From patchwork Mon Nov 21 10:22:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Erik Kapfer X-Patchwork-Id: 6154 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4NG3Nn1cfbz3wc7 for ; Mon, 21 Nov 2022 10:22:33 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4NG3Nl36Fvz17j; Mon, 21 Nov 2022 10:22:31 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4NG3Nl1FgKz2y1X; Mon, 21 Nov 2022 10:22:31 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4NG3Nj2ZjKz2xMq for ; Mon, 21 Nov 2022 10:22:29 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4NG3Nh5pDlzdn; Mon, 21 Nov 2022 10:22:28 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1669026148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ROO8WRnOgH18lbKxYw7V110sdc91fxKup1ff7bdK96g=; b=K7bjtXY4VKjAJ/ejtIjm4IA2LNVxke9zAU4nZjp6QP/yhIUR4fq6f1tOgwHAQ7QJ8PPL70 QRVW8zepiz0x6KBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1669026148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ROO8WRnOgH18lbKxYw7V110sdc91fxKup1ff7bdK96g=; b=Fx6Amh2GktkTVGvX5UJcvYUz2NsQUwGqK4rxseQw9z0Cs8yqxXznORt7KF3y/1KkblYxVb 10yGmG6iGauEnHEYrkX2hpoA24PjD2T4wZdvSpLd6o4Qr8yKy72DpX1IIXqLij/pIereyW YQimY8g43ycZ//I1oUk2dNplzEhRLJDTA0UINUsiq0bBquDc3syuaKjqNqrSXlafCISXcn LpXcfgNpMIuHX/QVqWcliwjKiWlZuwaOWfnipbikG5X0LegEP61Lv50kF6ybO3ADctQDHr o5WLDqDWOqi+ZPBg4NuN95CHd+FLhliiE3w2qxYZEz21QTLjurEAiOGIVNScvw== From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] openvpn: Warning for broken algorithms . Date: Mon, 21 Nov 2022 11:22:21 +0100 Message-Id: <20221121102221.13486-1-erik.kapfer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog for version 2.5.8 gives hints to get rid of BF-CBC for default configuations, a warning will be displayed in the WUI if the user is running BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change as soon as possible to another more secure algorithm. The call of the pkiconfigcheck function is now located in the status page section. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dc429d90c..5c34a5f4d 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -# Perform crypto and configration test -&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -240,6 +238,39 @@ sub pkiconfigcheck } } + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage + if (-f "${General::swroot}/ovpn/server.conf") { + my $oldciphers = "${General::swroot}/ovpn/server.conf"; + open(FH, $oldciphers); + while(my $cipherstring = ) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) { + my @tempcipherstring = split(" ", $cipherstring); + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[1]
$Lang::tr{'ovpn warning 64 bit block cipher'}"; + goto CRYPTO_WARNING; + } + } + close(FH); + } + + # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage + if (-f "${General::swroot}/ovpn/ovpnconfig") { + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; + open(FH, $oldciphers); + while(my $cipherstring = ) { + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) { + my @tempcipherstring = split(",", $cipherstring); + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[41]
$Lang::tr{'ovpn warning algorithm n2n'} $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit block cipher'}
"; + goto CRYPTO_WARNING; + } + if ($cipherstring =~ /SHA1/) { + my @tempcipherstring = split(",", $cipherstring); + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: $tempcipherstring[40]
$Lang::tr{'ovpn warning algorithm n2n'} $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit block cipher'}
"; + goto CRYPTO_WARNING; + } + } + } + + CRYPTO_WARNING: } @@ -5056,6 +5087,9 @@ END my @status = ; close(FILE); + # Perform crypto and configration test + &pkiconfigcheck; + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index abfba5d5e..bb675ec34 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1982,6 +1982,9 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt.
Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!
', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf18b22a2..9aaf3e765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2035,6 +2035,9 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed.
Please change this on both sides (server and client) as soon as possible!
', +'ovpn warning algorithm' => 'The following algorithm was configured', +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size',