OpenVPN: x509 and DH-parameter check with Warnings and error messages in WUI
index c0c7cff6d87f6e18206129ab196172be61683a38..f06e7cf03c8b854adc58e8b81f8c616aaffc9c34 100644 (file)
@@ -99,6 +99,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;
 
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
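Review bot: The new call `&pkiconfigcheck;` uses the ampersand-without-parens form, which passes the caller's current `@_` through to the sub and is the style perlcritic flags; `pkiconfigcheck();` is the plain call. The comment above it has a typo, `# Perform crypto and configration test` → `# Perform crypto and configuration test`. The sub reads `$cgiparams{'DH_NAME'}` at the point of the call, and whether that key is already populated here (from settings or from the request) is not visible in this hunk, so it is worth confirming the call is not made before `DH_NAME` is loaded.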
@@ -201,6 +203,45 @@ sub deletebackupcert
        }
 }
 
+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+       # Warning if DH parameter is 1024 bit
+       if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+               my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+               my @dhbit = ($dhparameter =~ /(\d+)/);
+               if ($1 < 2048) {
+                       $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       # Warning if md5 is in usage
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($signature =~ /md5WithRSAEncryption/) {
+                       $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       CRYPTO_ERROR:
+
+       # Warning if certificate is not compliant to RFC3280 TLS rules
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+                       $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+                       goto CRYPTO_WARNING;
+               }
+       }
+
+       CRYPTO_WARNING:
+}
+
 sub writeserverconf {
     my %sovpnsettings = ();  
     my @temp = ();  
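Review bot: The DH size test in pkiconfigcheck compares `$1` rather than the captured value in `@dhbit`: `$1` is the last *successful* capture anywhere in the request, so when the openssl output contains no digits (command failed, empty file) the check either uses a stale capture or compares undef, which is `0 < 2048` and raises a false "DH error". The pattern `/(\d+)/` is also unanchored and just takes the first digit run in the text dump; the upload check later in this same commit already uses the precise form `/DH Parameters: \((\d+) bit\)/`, so the two should agree. Separately, both backtick commands interpolate a path built from `$cgiparams{'DH_NAME'}` into a shell line; the list-form `open(..., '-|', ...)` invokes openssl without a shell, so the file name is passed as a plain argument however it was obtained (whether DH_NAME can carry request-supplied text is not visible in this hunk, but the list form removes the question). Finally `goto CRYPTO_WARNING` only jumps to the end of the sub, so a plain `return;` says the same thing without a label. The rewritten DH block below keeps the md5 and RFC3280 checks as they are.
```perl
sub pkiconfigcheck
{
       # Warning if DH parameter is shorter than 2048 bit
       my $dhfile = "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
       if (-f $dhfile) {
               # List-form open: openssl gets the path as one argument, no shell involved
               my $dhparameter = '';
               if (open(my $dh, '-|', '/usr/bin/openssl', 'dhparam', '-text', '-in', $dhfile)) {
                       local $/;
                       $dhparameter = <$dh> // '';
                       close $dh;
               }
               # Same pattern as the upload check; unparsable output counts as an error
               my ($dhbits) = ($dhparameter =~ /DH Parameters: \((\d+) bit\)/);
               if (!defined $dhbits || $dhbits < 2048) {
                       $cryptoerror = "$Lang::tr{'ovpn error dh'}";
                       goto CRYPTO_ERROR;
               }
       }
       # … unchanged: md5 signature check, CRYPTO_ERROR label, RFC3280 EKU check …
```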
@@ -1072,41 +1113,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 
 }
 
-###
-### Check for cryptography problems
-###
-
-# Warning if DH parameter is 1024 bit
-if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
-       my $dhlenght = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
-       if ($dhlenght =~ /1024 bit/) {
-               $cryptoerror = "$Lang::tr{'ovpn error dh'}";
-               goto CRYPTO_ERROR;
-       }
-}
-
-# Warning if md5 is in usage
-if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
-       my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
-       if ($signature =~ /md5WithRSAEncryption/) {
-               $cryptoerror = "$Lang::tr{'ovpn error md5'}";
-               goto CRYPTO_ERROR;
-       }
-}
-
-CRYPTO_ERROR:
-
-# Warning if certificate is not compliant to RFC3280 TLS rules
-if (-f "${General::swroot}/ovpn/openssl/ovpn.cnf") {
-       my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
-       if ($extendkeyusage =~ /TLS Web Server Authentication/) {
-               $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
-               goto CRYPTO_WARNING;
-       }
-}
-
-CRYPTO_WARNING:
-
 ###
 ### Save main settings
 ###
@@ -1373,7 +1379,7 @@ END
        goto UPLOADCA_ERROR;
     }
     my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
-    if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+    if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
         $errormessage = $Lang::tr{'not a valid dh key'};
         unlink ($filename);
         goto UPLOADCA_ERROR;
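Review bot: Dropping `1024` from the accepted sizes means a well-formed 1024-bit upload is now rejected with `$Lang::tr{'not a valid dh key'}`, which tells the user the file is malformed rather than too short; since the commit already introduces `$Lang::tr{'ovpn error dh'}` for the weak-DH case, consider distinguishing the two, e.g. match `(\d+) bit` first and set `$errormessage = $Lang::tr{'ovpn error dh'}` when the size is below 2048 and the existing message only when nothing matched. The enclosing upload routine starts and ends outside this hunk.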