From patchwork Fri Nov 11 12:15:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 6131 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N7yN42K3Bz3wgd for ; Fri, 11 Nov 2022 12:15:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4N7yN34cqcz1Rs; Fri, 11 Nov 2022 12:15:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N7yN33zhcz2y1V; Fri, 11 Nov 2022 12:15:47 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N7yN231Mxz2xPS for ; Fri, 11 Nov 2022 12:15:46 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4N7yMz4KC9zQS for ; Fri, 11 Nov 2022 12:15:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1668168946; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nNgTmzDuxOQU/LZkJbU5MMYwkwx6W2Gv28TPJzlPKkY=; b=TQ3DYU69jbcZLb9+paVRTDXOLdQACJI5BW6gr6JdJ3WFbRSh735F4SebXNuZqmZVMjew1p P5oYSLEskwzChUBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1668168946; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nNgTmzDuxOQU/LZkJbU5MMYwkwx6W2Gv28TPJzlPKkY=; b=Ldu6zk4ZwhhjHwi0lf9doGO+uo8Ntn5q2on5ldRZtO1t64tjjj9yg9K3ZVIKJMo1Cmjx8Z nBb1xCgm+Bsu2SXL978A5yLycQvgUFPdjBn5D9YrbDIQEzEk0plPgV41MTxffAoE0xgBV/ bpvXbyQJkVOfCAu43zZvp97b+PYEMvAy+lVoLrZe7loQEJFzMvkJDAWsC7CtgpWN2041nE 52rwsjywN4lnJ11oPIB9G9Px3ID0VBNCTC95NvLcbpjl1jqpLJADU7+PMtp7pCsfwU/0kM 2bmpp1smEnf34N6p6vRQK0GevkBvzZgA4SmSfZr6mXn4FPXyBJOpl8A5H4Qzyw== Message-ID: <24486420-e970-17cd-7b86-5f75e91d9a59@ipfire.org> Date: Fri, 11 Nov 2022 12:15:37 +0000 MIME-Version: 1.0 Subject: [PATCH 3/3] Core Update 172: Ship and apply OpenVPN Diffie-Hellman changes Content-Language: en-US To: development@lists.ipfire.org References: From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Inspired by https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8. Cc: Erik Kapfer Signed-off-by: Peter Müller --- config/rootfiles/core/172/filelists/files | 1 + config/rootfiles/core/172/update.sh | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/172/filelists/files b/config/rootfiles/core/172/filelists/files index d73430dae..8b820d594 100644 --- a/config/rootfiles/core/172/filelists/files +++ b/config/rootfiles/core/172/filelists/files @@ -1,3 +1,4 @@ +etc/ssl/ffdhe4096.pem usr/lib/firewall/rules.pl usr/local/bin/addonctrl usr/local/bin/openvpnctrl diff --git a/config/rootfiles/core/172/update.sh b/config/rootfiles/core/172/update.sh index f3c77fbfb..eebe37456 100644 --- a/config/rootfiles/core/172/update.sh +++ b/config/rootfiles/core/172/update.sh @@ -33,6 +33,8 @@ done # Stop services /etc/rc.d/init.d/ipsec stop +/usr/local/bin/openvpnctrl -k +/usr/local/bin/openvpnctrl -kn2n /etc/rc.d/init.d/sshd stop /etc/rc.d/init.d/unbound stop @@ -70,7 +72,8 @@ rm -rvf \ /usr/lib/python3.10/site-packages/setuptools/_vendor/pyparsing.py \ /usr/lib/python3.10/site-packages/setuptools/config.py \ /usr/lib/python3.10/site-packages/setuptools_rust/utils.py \ - /usr/libexec/ipsec/scepclient + /usr/libexec/ipsec/scepclient \ + /var/ipfire/ca/dh1024.pem # Remove powertop add-on, if installed if [ -e "/opt/pakfire/db/installed/meta-powertop" ]; then @@ -98,11 +101,24 @@ ldconfig # Apply local configuration to sshd_config /usr/local/bin/sshctrl +# Replace existing OpenVPN Diffie-Hellman parameter by ffdhe4096, as specified in RFC 7919 +if [ -f /var/ipfire/ovpn/server.conf ]; then + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf +fi + +if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then + sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf +fi + # Start services /etc/init.d/unbound start if grep -q "ENABLE_SSH=on" /var/ipfire/remote/settings; then /etc/init.d/sshd start fi +if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then + /usr/local/bin/openvpnctrl -s + /usr/local/bin/openvpnctrl -sn2n +fi if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then /etc/init.d/ipsec start fi