vpnmain.cgi: Fix parsing CN from certificates generated by OpenSSL 3.2
index 3652627e9b3e48d17de98e822ef774e04488c565..53507305f2e5b9f7e4d6421f49fd3ce7b5156775 100644 (file)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -193,7 +193,7 @@ sub cleanssldatabase {
                close FILE;
        }
        if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
-               print FILE "";
+               print FILE "unique_subject = yes";
                close FILE;
        }
        unlink ("${General::swroot}/certs/index.txt.old");
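Review bot: The string written to `index.txt.attr` has no trailing newline, here and in the matching line added to `newcleanssldatabase` in the next hunk; `print FILE "unique_subject = yes\n";` leaves a well-formed text file that later writes can append to safely. The `open` is checked in this function, but a failed `print` or `close` is still ignored, so a write error goes unlogged. cleanssldatabase starts above this hunk.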
@@ -213,6 +213,7 @@ sub newcleanssldatabase {
        }
        if (! -s ">${General::swroot}/certs/index.txt.attr") {
                open(FILE, ">${General::swroot}/certs/index.txt.attr");
+               print FILE "unique_subject = yes";
                close(FILE);
        }
        unlink ("${General::swroot}/certs/index.txt.old");
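Review bot: The guard `if (! -s ">${General::swroot}/certs/index.txt.attr")` tests a path that begins with a literal `>`, which presumably never exists, so the branch runs on every call and the attribute file is truncated and rewritten each time instead of only when it is missing or empty. This commit also calls the function at the top of the generate/upload branch (the hunk at -869), so the rewrite is now reached more often. Drop the `>` from the file test, `if (! -s "${General::swroot}/certs/index.txt.attr") {`, and check the result of `open` before the new `print`, which currently writes to an unopened handle if the open fails. The function starts above this hunk.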
@@ -243,7 +244,7 @@ sub callssl ($) {
 sub getCNfromcert ($) {
        #&General::log("ipsec", "Extracting name from $_[0]...");
        my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
-       $temp =~ /Subject:.*CN = (.*)[\n]/;
+       $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/;
        $temp = $1;
        $temp =~ s+/Email+, E+;
        $temp =~ s/ ST = / S = /;
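Review bot: The result of the match on the changed line is never checked, so when the subject has no CN (or the output format shifts again) `$temp = $1` picks up whatever an earlier successful match left in `$1`, or undef. A guard such as `return '' unless $temp =~ /Subject:.*CN\s*=\s*(.*)[\n]/;` makes the failure explicit; what callers expect on failure is not visible here, so the return value needs confirming. Separately, `$_[0]` is interpolated into a backtick command line, and if any caller passes a path derived from request data the list form `open(my $fh, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $_[0])` keeps it away from the shell. The function continues past the end of this hunk.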
@@ -869,6 +870,8 @@ END
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
        $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
 
+       &newcleanssldatabase();
+
        if (-f "${General::swroot}/ca/cacert.pem") {
                $errormessage = $Lang::tr{'valid root certificate already exists'};
                goto ROOTCERT_SKIP;
@@ -907,7 +910,7 @@ END
                # Extract the CA certificate from the file
                &General::log("ipsec", "Extracting caroot from p12...");
                if (open(STDIN, "-|")) {
-                       my $opt = " pkcs12 -cacerts -nokeys";
+                       my $opt = " pkcs12 -legacy -cacerts -nokeys";
                        $opt .= " -in $filename";
                        $opt .= " -out /tmp/newcacert";
                        $errormessage = &callssl ($opt);
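Review bot: `-legacy` is added to every PKCS#12 import without a comment saying why, here and in the hunks at -920, -934, -1939 and -1952. A line such as `# -legacy: load OpenSSL 3's legacy provider so files protected with RC2/3DES can still be read` would keep the flag from being removed or copied blindly later. The option string also interpolates `$filename` unquoted; where that value comes from and how `callssl` runs the string are outside this hunk, so it is worth confirming the name is generated by the server and not taken from the upload.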
@@ -920,7 +923,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting host cert from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -clcerts -nokeys";
+                               my $opt = " pkcs12 -legacy -clcerts -nokeys";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostcert";
                                $errormessage = &callssl ($opt);
@@ -934,7 +937,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting private key from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -nocerts -nodes";
+                               my $opt = " pkcs12 -legacy -nocerts -nodes";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostkey";
                                $errormessage = &callssl ($opt);
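Review bot: The private key is extracted with `-nodes` to the fixed path `/tmp/newhostkey`, so it sits unencrypted under a predictable name in a shared temporary directory. Whether the file is created with a restrictive mode and removed on every exit path is not visible in this hunk. A per-request directory from `File::Temp::tempdir(CLEANUP => 1)` together with a restrictive umask would remove the predictable name; the same applies to `/tmp/newcacert` and `/tmp/newhostcert` in the neighbouring hunks.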
@@ -1093,7 +1096,7 @@ END
                        &General::log("ipsec", "Creating host cert...");
                        if (open(STDIN, "-|")) {
                                my $opt = " req -sha256 -nodes";
-                               $opt .= " -newkey rsa:2048";
+                               $opt .= " -newkey rsa:4096";
                                $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
                                $opt .= " -out ${General::swroot}/certs/hostreq.pem";
                                $errormessage = &callssl ($opt);
@@ -1939,7 +1942,7 @@ END
                # Extract the CA certificate from the file
                &General::log("ipsec", "Extracting caroot from p12...");
                if (open(STDIN, "-|")) {
-                       my $opt = " pkcs12 -cacerts -nokeys";
+                       my $opt = " pkcs12 -legacy -cacerts -nokeys";
                        $opt .= " -in $filename";
                        $opt .= " -out /tmp/newcacert";
                        $errormessage = &callssl ($opt);
@@ -1952,7 +1955,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting host cert from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -clcerts -nokeys";
+                               my $opt = " pkcs12 -legacy -clcerts -nokeys";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostcert";
                                $errormessage = &callssl ($opt);
@@ -2139,7 +2142,7 @@ END
 
                if (open(STDIN, "-|")) {
                        my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-                       $opt .= " -newkey rsa:2048";
+                       $opt .= " -newkey rsa:4096";
                        $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
                        $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 
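Review bot: `$cgiparams{'NAME'}` is placed directly into the `-keyout` and `-out` paths, so the connection name decides which files under `certs/` are written. Validation of NAME presumably happens earlier in this branch, outside the hunk; if it does not restrict the value to a fixed character set, a check like `$cgiparams{'NAME'} =~ /\A[A-Za-z0-9]+\z/` is needed before these lines. The `-rand /proc/interrupts:/proc/net/rt_cache` seed on the first line probably adds little over OpenSSL's own seeding and could be dropped. The literal `rsa:4096` now appears here and in the hunk at -1093; a shared constant would keep the two in step.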
@@ -2197,7 +2200,7 @@ END
 
                # Create the pkcs12 file
                &General::log("ipsec", "Packing a pkcs12 file...");
-               $opt = " pkcs12 -export";
+               $opt = " pkcs12 -legacy -export";
                $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
                $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
                $opt .= " -name \"$cgiparams{'NAME'}\"";
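Review bot: On export, `-legacy` does more than load a provider: it switches the bundle's protection back to the pre-3.0 defaults (RC2 or 3DES for the certificates, 3DES for the key), so every newly packed file carrying a private key is protected more weakly than the OpenSSL 3 default. If this is needed for clients that cannot import the newer format, say so in a comment, e.g. `# -legacy: some clients cannot read AES-256/PBKDF2 bundles`, and consider making it a per-connection choice. `-name \"$cgiparams{'NAME'}\"` also relies on NAME containing no quote or shell metacharacters; that validation and the rest of this block are outside the hunk.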
@@ -2360,11 +2363,11 @@ END
        #use default advanced value
        $cgiparams{'IKE_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
        $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256'; #[19];
-       $cgiparams{'IKE_GROUPTYPE'}             = 'curve448|curve25519|4096|3072|2048'; #[20];
+       $cgiparams{'IKE_GROUPTYPE'}             = 'curve448|curve25519|e521|e384|4096|3072'; #[20];
        $cgiparams{'IKE_LIFETIME'}              = '3'; #[16];
        $cgiparams{'ESP_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
        $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256'; #[22];
-       $cgiparams{'ESP_GROUPTYPE'}             = 'curve448|curve25519|4096|3072|2048'; #[23];
+       $cgiparams{'ESP_GROUPTYPE'}             = 'curve448|curve25519|e521|e384|4096|3072'; #[23];
        $cgiparams{'ESP_KEYLIFE'}               = '1'; #[17];
        $cgiparams{'COMPRESSION'}               = 'off'; #[13];
        $cgiparams{'ONLY_PROPOSED'}             = 'on'; #[24];
@@ -3146,8 +3149,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
                                        <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
                                        <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
-                                       <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
-                                       <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
+                                       <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048 ($Lang::tr{'vpn weak'})</option>
+                                       <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536 ($Lang::tr{'vpn broken'})</option>
                                        <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
                                        <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
                                </select>
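Review bot: The new MODP-2048 label uses `$Lang::tr{'vpn weak'}`, a key that appears nowhere else in the visible hunks; if it is missing from a language file the option renders as `MODP-2048 ()`. The same applies to the ESP list in the next hunk. This page shows only vpnmain.cgi, so confirm the key is added to every language file in the same commit.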
@@ -3169,8 +3172,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
                                        <option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
                                        <option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
-                                       <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
-                                       <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
+                                       <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048 ($Lang::tr{'vpn weak'})</option>
+                                       <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536 ($Lang::tr{'vpn broken'})</option>
                                        <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
                                        <option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
                                        <option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>