From patchwork Tue Jan 30 17:45:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7514 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdd2cLdz3xPk for ; Tue, 30 Jan 2024 17:45:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdZ1DBmz2T1; Tue, 30 Jan 2024 17:45:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdY5My4z32jB; Tue, 30 Jan 2024 17:45:53 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2gKJz30F7 for ; Tue, 30 Jan 2024 17:45:51 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdV3BqKz1FC; Tue, 30 Jan 2024 17:45:50 +0000 
(UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4TPXdR6r63zThHT; Tue, 30 Jan 2024 17:45:47 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/3] vpnmain.cgi: Do not use a bad source for randomness Date: Tue, 30 Jan 2024 17:45:42 +0000 Message-Id: <20240130174544.3986725-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Message-ID-Hash: QR23L5JC3GQE6JBQ2AE56FLZLB3NF3FK X-Message-ID-Hash: QR23L5JC3GQE6JBQ2AE56FLZLB3NF3FK X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 53507305f..8b05a0de7 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -2141,7 +2141,7 @@ END &General::log("ipsec", "Creating a cert..."); if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + my $opt = " req -nodes"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; From patchwork Tue Jan 30 17:45:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7513 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdd2CJcz3xN2 for ; Tue, 30 Jan 2024 17:45:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdY5NLwzlg; Tue, 30 Jan 2024 17:45:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdY3mTLz32j1; Tue, 30 Jan 2024 17:45:53 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2dcCz2xcF for ; Tue, 30 Jan 2024 17:45:51 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org 
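Review bot: the commit message has no body; it should state why dropping `-rand /proc/interrupts:/proc/net/rt_cache` from the `req` invocation is safe, namely that `openssl req` seeds its CSPRNG from the kernel on its own, so the two world-readable, low-entropy pseudo-files never contributed anything unpredictable and only suggested that they did. It is also worth checking that no other `openssl` call in vpnmain.cgi (root CA generation, host key generation) still passes `-rand`, so all key-generation paths behave the same way as this one.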
[172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdV5b02zLW; Tue, 30 Jan 2024 17:45:50 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4TPXdV35v1zThPd; Tue, 30 Jan 2024 17:45:47 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/3] vpnmain.cgi: Return the entire error message if OpenSSL fails Date: Tue, 30 Jan 2024 17:45:43 +0000 Message-Id: <20240130174544.3986725-2-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org> References: <20240130174544.3986725-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: DJPB6VK6UPL2A3ZYKGZRHWFNB4P2NPTI X-Message-ID-Hash: DJPB6VK6UPL2A3ZYKGZRHWFNB4P2NPTI X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: The function did not evaluate the return code which is why it used a hack to figure out if some output is an error or not. This is being fixed in this commit and the entire output is being returned if the return code is non-zero. Signed-off-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 8b05a0de7..d82e6b5c9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi 
@@ -229,13 +229,14 @@ sub callssl ($) { my $opt = shift; my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '
'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); + + if ($?) { + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '
' . &Header::escape($line); + } } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### From patchwork Tue Jan 30 17:45:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7515 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdf4hbvz3xN2 for ; Tue, 30 Jan 2024 17:45:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TPXdf0GMcz1c2; Tue, 30 Jan 2024 17:45:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TPXdd6qfjz30sP; Tue, 30 Jan 2024 17:45:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TPXdW2hYZz30sJ for ; Tue, 30 Jan 2024 17:45:51 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org 
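Review bot: `return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : ''` still decides success from the captured text rather than from the exit status, so an `openssl` run that exits non-zero but prints nothing, or is killed by a signal before printing, is reported as success to the caller. Capture the status right after the backticks, e.g. `my $rc = $?;`, and return the error string whenever `$rc` is non-zero, with a generic message when `$retssl` is empty. The `&General::log("ipsec", "$line") if (0);` line is dead code carried over from the old loop and can go. Escaping each line with `&Header::escape` instead of running `&Header::cleanhtml` over the joined string is the right call, since the result is rendered into HTML.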
(Postfix) with ESMTPS id 4TPXdV4qlPz1Fq; Tue, 30 Jan 2024 17:45:50 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4TPXdT4SdYzTgK3; Tue, 30 Jan 2024 17:45:49 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 3/3] vpnmain.cgi: Add option to regenerate the host certificate Date: Tue, 30 Jan 2024 17:45:44 +0000 Message-Id: <20240130174544.3986725-3-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org> References: <20240130174544.3986725-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 56KHIYJ2DY7VLX5XT5N5IPI2SMLQWJDH X-Message-ID-Hash: 56KHIYJ2DY7VLX5XT5N5IPI2SMLQWJDH X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this is which is why we are copying the previous certificate and generate a new CSR. This is then signed. A caveat of this patch is that we do not rollover the key. Signed-off-by: Michael Tremer --- config/ssl/openssl.cnf | 1 + doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++ html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++- langs/en/cgi-bin/en.pl | 1 + 13 files changed, 72 insertions(+), 1 deletion(-) 
diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 3b980fcd4..00c206ed8 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -23,6 +23,7 @@ default_md = sha256 preserve = no policy = policy_match email_in_dn = no +copy_extensions = copyall [ policy_match ] countryName = optional diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..fa0705e74 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional WARNING: untranslated string: pakfire invalid tree = Invalid repository selected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required = Required diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..88e66346b 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 = RED WARNING: untranslated string: references = References WARNING: untranslated string: refresh = Refresh WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release 
diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..ab6b5a1e9 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -995,6 +995,7 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..e6781362f 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..b21f15062 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..668df4fc3 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required = Required diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..f4a29cb84 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..4eface69a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received WARNING: untranslated string: red1 = RED +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..d5f321dd8 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr = PTR WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check WARNING: untranslated string: received = Received +WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release = Release diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..2b70ef9f9 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -73,6 +73,7 @@ < optional < quick control < random number generator daemon +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -117,6 +118,7 @@ < invalid ip or hostname < openvpn cert expires soon < openvpn cert has expired +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable @@ -138,6 +140,7 @@ < extrahd not mounted < g.dtm < g.lite +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < spec rstack overflow @@ -523,6 +526,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -1063,6 +1067,7 @@ < rdns < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -1943,6 +1948,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -2934,6 +2940,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release 
@@ -3405,6 +3412,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index d82e6b5c9..9173a85d8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -866,6 +866,12 @@ END exit(0); } ### +### Regenerate the host certificate +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) { + $errormessage = ®enerate_host_certificate(); + +### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || @@ -3612,7 +3618,12 @@ END -   + +
+ + +
+ END ; } else { @@ -3782,3 +3793,44 @@ sub make_subnets($$) { return join(",", @cidr_nets); } + +sub regenerate_host_certificate() { + my $errormessage = ""; + + &General::log("ipsec", "Regenerating host certificate..."); + + # Create a CSR based on the existing certificate + my $opt = " x509 -x509toreq -copy_extensions copyall"; + $opt .= " -signkey ${General::swroot}/certs/hostkey.pem"; + $opt .= " -in ${General::swroot}/certs/hostcert.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl($opt); + + # Revoke the old certificate + if (!$errormessage) { + &General::log("ipsec", "Revoking the old host cert..."); + + my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl($opt); + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + my $opt = " ca -md sha256 -days 825"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $errormessage = &callssl ($opt); + + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + } + + # Reload the new certificate + if (!$errormessage) { + &General::system('/usr/local/bin/ipsecctrl', 'R'); + } + + return $errormessage; +} diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..5ac651e2f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2208,6 +2208,7 @@ 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', 'refresh update list' => 'Refresh update list', +'regenerate host certificate' => 'Renew Host Certificate', 'registered user rules' => 'Talos VRT rules for registered users', 'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.', 'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
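Review bot: `copy_extensions = copyall` is placed in the CA section of config/ssl/openssl.cnf, so it applies to every `openssl ca` run that reads this file, not only to the host-certificate renewal added in this patch. With `copyall`, extensions in the request replace the ones set from the config's extension section, so a CSR that was not generated on the box and carries `basicConstraints = CA:TRUE`, `keyUsage = keyCertSign` or an arbitrary `subjectAltName` would be signed as-is. If any other code path signs externally supplied requests with this configuration, prefer `copy_extensions = copy` and define `basicConstraints = CA:FALSE` in the extension section used for signing: with `copy`, an extension already present from the config is not overridden by the request. The renewal in this patch only needs the existing subjectAltName carried over, so `copy` is sufficient unless the config's extension section already defines one.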
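Review bot: the new `$cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}` branch revokes and replaces the live host certificate on a single form submission, with no confirmation and no check that `hostcert.pem` and `hostkey.pem` exist; the first `callssl` failure is reported, but only after the request has been accepted. Consider a confirmation step and an early return when the host certificate or key is missing.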
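Review bot: in `regenerate_host_certificate` the old certificate is revoked before the replacement exists, and the signing step writes straight to `${General::swroot}/certs/hostcert.pem`; `openssl ca` opens its `-out` file for writing before it signs, so a failure in that step can leave the firewall with a revoked and truncated host certificate. Revoking first is unavoidable while the CA database enforces the default `unique_subject`, so sign into a temporary file and rename it over `hostcert.pem` only on success. Two follow-ups: nothing in this hunk regenerates the CRL after `ca -revoke`, so unless the CRL is rebuilt elsewhere peers keep accepting the old certificate until it expires; and the caveat in the commit message about not rolling the key follows from `-x509toreq -signkey ${General::swroot}/certs/hostkey.pem`, while `-copy_extensions copyall` on the `x509` command requires OpenSSL 3.x, which the message should say. Minor: the inner `my $opt` declarations shadow the one at function scope; drop `my` on the inner ones or scope the outer declaration to its block.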