From patchwork Wed Jun 27 17:34:21 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1842
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH v2] OpenVPN: x509 and DH-parameter check with Warnings and error messages in WUI
Date: Wed, 27 Jun 2018 09:34:21 +0200
Message-Id: <1530084861-21062-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1529574397-30471-1-git-send-email-erik.kapfer@ipfire.org>
References: <1529574397-30471-1-git-send-email-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

Changes include:
- Own crypto warning and error message in WUI (can be extended to configuration too).
- Check if DH-parameter is < 2048 bit, with an error message and how to fix it.
- Check if md5 is still in use, with an error message and a suggestion how to proceed further to fix it.
- Check for soon needed RFC3280 TLS rules compliance and a suggestion how to proceed further to fix it.
- Disabled 1024 bit DH-parameter upload.
- Changed de and en language files for DH-parameter upload (deleted 1024 bit).
- Added explanations to de and en language files for the above changes.
- Fixed typo in en language file.
Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 61 +++++++++++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 9 +++++-- langs/en/cgi-bin/en.pl | 11 ++++++--- 3 files changed, 74 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4bc3473..d16c753 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -64,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { 
@@ -199,6 +203,45 @@ sub deletebackupcert } } +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -1069,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + ### ### Save main settings ### @@ -1336,7 +1379,7 @@ END goto UPLOADCA_ERROR; } my $temp = `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; 
@@ -5135,6 +5178,20 @@ END &Header::closebox(); } + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "$cryptoerror"; + print " "; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "$cryptowarning"; + print " "; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage
"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 630d9b2..1fee282 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -661,6 +661,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'Cron-Server', +'crypto error' => 'Kryptografiefehler', +'crypto warning' => 'Kryptografiewarnungen', 'current' => 'Aktuell', 'current aliases' => 'Aktuelle Alias-Adresse', 'current class' => 'Aktuelle Klasse', @@ -730,7 +732,7 @@ 'devices on blue' => 'Geräte auf BLAU', 'dh' => 'Diffie-Hellman-Parameter', 'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', -'dh key warn' => 'Das Generieren der DH-Parameter mit 1024 oder 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', +'dh key warn' => 'Das Generieren eines DH-Parameter mit 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', 'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', 'dh parameter' => 'Diffie-Hellman-Parameter', 'dhcp advopt add' => 'DHCP Option hinzufügen', @@ -1708,7 +1710,7 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 1024, 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', +'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => 'Nicht vorhanden', 'not running' => 'nicht gestartet', 
@@ -1817,6 +1819,8 @@ 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein!
Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.
', +'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', 'ovpn ha' => 'Hash-Algorithmus', 'ovpn hmac' => 'HMAC-Optionen', @@ -1840,6 +1844,7 @@ 'ovpn server status' => 'OpenVPN-Server-Status', 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', +'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ec5bf4..3ec5af5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -682,6 +682,8 @@ 'credits' => 'Credits', 'crl' => 'Certificate Revocation List', 'cron server' => 'CRON Server', +'crypto error' => 'Cryptographic error', +'crypto warning' => 'Cryptographic warning', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -752,7 +754,7 @@ 'devices on blue' => 'Devices on BLUE', 'dh' => 'Diffie-Hellman parameters', 'dh key move failed' => 'Diffie-Hellman parameters move failed.', -'dh key warn' => 'Creating DH-parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', +'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', 'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', 'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', 'dh parameter' => 'Diffie-Hellman parameters', @@ -1740,7 +1742,7 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', +'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Not enough disk space', 'not present' => 'Not present', 'not running' => 'not running', 
@@ -1850,7 +1852,9 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', -'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', +'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit!
Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".
', +'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', +'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', 'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', @@ -1874,6 +1878,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery',
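Review bot: in the `@@ -97,6 +99,8 @@` hunk of ovpnmain.cgi, `&pkiconfigcheck;` is called right after the `$cgiparams` defaults are reset, and it is not visible in this hunk where `$cgiparams{'DH_NAME'}` gets populated. If the stored settings are only read later in the request flow, the `-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"` test in the new sub is false for an empty name and the DH length check silently never runs; either move the call to after the settings hash has been loaded or pass the DH file name explicitly. The added comment also reads `configration`; make it `configuration`.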
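Review bot: in the `@@ -199,6 +203,45 @@` hunk (`sub pkiconfigcheck`), the DH length test is fragile: `my @dhbit = ($dhparameter =~ /(\d+)/);` captures the first run of digits anywhere in the `openssl dhparam -text` output, `@dhbit` is never used, and the comparison reads `$1`, which keeps a stale value (or is undef and compares as 0, raising the error) whenever the pattern did not match. Reuse the anchored pattern the upload path in this same file already uses and test the match result: `if ($dhparameter =~ /DH Parameters: \((\d+) bit\)/ and $1 < 2048) {`. Two smaller points in the same hunk: `$cgiparams{'DH_NAME'}` is interpolated unquoted into a backtick command; the name is validated on upload, but this sub runs on every page load, so hard-code the expected file name or use the list form of `open`/`system` that bypasses the shell. `servercert.pem` is dumped twice with `openssl x509 -noout -text`; run it once, keep the output, and test both `md5WithRSAEncryption` and `TLS Web Server Authentication` on it, which also lets `elsif` replace the `goto CRYPTO_ERROR`/`CRYPTO_WARNING` jumps that only skip to the very next statement. A comment would help readers: the EKU test checks for the serverAuth extended key usage that OpenVPN's `remote-cert-tls server` option requires on the server certificate, and RFC 3280 has been obsoleted by RFC 5280, so the warning key and text should name RFC 5280.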
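Review bot: the `@@ -1069,7 +1112,7 @@` hunk is a whitespace-only change to a blank line in the "Save main settings" block and is unrelated to the crypto checks; drop it from this patch or send it separately.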
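Review bot: the `@@ -1336,7 +1379,7 @@` hunk correctly drops 1024 from the accepted `DH Parameters: \((2048|3072|4096) bit\)` lengths, matching the updated `not a valid dh key` strings, but the unchanged `'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".'` string visible in the en.pl context still tells users to upload a file called dh1024.pem. That is only a file name, yet next to a check that rejects 1024-bit parameters it reads as a contradiction; either explain in that string that the name is fixed regardless of length or adjust the expected name in a follow-up.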
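Review bot: in the `@@ -5135,6 +5178,20 @@` hunk, the new `crypto error` and `crypto warning` boxes print the language strings as-is, and the strings added to de.pl and en.pl contain literal newlines and blank lines. HTML collapses those into single spaces, so the three-line messages render as one run-on paragraph unless line-break tags are inserted between the sentences (ignore this if the original used `<br>` tags that the mail archive stripped). Also consider a short comment on the `print " ";` line stating what separator it is meant to emit.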
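Review bot: in the de.pl `@@ -730,7 +732,7 @@` hunk, the new `dh key warn` text has a case error: "eines DH-Parameter" should be the genitive "eines DH-Parameters".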
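Review bot: in the de.pl `@@ -1817,6 +1819,8 @@` hunk, the `ovpn error md5` text needs the polite form capitalised and consistent hyphenation and number: "Host Zertifikat" should be "Host-Zertifikat", and "generieren sie ein neues Root und Host Zertifikate" should read "generieren Sie neue Root- und Host-Zertifikate" (or "ein neues Root- und ein neues Host-Zertifikat"). The same "Diffie-Hellman Parameter" in `ovpn error dh` is hyphenated "Diffie-Hellman-Parameter" elsewhere in the file.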
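Review bot: in the de.pl `@@ -1840,6 +1844,7 @@` hunk, `ovpn warning rfc3280` should read "Das Host-Zertifikat ist nicht RFC3280-konform." ("Regelkonform" capitalised as a noun is wrong here), and "generieren sie" should be "generieren Sie".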
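Review bot: in the en.pl `@@ -752,7 +754,7 @@` hunk, the rewritten `dh key warn` line keeps the pre-existing "might needs several hours"; since the line is touched anyway, fix it to "might need several hours".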
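Review bot: in the en.pl `@@ -1850,7 +1852,9 @@` hunk, the new strings need wording fixes before they are shown to users: `ovpn error dh` should read "The Diffie-Hellman parameter must be at least 2048 bits long!" and "this can be done below in the section", `ovpn error md5` should start "Your host certificate uses MD5", and "All OpenVPN clients needs then to be renewed!" should be "All OpenVPN clients will then need to be renewed!". The `certifictae` to `certificate` fix on the re-added `ovpn generating the root and host certificates` line is good but unrelated to the crypto checks.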
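Review bot: in the en.pl `@@ -1874,6 +1878,7 @@` hunk, `ovpn warning rfc3280` should read "generate a new root and host certificate as soon as possible" and "All OpenVPN clients will then need to be renewed!", matching the grammar fix suggested for the md5 string.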