From patchwork Sun Jun 4 18:57:08 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6925
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
Date: Sun, 4 Jun 2023 20:57:08 +0200
Message-Id: <20230604185709.8088-1-adolf.belka@ipfire.org>

- With a n2n connection .p12 certificate created with openssl-1.1.1x the line providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in a failure and an error message. All the openssl commands dealing with pkcs12 (.p12) files need to have the -legacy option added to them.

Fixes: Bug#13137
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Reviewed-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5..88106251e 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Activate Management Interface and Port\n"; if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; + print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF); }
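Review bot: the added `print CLIENTCONF "providers legacy default\n";` is written into every n2n client config this block produces, with no comment line, while the neighbouring directives are each introduced by one (`print CLIENTCONF "# Activate Management Interface and Port\n";`). A preceding `print CLIENTCONF "# Load the OpenSSL legacy provider for .p12 files created with openssl-1.1.1x\n";` would record in the generated file why the provider is loaded and make the line easy to retire once no such files remain; the identical additions in the -2156 and -3296 hunks would benefit from the same comment.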
@@ -1648,7 +1649,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys', '-in', $filename, '-out', "$tempdir/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1671,7 +1672,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys', '-in', $filename, '-out', "$tempdir/hostcert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1694,7 +1695,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts', '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) { @@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; + print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF); @@ -3296,6 +3298,7 @@ END print FILE "# Logfile\n"; print FILE "status-version 1\n"; print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n"; + print FILE "providers legacy default\n"; close FILE; unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) { 
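Review bot: `-legacy` in the -1648 hunk (and in the two import hunks that follow it) is an OpenSSL 3 option; on a system still running openssl-1.1.1x the `exec` itself succeeds but `openssl pkcs12` rejects the unknown option and the import fails through the existing `ROOTCERT_ERROR` path, so this change makes ovpnmain.cgi depend on OpenSSL 3 and the commit message should state that. The flag is the right choice on the import side: it loads the legacy provider in addition to the default one, so .p12 files that OpenSSL 3 created with its PBES2/AES defaults still import unchanged.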
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') { # Create the pkcs12 file # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-export', + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'},

From patchwork Sun Jun 4 18:57:09 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6926
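Review bot: on the first patch's last hunk (the `pkcs12 -export` call at line 4245 of the new file), adding `-legacy` changes what gets written, not only what can be read: in legacy mode openssl-pkcs12(1) encrypts the certificates with RC2 (3DES where RC2 is disabled in the build) and the private key with 3DES, instead of the AES-256-CBC with PBKDF2 that OpenSSL 3 uses by default. Every connection created after this patch therefore also depends on the legacy provider, which turns the `providers legacy default` workaround into a permanent requirement. If the peer importing the file runs OpenSSL 3 as well, consider exporting without `-legacy` and keeping the flag only on the three import calls; if older peers must still read the file, the commit message should say so.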
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/2] update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
Date: Sun, 4 Jun 2023 20:57:09 +0200
Message-Id: <20230604185709.8088-2-adolf.belka@ipfire.org>
In-Reply-To: <20230604185709.8088-1-adolf.belka@ipfire.org>
References: <20230604185709.8088-1-adolf.belka@ipfire.org>

- This modification will check if ovpnconfig exists and is not empty. If so then it will check for all n2n connections and if they are Client configs will check if "providers legacy default" is not already present and if so will add it.

Fixes: Bug#13137
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Reviewed-by: Michael Tremer
---
 config/rootfiles/core/175/update.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh
index 5e45c819f..82676bc72 100644
--- a/config/rootfiles/core/175/update.sh
+++ b/config/rootfiles/core/175/update.sh
@@ -177,6 +177,20 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi +## Add providers legacy default line to n2n client config files +# Check if ovpnconfig exists and is not empty +if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Identify all n2n connections + for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Add the legacy option to all N2N client conf files + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf + fi + fi + done +fi + # This update needs a reboot... touch /var/run/need_reboot
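Review bot: `awk -F',' '/net/ { print $3 }'` tests the whole ovpnconfig line for the substring `net`, not the connection type field, so a host-type entry whose name or any other field contains `net` is visited too; the CGI side selects n2n entries with `[3] eq 'net'` on the split line, which is awk's `$4`, so `$4 == "net"` is the precise test. The two `$(grep -c ...)` substitutions are also unquoted and `${y}.conf` is never checked for existence: if the file is missing, grep writes only to stderr and `[ -eq 1 ]` is a syntax error rather than a false result. A guard of the form `[ -f "$conf" ] && grep -q "Open VPN Client Config" "$conf" && ! grep -q "providers legacy default" "$conf"` avoids both problems and does not depend on the marker appearing exactly once.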
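Both commit messages rest on one fact: openssl-1.1.1x wrote .p12 files with PKCS#12 password-based encryption whose certificate bag uses RC2-40, and OpenSSL 3 serves RC2 (and RC4) only from its legacy provider, while 3DES and the PBES2/AES scheme OpenSSL 3 exports by default live in the default provider. The series enables the legacy provider for every n2n client, which works but hides which files actually rely on it. The following check, added here as an example and not part of IPFire's code, walks the DER structure of a .p12 file, collects the PBE algorithm identifiers it finds and reports whether the file needs `openssl pkcs12 -legacy` or OpenVPN's `providers legacy default`. All function names are my own, and the sample inputs at the bottom are constructed stand-ins with the same nesting as a real PFX, not real connection files.

```python
#!/usr/bin/env python3
"""Report which PKCS#12 PBE schemes a .p12 file uses and whether OpenSSL 3
needs its legacy provider to read it (added example, not IPFire's code)."""
import sys

# PKCS#12 PBE OIDs (RFC 7292) plus PBES2 (RFC 8018). The flag says whether the
# cipher lives in OpenSSL 3's legacy provider: RC2 and RC4 do, 3DES and PBES2 do not.
PKCS12_PBE = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", True),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHA1And40BitRC4", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHA1And2-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2", False),
}


def der(tag, content):
    """Wrap content in a DER TLV (short-form length only; enough for the samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def encode_oid(dotted):
    """DER-encode a dotted OID whose first arc is 0 or 1 (all PKCS OIDs are)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])      # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def decode_oid(content):
    """Inverse of encode_oid, applied to the content octets of an OBJECT IDENTIFIER."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data, pos):
    """Return (tag, content_start, content_end) for the TLV at pos, or None if not DER."""
    if pos + 2 > len(data):
        return None
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            return None                      # indefinite (BER) or absurd length
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return None if pos + length > len(data) else (tag, pos, pos + length)


def is_der_sequence(data):
    """True if data is well-formed TLVs, starting with SEQUENCE, consuming every byte."""
    pos = 0
    while pos < len(data):
        tlv = read_tlv(data, pos)
        if tlv is None:
            return False
        pos = tlv[2]
    return len(data) > 0 and data[0] == 0x30


def collect_oids(data, found=None):
    """Walk DER, descending into constructed types and into OCTET STRINGs that hold
    DER themselves (PKCS#12 nests authSafe and SafeContents that way). Ciphertext
    never passes is_der_sequence, so encrypted bags are skipped, not misread."""
    found = [] if found is None else found
    pos = 0
    while pos < len(data):
        tlv = read_tlv(data, pos)
        if tlv is None:
            break
        tag, start, end = tlv
        if tag == 0x06:
            found.append(decode_oid(data[start:end]))
        elif tag & 0x20 or (tag == 0x04 and is_der_sequence(data[start:end])):
            collect_oids(data[start:end], found)
        pos = end
    return found


def pbe_schemes(p12):
    """Names of the PKCS#12 PBE / PBES2 schemes used anywhere in the file."""
    return [PKCS12_PBE[o][0] for o in collect_oids(p12) if o in PKCS12_PBE]


def needs_legacy_provider(p12):
    """True when any RC2/RC4-based PBE appears, i.e. when 'openssl pkcs12 -legacy'
    or OpenVPN's 'providers legacy default' is needed to open the file."""
    return any(PKCS12_PBE[o][1] for o in collect_oids(p12) if o in PKCS12_PBE)


def sample_p12(pbe_oid):
    """Constructed stand-in: SEQUENCE { INTEGER 3, OCTET STRING { SEQUENCE {
    AlgorithmIdentifier { pbe_oid, pkcs-12PbeParams { salt, iterations } } } } }."""
    params = der(0x30, der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00"))
    alg = der(0x30, encode_oid(pbe_oid) + params)
    return der(0x30, der(0x02, b"\x03") + der(0x04, der(0x30, alg)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:                                    # openssl-1.1.1 style certificate bag
        data = sample_p12("1.2.840.113549.1.12.1.6")
    print("PBE schemes:", ", ".join(pbe_schemes(data)) or "none found")
    print("needs 'providers legacy default':", needs_legacy_provider(data))
```

Run against the .p12 files under the n2n connection directories, the script separates files that must keep the legacy line from files OpenSSL 3 reads on its own; a file reporting only PBES2 or 3DES schemes is one the update script's unconditional append could have left alone. The walker refuses BER indefinite lengths and stops at the first malformed element, so a damaged or truncated file yields an empty list rather than an exception.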