From patchwork Sun Nov 14 20:42:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 4841 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HskmM3Ptmz3wcw for ; Sun, 14 Nov 2021 20:42:59 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HskmL1XgczDt; Sun, 14 Nov 2021 20:42:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HskmK4rN2z2yTX; Sun, 14 Nov 2021 20:42:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HskmJ0Zndz2xGX for ; Sun, 14 Nov 2021 20:42:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HskmH2FXPzDt; Sun, 14 Nov 2021 20:42:55 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1636922575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Yze5rg2J7zHd/b95UtcsaELsm/WkFGqTlCrhXiwUXIw=; b=emyUHsUYA8/C20IqlrUsgemn7M9St+LpPd/WD2ytT86KF5Wn7fS/CXWLzhbiKqPiXWvK7M NWTMgc8K1LIH8HDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1636922575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Yze5rg2J7zHd/b95UtcsaELsm/WkFGqTlCrhXiwUXIw=; b=jKR8cybxCHN8wZq48I8mg7V6IwAaRP7sVIPuVNy09VhiCuIc8nTew+W5o6Jt6v1qZ8brKi gPHe9ObxOCddCioPyEFGoaYEG8Ft4gIray9Ut00KMwld5z5Lc+7c+jnjYdTQZGhiP7iTFE B2BsjDQmAg54/eXkuXZ8PS/xj558XFBM90w6dRwX5Anu/OBSVqI5ddr9vB0osz/TzP5hPF oWMaibnH6GRzgHgpNEoPAM2Q1lpTq8i8VV/RMsLrW4ht2Exn8DEgnCXMGbIJabYKW247Kv wt26zJj0M2xllrkJcIA7Hy0+mEnRGcnk+5zXtjEWP5hPtE0xk8pcTdmCDF1ARQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] ovpnmain.cgi: Bug 12574 - OpenVPN Internal server error when returning after generating root/host certificates Date: Sun, 14 Nov 2021 21:42:52 +0100 Message-Id: <20211114204252.3464019-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Option "--secret" was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5 It was replaced by "secret". If "--secret" is used with genkey then a user warning is printed and this is what gives the Internal server error. - Patch was defined by Erik Kapfer but currently he does not have a build environment so I have submitted the patch on his behalf. - Patch tested on a vm testbed running Core Update 160. Confirmed that without patch the error still occurs and with patch everything runs smoothly. Fixes: Bug #12574 Tested-by: Adolf Belka Signed-off-by : Erik Kapfer Signed-off-by: Adolf Belka Reviewed-by: Peter Müller --- html/cgi-bin/ovpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f99bfdef7..7e274b36a 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1209,7 +1209,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg if ($cgiparams{'TLSAUTH'} eq 'on') { if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { # This system call is safe, because all arguements are passed as an array. - system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key"); + system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; goto SETTINGS_ERROR; @@ -2012,7 +2012,7 @@ END } # Create ta.key for tls-auth # This system call is safe, because all arguments are passed as an array. - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + system('/usr/sbin/openvpn', '--genkey', 'secret', "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; &cleanssldatabase();