From patchwork Thu Jun 21 19:46:36 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1835
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: Clarify fundamental crypto errors but also warnings in WUI
Date: Thu, 21 Jun 2018 11:46:36 +0200
Message-Id: <1529574397-30471-1-git-send-email-erik.kapfer@ipfire.org>

Since OpenVPN 2.4.x, a lot of changes have been introduced. This patch should help users better understand errors in the cryptography. It also includes potential warnings for upcoming changes and needed adjustments in the system. This can also be extended in the future for upcoming configuration changes.

Signed-off-by: Erik Kapfer
---
 html/cgi-bin/ovpnmain.cgi | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl    |  5 +++++
 langs/en/cgi-bin/en.pl    |  5 +++++
 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..c9d36d7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -1069,7 +1071,42 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + +### +### Check for cryptography problems +### + +# Warning if DH parameter is 1024 bit +if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { + my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + if ($dhlenght =~ /1024 bit/) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } +} + +# Warning if md5 is in usage +if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } +} + +CRYPTO_ERROR: + +# Warning if certificate is not compliant to RFC3280 TLS rules +if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage =~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } +} + +CRYPTO_WARNING: + ### ### Save main settings ### 
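Review bot: in the "Check for cryptography problems" block the third test guards on `-f "${General::swroot}/ovpn/openssl/ovpn.cnf"` but then reads `${General::swroot}/ovpn/certs/servercert.pem`; when the certificate is missing the backtick call fails and `$extendkeyusage` is empty, so the `-f` test should be on servercert.pem, the file that is actually opened. Please also confirm the direction of that match: `if ($extendkeyusage =~ /TLS Web Server Authentication/)` fires when the extendedKeyUsage for server authentication *is* present, yet the message it sets ('ovpn warning rfc3280') tells the admin the certificate is *not* compliant; if the intent is to flag certificates that lack the extension, the test has to be `!~`. The `goto CRYPTO_ERROR` / `goto CRYPTO_WARNING` jumps add nothing, since each label sits directly after the only `goto` that targets it; skipping the MD5 test once a DH error has been recorded is expressed more plainly with `elsif` or `unless ($cryptoerror)`. Smaller points: `$dhlenght` is misspelled (`$dhlength`); `openssl dhparam -text` without `-noout` also dumps the PEM block, which is harmless but noisy; the MD5 check only inspects servercert.pem although the user is told to regenerate the root certificate as well; and all three checks spawn `/usr/bin/openssl` on every page load, so consider running them only when the relevant files have changed.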
@@ -5135,6 +5172,20 @@ END &Header::closebox(); } + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "$cryptoerror"; + print " "; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "$cryptowarning"; + print " "; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage
"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..e1e9c97 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'Cron-Server', +'crypto error' => 'Kryptografiefehler', +'crypto warning' => 'Kryptografiewarnungen', 'current' => 'Aktuell', 'current aliases' => 'Aktuelle Alias-Adresse', 'current class' => 'Aktuelle Klasse', @@ -1817,6 +1819,8 @@ 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.
', +'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 'ovpn hmac' => 'HMAC-Optionen', @@ -1841,6 +1845,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', 'ovpn_mssfix' => 'MSSFIX-Grösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..d3847c9 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptographic error', +'crypto warning' => 'Cryptographic warning', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1850,6 +1852,8 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', +'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit!
Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".
', +'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', 'ovpn ha' => 'Hash algorithm', 'ovpn hmac' => 'HMAC options', @@ -1874,6 +1878,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery',
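Review bot: in the ovpnmain.cgi display hunk (`@@ -5135,6 +5172,20 @@`) each new box prints the message and then a bare `print " ";` whose purpose is unclear (probably a line break lost in the mailing-list rendering); either drop it or make it the `<br>` it is meant to be. Within this patch nothing else reacts to `$cryptoerror`, so a 1024-bit DH file or an MD5-signed host certificate keeps being used after the red box is shown; if the checks are meant to be informational only, the commit message should say so, otherwise the affected settings should be blocked from being saved. The box titles also disagree in number between languages: en.pl has 'Cryptographic warning' (singular) while de.pl has 'Kryptografiewarnungen' (plural).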
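Review bot: the new en.pl strings need a proofread before they are shown to users: 'You host certificate uses MD5' should read 'Your host certificate'; 'needs to be in minimum 2048 bit' should read 'must be at least 2048 bits long'; 'this can be made below' should read 'this can be done below'; and 'All OpenVPN clients needs then to be renewed!' (used in both 'ovpn error md5' and 'ovpn warning rfc3280') should read 'All OpenVPN clients then need to be renewed!'. Both language files, and the key name 'ovpn warning rfc3280' itself, cite RFC 3280, which was obsoleted by RFC 5280 in 2008; the extendedKeyUsage rules being checked are in RFC 5280 section 4.2.1.12, so the text should reference RFC 5280 or simply name the missing extension (extendedKeyUsage serverAuth). In de.pl, 'Host Zertifikat' and 'Root und Host Zertifikate' should be hyphenated ('Host-Zertifikat', 'Root- und Host-Zertifikate') to match the existing 'ovpn generating the root and host certificates' string directly below the new keys.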