85 |
</entry> |
</entry> |
86 |
+ |
+ |
87 |
+ <entry> |
+ <entry> |
88 |
+ <base>UNSECURE</base> |
+ <base>INSECURE</base> |
89 |
+ <trans>Unsecure parameter</trans> |
+ <trans>Insecure parameter</trans> |
90 |
+ </entry> |
+ </entry> |
91 |
+ <entry> |
+ <entry> |
92 |
+ <base>SUGGESTED</base> |
+ <base>SUGGESTED</base> |
93 |
+ <trans>Sugested value</trans> |
+ <trans>Suggested value</trans> |
94 |
+ </entry> |
+ </entry> |
95 |
+ <entry> |
+ <entry> |
96 |
+ <base>DEFAULT</base> |
+ <base>DEFAULT</base> |
173 |
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; |
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; |
174 |
+ |
+ |
175 |
+ |
+ |
176 |
+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one... |
+ |
177 |
+# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel |
+ |
178 |
+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef; |
+ |
179 |
+ |
+ |
180 |
+ |
+ |
181 |
if ($auth eq 'SharedKey'){ |
if ($auth eq 'SharedKey'){ |
186 |
$OUT .= "tls-server\n"; |
$OUT .= "tls-server\n"; |
187 |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
188 |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
189 |
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13; |
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13; |
190 |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
191 |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
192 |
$OUT .= "key priv/$key" . "_key.pem\n"; |
$OUT .= "key priv/$key" . "_key.pem\n"; |
202 |
$OUT .= "tls-client\n"; |
$OUT .= "tls-client\n"; |
203 |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
204 |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
205 |
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13; |
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13; |
206 |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
207 |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
208 |
$OUT .= "key priv/$key" . "_key.pem\n"; |
$OUT .= "key priv/$key" . "_key.pem\n"; |
394 |
+ } |
+ } |
395 |
+ if ($q->param("cipher") eq 'BF-CBC') { |
+ if ($q->param("cipher") eq 'BF-CBC') { |
396 |
+ my $tmpk = $ovpn_db->get($conf); |
+ my $tmpk = $ovpn_db->get($conf); |
397 |
+ $tmpk->delete_prop('cipher'); |
+ $tmpk->delete_prop('Cipher'); |
398 |
+ } |
+ } |
399 |
+ else { |
+ else { |
400 |
+ $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher")); |
+ $ovpn_db->set_prop($conf, 'Cipher', $q->param("cipher")); |
401 |
+ } |
+ } |
402 |
|
|
403 |
# Now, update the main configuration entry |
# Now, update the main configuration entry |
475 |
elsif ($status eq 'disabled'){ |
elsif ($status eq 'disabled'){ |
476 |
$status = $fm->localise('DISABLED'); |
$status = $fm->localise('DISABLED'); |
477 |
} |
} |
478 |
+ my $cipher = $config->prop('cipher') || 'BF-CBC'; |
+ my $cipher = $config->prop('Cipher') || 'BF-CBC'; |
479 |
+ $cipher = "<span style='color:red'>". $fm->localise('UNSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ ); |
+ $cipher = "<span style='color:red'>". $fm->localise('INSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ ); |
480 |
+ my $hmac = $config->prop('HMAC') || 'SHA1'; |
+ my $hmac = $config->prop('HMAC') || 'SHA1'; |
481 |
+ $hmac= "<span style='color:red'>". $fm->localise('UNSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/); |
+ $hmac= "<span style='color:red'>". $fm->localise('INSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/); |
482 |
+ my $authe = $config->prop('Authentication') || ''; |
+ my $authe = $config->prop('Authentication') || ''; |
483 |
+ my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ; |
+ my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ; |
484 |
+ use Net::Ping; |
+ use Net::Ping; |
576 |
+ my ($self) = @_; |
+ my ($self) = @_; |
577 |
+ my $name = $self->cgi->param('conf_name') or return "AES-128-CBC"; |
+ my $name = $self->cgi->param('conf_name') or return "AES-128-CBC"; |
578 |
+ my $cvpn= $ovpn_db->get($name); |
+ my $cvpn= $ovpn_db->get($name); |
579 |
+ return "BF-CBC" unless defined $cvpn->prop('cipher'); |
+ return "BF-CBC" unless defined $cvpn->prop('Cipher'); |
580 |
+ return $cvpn->prop('cipher') ; |
+ return $cvpn->prop('Cipher') ; |
581 |
+} |
+} |
582 |
+ |
+ |
583 |
+=head2 get_ciphers_options |
+=head2 get_ciphers_options |
584 |
+list obtained using |
+list obtained using |
585 |
+openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '} |
+openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '} |
586 |
+then reduced to remove most of unsecure ciphers |
+then reduced to remove most of insecure ciphers |
587 |
+Using a CBC or GCM mode is recommended. |
+Using a CBC or GCM mode is recommended. |
588 |
+In static key mode only CBC mode is allowed. |
+In static key mode only CBC mode is allowed. |
589 |
+ |
+ |