From patchwork Sat Aug 15 15:08:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ummeegge X-Patchwork-Id: 3303 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4BTNxQ3fC1z3x0m for ; Sat, 15 Aug 2020 15:08:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4BTNxN3cGtzqL; Sat, 15 Aug 2020 15:08:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4BTNxN11bhz2xy5; Sat, 15 Aug 2020 15:08:56 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4BTNxL6f5Wz2xWn for ; Sat, 15 Aug 2020 15:08:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 4BTNxL11YDzD0; Sat, 15 Aug 2020 15:08:54 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1597504134; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc; bh=Oz56WdlF9sztYn3jKJWvIhIo5HW1cFD3ipiqHpSVyAA=; b=yuWZMwgcBIR98Nv0WEveAK9n7jIRiuxot1LalpKsG9kudqEi3alhFx8ToMtSB/HXoO0EPM aQ8gR/tc6XwoSKDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1597504134; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc; bh=Oz56WdlF9sztYn3jKJWvIhIo5HW1cFD3ipiqHpSVyAA=; b=czDofBNWoNnDfDI4mq65VXcxoPmKMfMmwb0XbayNnIw8YXHlxQCU/TsESg2oCcBsH2GBcE w+D/+1mhZjL263aDGYvEB2Vkyy4MoojsvfKdmQ5kR/bpYdp0OOdb+EXBEd7MmbmbtrGIzG Tp1dUpQPV4HN9yized0BOEAdBw6hkiKvOl7LMkYlrrTPB1DBh+xtLFd846MblLsR6+QKPi UWZ0VZEANnUdSTL4JgMjsnDCc5V4xTW/Kv3VAHh5SssOkiKVQ3BZznNrqZ0QBv7QHn7snt x1e0X7+t4bNTRq/MJCEW9N9rz1gTs6FKd6xeZUB+gHrC2jR7t/JL590+7o4eGw== From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH] OpenVPN: Add tls-version-min for TLSv1.2 Date: Sat, 15 Aug 2020 17:08:45 +0200 Message-Id: <20200815150845.5077-1-ummeegge@ipfire.org> Authentication-Results: mail01.ipfire.org; auth=pass smtp.mailfrom=ummeegge@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" ovpnmain.cgi delivers now 'tls-version-min 1.2' for Roadwarrior and N2N. Since the server needs it only on server side, this patch do not includes it for Roadwarrior clients. N2N do not uses push options therefor this directive will be included on both sides. To integrate the new directive into actual working OpenVPN server environment, the following commands should be executed via update.sh. Code block start: if test -f "/var/ipfire/ovpn/server.conf"; then # Add tls-version-minimum to OpenVPN server if not already there if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then # Stop server before append the line /usr/local/bin/openvpnctrl -k # Append new directive echo >> "tls-version-min 1.2" /var/ipfire/ovpn/server.conf # Make sure server.conf have the correct permissions to prevent such # --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge # case chown nobody:nobody /var/ipfire/ovpn/server.conf # Start server again /usr/local/bin/openvpnctrl -s fi fi Code block end Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 457ebcf1f..dc80cbf70 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -333,6 +333,8 @@ sub writeserverconf { print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; + # Set TLSv2 as minimum + print CONF "tls-version-min 1.2\n"; if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; @@ -996,6 +998,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + # Set TLSv1.2 as minimum + print SERVERCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1098,6 +1103,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + # Set TLSv1.2 as minimum + print CLIENTCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n";