ovpn: Generate ta.key before dh-parameter
authorErik Kapfer <ummeegge@ipfire.org>
Wed, 18 Sep 2019 05:03:33 +0000 (07:03 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 8 Oct 2019 18:04:50 +0000 (18:04 +0000)
Fixes: #11964 and #12157
If slow boards and/or boards with low entropy need too long to generate the DH-parameter, ovpnmain.cgi can run into a
"Script timed out before returning headers" error, and no further OpenSSL commands will be executed after dhparam has finished.
Since the ta.key is created after the DH-parameter, it won't be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
html/cgi-bin/ovpnmain.cgi

index 439390228268846e8fa4fa4c44f0baaab205d502..5de80b269b4c462cadca006dee09d54c59aeb748 100644 (file)
@@ -1947,6 +1947,13 @@ END
 #      } else {
 #          &cleanssldatabase();
        }
+       # Create ta.key for tls-auth
+       system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+       if ($?) {
+           $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+           &cleanssldatabase();
+           goto ROOTCERT_ERROR;
+       }
        # Create Diffie Hellmann Parameter
        system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
        if ($?) {
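Review bot: The failure branch added for the ta.key step reports `openssl produced an error` although the command that failed is `/usr/sbin/openvpn --genkey`, and it prints the raw wait status `$?` rather than the exit code, so the admin sees the wrong tool name and a value such as 256 instead of 1. I would name openvpn in the message, report `$? >> 8`, and handle `$? == -1` (binary could not be executed) separately. A comment above the block would also help, e.g. `# ta.key is the tls-auth pre-shared key; create it before the slow dhparam step so a CGI timeout cannot skip it`. The reordering only protects the ta.key: if the request still times out during dhparam, the `if ($?)` check that follows presumably never runs, so the DH file may be left missing or incomplete without any error shown, and a check for that file before the configuration is used seems worth a follow-up. The enclosing block starts and ends outside the hunk.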
@@ -1961,13 +1968,6 @@ END
 #      } else {
 #          &cleanssldatabase();
        }
-       # Create ta.key for tls-auth
-       system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
-       if ($?) {
-           $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-           &cleanssldatabase();
-           goto ROOTCERT_ERROR;
-       }
        goto ROOTCERT_SUCCESS;
     }
     ROOTCERT_ERROR: