$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;
# Add CCD files if not already presant
unless (-e $routes_push_file) {
print FILE "";
close FILE;
}
+ if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
+ print FILE "";
+ close FILE;
+ }
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+ unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
unlink ("${General::swroot}/ovpn/certs/01.pem");
}
if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
system ("touch ${General::swroot}/ovpn/certs/index.txt");
}
+ if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
+ system ("touch ${General::swroot}/ovpn/certs/index.txt.attr");
+ }
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+ unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
}
}
}
+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+ # Warning if DH parameter is 1024 bit
+ if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+ my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+ my @dhbit = ($dhparameter =~ /(\d+)/);
+ if ($1 < 2048) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
+ }
+
+ # Warning if md5 is in usage
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($signature =~ /md5WithRSAEncryption/) {
+ $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+ goto CRYPTO_ERROR;
+ }
+ }
+
+ CRYPTO_ERROR:
+
+ # Warning if certificate is not compliant to RFC3280 TLS rules
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+
+ CRYPTO_WARNING:
+}
+
sub writeserverconf {
my %sovpnsettings = ();
my @temp = ();
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
#print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
- # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
+ # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
# If we doesn't use one of them, we can use the configured mtu value.
if ($sovpnsettings{'MSSFIX'} eq 'on')
{ print CONF "tun-mtu 1500\n"; }
}
-###
-### Check for cryptography problems
-###
-
-# Warning if DH parameter is 1024 bit
-if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
- my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
- if ($dhlenght =~ /1024 bit/) {
- $cryptoerror = "$Lang::tr{'ovpn error dh'}";
- goto CRYPTO_ERROR;
- }
-}
-
-# Warning if md5 is in usage
-if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
- my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($signature =~ /md5WithRSAEncryption/) {
- $cryptoerror = "$Lang::tr{'ovpn error md5'}";
- goto CRYPTO_ERROR;
- }
-}
-
-CRYPTO_ERROR:
-
-# Warning if certificate is not compliant to RFC3280 TLS rules
-if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
- my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($extendkeyusage =~ /TLS Web Server Authentication/) {
- $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
- goto CRYPTO_WARNING;
- }
-}
-
-CRYPTO_WARNING:
-
###
### Save main settings
###
goto UPLOADCA_ERROR;
}
my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
- if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+ if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
$errormessage = $Lang::tr{'not a valid dh key'};
unlink ($filename);
goto UPLOADCA_ERROR;
if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
}
- if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
- ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
- if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
- if ($tunmtu eq '1500' ) {
- print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
- }
- }
- }
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
print CLIENTCONF "dev tun\r\n";
print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
- # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+ # Check if we are using fragment, mssfix and set MTU to 1500
# or use configured value.
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
{ print CLIENTCONF "tun-mtu 1500\r\n"; }
my $mssfixactive;
my $authactive;
my $n2nfragment;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
my @n2nproto = split(/-/, $n2nproto2[1]);
my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
$n2nlocalsub[2] =~ s/\n|\r//g;
$n2nfragment[1] =~ s/\n|\r//g;
$n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
$n2ncipher[1] =~ s/\n|\r//g;
$n2nauth[1] =~ s/\n|\r//g;
chomp ($complzoactive);
$confighash{$key}[29] = $n2nport[1];
$confighash{$key}[30] = $complzoactive;
$confighash{$key}[31] = $n2ntunmtu[1];
- $confighash{$key}[38] = $n2nmtudisc[1];
$confighash{$key}[39] = $n2nauth[1];
$confighash{$key}[40] = $n2ncipher[1];
$confighash{$key}[41] = 'disabled';
<tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>