--- rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch 2021/03/30 05:07:27 1.1
+++ rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch 2021/03/31 20:54:54 1.7
@@ -85,12 +85,12 @@ diff -Nur --no-dereference smeserver-ope
+
+
-+ UNSECURE
-+ Unsecure parameter
++ INSECURE
++ Insecure parameter
+
+
+ SUGGESTED
-+ Sugested value
++ Suggested value
+
+
+ DEFAULT
@@ -173,9 +173,9 @@ diff -Nur --no-dereference smeserver-ope
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+
+
-+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
-+# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
-+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
++
++
++
+
+
if ($auth eq 'SharedKey'){
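Review bot: The `$tlsCipher12` line on the new side calls `$db->get_prop($key,'tlsCipher12')` twice, and because the ternary always supplies the literal default list the variable can never be undef, so the `if defined $tlsCipher12` guards in the two following hunks are dead tests. The same truthiness check in one call, `my $tlsCipher12 = $db->get_prop($key,'tlsCipher12') || "<same default list>";`, is equivalent and shorter. The three empty added lines left where the `$cipher` block (and its `'auto'` sentinel handling) was removed could be dropped as well; where that logic now lives is outside this view.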
@@ -186,7 +186,7 @@ diff -Nur --no-dereference smeserver-ope
$OUT .= "tls-server\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
-+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
++ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
$OUT .= "ca pub/$key" . "_cacert.pem\n";
$OUT .= "cert pub/$key" . "_cert.pem\n";
$OUT .= "key priv/$key" . "_key.pem\n";
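Review bot: The guard on the changed line still tests the bareword `tlsCipherSuites13` rather than the variable: depending on whether strict is in force when the template fragment is evaluated, `defined tlsCipherSuites13` is either a compile-time "bareword not allowed" error or a check on a constant string that never yields undef, so the `tls-ciphersuites` line is either never emitted or emitted unconditionally. The commit fixed the interpolation but not the condition; it should read `$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;`. The same line recurs in the tls-client branch of the next hunk (@@ -202,7) and needs the same fix. Where `$tlsCipherSuites13` is declared is outside the visible hunks, so its fallback (if any) should be checked at the same time.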
@@ -202,7 +202,7 @@ diff -Nur --no-dereference smeserver-ope
$OUT .= "tls-client\n";
+ $OUT .= "tls-version-min $tlsVmin\n";
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
-+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
++ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
$OUT .= "ca pub/$key" . "_cacert.pem\n";
$OUT .= "cert pub/$key" . "_cert.pem\n";
$OUT .= "key priv/$key" . "_key.pem\n";
@@ -371,7 +371,7 @@ diff -Nur --no-dereference smeserver-ope
exit 1
diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm
--- smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 00:12:27.724000000 -0400
-+++ smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 00:54:13.155000000 -0400
++++ smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 01:19:05.081000000 -0400
@@ -26,6 +26,7 @@
remove_conf
print_conf_to_remove
@@ -394,10 +394,10 @@ diff -Nur --no-dereference smeserver-ope
+ }
+ if ($q->param("cipher") eq 'BF-CBC') {
+ my $tmpk = $ovpn_db->get($conf);
-+ $tmpk->delete_prop('cipher');
++ $tmpk->delete_prop('Cipher');
+ }
+ else {
-+ $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher"));
++ $ovpn_db->set_prop($conf, 'Cipher', $q->param("cipher"));
+ }
# Now, update the main configuration entry
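Review bot: The `set_prop` line stores `$q->param("cipher")` into the `Cipher` property without checking it against the list the panel offers, and that property is later interpolated into the generated OpenVPN configuration; unless FormMagick validation for this field exists elsewhere (not visible here), an unexpected value reaches the config file unfiltered. Rejecting the request, in the same way the panel's other validators do, unless the value is a key of the hash returned by `get_ciphers_options` would close that gap. The `eq 'BF-CBC'` comparison also warns when the parameter is absent; `my $cipher = $q->param("cipher") // '';` before the `if` avoids that. The enclosing routine starts outside the hunk.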
@@ -475,10 +475,10 @@ diff -Nur --no-dereference smeserver-ope
elsif ($status eq 'disabled'){
$status = $fm->localise('DISABLED');
}
-+ my $cipher = $config->prop('cipher') || 'BF-CBC';
-+ $cipher = "". $fm->localise('UNSECURE'). " $cipher " unless ($cipher =~ /(128|192|256|512|SEED)/ );
-+ my $hmac = $config->prop('hmac') || 'SHA1';
-+ $hmac= "". $fm->localise('UNSECURE'). " $hmac " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
++ my $cipher = $config->prop('Cipher') || 'BF-CBC';
++ $cipher = "". $fm->localise('INSECURE'). " $cipher " unless ($cipher =~ /(128|192|256|512|SEED)/ );
++ my $hmac = $config->prop('HMAC') || 'SHA1';
++ $hmac= "". $fm->localise('INSECURE'). " $hmac " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
+ my $authe = $config->prop('Authentication') || '';
+ my $linkup = "". $fm->localise('DOWN')."" ;
+ use Net::Ping;
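Review bot: The INSECURE classification on the two `unless` lines keys on substrings of the cipher and HMAC names (`/(128|192|256|512|SEED)/`, `/(512|256|384|224)$/`) with no comment saying that this is a name heuristic rather than a property of the algorithm, which makes it hard to maintain when new entries are added to get_ciphers_options. A comment such as `# Heuristic on the OpenSSL name: ciphers without a 128+ bit key size in their name (e.g. BF-CBC, DES-EDE3-CBC, CAST5-CBC) and digests other than whirlpool/SHA-224 and longer are labelled INSECURE` would state the intent. The `use Net::Ping;` inside the routine takes effect at compile time for the whole file regardless of its position; moving it to the file preamble would make that clearer. The enclosing routine starts before and continues after the hunk.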
@@ -524,7 +524,7 @@ diff -Nur --no-dereference smeserver-ope
$ret = $fm->localise('NOT_A_VALID_URL',{string => $url});
}
return $ret;
-@@ -604,4 +672,115 @@
+@@ -604,4 +672,110 @@
return $ret;
}
@@ -576,14 +576,14 @@ diff -Nur --no-dereference smeserver-ope
+ my ($self) = @_;
+ my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
+ my $cvpn= $ovpn_db->get($name);
-+ return "BF-CBC" unless defined $cvpn->prop('cipher');
-+ return $cvpn->prop('cipher') ;
++ return "BF-CBC" unless defined $cvpn->prop('Cipher');
++ return $cvpn->prop('Cipher') ;
+}
+
+=head2 get_ciphers_options
+list obtained using
+openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
-+then reduced to remove most of unsecure ciphers
++then reduced to remove most of insecure ciphers
+Using a CBC or GCM mode is recommended.
+In static key mode only CBC mode is allowed.
+
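Review bot: `$ovpn_db->get($name)` on the line before the changed returns can yield undef for an unknown `conf_name`, and the new `return "BF-CBC" unless defined $cvpn->prop('Cipher');` would then die on a method call on an undefined value instead of falling back. Guarding the lookup, `return "BF-CBC" unless $cvpn && defined $cvpn->prop('Cipher');`, keeps the fallback for that case. The two different defaults in this routine — `AES-128-CBC` when no `conf_name` is supplied and `BF-CBC` for an existing configuration without a `Cipher` property — deserve a comment explaining that new configurations get the stronger default while existing ones keep the historical one. The sub's opening line is outside the hunk.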
@@ -634,9 +634,4 @@ diff -Nur --no-dereference smeserver-ope
+ return \%options;
+}
+
-+sub debugme{
-+ my ($self) = @_;
-+use Data::Dumper;
-+return print Data::Dumper->Dump(\@_);
-+}
1;