From patchwork Tue Apr 1 18:07:57 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8591
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/6] vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls
Date: Tue, 1 Apr 2025 20:07:57 +0200
Message-ID: <20250401180802.19784-1-adolf.belka@ipfire.org>

- This first part removes all usages of &cleanssldatabase with the client certificates. This is not needed here. If used then the serial number would be moved back to 01 when an existing client certificate is removed or a new one created, even if no errors occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation if it was successful, otherwise the index file is moved back to being empty and the serial file to containing 01.
- The only usage now of &cleanssldatabase is for when the root/host cert set is being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs directory and therefore also all the 01.pem, 02.pem etc. files, so the &cleanssldatabase routine no longer needs to unlink the 01.pem file.
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands used cover the required cleaning, so it has been removed.
- This patch together with the others from this set has been tested out on my vm system and I was able to create a new root/host cert set and then new client certs and make an ipsec certificate connection successfully. I could then renew the host cert and the client connection still worked.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 30 +----------------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e30506fdf..85119a81d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -200,27 +200,6 @@ sub cleanssldatabase { unlink ("${General::swroot}/certs/index.txt.old"); unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); -} -sub newcleanssldatabase { - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - open(FILE, ">${General::swroot}/certs/index.txt"); - close(FILE); - } - if (! -s ">${General::swroot}/certs/index.txt.attr") { - open(FILE, ">${General::swroot}/certs/index.txt.attr"); - print FILE "unique_subject = yes"; - close(FILE); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/index.txt.attr.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } ### @@ -889,8 +868,6 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &newcleanssldatabase(); - if (-f "${General::swroot}/ca/cacert.pem") { $errormessage = $Lang::tr{'valid root certificate already exists'}; goto ROOTCERT_SKIP; 
@@ -1004,7 +981,6 @@ END # IPFire can only import certificates &General::log("charon", "p12 import completed!"); - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { @@ -1170,7 +1146,6 @@ END # Successfully build CA / CERT! if (!$errormessage) { - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } @@ -1933,11 +1908,9 @@ END if ( $errormessage = &callssl ($opt) ) { unlink ($filename); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); goto VPNCONF_ERROR; } else { unlink ($filename); - &cleanssldatabase(); } $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); 
@@ -2220,7 +2193,6 @@ END } else { unlink ($v3extname); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); } # Create the pkcs12 file
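Review bot: the sub newcleanssldatabase removed at @@ -200 carried a latent bug that deserves a line in the commit message rather than just "no longer needed". Its checks `if (! -s ">${General::swroot}/certs/index.txt")` and the index.txt.attr one have the `>` inside the path string, so -s was testing a file whose name begins with `>`, the condition was always true, and every call truncated index.txt and rewrote index.txt.attr. The serial check on the line above is written correctly, which suggests the `>` was a copy error. Because @@ -889 shows the call sat at the top of the generate/upload action, before the `valid root certificate already exists` check, merely submitting that action with a CA in place emptied the CA index. Removing the call and the sub fixes that as a side effect; saying so explicitly makes the security impact of the change visible to anyone reading the log later.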
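Review bot: the commit message says &cleanssldatabase is still called when the root/host cert set is created or an uploaded p12 is accepted, but the hunks at @@ -1004 and @@ -1170 remove exactly the calls that followed `p12 import completed!` and `Successfully build CA / CERT!`, and no remaining call site is visible in this diff. If the surviving call sits earlier in the generate/upload path, name it in the message (or add a comment at that call) so the intended lifecycle is clear: the database is reset once before a new CA is created, never after a certificate has been issued.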
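Review bot: dropping &cleanssldatabase() from the `if ( $errormessage = &callssl ($opt) )` failure branch at @@ -1933 is safe, and the reason could be stated in the message: openssl ca writes index.txt.new and serial.new and only renames them over index.txt and serial when signing succeeds, so a failed signing leaves the database as it was and the only cleanup needed is the `unlink ($filename)` and the cert.pem unlink already there. The old call reset serial to 01 after any failed client cert, which is the behaviour the message describes for bug13737.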
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 2/6] vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate
Date: Tue, 1 Apr 2025 20:07:58 +0200
Message-ID: <20250401180802.19784-2-adolf.belka@ipfire.org>
In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org>
References: <20250401180802.19784-1-adolf.belka@ipfire.org>

- As the serial number is now incremented for each new cert that is created, when a client cert is deleted from the ipsec list in the WUI that cert must be revoked, otherwise it will still be listed in the .index file as a valid certificate and the certificate name and DN could never be used again.
- Running the revoke command when deleting a client cert leaves the details in the .index file, but the same name can then be re-used and will get a new serial number etc.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 85119a81d..1c9f9243b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi
@@ -1595,17 +1595,25 @@ END &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } - &General::firewall_reload(); + if ($confighash{$cgiparams{'KEY'}}) { + # Revoke the removed certificate + if (!$errormessage) { + &General::log("charon", "Revoking the removed client cert..."); + my $opt = " ca -revoke ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"; + $errormessage = &callssl($opt); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + } else { + goto VPNCONF_ERROR; + } + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection ###
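Review bot: the result of the revoke is never acted on. `$errormessage = &callssl($opt);` is assigned inside `if (!$errormessage)`, which only tests whether an error was already pending before this block, and the code then unlinks cert.pem and the .p12 and deletes the config entry unconditionally; the `else { goto VPNCONF_ERROR; }` can only fire for a pre-existing error. If `openssl ca -revoke` fails (certificate not signed by this CA, cert.pem already missing), the result is exactly the state the patch sets out to avoid: the files are gone but index.txt still lists the entry as valid, so the name/DN stays blocked. Test the call the way the signing path at @@ -1933 does, e.g. `if ($errormessage = &callssl($opt)) { goto VPNCONF_ERROR; }` before the unlinks, and decide explicitly whether a connection whose cert was not issued by this CA should skip the revoke rather than error out. One more point for the message: -revoke only flips the entry to R in index.txt and no CRL is generated here, so a user who kept the .p12 still holds a certificate that chains to the CA until it expires. That is acceptable because the connection definition is removed at the same time, but it should be stated rather than left for the reader to work out.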
"mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ZRwwH4SHBz3xNC for ; Tue, 1 Apr 2025 18:08:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZRwwC63CDz5KH for ; Tue, 1 Apr 2025 18:08:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZRwwB6LB6z3375 for ; Tue, 1 Apr 2025 18:08:10 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZRww76bqJz335r for ; Tue, 1 Apr 2025 18:08:07 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZRww758XWz1Df; Tue, 1 Apr 2025 18:08:07 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1743530887; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Jz84I3BoCV8oDZdRsHFbNGR6GftGTRVCDRIIDign5QY=; b=5vzpemeat28up7BDdTRi8GkjE7//QW2AZTzHBY6WeGocb8DJ92fTR1vIkynb4p1sE9V+0s xmHk5ebf5SVVU4CQ== DKIM-Signature: v=1; a=rsa-sha256; 
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 3/6] include: Add the contents of the ipsec certs directory to the backup
Date: Tue, 1 Apr 2025 20:07:59 +0200
Message-ID: <20250401180802.19784-3-adolf.belka@ipfire.org>
In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org>
References: <20250401180802.19784-1-adolf.belka@ipfire.org>

- Previously only the .pem files were backed up from the /var/ipfire/certs/ directory. That was okay in the past as the serial and index files never changed after the root/host cert set was created.
- With the renew process the serial and index files get updated and these are needed to match the cert status that was backed up. Otherwise you could end up with one set of values in the serial and index files that did not match the restored certs.
- This patch adds all the contents of the certs directory to the backup.
- Tested out on my vm testbed and successfully restored a backup and was able to connect with the same client settings.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/backup/include | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/backup/include b/config/backup/include index 0bf9440d3..7e1e9a76a 100644 --- a/config/backup/include +++ b/config/backup/include 
@@ -28,6 +28,7 @@ var/ipfire/backup/addons/backup var/ipfire/backup/exclude.user var/ipfire/backup/include.user var/ipfire/captive/* +var/ipfire/certs var/ipfire/*/*.conf var/ipfire/*/config var/ipfire/dhcp/*
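Review bot: `var/ipfire/certs` pulls the whole directory in, which is what the message needs for serial, index.txt and index.txt.attr, but the entry that previously limited the backup to .pem files (the message says only .pem files were backed up before) is not removed in this hunk; if it is still elsewhere in the file it is now redundant and should go, otherwise say in the message where the old .pem-only behaviour came from. Also worth a sentence for operators: the same directory holds the client .p12 bundles that 2/6 deletes alongside cert.pem, i.e. client private keys, plus the .old copies openssl ca keeps of the CA database, so the backup archive now carries key material and must be stored and transported accordingly.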
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 4/6] backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
Date: Tue, 1 Apr 2025 20:08:00 +0200
Message-ID: <20250401180802.19784-4-adolf.belka@ipfire.org>
In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org>
References: <20250401180802.19784-1-adolf.belka@ipfire.org>

- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs etc. being used.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/backup/backup.pl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 1c8c87d0a..a6d1467fd 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl
@@ -307,6 +307,9 @@ restore_backup() { # start collectd after restore /etc/rc.d/init.d/collectd start + # Reload ipsec certificates and secrets after doing a restore + &General::system('/usr/local/bin/ipsecctrl', 'R'); + return 0 }
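Review bot: the added line is Perl, but restore_backup() is a shell function: the surrounding context `/etc/rc.d/init.d/collectd start` and `return 0` is shell, so `&General::system('/usr/local/bin/ipsecctrl', 'R');` is not valid in this file and the restore will either abort at that point or skip the reload, depending on how the script is invoked. It should be a plain command, `/usr/local/bin/ipsecctrl R`, in the style of the collectd line above it. The commit message also says a check that ipsec is enabled is added before the restart, but no such check appears in the hunk; either add it or reword the message so it describes what the code does. Minor: the comment says "reload" and the message says "restart"; pick one term for the ipsecctrl R action.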
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 5/6] core194: Ship the vpnmain.cgi changes
Date: Tue, 1 Apr 2025 20:08:01 +0200
Message-ID: <20250401180802.19784-5-adolf.belka@ipfire.org>
In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org>
References: <20250401180802.19784-1-adolf.belka@ipfire.org>

Signed-off-by: Adolf Belka
---
 config/rootfiles/core/194/filelists/files | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/194/filelists/files b/config/rootfiles/core/194/filelists/files index e615ef92e..96ac20573 100644 --- a/config/rootfiles/core/194/filelists/files +++ b/config/rootfiles/core/194/filelists/files 
@@ -2,3 +2,4 @@ etc/rc.d/init.d/firewall etc/rc.d/init.d/functions srv/web/ipfire/cgi-bin/aliases.cgi srv/web/ipfire/cgi-bin/pakfire.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 6/6] core194: Ship the backup file changes
Date: Tue, 1 Apr 2025 20:08:02 +0200
Message-ID: <20250401180802.19784-6-adolf.belka@ipfire.org>
In-Reply-To: <20250401180802.19784-1-adolf.belka@ipfire.org>
References: <20250401180802.19784-1-adolf.belka@ipfire.org>

Signed-off-by: Adolf Belka
---
 config/rootfiles/core/194/filelists/files | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/rootfiles/core/194/filelists/files b/config/rootfiles/core/194/filelists/files index 96ac20573..9f709db26 100644
--- a/config/rootfiles/core/194/filelists/files +++ b/config/rootfiles/core/194/filelists/files @@ -3,3 +3,5 @@ etc/rc.d/init.d/functions srv/web/ipfire/cgi-bin/aliases.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi +var/ipfire/backup/include +var/ipfire/backup/bin/backup.pl
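Review bot: 5/6 and 6/6 both append to config/rootfiles/core/194/filelists/files and could be a single commit ("core194: ship vpnmain.cgi and backup changes"), which keeps the core update list reviewable as one hunk. The entries themselves look consistent: var/ipfire/backup/include sits next to the include.user and exclude.user paths seen in the 3/6 context lines, and var/ipfire/backup/bin/backup.pl is the script changed in 4/6, so once the shell-syntax problem in 4/6 is fixed both files will ship together with the vpnmain.cgi change they depend on.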