From patchwork Fri Nov 11 12:14:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 6129 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N7yLy0N6zz3wgd for ; Fri, 11 Nov 2022 12:14:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4N7yLw2vT8z1Rs; Fri, 11 Nov 2022 12:14:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N7yLw1qTZz2yF2; Fri, 11 Nov 2022 12:14:48 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N7yLv3HfDz2xJQ for ; Fri, 11 Nov 2022 12:14:47 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4N7yLr4W8SzkG for ; Fri, 11 Nov 2022 12:14:43 +0000 (UTC) DKIM-Signature: v=1; 
a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1668168886; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m4La3v0tZEIJcyH/6u643ZU6PktnzLJwo7rIvZ3Uiuw=; b=go5JBf/y3gHKaSOMpu8P06cplqcbzfDt5QUpUJ0ki9pDXYMkmLBHjGADLVaHHJs5pY2/n0 9gdlECl5iVGFTdAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1668168886; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=m4La3v0tZEIJcyH/6u643ZU6PktnzLJwo7rIvZ3Uiuw=; b=uOeAb0ZoGcHv3YrmsBVvIVpfU2vJLF662T9E98nA+jO+/VPzbYmZ8WH+tcizF2ebLJwb3I SbLXZVdORYxL0SYzjHfxnDUOkJ5dJjuLwtNCr5tRHimcYJSMJy6wUGnxUtYHsPP2lN1FOA pj8+f7zFJcFfIiXbnCFZjDUmeV2DD0iKq60qQwYZuLOm1O9ftDvHk4GRy0JqkA3Q3fE1hm SfQO15VtgtjoliNHvGCX8wTxug60H+2hTQqfV7d1XYMcyyqQhbuC6NAJ9ZcxAey40V5ROV +M82HbxLerILc1bVt1Ji+Y7JB1kZ2hZlyG1RcNZ0OlXgGn6CcJ5Ux/O70047jA== Message-ID: Date: Fri, 11 Nov 2022 12:14:37 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH 1/3] OpenVPN: Replace existing Diffie-Hellman parameter with ffdhe4096 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Initial patch: https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8 Minor adjustments to make it apply to the current state of "next", and removal of chown operation in OpenSSL's LFS file, which would have lead to the Diffie-Hellman group file being writable by nobody, for which there is no necessity. Fixes: #12632 From: Erik Kapfer 
Signed-off-by: Peter Müller --- config/rootfiles/common/openssl | 1 + html/cgi-bin/ovpnmain.cgi | 185 ++------------------------------ langs/de/cgi-bin/de.pl | 16 --- langs/en/cgi-bin/en.pl | 17 --- langs/fr/cgi-bin/fr.pl | 17 --- langs/it/cgi-bin/it.pl | 16 --- langs/tr/cgi-bin/tr.pl | 16 --- lfs/openssl | 3 + 8 files changed, 11 insertions(+), 260 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index bb7e6f65c..ae9716eea 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -2,6 +2,7 @@ #etc/ssl/certs #etc/ssl/ct_log_list.cnf #etc/ssl/ct_log_list.cnf.dist +etc/ssl/ffdhe4096.pem #etc/ssl/misc #etc/ssl/misc/CA.pl #etc/ssl/misc/tsget diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index f85d610d8..dc429d90c 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -78,6 +78,7 @@ my $name; my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; +my $dhparameter = "/etc/ssl/ffdhe4096.pem"; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -89,8 +90,6 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DH_NAME'} = 'dh1024.pem'; -$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; 
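Review bot: `$dhparameter` only reaches server.conf through `writeserverconf` (changed further down in this file), so an installation whose server.conf was written before this change keeps its `dh ${General::swroot}/ovpn/ca/dh1024.pem` line until the OpenVPN settings are saved again, and nothing in this patch removes or rewrites that old file. Unless patch 2/3 or 3/3 regenerates server.conf during the update (not visible here), existing tunnels stay on the old group even though the UI now reports ffdhe4096, which defeats the point of the change; a one-off rewrite of server.conf in the update script would close that gap. The path is never reassigned, so if the file's conventions allow it a `use constant`-style declaration would make that explicit, but the surrounding `my` globals suggest keeping the current form for consistency.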
@@ -221,28 +220,6 @@ sub deletebackupcert sub pkiconfigcheck { - # Warning if DH parameter is 1024 bit - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - my $dhbit; - - # Loop through the output and search for the DH bit lenght. - foreach my $line (@dhparameter) { - if ($line =~ (/(\d+)/)) { - # Assign match to dhbit value. - $dhbit = $1; - - last; - } - } - - # Check if the used key lenght is at least 2048 bit. - if ($dhbit < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; - } - } - # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); @@ -290,7 +267,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; + print CONF "dh $dhparameter\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; 
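Review bot: With the length check gone, `pkiconfigcheck` no longer says anything about the DH group, while `writeserverconf` in the following hunk emits `dh /etc/ssl/ffdhe4096.pem` unconditionally; if the packaged file is missing or unreadable (for example after a partially applied update) the server config is still written and OpenVPN fails at start-up without any message on this page. A one-line guard in the removed block's place keeps the existing error path, which the md5 check below presumably still uses: `if (! -f $dhparameter) { $cryptoerror = $Lang::tr{'not present'}; goto CRYPTO_ERROR; }` (`'not present'` is the key the show-dh branch already relies on). The rest of `pkiconfigcheck` continues outside this hunk.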
@@ -1358,102 +1335,6 @@ END exit (0); ### -### Generate DH key step 2 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - } - -### -### Generate DH key step 1 -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); - print < - - - - - $Lang::tr{'ovpn dh'}: - -
- - - - -
- - - - $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} - - - - - - - - - -
$Lang::tr{'dh key warn1'}

- -END - ; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - -### -### Upload DH key -### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - unless (ref ($cgiparams{'FH'})) { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded dh key to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); - if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { - $errormessage = $Lang::tr{'not a valid dh key'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - # Delete if old key exists - if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; - } - - unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) { - $errormessage = "$Lang::tr{'dh key move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } -### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { 
@@ -2028,21 +1909,6 @@ END &cleanssldatabase(); goto ROOTCERT_ERROR; } - # Create Diffie Hellmann Parameter - # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); - unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - unlink ("${General::swroot}/ovpn/ca/cacert.pem"); - unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &cleanssldatabase(); - goto ROOTCERT_ERROR; -# } else { -# &cleanssldatabase(); - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2092,14 +1958,6 @@ END } print < - $Lang::tr{'ovpn dh'}: - - -   @@ -2107,16 +1965,6 @@ END * $Lang::tr{'required field'}
- - - $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} - - - - - - -
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

@@ -2681,14 +2529,14 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { - if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + if (! -e "$dhparameter") { $errormessage = $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); @@ -5447,7 +5295,7 @@ END print ""; print ""; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "$dhparameter" && -e "${General::swroot}/ovpn/certs/servercert.pem" && -e "${General::swroot}/ovpn/certs/serverkey.pem") && (( $cgiparams{'ENABLED'} eq 'on') || @@ -5838,8 +5686,8 @@ END } # Adding DH parameter to chart - if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + if (-f "$dhparameter") { + my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter"); my $dhsubject; foreach my $line (@dhsubject) { @@ -5996,25 +5844,6 @@ END
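Review bot: The new side of the @@ -2681 hunk still dispatches on `$cgiparams{'ACTION'} eq $Lang::tr{'show dh'}` and titles its box with `$Lang::tr{'dh'}`, yet this same patch deletes the `'show dh'` and `'dh'` keys from de.pl, en.pl, fr.pl, it.pl and tr.pl (along with `'dh parameter'` and `'download dh parameter'`, which the status table around the @@ -5838 hunk likely uses outside the visible lines). Unless `%Lang::tr` supplies a fallback, both lookups become undef, and because `'' eq undef` is true in Perl the default `$cgiparams{'ACTION'} = ''` set earlier in the file would satisfy this branch on a plain page load, depending on where it sits in the elsif chain; either keep those keys in all five language files or remove the show-dh branch together with them. Minor style point in this hunk and in the @@ -5447 and @@ -5838 hunks: `-e "$dhparameter"` / `-f "$dhparameter"` and the `"$dhparameter"` argument wrap a plain scalar in quotes for no effect, `-e $dhparameter` and `$dhparameter` read cleaner.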
- -
- - - - - - - - - - - - - - - -
$Lang::tr{'ovpn dh parameters'}
$Lang::tr{'ovpn dh upload'}: -
$Lang::tr{'ovpn dh new key'}:


diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index db7d117b0..f64fbb6fa 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -760,11 +760,6 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf BLAU', -'dh' => 'Diffie-Hellman-Parameter', -'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', -'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.', -'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', -'dh parameter' => 'Diffie-Hellman-Parameter', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', @@ -898,7 +893,6 @@ 'download' => 'herunterladen', 'download ca certificate' => 'CA-Zertifikat herunterladen', 'download certificate' => 'Datei herunterladen', -'download dh parameter' => 'Diffie-Hellman-Parameter herunterladen', 'download host certificate' => 'Host-Zertifikat herunterladen', 'download new ruleset' => 'Neuen Regelsatz herunterladen', 'download pkcs12 file' => 'PKCS12-Datei herunterladen', @@ -1313,11 +1307,9 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', -'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', -'generate dh key' => 'Diffie-Hellman Key generieren', 'generate iso' => 'ISO erstellen', 'generate ptr' => 'PTR erzeugen', 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate', 
@@ -1860,7 +1852,6 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not affected' => 'Nicht betroffen', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => 'Nicht vorhanden', @@ -1961,15 +1952,10 @@ 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn device' => 'OpenVPN-Gerät', -'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', -'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', -'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen', -'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', -'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.
', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', @@ -2270,7 +2256,6 @@ 'show ca certificate' => 'CA Zertifikat anzeigen', 'show certificate' => 'Datei anzeigen', 'show crl' => 'Certificate Revocation List anzeigen', -'show dh' => 'Diffie-Hellman-Parameter anzeigen', 'show host certificate' => 'Host-Zertifikat anzeigen', 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show otp qrcode' => 'Zeige OTP QRCode', @@ -2645,7 +2630,6 @@ 'upload a certificate' => 'Ein Zertifikat hochladen:', 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' => 'CA-Zertifikat hochladen', -'upload dh key' => 'Diffie-Hellman-Parameter hochladen', 'upload file' => 'Datei zum Hochladen', 'upload new ruleset' => 'Neuen Regelsatz hochladen', 'upload p12 file' => 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 60dca5be4..deafcf660 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -794,12 +794,6 @@ 'details' => 'Details', 'device' => 'Device', 'devices on blue' => 'Devices on BLUE', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Add a DHCP option', 'dhcp advopt added' => 'DHCP option added', 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.', 
@@ -939,7 +933,6 @@ 'download apple profile' => 'Download Apple Configuration Profile', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download file', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', @@ -1358,11 +1351,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Generate ISO', 'generate ptr' => 'Generate PTR', 'generate root/host certificates' => 'Generate root/host certificates', @@ -1911,7 +1902,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not affected' => 'Not Affected', 'not enough disk space' => 'Not enough disk space', 'not present' => 'Not present', 
@@ -2015,15 +2005,10 @@ 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', -'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit!
Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".
', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', @@ -2327,7 +2312,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2710,7 +2694,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index a1643557e..ee5c40025 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -799,12 +799,6 @@ 'details' => 'Détails', 'device' => 'Périphérique', 'devices on blue' => 'Périphériques sur BLEU', -'dh' => 'Paramètres Diffie-Hellman', -'dh key move failed' => 'Le déplacement des paramètres Diffie-Hellman a échoué.', -'dh key warn' => 'La création de paramètres DH avec des longueurs de 1024 ou 2048 bits prend plusieurs minutes. Des longueurs de 3072 ou 4096 bits peuvent nécessiter plusieurs heures. Soyez patient.', -'dh key warn1' => 'Pour des systèmes faibles ou avec peu d\'entropie, il est recommandé de télécharger les paramètres Diffie-Hellman longs en utilisant la fonction de téléchargement.', -'dh name is invalid' => 'Le nom est invalide, veuillez utiliser "dh1024.pem".', -'dh parameter' => 'Paramètres Diffie-Hellman', 'dhcp advopt add' => 'Ajouter une option DHCP', 'dhcp advopt added' => 'Option DHCP ajoutée', 'dhcp advopt blank value' => 'La valeur de l\'option DHCP ne peut pas être vide.', 
@@ -944,7 +938,6 @@ 'download apple profile' => 'Télécharger le profil de configuration Apple', 'download ca certificate' => 'Télécharger le certificat CA', 'download certificate' => 'Télécharger le certificat', -'download dh parameter' => 'Télécharger paramètres Diffie-Hellman', 'download host certificate' => 'Télécharger le certificat de l\'hôte', 'download new ruleset' => 'Télécharger de nouvelles règles', 'download pkcs12 file' => 'Télécharger le fichier PKCS12', @@ -1360,11 +1353,9 @@ 'fwhost wo subnet' => '(sans sous-réseau)', 'gateway' => 'Passerelle ', 'gateway ip' => 'IP passerelle', -'gen dh' => 'Générer nouveaux paramètres Diffie-Hellman ', 'gen static key' => 'Générer une clef statique', 'generate' => 'Générer un certificat racine / hôte', 'generate a certificate' => 'Générer un certificat :', -'generate dh key' => 'Générer paramètres Diffie-Hellman', 'generate iso' => 'Générer ISO', 'generate ptr' => 'Générer PTR ', 'generate root/host certificates' => 'Générer des certificats root / hôte', @@ -1917,7 +1908,6 @@ 'nonetworkname' => 'Aucun nom de réseau saisi', 'noservicename' => 'Aucun nom de service saisi', 'not a valid ca certificate' => 'Le certificat CA n\'est pas valide.', -'not a valid dh key' => 'Ce n\'est pas un fichier de paramètres Diffie-Hellman valide. Veuillez choisir une longueur de 1024, 2048, 3072 ou 4096 bits et le format PKCS#3.', 'not affected' => 'Non affecté', 'not enough disk space' => 'Pas assez d\'espace sur le disque', 'not present' => 'Absent', 
@@ -2021,15 +2011,10 @@ 'ovpn connection name' => 'Nom de la connexion ', 'ovpn crypt options' => 'Options cryptographiques', 'ovpn device' => 'Périphérique OpenVPN :', -'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ', -'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ', -'ovpn dh parameters' => 'Options de paramètres Diffie-Hellman', -'ovpn dh upload' => 'Mettre à jour nouveaux paramètres Diffie-Hellman ', 'ovpn dl' => 'Télécharger Config OVPN', 'ovpn engines' => 'Moteur Crypto', 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée', 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide', -'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits !
Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".
', 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n\'est plus acceptée.
Veuillez mettre à jour la dernière version d\'IPFire et générez un nouveau certificat racine et hôte..

Tous les clients OpenVPN doivent ensuite être renouvelés!
', 'ovpn generating the root and host certificates' => 'La génération du certificat racine et hôte peut prendre du temps.', 'ovpn ha' => 'Algorithme de hashage', @@ -2335,7 +2320,6 @@ 'show ca certificate' => 'Afficher le certificat CA', 'show certificate' => 'Afficher le certificat', 'show crl' => 'Montrer la liste de révocation des certificats', -'show dh' => 'Afficher les paramètres Diffie-Hellman', 'show host certificate' => 'Afficher le certificat hôte', 'show last x lines' => 'Montrer les dernières x lignes', 'show lines' => 'Montrer les lignes', @@ -2718,7 +2702,6 @@ 'upload a certificate' => 'Envoyer un certificat :', 'upload a certificate request' => 'Envoyer une demande de certificat :', 'upload ca certificate' => 'Envoyer un certificat CA', -'upload dh key' => 'Télécharger paramètres Diffie-Hellman', 'upload file' => 'Envoyer un fichier', 'upload new ruleset' => 'Télécharger un nouveau réglement', 'upload p12 file' => 'Envoyer fichier PKCS12', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index cf58bea90..87a86946f 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -681,12 +681,6 @@ 'details' => 'Dettagli', 'device' => 'Device', 'devices on blue' => 'Devices on Blu', -'dh' => 'Diffie-Hellman parameters', -'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', -'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', -'dh parameter' => 'Diffie-Hellman parameters', 'dhcp advopt add' => 'Aggiungere un opzione DHCP', 'dhcp advopt added' => 'Opzione DHCP aggiunto', 'dhcp advopt blank value' => 'DHCP opzione non può essere vuoto.', 
@@ -796,7 +790,6 @@ 'download' => 'download', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download certificate', -'download dh parameter' => 'Download Diffie-Hellman parameters', 'download host certificate' => 'Download host certificate', 'download new ruleset' => 'Scarica il nuovo set di regole', 'download pkcs12 file' => 'Download PKCS12 file', @@ -1158,11 +1151,9 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Genera file ISO', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', @@ -1594,7 +1585,6 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Spazio su disco insufficiente', 'not present' => 'Non presente', 'not running' => 'not running', @@ -1684,10 +1674,6 @@ 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', -'ovpn dh parameters' => 'Diffie-Hellman parameters options', -'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for Verde network is always set', 
@@ -1958,7 +1944,6 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show file', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2298,7 +2283,6 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index bc2eead9a..ad5567ce1 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -746,12 +746,6 @@ 'details' => 'Detaylar', 'device' => 'Aygıt', 'devices on blue' => 'Mavi üzerindeki aygıtlar', -'dh' => 'Diffie-Hellman parametreleri', -'dh key move failed' => 'Diffie-Hellman parametreleri taşınamadı.', -'dh key warn' => '1024 veya 2048 bit uzunluğundaki Diffie-Hellman parametrelerini oluşturma birkaç dakika sürebilir. 3072 veya 4096 bit uzunluğundaki parametreleri oluşturmak ise birkaç saate ihtiyaç olabilir. Lütfen sabırlı olun.', -'dh key warn1' => 'Zayıf veya entropileri küçük olan sistemler için bu yükleme fonksiyonun kullanımı ile uzun Diffie-Hellman parametrelerini yükleme tavsiye edilir.', -'dh name is invalid' => 'Geçersiz ad, lütfen "dh1024.pem" şeklinde kullanın.', -'dh parameter' => 'Diffie-Hellman parametreleri', 'dhcp advopt add' => 'DHCP seçeneği ekle', 'dhcp advopt added' => 'DHCP seçeneği eklendi', 'dhcp advopt blank value' => 'DHCP seçeneği değeri boş olamaz.', 
@@ -868,7 +862,6 @@ 'download' => 'İndir', 'download ca certificate' => 'CA sertifikası indir', 'download certificate' => 'Sertifika indir', -'download dh parameter' => 'Diffie-Hellman parametrelerini indir', 'download host certificate' => 'Ana bilgisayar belgesi indir', 'download new ruleset' => 'Yeni Kural Kümesi İndir', 'download pkcs12 file' => 'PKCS12 dosyasını indir', @@ -1269,11 +1262,9 @@ 'g.lite' => 'KALDIRILACAK', 'gateway' => 'Ağ geçidi', 'gateway ip' => 'Ağ Geçidi IP Adresi', -'gen dh' => 'Yeni Diffie-Hellman parametrelerini oluşturun', 'gen static key' => 'Statik bir anahtar oluştur', 'generate' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate a certificate' => 'Sertifika oluştur:', -'generate dh key' => 'Diffie-Hellman parametrelerini oluşturun', 'generate iso' => 'ISO oluştur', 'generate root/host certificates' => 'Yönetici/Sunucu Sertifikası Oluştur', 'generate tripwire keys and init' => 'tripwire anahtarları ve init oluştur', @@ -1731,7 +1722,6 @@ 'nonetworkname' => 'Ağ adı girilmedi', 'noservicename' => 'Hizmet adı girilmedi', 'not a valid ca certificate' => 'Geçerli bir CA sertifikası değil.', -'not a valid dh key' => 'Geçerli bir Diffie-Hellman parametre dosyası yok. 1024, 2048, 3072 veya 4096 bit uzunluğunda ve PKCS#3 biçimini kullanın.', 'not enough disk space' => 'Yeterli disk alanı yok', 'not present' => 'Mevcut değil', 'not running' => 'çalışmıyor', @@ -1828,10 +1818,6 @@ 'ovpn config' => 'OVPN-Yapılandırması', 'ovpn crypt options' => 'Şifreleme seçenekleri', 'ovpn device' => 'OpenVPN aygıtı:', -'ovpn dh' => 'Diffie-Hellman parametre uzunluğu', -'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun', -'ovpn dh parameters' => 'Diffie-Hellman parametre seçenekleri', -'ovpn dh upload' => 'Yeni Diffie-Hellman parametreleri yükle', 'ovpn dl' => 'OVPN-Yapılandırması İndir', 'ovpn engines' => 'Şifreleme motoru', 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla', 
@@ -2111,7 +2097,6 @@
 'show ca certificate' => 'CA sertifikalarını göster',
 'show certificate' => 'Sertifika göster',
 'show crl' => 'Sertifika İptal Listesini Göster',
-'show dh' => 'Diffie-Hellman parametrelerini göster',
 'show host certificate' => 'Ana bilgisayar sertifikalarını göster',
 'show last x lines' => 'Son x satırlarını göster',
 'show lines' => 'Satırları göster',
@@ -2462,7 +2447,6 @@
 'upload a certificate' => 'Sertifika yükle:',
 'upload a certificate request' => 'Sertifika isteği yükle:',
 'upload ca certificate' => 'CA Sertifikası Yükle',
-'upload dh key' => 'Diffie-Hellman parametreleri yükle',
 'upload fcdsl.o' => 'KALDIRILACAK',
 'upload file' => 'Dosya yükle',
 'upload new ruleset' => 'Yeni kurallar yükle',
diff --git a/lfs/openssl b/lfs/openssl
index 28a92a6b3..0431203f0 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -123,5 +123,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl + # Install RFC 7919 defined standard group ffdhe4096 + install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl + @rm -rf $(DIR_APP) @$(POSTBUILD) From patchwork Fri Nov 11 12:15:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 6130 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N7yMk0lNkz3wgd for ; Fri, 11 Nov 2022 12:15:30 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4N7yMN3mlqz1P2; Fri, 11 Nov 2022 12:15:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N7yMN2zbXz2xbH; Fri, 11 Nov 2022 12:15:12 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N7yMM2MFFz2xJQ for ; Fri, 11 Nov 2022 12:15:11 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 
X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4N7yMJ6WH9zkG for ; Fri, 11 Nov 2022 12:15:08 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1668168911; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Fjo9Bh5Dq2FAqKIPNNi9BTPFDc9yr9H4syHu6VCovfc=; b=7tld5THGW4zd58FvR8pQCY0gvmOcD1YPwBmkoYPArw1vK230RPCF6eS50WNKqK34yJuKJB 3r0+act6nEdUOrAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1668168911; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Fjo9Bh5Dq2FAqKIPNNi9BTPFDc9yr9H4syHu6VCovfc=; b=CZuJxxjc/KUSD/09DTLX0Up3uaJILGzB5Qe3t0peqUs2oh2MxApIafWgydD2UnmjXloyxT sSgnZwOaM07fwxdvWTKW3wT4x0NUedxYYAE9zmvdepf63tLLnwSPU01Mktf2cNjd7qBsYc eM/Fq85/S25/2ry+cxiKQNuvuzDf1GoYiu2+ZzmMKMOu3zjHuGuM0gYI/L67PnVJXNvaxO xSsbBI8ZBRytnTkRbVNE/CR8XyAydP4tAIo/wfIZy+Ob5zASkoHnHIIjh0lUXx8z/9MWMU fmhx9YZgnhnvMiZB7R6AYePSej+p09XYvHufTolFk5IlRWS3uiidCAFb6pRMkg== Message-ID: <0afe2da8-6438-5f25-3b14-e6c59dafb783@ipfire.org> Date: Fri, 11 Nov 2022 12:15:03 +0000 MIME-Version: 1.0 Subject: [PATCH 2/3] OpenSSL: Add ffdhe4096 Diffie-Hellman parameter Content-Language: en-US To: development@lists.ipfire.org References: From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" 
Signed-off-by: Peter Müller
---
 config/ssl/ffdhe4096.pem | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 config/ssl/ffdhe4096.pem
diff --git a/config/ssl/ffdhe4096.pem b/config/ssl/ffdhe4096.pem
new file mode 100644
index 000000000..3cf0fcbc0
--- /dev/null
+++ b/config/ssl/ffdhe4096.pem
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- From patchwork Fri Nov 11 12:15:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 6131 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N7yN42K3Bz3wgd for ; Fri, 11 Nov 2022 12:15:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4N7yN34cqcz1Rs; Fri, 11 Nov 2022 12:15:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N7yN33zhcz2y1V; Fri, 11 Nov 2022 12:15:47 +0000 (UTC) Received: from mail01.ipfire.org 
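Review bot: The 13-line group file is added without any statement of where it was taken from or how it was checked, so a reviewer has to decode the DER by hand to confirm it is the RFC 7919 ffdhe4096 group rather than a mistyped or locally generated parameter. The visible encoding is consistent with ffdhe4096 (the modulus starts and ends with runs of 0xFF bytes and the final INTEGER appears to be the generator 2), but consistency is not verification. Recording the source (RFC 7919 Appendix A.3) in the commit message and running `openssl dhparam -check -noout -in config/ssl/ffdhe4096.pem` — or making that check part of the lfs/openssl install step that copies the file to /etc/ssl — would make the provenance auditable for later updates.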
(mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N7yN231Mxz2xPS for ; Fri, 11 Nov 2022 12:15:46 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4N7yMz4KC9zQS for ; Fri, 11 Nov 2022 12:15:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1668168946; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nNgTmzDuxOQU/LZkJbU5MMYwkwx6W2Gv28TPJzlPKkY=; b=TQ3DYU69jbcZLb9+paVRTDXOLdQACJI5BW6gr6JdJ3WFbRSh735F4SebXNuZqmZVMjew1p P5oYSLEskwzChUBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1668168946; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nNgTmzDuxOQU/LZkJbU5MMYwkwx6W2Gv28TPJzlPKkY=; b=Ldu6zk4ZwhhjHwi0lf9doGO+uo8Ntn5q2on5ldRZtO1t64tjjj9yg9K3ZVIKJMo1Cmjx8Z nBb1xCgm+Bsu2SXL978A5yLycQvgUFPdjBn5D9YrbDIQEzEk0plPgV41MTxffAoE0xgBV/ bpvXbyQJkVOfCAu43zZvp97b+PYEMvAy+lVoLrZe7loQEJFzMvkJDAWsC7CtgpWN2041nE 52rwsjywN4lnJ11oPIB9G9Px3ID0VBNCTC95NvLcbpjl1jqpLJADU7+PMtp7pCsfwU/0kM 2bmpp1smEnf34N6p6vRQK0GevkBvzZgA4SmSfZr6mXn4FPXyBJOpl8A5H4Qzyw== Message-ID: <24486420-e970-17cd-7b86-5f75e91d9a59@ipfire.org> Date: Fri, 11 Nov 2022 12:15:37 +0000 MIME-Version: 1.0 Subject: 
[PATCH 3/3] Core Update 172: Ship and apply OpenVPN Diffie-Hellman changes Content-Language: en-US To: development@lists.ipfire.org References: From: =?utf-8?q?Peter_M=C3=BCller?= In-Reply-To: X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Inspired by https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=2ccc799f8bd6a12c3edab5f1a89fab4d2cd05ea8. Cc: Erik Kapfer Signed-off-by: Peter Müller
---
 config/rootfiles/core/172/filelists/files | 1 +
 config/rootfiles/core/172/update.sh | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/config/rootfiles/core/172/filelists/files b/config/rootfiles/core/172/filelists/files
index d73430dae..8b820d594 100644
--- a/config/rootfiles/core/172/filelists/files
+++ b/config/rootfiles/core/172/filelists/files
@@ -1,3 +1,4 @@
+etc/ssl/ffdhe4096.pem
 usr/lib/firewall/rules.pl
 usr/local/bin/addonctrl
 usr/local/bin/openvpnctrl
diff --git a/config/rootfiles/core/172/update.sh b/config/rootfiles/core/172/update.sh
index f3c77fbfb..eebe37456 100644
--- a/config/rootfiles/core/172/update.sh
+++ b/config/rootfiles/core/172/update.sh
@@ -33,6 +33,8 @@ done
 # Stop services
 /etc/rc.d/init.d/ipsec stop
+/usr/local/bin/openvpnctrl -k
+/usr/local/bin/openvpnctrl -kn2n
 /etc/rc.d/init.d/sshd stop
 /etc/rc.d/init.d/unbound stop
@@ -70,7 +72,8 @@ rm -rvf \
 /usr/lib/python3.10/site-packages/setuptools/_vendor/pyparsing.py \
 /usr/lib/python3.10/site-packages/setuptools/config.py \
 /usr/lib/python3.10/site-packages/setuptools_rust/utils.py \
- /usr/libexec/ipsec/scepclient
+ /usr/libexec/ipsec/scepclient \
+ /var/ipfire/ca/dh1024.pem
 # Remove powertop add-on, if installed
 if [ -e "/opt/pakfire/db/installed/meta-powertop" ]; then
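Review bot: The path appended to the `rm -rvf` list, `/var/ipfire/ca/dh1024.pem`, does not match the path the later sed rewrites in server.conf, `/var/ipfire/ovpn/ca/dh1024.pem`; only one of them can be where the old parameter file lives, so either the removal is a no-op or the config rewrite never matches. Since the OpenVPN config rewrite and the removed language strings both refer to the `ovpn/ca/` location, the removal entry should most likely read `+	/var/ipfire/ovpn/ca/dh1024.pem`; confirm against the CGI that writes server.conf before merging. Leaving the old file behind is not dangerous once the config points elsewhere, but the update would then not actually retire the 1024-bit group from disk as the series intends. The `rm -rvf` statement this hunk extends starts outside the hunk.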
@@ -98,11 +101,24 @@ ldconfig
 # Apply local configuration to sshd_config
 /usr/local/bin/sshctrl
+# Replace existing OpenVPN Diffie-Hellman parameter by ffdhe4096, as specified in RFC 7919
+if [ -f /var/ipfire/ovpn/server.conf ]; then
+ sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf
+fi
+
+if [ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]; then
+ sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/n2nconf/*/*.conf
+fi
+
 # Start services
 /etc/init.d/unbound start
 if grep -q "ENABLE_SSH=on" /var/ipfire/remote/settings; then
 /etc/init.d/sshd start
 fi
+if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then
+ /usr/local/bin/openvpnctrl -s
+ /usr/local/bin/openvpnctrl -sn2n
+fi
 if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
 /etc/init.d/ipsec start
 fi
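Review bot: `[ -f "/var/ipfire/ovpn/n2nconf/*/*.conf" ]` tests for a file literally named `*.conf` inside a directory literally named `*`, because the double quotes suppress glob expansion, so the branch is effectively never taken and net-to-net configurations keep pointing at the dh1024.pem that this update deletes; those connections would then fail to start once `openvpnctrl -sn2n` runs. Even unquoted, `-f` cannot test more than one file, so a second config would break the test. Iterating over the glob and testing each match fixes both problems and is still a no-op when no n2n configuration exists, because the unexpanded pattern fails the `-f` test and is skipped.
```shell
# … unchanged: server.conf rewrite …
for conf in /var/ipfire/ovpn/n2nconf/*/*.conf; do
	[ -f "${conf}" ] || continue
	sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' "${conf}"
done
```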