ovpn.cnf: Removal of SKID & AKID from server section

- Fixes Bug#13595
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions for a CSR.
- See the following discussion in the openssl github issues https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were never flagged with an error, just ignored. Since the bug fix for that bug was put into OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host certificate gives an error when the CSR is generated so only the root certificate is created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.

Fixes: Bug#13595
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Fix for '--ns-cert-type server is deprecated'.

- Added extended key usage based on RFC3280 TLS rules for OpenVPN's OpenSSL configuration, so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type' if the host certificate is newly generated with these options. Nevertheless both directives (old and new) will also work with old CAs.
- Automatic detection if the host certificate uses the new options. If it does, '--remote-cert-tls server' will be automatically set into the client configuration files for Net-to-Net and Roadwarrior connections. If it does NOT, the old '--ns-cert-type server' directive will be set in the client configuration file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

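The selection between the two directives described in the commit above can be sketched as follows. This is an added example, not code from the IPFire repository: the function name `pick_server_check` and the certificate excerpts are constructed for illustration, and it assumes the input is the text dump printed by `openssl x509 -noout -text`.

```shell
#!/bin/sh
# Hypothetical helper (not IPFire code). Reads the output of
#   openssl x509 -in <host certificate> -noout -text
# on stdin and prints the client directive matching the certificate.
pick_server_check() {
    awk '
        # Extension headers end with ":"; their values follow on the next lines.
        /X509v3 Extended Key Usage:/ { section = "eku"; next }
        /Netscape Cert Type:/        { section = "ns";  next }
        # Any other extension header, or the signature block, ends the section.
        /X509v3 [A-Za-z ]+:/ || /Signature Algorithm:/ { section = "" }
        section == "eku" && /TLS Web Server Authentication/ { eku = 1 }
        section == "ns"  && /SSL Server/                    { ns = 1 }
        END {
            if (eku)     print "remote-cert-tls server"  # EKU present: new check
            else if (ns) print "ns-cert-type server"     # only Netscape type: old check
            else         print "none"                    # not usable as a server cert
        }
    '
}

# Constructed excerpts of "openssl x509 -text" output, for illustration only.
NEW_CERT='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption'

OLD_CERT='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$NEW_CERT" | pick_server_check
printf '%s\n' "$OLD_CERT" | pick_server_check
```

A certificate carrying only client authentication in its extended key usage yields `none`, so a client certificate is not mistaken for a host certificate.
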
OpenVPN: Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design.

Added HMAC algorithm selection menu for N2N and RW.
Added cipher selection menu for N2N connections.
Added DH key selection also for existing installations incl. DH key upload possibility.
Adjusted the ovpn main WUI design to IPSec WUI.
Extend key length for CA, cert and control channel with factor 2.
Some code and typo cleanup.
Bugfixes for #10317, #10149, #10462, #10463

V.2 New changes:
Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3.
ovpn.cnf now has default bits of 2048 instead of 1024.
ovpn.cnf default_md now works with sha256 instead of md5.
Bugfix: On a new installation the auth directive for RWs is faded out #10462 Comment 15.
Added error message if the crl should be displayed but no crl is present.

Update:
* Integrated Squid 2.5STABLE14.

Changed:
* Moved xinetd configuration.
* Fixed OpenVPN errors. Still does not work correctly. :(
* Edited Pakfire.
* Extended credits and added GPL.
* index.cgi, completely new look.

git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@155 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8