From: Michael Tremer Date: Tue, 19 Mar 2024 19:44:18 +0000 (+0100) Subject: ovpnmain.cgi: Force NCP on clients X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee868771f72db6576f6b1445a66d219b6f29f31a;p=people%2Fms%2Fipfire-2.x.git ovpnmain.cgi: Force NCP on clients This change requires that all clients support NCP if they are set up with a new connection. Existing clients remain supported using the fallback cipher option. This will result that connections with OpenVPN <= 2.3 cannot be set up any more which is totally fine since that version is EOL. Signed-off-by: Michael Tremer --- diff --git a/doc/language_issues.de b/doc/language_issues.de index 424481b4c..bc5012c23 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -1013,7 +1013,7 @@ WARNING: untranslated string: optional = Optional WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected diff --git a/doc/language_issues.en b/doc/language_issues.en index 9c60e3e38..cc5ea40e7 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1455,8 +1455,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: WARNING: untranslated string: ovpn on orange = OpenVPN on ORANGE: diff --git a/doc/language_issues.es b/doc/language_issues.es index 949675bc0..c5e70054e 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1033,7 +1033,7 @@ WARNING: untranslated string: online = Online WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 4362f9992..8fb9b6388 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -1037,7 +1037,7 @@ WARNING: untranslated string: oops something went wrong = Oops, something went w WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.it b/doc/language_issues.it index 23554dbe5..1a2a514f9 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1276,7 +1276,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 6e4348d65..168fa32ab 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -1301,7 +1301,7 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.pl b/doc/language_issues.pl index e12dce223..f6e333110 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1465,8 +1465,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server 
diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 4230c8953..6e301a8f5 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1460,8 +1460,8 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 53eff868d..2366fe5f7 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1189,7 +1189,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_missings b/doc/language_missings index 8a091e64f..7e4ce312e 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -90,7 +90,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < quick control @@ -146,7 +146,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn unsupported cipher selected ############################################################################ # Checking cgi-bin translations for language: fr # @@ -196,7 +196,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < password has quotation mark 
@@ -661,7 +661,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth @@ -1309,7 +1309,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log @@ -2274,7 +2274,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2283,6 +2282,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3374,7 +3374,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -3383,6 +3382,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3974,7 +3974,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 30ebea58b..be7089ef5 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -715,9 +715,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); - # If NCP is disabled, we need the fallback cipher - if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') { - $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'}; + # We must have at least one cipher selected + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn no cipher selected'}; goto ADV_ERROR; } @@ -2178,18 +2178,9 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - # Cryptography - - # If no data ciphers have been selected, we try to use the fallback cipher - if ($vpnsettings{'DATACIPHERS'} eq '') { - print CLIENTCONF "ncp-disable\r\n"; - - if ($vpnsettings{'DCIPHER'} ne '') { - print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; - } - } else { - # Otherwise we don't write anything because the server and client will negotiate - } + # We no longer send any cryptographic configuration since 2.6. + # That way, we will be able to push this from the server. + # Therefore we always mandate NCP for new clients. print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; @@ -2649,7 +2640,7 @@ ADV_ERROR: - END foreach my $cipher (@SUPPORTED_CIPHERS) { diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 27c2cf862..f90bb0b04 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
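Review bot: The `@@ -2178` hunk removes the `ncp-disable` / `cipher` fallback from generated client configs unconditionally, but the only visible guarantee that `DATACIPHERS` is non-empty is the new check in the `save-adv-options` handler (`@@ -715`), which runs only when the advanced options are saved. On a system whose stored settings still hold an empty `DATACIPHERS` and only `DCIPHER`, a newly built client package would carry no cipher directive at all; whether it can still agree on a cipher depends on server-side configuration this diff does not show. Consider refusing to build the package in that state, for example `if ($vpnsettings{'DATACIPHERS'} eq '') { $errormessage = $Lang::tr{'ovpn no cipher selected'}; }`, routed through whatever error path this branch already uses; the enclosing block starts and ends outside the hunk. The new comment would also be clearer as `since OpenVPN 2.6`, if that is the version meant.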
@@ -2052,7 +2052,6 @@
 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.',
 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
 'ovpn ha' => 'Hash algorithm',
-'ovpn if ncp is disabled we must have cipher' => 'If you want to disable cipher negotiation, you will have to select a fallback cipher.',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.',
 'ovpn mtu-disc' => 'Path MTU Discovery',
@@ -2062,7 +2061,7 @@
 'ovpn mtu-disc off' => 'Disabled',
 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.',
 'ovpn mtu-disc yes' => 'Forced',
+'ovpn no cipher selected' => 'No cipher selected',
 'ovpn no connections' => 'No active OpenVPN connections',
 'ovpn on blue' => 'OpenVPN on BLUE:',
 'ovpn on orange' => 'OpenVPN on ORANGE:',