From patchwork Wed Sep 18 05:03:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: ummeegge X-Patchwork-Id: 2409 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 46Y7Dn2JTGz42SB for ; Wed, 18 Sep 2019 05:04:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 46Y7Dh2nY7z2Md; Wed, 18 Sep 2019 05:04:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1568783044; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=J1kXNVS5rKChQTgZk2teSSpcXjjGV4S6wAEV5jFJ3iA=; b=RTd94JiDPbRXHQa0faHQzcqcyRZMUV48ri+rlOWIaUDt+KHrT1uG0UKeQeihm5E6IcY8Vg sNdVo6TfbFjA5LtK8K1H4GlEd68qzg367Q4oVI8wI0gvybuTxJjqc+IptxmgMVe0ssOG8b ZLmbVX+o+oEHxwcsgTkUd/iRu9Sds1lh2rNGDm3FKQG6OsunFCvMprgoMPSKUZf1Bxwh2V cmPPCY3yOdwWGnrTeM/WtjsgFa3F/zr+ZNajSuRQXK5u3LjfWrsUMJrZQpqgtAmFKVKhFO jEhwgmWJX4hcDxwCjr3CBpQuTPFqZm45iRjdIbh5Asl5mNHQ26jxXeppDY0Cyg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1568783044; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=J1kXNVS5rKChQTgZk2teSSpcXjjGV4S6wAEV5jFJ3iA=; b=pd1v7KdBMOf6MKmuUwOH+JlSrcv7Rl/qhSUCr7BYu/gx+oWmptpjCDz/3cbswPUTfpm+4c PStqg//um6qyu1BQ== Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 46Y7Dh0q9zz2yK0; Wed, 18 Sep 2019 05:04:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 46Y7Df6Gtrz2yK0 for ; Wed, 18 Sep 2019 05:04:02 +0000 (UTC) Received: from ipfire-server.local (i59F72E17.versanet.de [89.247.46.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 46Y7DZ4TH6z2Kb; Wed, 18 Sep 2019 05:03:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1568783038; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=J1kXNVS5rKChQTgZk2teSSpcXjjGV4S6wAEV5jFJ3iA=; b=ZT0wz4QFBm0UPeAZDU4tJN2CRQy24v4yXW2wCrpfFFfXp+0iYQmOUpfYR0YopGMxO7r4X8 VZJv29092/jowtLDv9wykYACDEyrEkCYvXeqZvUuQJGU1STb+w4FUWLBgEhmonTc2N2/Jz LDGadjZNUvVatLuA4DZRE3a7ttW7oypqzHon+yPNN4BOUGtYfmY0d77EjWu27zaJLzQVNT Q1rIeS51EKBBVogO7SBFj2hWjHvdXPEUq8oLC/Hgzlh/HdjRX78uIXJUI5EZi5hkl5VTkz JBJpRtG7viUpz3dSQEz5f/vmgbSortqxH4RGq83VvKHuHTUhIJc+MOUZAf/FDw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1568783038; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=J1kXNVS5rKChQTgZk2teSSpcXjjGV4S6wAEV5jFJ3iA=; b=KuOWpmsunhhMIWU34oLEyA1YyP2JyYvg2xrYOcKo5pBUA6OUN+mUHLgs0c65tLxUeELVY+ Ps43f4h3j1u2TaBQ== From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH 1/2] ovpn: Generate ta.key before dh-parameter Date: Wed, 18 Sep 2019 07:03:33 +0200 Message-Id: <20190918050334.10792-1-ummeegge@ipfire.org> MIME-Version: 1.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ummeegge smtp.mailfrom=ummeegge@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Fixes: #11964 and #12157 If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a "Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished. Since the ta.key are created after the DH-parameter, it won´t be produced in that case. To prevent this, the DH-parameter will now be generated at the end. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 439390228..5de80b269 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1947,6 +1947,13 @@ END # } else { # &cleanssldatabase(); } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { @@ -1961,13 +1968,6 @@ END # } else { # &cleanssldatabase(); } - # Create ta.key for tls-auth - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - &cleanssldatabase(); - goto ROOTCERT_ERROR; - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: From patchwork Wed Sep 18 05:03:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: ummeegge X-Patchwork-Id: 2410 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 46Y7Dv6GCCz42SB for ; Wed, 18 Sep 2019 05:04:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 46Y7Dq3RBCz2MD; Wed, 18 Sep 2019 05:04:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1568783051; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=zn5MqMG4A0f4tiSUh+kELnxmLKm772IVRNUd1MoYA8E=; b=mosNbTq1SxOtrBdZEs1ODBq+hv9wZIgVNM9aGoyl5wjJ5QtOjVM/4+O+YZHCccgHOKUcGh lBEsjYZ0oWYI0A/OiZ1EiQKW8Ji5M7mBpL6fEPwXHBN7v1ZEdsogX0ol++OT+sjodqSVSi beh8CTyql+trW7BVttXmKWMcjxD5ZKsHH5JV3pOHwt12wUgWJIOwYEj8HRG4Pv0bueOs+u EBubGlZtDGEPHEoanjeN6n14yHjFhiVxa6enyJhB+ySfTRr1xCt/A4j70Yk2dlO5tv5S9Y y3qCRZzPE+IcvKTRZCXdlm4par5yqL0BD02IsRLGyd+gmyGPhooMW6ROgtpVXQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1568783051; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=zn5MqMG4A0f4tiSUh+kELnxmLKm772IVRNUd1MoYA8E=; b=c4vxNwYghcxuA+SXSoTe6CqhZ6S8p9IpprwqFEcczLo05bny6/WPRSQNKDpuRTzyoqswlA fF2HEDg1OIqluJCQ== Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 46Y7Dq2Z3wz2yXf; Wed, 18 Sep 2019 05:04:11 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 46Y7Dn6rRYz2yHC for ; Wed, 18 Sep 2019 05:04:09 +0000 (UTC) Received: from ipfire-server.local (i59F72E17.versanet.de [89.247.46.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 46Y7Dj530yz2PY; Wed, 18 Sep 2019 05:04:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1568783045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zn5MqMG4A0f4tiSUh+kELnxmLKm772IVRNUd1MoYA8E=; b=Gb77lOkkBFh7GVX84nQe7IrW/EJWuQ/LGjW359PQplw56QD+0w8qYR+Wc6op7N3joJX1fO j9oyjzQqNHHi7ejmLhv6MulQkYZWMRIqlAkIYGSc8udXf7lVORRW4YNVMpR7gXgXmx41wE Z0hwdEuYsMpaemHMVj5ve/OfNrbTltPyX272jhUDm6FqUNdxJfChmjLFAiPAHAe4luI+uj ofAsJr/zmHbgrhWFLcTtTtxtcF97fjYMlMzm7acjmzIZpyd5SUW8WPZszGEnVPn1bzDhaT S5AGMPgHgFKUsQn6wN5OhWX6f3/3JJLRXKw2mAzm7uhpLr0oDSCt22tsddCTAQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1568783045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zn5MqMG4A0f4tiSUh+kELnxmLKm772IVRNUd1MoYA8E=; b=diN3GDuU2bvwaPubv7oV+VQ0LHLoPSz0Awi6cYMB9J5Vgek5s5FHQ4nTT4tTvF45T/NHoh iAfxwMqL90pEcmCA== From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH 2/2] ovpn: Add ta.key check to main settings Date: Wed, 18 Sep 2019 07:03:34 +0200 Message-Id: <20190918050334.10792-2-ummeegge@ipfire.org> In-Reply-To: <20190918050334.10792-1-ummeegge@ipfire.org> References: <20190918050334.10792-1-ummeegge@ipfire.org> MIME-Version: 1.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ummeegge smtp.mailfrom=ummeegge@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Since Core 132 the 'TLS Channel Protection' is part of the global settings, the ta.key generation check should also be in the main section otherwise it won´t be created if not present. Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5de80b269..5b8ca9731 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -898,17 +898,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto ADV_ERROR; - } - } - } - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok } @@ -1189,6 +1178,17 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto SETTINGS_ERROR; + } + } + } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};