From patchwork Thu Aug 28 10:29:08 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9016
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [RFC PATCH] ovpnmain.cgi: Replace the ncp-disable with data-ciphers server entry
Date: Thu, 28 Aug 2025 12:29:08 +0200
Message-ID: <20250828102908.2602-1-adolf.belka@ipfire.org>

- If a backup from before openvpn-2.6 is restored, then the server.conf file still has ncp-disable in it. Also, data-ciphers in server.conf and DATACIPHERS in settings will not be present.
- The existing code checks if DATACIPHERS is empty and, if it is, puts ncp-disable into server.conf, which we no longer need to have.
- This patch changes this code section so that if DATACIPHERS is empty, the default ciphers are added into server.conf and the DATACIPHERS entry in the settings file is also updated.
- I have made this an RFC patch as the patch does work, but it might not be the correct or best way to go about this.
- If it is accepted, then the previous patches I did for backup.pl and update.sh can be reverted.
- The change was tested out with the reverted backup.pl, and all old backup versions were successfully restored correctly and worked as expected. Also tested out the change with a backup from CU197, and that restore also worked correctly.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/ovpnmain.cgi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index dfe7f8ad5..8c908d725 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -291,8 +291,14 @@ sub writeserverconf { print CONF "status $RW_STATUS 30\n"; # Cryptography + + # Previous ncp-disable server conf will have an empty DATACIPHERS entry + # This will occur with restores from prior to OpenVPN-2.6 + # Replace the empty DATACIPHERS entry with the default value if ($vpnsettings{'DATACIPHERS'} eq '') { - print CONF "ncp-disable\n"; + print CONF "data-ciphers " . "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305" . "\n"; + $vpnsettings{'DATACIPHERS'} = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305"; + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); } else { print CONF "data-ciphers " . $vpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n"; }
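Review bot: the condition `if ($vpnsettings{'DATACIPHERS'} eq '')` still tests only for an empty string, but the commit message says DATACIPHERS will be absent from the settings file after an old restore, so the hash value may be undefined rather than empty; `eq ''` on an undefined value still takes the branch but emits an "uninitialized value" warning if warnings are enabled, so `if (!defined $vpnsettings{'DATACIPHERS'} || $vpnsettings{'DATACIPHERS'} eq '')` would cover both cases explicitly. The default cipher list is also written twice in two notations (colon-separated for the `data-ciphers` line, pipe-separated for `$vpnsettings{'DATACIPHERS'}`), which can drift apart on a later edit; assigning the pipe form first and then printing it through the same `s/\|/:/gr` conversion the else branch already uses would leave a single copy of the default. Finally, calling `&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings)` inside writeserverconf gives a routine that writes server.conf a side effect on the settings file; if that one-time migration is intended, a comment saying so next to the call would help, since the branch will not run again once DATACIPHERS is populated.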