/[smecontribs]/rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch
ViewVC logotype

Diff of /rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph | View Patch Patch

Revision 1.3 by jpp, Tue Mar 30 05:20:13 2021 UTC Revision 1.7 by jpp, Wed Mar 31 20:54:54 2021 UTC
# Line 85  diff -Nur --no-dereference smeserver-ope Line 85  diff -Nur --no-dereference smeserver-ope
85       </entry>       </entry>
86  +  +
87  +    <entry>  +    <entry>
88  +        <base>UNSECURE</base>  +        <base>INSECURE</base>
89  +        <trans>Unsecure parameter</trans>  +        <trans>Insecure parameter</trans>
90  +    </entry>  +    </entry>
91  +    <entry>  +    <entry>
92  +        <base>SUGGESTED</base>  +        <base>SUGGESTED</base>
93  +        <trans>Sugested value</trans>  +        <trans>Suggested value</trans>
94  +    </entry>  +    </entry>
95  +    <entry>  +    <entry>
96  +        <base>DEFAULT</base>  +        <base>DEFAULT</base>
# Line 173  diff -Nur --no-dereference smeserver-ope Line 173  diff -Nur --no-dereference smeserver-ope
173  +my $tlsCipher12 = (  $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";  +my $tlsCipher12 = (  $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
174  +  +
175  +  +
176  +# cipher default to BF if empty,  we really want higher on new setup, but keep empty for default on existing one...  +
177  +# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel  +
178  +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher')  : undef;  +
179  +  +
180  +  +
181   if ($auth eq 'SharedKey'){   if ($auth eq 'SharedKey'){
# Line 186  diff -Nur --no-dereference smeserver-ope Line 186  diff -Nur --no-dereference smeserver-ope
186           $OUT .= "tls-server\n";           $OUT .= "tls-server\n";
187  +       $OUT .= "tls-version-min $tlsVmin\n";  +       $OUT .= "tls-version-min $tlsVmin\n";
188  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
189  +        $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;  +        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
190           $OUT .= "ca pub/$key" . "_cacert.pem\n";           $OUT .= "ca pub/$key" . "_cacert.pem\n";
191           $OUT .= "cert pub/$key" . "_cert.pem\n";           $OUT .= "cert pub/$key" . "_cert.pem\n";
192           $OUT .= "key priv/$key" . "_key.pem\n";           $OUT .= "key priv/$key" . "_key.pem\n";
# Line 202  diff -Nur --no-dereference smeserver-ope Line 202  diff -Nur --no-dereference smeserver-ope
202           $OUT .= "tls-client\n";           $OUT .= "tls-client\n";
203  +        $OUT .= "tls-version-min $tlsVmin\n";  +        $OUT .= "tls-version-min $tlsVmin\n";
204  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
205  +        $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;  +        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
206           $OUT .= "ca pub/$key" . "_cacert.pem\n";           $OUT .= "ca pub/$key" . "_cacert.pem\n";
207           $OUT .= "cert pub/$key" . "_cert.pem\n";           $OUT .= "cert pub/$key" . "_cert.pem\n";
208           $OUT .= "key priv/$key" . "_key.pem\n";           $OUT .= "key priv/$key" . "_key.pem\n";
# Line 394  diff -Nur --no-dereference smeserver-ope Line 394  diff -Nur --no-dereference smeserver-ope
394  +    }  +    }
395  +    if ($q->param("cipher") eq 'BF-CBC') {  +    if ($q->param("cipher") eq 'BF-CBC') {
396  +       my $tmpk = $ovpn_db->get($conf);  +       my $tmpk = $ovpn_db->get($conf);
397  +       $tmpk->delete_prop('cipher');  +       $tmpk->delete_prop('Cipher');
398  +    }  +    }
399  +    else {  +    else {
400  +       $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher"));  +       $ovpn_db->set_prop($conf, 'Cipher', $q->param("cipher"));
401  +    }  +    }
402    
403       # Now, update the main configuration entry       # Now, update the main configuration entry
# Line 475  diff -Nur --no-dereference smeserver-ope Line 475  diff -Nur --no-dereference smeserver-ope
475           elsif ($status eq 'disabled'){           elsif ($status eq 'disabled'){
476               $status = $fm->localise('DISABLED');               $status = $fm->localise('DISABLED');
477           }           }
478  +        my $cipher = $config->prop('cipher') || 'BF-CBC';  +        my $cipher = $config->prop('Cipher') || 'BF-CBC';
479  +       $cipher = "<span style='color:red'>". $fm->localise('UNSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );  +       $cipher = "<span style='color:red'>". $fm->localise('INSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
480  +        my $hmac   = $config->prop('HMAC') || 'SHA1';  +        my $hmac   = $config->prop('HMAC') || 'SHA1';
481  +       $hmac= "<span style='color:red'>". $fm->localise('UNSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);  +       $hmac= "<span style='color:red'>". $fm->localise('INSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
482  +        my $authe  = $config->prop('Authentication') || '';  +        my $authe  = $config->prop('Authentication') || '';
483  +       my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ;  +       my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ;
484  +       use Net::Ping;  +       use Net::Ping;
# Line 576  diff -Nur --no-dereference smeserver-ope Line 576  diff -Nur --no-dereference smeserver-ope
576  +    my ($self) = @_;  +    my ($self) = @_;
577  +    my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";  +    my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
578  +    my $cvpn= $ovpn_db->get($name);  +    my $cvpn= $ovpn_db->get($name);
579  +    return "BF-CBC" unless defined $cvpn->prop('cipher');  +    return "BF-CBC" unless defined $cvpn->prop('Cipher');
580  +    return $cvpn->prop('cipher') ;  +    return $cvpn->prop('Cipher') ;
581  +}  +}
582  +  +
583  +=head2 get_ciphers_options  +=head2 get_ciphers_options
584  +list obtained using  +list obtained using
585  +openvpn --show-ciphers | egrep '^[A-Z]{2}' |  sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print "    '\''" $1 "'\'' => '\''" $1 $2 " " $4 " "  $5 " "  $7")'\''," '}  +openvpn --show-ciphers | egrep '^[A-Z]{2}' |  sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print "    '\''" $1 "'\'' => '\''" $1 $2 " " $4 " "  $5 " "  $7")'\''," '}
586  +then reduced to remove most of unsecure ciphers  +then reduced to remove most of insecure ciphers
587  +Using a CBC or GCM mode is recommended.  +Using a CBC or GCM mode is recommended.
588  +In static key mode only CBC mode is allowed.  +In static key mode only CBC mode is allowed.
589  +  +


Legend:
Removed lines/characters  
Changed lines/characters
  Added lines/characters

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed