/[smecontribs]/rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch
ViewVC logotype

Diff of /rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph | View Patch Patch

Revision 1.4 by jpp, Tue Mar 30 05:23:57 2021 UTC Revision 1.8 by jpp, Wed Mar 31 20:55:49 2021 UTC
# Line 90  diff -Nur --no-dereference smeserver-ope Line 90  diff -Nur --no-dereference smeserver-ope
90  +    </entry>  +    </entry>
91  +    <entry>  +    <entry>
92  +        <base>SUGGESTED</base>  +        <base>SUGGESTED</base>
93  +        <trans>Sugested value</trans>  +        <trans>Suggested value</trans>
94  +    </entry>  +    </entry>
95  +    <entry>  +    <entry>
96  +        <base>DEFAULT</base>  +        <base>DEFAULT</base>
# Line 173  diff -Nur --no-dereference smeserver-ope Line 173  diff -Nur --no-dereference smeserver-ope
173  +my $tlsCipher12 = (  $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";  +my $tlsCipher12 = (  $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
174  +  +
175  +  +
176  +# cipher default to BF if empty,  we really want higher on new setup, but keep empty for default on existing one...  +
177  +# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel  +
178  +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher')  : undef;  +
179  +  +
180  +  +
181   if ($auth eq 'SharedKey'){   if ($auth eq 'SharedKey'){
# Line 186  diff -Nur --no-dereference smeserver-ope Line 186  diff -Nur --no-dereference smeserver-ope
186           $OUT .= "tls-server\n";           $OUT .= "tls-server\n";
187  +       $OUT .= "tls-version-min $tlsVmin\n";  +       $OUT .= "tls-version-min $tlsVmin\n";
188  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
189  +        $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;  +        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
190           $OUT .= "ca pub/$key" . "_cacert.pem\n";           $OUT .= "ca pub/$key" . "_cacert.pem\n";
191           $OUT .= "cert pub/$key" . "_cert.pem\n";           $OUT .= "cert pub/$key" . "_cert.pem\n";
192           $OUT .= "key priv/$key" . "_key.pem\n";           $OUT .= "key priv/$key" . "_key.pem\n";
# Line 202  diff -Nur --no-dereference smeserver-ope Line 202  diff -Nur --no-dereference smeserver-ope
202           $OUT .= "tls-client\n";           $OUT .= "tls-client\n";
203  +        $OUT .= "tls-version-min $tlsVmin\n";  +        $OUT .= "tls-version-min $tlsVmin\n";
204  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;  +        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
205  +        $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;  +        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
206           $OUT .= "ca pub/$key" . "_cacert.pem\n";           $OUT .= "ca pub/$key" . "_cacert.pem\n";
207           $OUT .= "cert pub/$key" . "_cert.pem\n";           $OUT .= "cert pub/$key" . "_cert.pem\n";
208           $OUT .= "key priv/$key" . "_key.pem\n";           $OUT .= "key priv/$key" . "_key.pem\n";
# Line 394  diff -Nur --no-dereference smeserver-ope Line 394  diff -Nur --no-dereference smeserver-ope
394  +    }  +    }
395  +    if ($q->param("cipher") eq 'BF-CBC') {  +    if ($q->param("cipher") eq 'BF-CBC') {
396  +       my $tmpk = $ovpn_db->get($conf);  +       my $tmpk = $ovpn_db->get($conf);
397  +       $tmpk->delete_prop('cipher');  +       $tmpk->delete_prop('Cipher');
398  +    }  +    }
399  +    else {  +    else {
400  +       $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher"));  +       $ovpn_db->set_prop($conf, 'Cipher', $q->param("cipher"));
401  +    }  +    }
402    
403       # Now, update the main configuration entry       # Now, update the main configuration entry
# Line 475  diff -Nur --no-dereference smeserver-ope Line 475  diff -Nur --no-dereference smeserver-ope
475           elsif ($status eq 'disabled'){           elsif ($status eq 'disabled'){
476               $status = $fm->localise('DISABLED');               $status = $fm->localise('DISABLED');
477           }           }
478  +        my $cipher = $config->prop('cipher') || 'BF-CBC';  +        my $cipher = $config->prop('Cipher') || 'BF-CBC';
479  +       $cipher = "<span style='color:red'>". $fm->localise('INSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );  +       $cipher = "<span style='color:red'>". $fm->localise('INSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
480  +        my $hmac   = $config->prop('HMAC') || 'SHA1';  +        my $hmac   = $config->prop('HMAC') || 'SHA1';
481  +       $hmac= "<span style='color:red'>". $fm->localise('INSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);  +       $hmac= "<span style='color:red'>". $fm->localise('INSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
# Line 576  diff -Nur --no-dereference smeserver-ope Line 576  diff -Nur --no-dereference smeserver-ope
576  +    my ($self) = @_;  +    my ($self) = @_;
577  +    my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";  +    my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
578  +    my $cvpn= $ovpn_db->get($name);  +    my $cvpn= $ovpn_db->get($name);
579  +    return "BF-CBC" unless defined $cvpn->prop('cipher');  +    return "BF-CBC" unless defined $cvpn->prop('Cipher');
580  +    return $cvpn->prop('cipher') ;  +    return $cvpn->prop('Cipher') ;
581  +}  +}
582  +  +
583  +=head2 get_ciphers_options  +=head2 get_ciphers_options

Legend:
Removed lines/characters  
Changed lines/characters
  Added lines/characters
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed