cgi > > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > > $cgiparams{'DAUTH'} = ''; > > $cgiparams{'TLSAUTH'} = ''; > > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > > -# Perform crypto and configration test > > -&pkiconfigcheck; > > > > # Add CCD files if not already presant > > unless (-e $routes_push_file) { > > @@ -240,6 +238,39 @@ sub pkiconfigcheck > > } > > } > > > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or > > weak HMAC is in usage > > + if (-f "${General::swroot}/ovpn/server.conf") { > > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = <FH>) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC|SHA1/) { > > + my @tempcipherstring = split(" ", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning > > 64 bit block cipher'}"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + close(FH); > > + } > > + > > + # Warning for Net-to-Net connections if deprecated 64-bit-block > > ciphers or HMAC is in usage > > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = <FH>) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn > > warning algorithm n2n'}<font color='red'> > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block > > cipher'}</br>"; > > + goto CRYPTO_WARNING; > > + } > > + if ($cipherstring =~ /SHA1/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font > > color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn > > warning algorithm n2n'}<font color='red'> > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block > > cipher'}</br>"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + } > > + > > + > > CRYPTO_WARNING: > > } > > > > @@ -5056,6 +5087,9 @@ END > > my @status = <FILE>; > > close(FILE); > > > > + # Perform crypto and configration test > > + &pkiconfigcheck; > > + > > if ($cgiparams{'VPN_IP'} eq '' && -e > > "${General::swroot}/red/active") { > > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > > my $ipaddr = <IPADDR>; > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > index abfba5d5e..bb675ec34 100644 > > --- a/langs/de/cgi-bin/de.pl > > +++ b/langs/de/cgi-bin/de.pl > > @@ -1982,6 +1982,9 @@ > > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', > > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', > > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist > > unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf > > beiden Seiten (Server und Client) so schnell wie möglich!</br>', > > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde > > konfiguriert', > > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', > > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 > > Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und > > generieren sie ein neues Root und Host Zertifikat so bald wie > > möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert > > werden!</br>', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_fragment' => 'Fragmentgrösse', > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > index bf18b22a2..9aaf3e765 100644 > > --- a/langs/en/cgi-bin/en.pl > > +++ b/langs/en/cgi-bin/en.pl > > @@ -2035,6 +2035,9 @@ > > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > > 'ovpn tls auth' => 'TLS Channel Protection:', > > +'ovpn warning 64 bit block cipher' => 'This encryption algorithm > > is broken and will soon be removed. <br>Please change this on both > > sides (server and client) as soon as possible!</br>', > > +'ovpn warning algorithm' => 'The following algorithm was > > configured', > > +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', > > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 > > compliant. <br>Please update to the latest IPFire version and > > generate as soon as possible a new root and host > > certificate.</br><br>All OpenVPN clients needs then to be > > renewed!</br>', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_mssfix' => 'MSSFIX Size', > > -- > > 2.35.1 > > >
Hey, > On 21 Nov 2022, at 14:09, ummeegge <ummeegge@ipfire.org> wrote: > > Hi Michael, > > Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: >> Hello Erik, >> >> Nice to see you on this list again :) > Good to see some answers again from you :-) > >> >>> On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer@ipfire.org> >>> wrote: >>> >>> Since OpenSSL-3.x will remove all 64 bit block-cipher but also >>> OpenVPNs changelog >>> for version 2.5.8 gives hints to get rid of BF-CBC for default >>> configuations, >>> a warning will be displayed in the WUI if the user is running >>> BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to >>> change >>> as soon as possible to another more secure algorithm. >> >> Well, this does not sound like good news. It is yet another change >> that would break *lots* of existing OpenVPN setups. > It would need work from user side to change the cipher/HMAC in the WUI > and on client.ovpn if not already AES, Camelia or Seed has been chosen. Exactly. That would require every single client to be changed, too. >> >> Although the patch looks fine, I am not sure if this is the best way >> to go, because if we tell people that their setup won’t be supported >> much longer, what alternatives are there? > I think with the Sweet32 birthday attacks a lot of things has been > changed where even OpenSSL started with fundamental changes and i think > /hope it will go further in the crypto world which is also not that far > away with things like PQC so things are changing here more or less > rapidly. I am not in favour of not moving forward. People should absolutely *not* be using Blowfish. However, fact is, that plenty of people are using this out there. How many? We don’t know. But we need a migration path no matter what. >> >> Resetting to the default options, throwing away their CA and start >> from scratch is not an option. Even 20 connections are too many to >> manually update. > This patch does not focus the CA, changes needs to be done with the > cipher/HMAC selection on server.conf and client.ovpn . > >> >> If they would actually do this, we will be back to square one really >> soon, because we still don’t have cipher negotiation. > Am pretty alone on testing side and resonance in general with this but > the negotiation works here for me --> > https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with > version >= 2.5.0 . Hmm, it is not surprising if development happens off list. Coordination, looking for help and so on should happen here, because this is where the people are :) >> >> We are also just accumulating warning messages at the top of the page >> which cannot be fixed. For years, we are showing some certificate >> warning and I am not sure why that actually is and what people can do >> about it?! > Generating a new PKI was the intention with this which should be made > in my opinion otherwise all that might be a kind of security by > obscurity. > We throwed already away the DH warning messages with Peter´s DH Patch, > the MD5 message should be showed as you mentioned it, long enough and > should be ready to be deleted maybe ? Changes might be hard in that > topic but as in life, sometimes important ;-) ? Showing a warning does not change a lot for us: We will still have to support the old ciphers/etc. because they are in use. And we will have to do that because there is no way for users to migrate. >> So, I fear that we will have to keep supporting those really outdated >> (and yes, potentially dangerously insecure) setups for the lifetime >> of IPFire 2. If it isn’t an option to move forward to the latest >> version of OpenVPN we would be in *very* big trouble. > It is mainly OpenSSL not that much OpenVPN as one can see already with > the PKCS#12 decryption problem... with the legacy mode it might also be > a possibility to ride a dead horse. I would *really* like for OpenVPN to be a dead horse, because it is a pain. It is one of the largest CGI files we have; we have plenty of glue-code that is using very interesting hacks for implementing things like 2FA. But the alternatives like Wireguard do not seem to be taking off either. So, OpenVPN is and remains the de-facto standard solution to connect mobile devices to IPFire. And that will probably remain the case for a very long time to come. So, we will need to find a way how we can support OpenVPN well. Right now it really feels like a pile of work whenever there is a new release out there. We still rely on many deprecated features and we will need to make sure to get rid of them if we want to have a chance to maintain this with reasonable effort. Best, -Michael >> >> Best, >> -Michael > > All the best, > > Erik > >> >>> >>> The call of the pkiconfigcheck function is now located in the >>> status page section. >>> >>> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> >>> --- >>> html/cgi-bin/ovpnmain.cgi | 38 >>> ++++++++++++++++++++++++++++++++++++-- >>> langs/de/cgi-bin/de.pl | 3 +++ >>> langs/en/cgi-bin/en.pl | 3 +++ >>> 3 files changed, 42 insertions(+), 2 deletions(-) >>> >>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>> index dc429d90c..5c34a5f4d 100644 >>> --- a/html/cgi-bin/ovpnmain.cgi >>> +++ b/html/cgi-bin/ovpnmain.cgi >>> @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; >>> $cgiparams{'DAUTH'} = ''; >>> $cgiparams{'TLSAUTH'} = ''; >>> $routes_push_file = "${General::swroot}/ovpn/routes_push"; >>> -# Perform crypto and configration test >>> -&pkiconfigcheck; >>> >>> # Add CCD files if not already presant >>> unless (-e $routes_push_file) { >>> @@ -240,6 +238,39 @@ sub pkiconfigcheck >>> } >>> } >>> >>> + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or >>> weak HMAC is in usage >>> + if (-f "${General::swroot}/ovpn/server.conf") { >>> + my $oldciphers = "${General::swroot}/ovpn/server.conf"; >>> + open(FH, $oldciphers); >>> + while(my $cipherstring = <FH>) { >>> + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- >>> EDE3-CBC|SHA1/) { >>> + my @tempcipherstring = split(" ", $cipherstring); >>> + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font >>> color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning >>> 64 bit block cipher'}"; >>> + goto CRYPTO_WARNING; >>> + } >>> + } >>> + close(FH); >>> + } >>> + >>> + # Warning for Net-to-Net connections if deprecated 64-bit-block >>> ciphers or HMAC is in usage >>> + if (-f "${General::swroot}/ovpn/ovpnconfig") { >>> + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; >>> + open(FH, $oldciphers); >>> + while(my $cipherstring = <FH>) { >>> + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- >>> EDE3-CBC/) { >>> + my @tempcipherstring = split(",", $cipherstring); >>> + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font >>> color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn >>> warning algorithm n2n'}<font color='red'> >>> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block >>> cipher'}</br>"; >>> + goto CRYPTO_WARNING; >>> + } >>> + if ($cipherstring =~ /SHA1/) { >>> + my @tempcipherstring = split(",", $cipherstring); >>> + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font >>> color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn >>> warning algorithm n2n'}<font color='red'> >>> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block >>> cipher'}</br>"; >>> + goto CRYPTO_WARNING; >>> + } >>> + } >>> + } >>> + >>> + >>> CRYPTO_WARNING: >>> } >>> >>> @@ -5056,6 +5087,9 @@ END >>> my @status = <FILE>; >>> close(FILE); >>> >>> + # Perform crypto and configration test >>> + &pkiconfigcheck; >>> + >>> if ($cgiparams{'VPN_IP'} eq '' && -e >>> "${General::swroot}/red/active") { >>> if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { >>> my $ipaddr = <IPADDR>; >>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >>> index abfba5d5e..bb675ec34 100644 >>> --- a/langs/de/cgi-bin/de.pl >>> +++ b/langs/de/cgi-bin/de.pl >>> @@ -1982,6 +1982,9 @@ >>> 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', >>> 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', >>> 'ovpn tls auth' => 'TLS-Kanalabsicherung:', >>> +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist >>> unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf >>> beiden Seiten (Server und Client) so schnell wie möglich!</br>', >>> +'ovpn warning algorithm' => 'Folgender Algorithmus wurde >>> konfiguriert', >>> +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', >>> 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 >>> Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und >>> generieren sie ein neues Root und Host Zertifikat so bald wie >>> möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert >>> werden!</br>', >>> 'ovpn_fastio' => 'Fast-IO', >>> 'ovpn_fragment' => 'Fragmentgrösse', >>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >>> index bf18b22a2..9aaf3e765 100644 >>> --- a/langs/en/cgi-bin/en.pl >>> +++ b/langs/en/cgi-bin/en.pl >>> @@ -2035,6 +2035,9 @@ >>> 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', >>> 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', >>> 'ovpn tls auth' => 'TLS Channel Protection:', >>> +'ovpn warning 64 bit block cipher' => 'This encryption algorithm >>> is broken and will soon be removed. <br>Please change this on both >>> sides (server and client) as soon as possible!</br>', >>> +'ovpn warning algorithm' => 'The following algorithm was >>> configured', >>> +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', >>> 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 >>> compliant. <br>Please update to the latest IPFire version and >>> generate as soon as possible a new root and host >>> certificate.</br><br>All OpenVPN clients needs then to be >>> renewed!</br>', >>> 'ovpn_fastio' => 'Fast-IO', >>> 'ovpn_mssfix' => 'MSSFIX Size', >>> -- >>> 2.35.1
Ooops, my mail client goes wild and fires some more mails of the same content :-| . Am Montag, dem 21.11.2022 um 14:41 +0000 schrieb Michael Tremer: > Hey, > > > On 21 Nov 2022, at 14:09, ummeegge <ummeegge@ipfire.org> wrote: > > > > Hi Michael, > > > > Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: > > > Hello Erik, > > > > > > Nice to see you on this list again :) > > Good to see some answers again from you :-) > > > > > > > > > On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer@ipfire.org> > > > > wrote: > > > > > > > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also > > > > OpenVPNs changelog > > > > for version 2.5.8 gives hints to get rid of BF-CBC for default > > > > configuations, > > > > a warning will be displayed in the WUI if the user is running > > > > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also > > > > SHA1 to > > > > change > > > > as soon as possible to another more secure algorithm. > > > > > > Well, this does not sound like good news. It is yet another > > > change > > > that would break *lots* of existing OpenVPN setups. > > It would need work from user side to change the cipher/HMAC in the > > WUI > > and on client.ovpn if not already AES, Camelia or Seed has been > > chosen. > > Exactly. That would require every single client to be changed, too. No other way to deliver the (un)trust which projects like OpenSSL have in their own development. > > > > > > > Although the patch looks fine, I am not sure if this is the best > > > way > > > to go, because if we tell people that their setup won’t be > > > supported > > > much longer, what alternatives are there? > > I think with the Sweet32 birthday attacks a lot of things has been > > changed where even OpenSSL started with fundamental changes and i > > think > > /hope it will go further in the crypto world which is also not that > > far > > away with things like PQC so things are changing here more or less > > rapidly. > > I am not in favour of not moving forward. People should absolutely > *not* be using Blowfish. Yes, even a cipher renegotiation for 64 bit block-ciphers will be forced with a reneg-bytes 64000000 per default from OpenVPN! > > However, fact is, that plenty of people are using this out there. How > many? We don’t know. > > But we need a migration path no matter what. Have you an idea what should be done or how to proceed further ? > > > > > > > Resetting to the default options, throwing away their CA and > > > start > > > from scratch is not an option. Even 20 connections are too many > > > to > > > manually update. > > This patch does not focus the CA, changes needs to be done with the > > cipher/HMAC selection on server.conf and client.ovpn . > > > > > > > > If they would actually do this, we will be back to square one > > > really > > > soon, because we still don’t have cipher negotiation. > > Am pretty alone on testing side and resonance in general with this > > but > > the negotiation works here for me --> > > https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients > > with > > version >= 2.5.0 . > > Hmm, it is not surprising if development happens off list. > > Coordination, looking for help and so on should happen here, because > this is where the people are :) Lot´s of stuff here as before but may in much smaller portions ? > > > > > > > We are also just accumulating warning messages at the top of the > > > page > > > which cannot be fixed. For years, we are showing some certificate > > > warning and I am not sure why that actually is and what people > > > can do > > > about it?! > > Generating a new PKI was the intention with this which should be > > made > > in my opinion otherwise all that might be a kind of security by > > obscurity. > > We throwed already away the DH warning messages with Peter´s DH > > Patch, > > the MD5 message should be showed as you mentioned it, long enough > > and > > should be ready to be deleted maybe ? Changes might be hard in that > > topic but as in life, sometimes important ;-) ? > > Showing a warning does not change a lot for us: > > We will still have to support the old ciphers/etc. because they are > in use. > > And we will have to do that because there is no way for users to > migrate. Are there plans how to operate with OpenSSL-3.x ? If the wheel is turning in this way there will be a long rat-tail as time goes by... > > > > So, I fear that we will have to keep supporting those really > > > outdated > > > (and yes, potentially dangerously insecure) setups for the > > > lifetime > > > of IPFire 2. If it isn’t an option to move forward to the latest > > > version of OpenVPN we would be in *very* big trouble. > > It is mainly OpenSSL not that much OpenVPN as one can see already > > with > > the PKCS#12 decryption problem... with the legacy mode it might > > also be > > a possibility to ride a dead horse. > > I would *really* like for OpenVPN to be a dead horse, because it is a > pain. It is one of the largest CGI files we have; we have plenty of > glue-code that is using very interesting hacks for implementing > things like 2FA. > > But the alternatives like Wireguard do not seem to be taking off > either. So, OpenVPN is and remains the de-facto standard solution to > connect mobile devices to IPFire. And that will probably remain the > case for a very long time to come. > > So, we will need to find a way how we can support OpenVPN well. Right > now it really feels like a pile of work whenever there is a new > release out there. We still rely on many deprecated features and we > will need to make sure to get rid of them if we want to have a chance > to maintain this with reasonable effort. I feel you as you can imagine :-) but here again, first steps ? There are really lot´s of ideas and of already done work but it makes no sense to went here on as a lone warrior even the work has been far beyond a reasonable effort spoken for myself! > > Best, > -Michael > > > > > > > Best, > > > -Michael > > > > All the best, > > > > Erik > > > > > > > > > > > > > The call of the pkiconfigcheck function is now located in the > > > > status page section. > > > > > > > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > > > > --- > > > > html/cgi-bin/ovpnmain.cgi | 38 > > > > ++++++++++++++++++++++++++++++++++++-- > > > > langs/de/cgi-bin/de.pl | 3 +++ > > > > langs/en/cgi-bin/en.pl | 3 +++ > > > > 3 files changed, 42 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi- > > > > bin/ovpnmain.cgi > > > > index dc429d90c..5c34a5f4d 100644 > > > > --- a/html/cgi-bin/ovpnmain.cgi > > > > +++ b/html/cgi-bin/ovpnmain.cgi > > > > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > > > > $cgiparams{'DAUTH'} = ''; > > > > $cgiparams{'TLSAUTH'} = ''; > > > > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > > > > -# Perform crypto and configration test > > > > -&pkiconfigcheck; > > > > > > > > # Add CCD files if not already presant > > > > unless (-e $routes_push_file) { > > > > @@ -240,6 +238,39 @@ sub pkiconfigcheck > > > > } > > > > } > > > > > > > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers > > > > or > > > > weak HMAC is in usage > > > > + if (-f "${General::swroot}/ovpn/server.conf") { > > > > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > > > > + open(FH, $oldciphers); > > > > + while(my $cipherstring = <FH>) { > > > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE- > > > > CBC|DES- > > > > EDE3-CBC|SHA1/) { > > > > + my @tempcipherstring = split(" ", $cipherstring); > > > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: > > > > <font > > > > color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn > > > > warning > > > > 64 bit block cipher'}"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + } > > > > + close(FH); > > > > + } > > > > + > > > > + # Warning for Net-to-Net connections if deprecated 64-bit- > > > > block > > > > ciphers or HMAC is in usage > > > > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > > > > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > > > > + open(FH, $oldciphers); > > > > + while(my $cipherstring = <FH>) { > > > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE- > > > > CBC|DES- > > > > EDE3-CBC/) { > > > > + my @tempcipherstring = split(",", $cipherstring); > > > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: > > > > <font > > > > color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn > > > > warning algorithm n2n'}<font color='red'> > > > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit > > > > block > > > > cipher'}</br>"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + if ($cipherstring =~ /SHA1/) { > > > > + my @tempcipherstring = split(",", $cipherstring); > > > > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: > > > > <font > > > > color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn > > > > warning algorithm n2n'}<font color='red'> > > > > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit > > > > block > > > > cipher'}</br>"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + } > > > > + } > > > > + > > > > + > > > > CRYPTO_WARNING: > > > > } > > > > > > > > @@ -5056,6 +5087,9 @@ END > > > > my @status = <FILE>; > > > > close(FILE); > > > > > > > > + # Perform crypto and configration test > > > > + &pkiconfigcheck; > > > > + > > > > if ($cgiparams{'VPN_IP'} eq '' && -e > > > > "${General::swroot}/red/active") { > > > > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > > > > my $ipaddr = <IPADDR>; > > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > > > index abfba5d5e..bb675ec34 100644 > > > > --- a/langs/de/cgi-bin/de.pl > > > > +++ b/langs/de/cgi-bin/de.pl > > > > @@ -1982,6 +1982,9 @@ > > > > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist > > > > ungültig.', > > > > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich > > > > mit ', > > > > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > > > > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist > > > > unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf > > > > beiden Seiten (Server und Client) so schnell wie > > > > möglich!</br>', > > > > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde > > > > konfiguriert', > > > > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz > > > > Verbindung', > > > > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht > > > > RFC3280 > > > > Regelkonform. <br>Bitte IPFire auf die letzte Version updaten > > > > und > > > > generieren sie ein neues Root und Host Zertifikat so bald wie > > > > möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert > > > > werden!</br>', > > > > 'ovpn_fastio' => 'Fast-IO', > > > > 'ovpn_fragment' => 'Fragmentgrösse', > > > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > > > index bf18b22a2..9aaf3e765 100644 > > > > --- a/langs/en/cgi-bin/en.pl > > > > +++ b/langs/en/cgi-bin/en.pl > > > > @@ -2035,6 +2035,9 @@ > > > > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > > > > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > > > > 'ovpn tls auth' => 'TLS Channel Protection:', > > > > +'ovpn warning 64 bit block cipher' => 'This encryption > > > > algorithm > > > > is broken and will soon be removed. <br>Please change this on > > > > both > > > > sides (server and client) as soon as possible!</br>', > > > > +'ovpn warning algorithm' => 'The following algorithm was > > > > configured', > > > > +'ovpn warning algorithm n2n' => 'For the Net-to-Net > > > > connection', > > > > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 > > > > compliant. <br>Please update to the latest IPFire version and > > > > generate as soon as possible a new root and host > > > > certificate.</br><br>All OpenVPN clients needs then to be > > > > renewed!</br>', > > > > 'ovpn_fastio' => 'Fast-IO', > > > > 'ovpn_mssfix' => 'MSSFIX Size', > > > > -- > > > > 2.35.1 > >
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dc429d90c..5c34a5f4d 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -# Perform crypto and configration test -&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -240,6 +238,39 @@ sub pkiconfigcheck } } + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers = "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring = <FH>) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) { + my @tempcipherstring = split(" ", $cipherstring); + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + + # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage + if (-f "${General::swroot}/ovpn/ovpnconfig") { + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; + open(FH, $oldciphers); + while(my $cipherstring = <FH>) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) { + my @tempcipherstring = split(",", $cipherstring); + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>"; + goto CRYPTO_WARNING; + } + if ($cipherstring =~ /SHA1/) { + my @tempcipherstring = split(",", $cipherstring); + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>"; + goto CRYPTO_WARNING; + } + } + } + + CRYPTO_WARNING: } @@ -5056,6 +5087,9 @@ END my @status = <FILE>; close(FILE); + # Perform crypto and configration test + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = <IPADDR>; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index abfba5d5e..bb675ec34 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1982,6 +1982,9 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf18b22a2..9aaf3e765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2035,6 +2035,9 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>', +'ovpn warning algorithm' => 'The following algorithm was configured', +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size',