From 0c4ffc69193221a351ea2e53efae34514af1c90a Mon Sep 17 00:00:00 2001 From: Erik Kapfer Date: Sat, 27 Apr 2019 16:05:50 +0200 Subject: [PATCH] ovpn_reorganize_encryption: Added tls-auth into global section - Since HMAC selection is already in global section, it makes sense to keep the encryption togehter. - Given tls-auth better understandable name. Signed-off-by: Erik Kapfer Signed-off-by: Michael Tremer --- html/cgi-bin/ovpnmain.cgi | 35 +++++++++++++++++++---------------- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 80190dc348..d7895e600b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -790,7 +790,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -1201,6 +1200,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -2673,9 +2673,6 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2805,17 +2802,6 @@ print <
- - - - - - - - - - -
HMAC tls-auth
END if ( -e "/var/run/openvpn.pid"){ @@ -3492,7 +3478,7 @@ foreach my $dkey (keys %confighash) { Fragment:$confighash{$key}[24] $Lang::tr{'MTU'}$confighash{$key}[31] Management Port $confighash{$key}[22] - $Lang::tr{'ovpn hmac'}:$confighash{$key}[39] + $Lang::tr{'ovpn tls auth'}:$confighash{$key}[39] $Lang::tr{'cipher'}$confighash{$key}[40]    @@ -4533,6 +4519,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; if (1) { &Header::showhttpheaders(); @@ -5079,6 +5068,9 @@ END } } } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5121,6 +5113,10 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5255,6 +5251,13 @@ END $Lang::tr{'comp-lzo'} + +
+ + $Lang::tr{'ovpn tls auth'} + + +

END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 1890e6bc8c..a2322e5f5a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1887,6 +1887,7 @@ 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn tls auth' => 'TLS-Kanal Absicherung:', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform.
Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ac3984ad4f..d90560ee76 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1926,6 +1926,7 @@ 'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', +'ovpn tls auth' => 'TLS-Channel Protection:', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', -- 2.39.2