my $col="";
my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my $dhparameter = "/etc/ssl/ffdhe4096.pem";
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'ONLY_PROPOSED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
-$cgiparams{'DH_NAME'} = 'dh1024.pem';
-$cgiparams{'DHLENGHT'} = '';
$cgiparams{'DHCP_DOMAIN'} = '';
$cgiparams{'DHCP_DNS'} = '';
$cgiparams{'DHCP_WINS'} = '';
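Review bot: `my $dhparameter = "/etc/ssl/ffdhe4096.pem";` introduces a hard-coded system path with no comment on what the file is or who provides it; suggest `# Fixed DH group shared by all OpenVPN server configs (the name suggests the RFC 7919 ffdhe4096 group); nothing in this CGI generates it, the file must be shipped with the system.` The same hunk drops the `DH_NAME` and `DHLENGHT` defaults, so any read of `$cgiparams{'DH_NAME'}` that survives outside this diff would now interpolate an undefined value into an `ovpn/ca/` path. That is worth a grep before merging, since the `dh name is invalid` string removed from en.pl further down hints that such a validation branch existed somewhere.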
sub pkiconfigcheck
{
- # Warning if DH parameter is 1024 bit
- if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
- my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
- my $dhbit;
-
- # Loop through the output and search for the DH bit lenght.
- foreach my $line (@dhparameter) {
- if ($line =~ (/(\d+)/)) {
- # Assign match to dhbit value.
- $dhbit = $1;
-
- last;
- }
- }
-
- # Check if the used key lenght is at least 2048 bit.
- if ($dhbit < 2048) {
- $cryptoerror = "$Lang::tr{'ovpn error dh'}";
- goto CRYPTO_ERROR;
- }
- }
-
# Warning if md5 is in usage
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
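Review bot: With the bit-length check removed, pkiconfigcheck no longer says anything about the DH parameters, yet a later hunk writes `print CONF "dh $dhparameter\n";` into the server config unconditionally, and the only remaining presence test is the `-e "$dhparameter"` term in what appears to be the enable condition. If the system file is missing, that condition is silently unmet instead of the user seeing a crypto error, as the removed 1024-bit case used to produce. Consider a presence check at this spot, `if (! -f $dhparameter) { $cryptoerror = $Lang::tr{'<new message key>'}; goto CRYPTO_ERROR; }`, noting that `ovpn error dh` is removed by this commit so a new language key would be needed. The body of pkiconfigcheck continues past the end of the hunk.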
print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
- print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
+ print CONF "dh $dhparameter\n";
my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
#print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
exit (0);
###
-### Generate DH key step 2
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
- # Delete if old key exists
- if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
- unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
- }
- # Create Diffie Hellmann Parameter
- # The system call is safe, because all arguments are passed as an array.
- system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
- }
-
-###
-### Generate DH key step 1
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ovpn'}, 1, '');
- &Header::openbigbox('100%', 'LEFT', '', '');
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
- print <<END;
- <table width='100%'>
- <tr>
- <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
- </tr>
- <tr>
- <td class='base'>$Lang::tr{'ovpn dh'}:</td>
- <td align='center'>
- <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
- <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
- <select name='DHLENGHT'>
- <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
- <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
- <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
- </select>
- </td>
- </tr>
- <tr><td colspan='4'><br></td></tr>
- </table>
- <table width='100%'>
- <tr>
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
- </tr>
- <tr>
- <td class='base'>$Lang::tr{'dh key warn1'}</td>
- </tr>
- <tr><td colspan='2'><br></td></tr>
- <tr>
- <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
- </form>
- </tr>
- </table>
-
-END
- ;
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit (0);
-
-###
-### Upload DH key
-###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
- unless (ref ($cgiparams{'FH'})) {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto UPLOADCA_ERROR;
- }
- # Move uploaded dh key to a temporary file
- (my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto UPLOADCA_ERROR;
- }
- my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
- if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
- $errormessage = $Lang::tr{'not a valid dh key'};
- unlink ($filename);
- goto UPLOADCA_ERROR;
- } else {
- # Delete if old key exists
- if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
- unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
- }
-
- unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
- $errormessage = "$Lang::tr{'dh key move failed'}: $!";
- unlink ($filename);
- goto UPLOADCA_ERROR;
- }
- }
-###
### Upload CA Certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
&cleanssldatabase();
goto ROOTCERT_ERROR;
}
- # Create Diffie Hellmann Parameter
- # The system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
- unlink ("${General::swroot}/ovpn/certs/servercert.pem");
- unlink ("${General::swroot}/ovpn/ca/cacert.pem");
- unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
- unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
- &cleanssldatabase();
- goto ROOTCERT_ERROR;
-# } else {
-# &cleanssldatabase();
- }
goto ROOTCERT_SUCCESS;
}
ROOTCERT_ERROR:
}
print <<END;
</select></td>
- <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
- <td class='base'><select name='DHLENGHT'>
- <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
- <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
- <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
- </select>
- </td>
- </tr>
<tr><td> </td>
<td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
<tr><td class='base' colspan='4' align='left'>
<img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'required field'}</td></tr>
<tr><td colspan='2'><br></td></tr>
- <table width='100%'>
- <tr>
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
- <td class='base'>$Lang::tr{'dh key warn'}</td>
- </tr>
- <tr>
- <td class='base'>$Lang::tr{'dh key warn1'}</td>
- </tr>
- <tr><td colspan='2'><br></td></tr>
- <tr>
</table>
<table width='100%'>
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
- if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
+ if (! -e "$dhparameter") {
$errormessage = $Lang::tr{'not present'};
} else {
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
- my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
my $output = &Header::cleanhtml(join("", @output) ,"y");
print "<pre>$output</pre>\n";
&Header::closebox();
print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
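Review bot: `if (! -e "$dhparameter")` and the `"$dhparameter"` argument to General::system_output quote a plain scalar for no reason; the old code needed the quotes to interpolate `${General::swroot}`, the new variable does not. Writing `if (! -e $dhparameter)` and passing `$dhparameter` bare reads cleaner and avoids a reviewer wondering whether something else is being interpolated. The same pattern appears in the enable condition (`-e "$dhparameter" &&`) and in the chart hunk (`-f "$dhparameter"` and its system_output call) below.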
print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
- -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
+ -e "$dhparameter" &&
-e "${General::swroot}/ovpn/certs/servercert.pem" &&
-e "${General::swroot}/ovpn/certs/serverkey.pem") &&
(( $cgiparams{'ENABLED'} eq 'on') ||
}
# Adding DH parameter to chart
- if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
- my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ if (-f "$dhparameter") {
+ my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$dhparameter");
my $dhsubject;
foreach my $line (@dhsubject) {
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
</tr>
</table>
-
- <br>
-
- <table border='0' width='100%'>
- <tr>
- <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
- </tr>
-
- <tr>
- <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
- <td width='30%'><input type='file' name='FH' size='25'>
- <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
- </tr>
-
- <tr>
- <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
- <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
- </tr>
- </table>
</form>
<br><hr>
'device' => 'Gerät',
'devices on blue' => 'Geräte auf BLAU',
'dh' => 'Diffie-Hellman-Parameter',
-'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.',
-'dh key warn' => 'Das Erzeugen eines Diffie-Hellman-Parameters mit 2048 Bit dauert üblicherweise einige Minuten. Parameter von 3072 oder 4096 Bit Länge beanspruchen gegebenenfalls mehrere Stunden. Bitte haben Sie etwas Geduld.',
-'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen, lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.',
-'dh parameter' => 'Diffie-Hellman-Parameter',
'dhcp advopt add' => 'DHCP Option hinzufügen',
'dhcp advopt added' => 'DHCP Option hinzugefügt',
'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein',
'fwhost wo subnet' => '(Ohne Subnetz)',
'gateway' => 'Gateway',
'gateway ip' => 'Gateway-IP',
-'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen',
'gen static key' => 'Statischen Schlüssel erzeugen',
'generate' => 'Root/Host-Zertifikate generieren',
'generate a certificate' => 'Erzeuge ein Zertifikat:',
-'generate dh key' => 'Diffie-Hellman Key generieren',
'generate iso' => 'ISO erstellen',
'generate ptr' => 'PTR erzeugen',
'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate',
'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
'noservicename' => 'Kein Dienstname wurde eingegeben',
'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.',
-'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.',
'not affected' => 'Nicht betroffen',
'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden',
'not present' => '<B>Nicht</B> vorhanden',
'ovpn connection name' => 'Verbindungs-Name',
'ovpn crypt options' => 'Kryptografieoptionen',
'ovpn device' => 'OpenVPN-Gerät',
-'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
-'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
-'ovpn dh parameters' => 'Diffie-Hellman-Parameter Optionen',
-'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen',
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'ovpn engines' => 'Krypto Engine',
'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
-'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
'ovpn ha' => 'Hash-Algorithmus',
'upload a certificate' => 'Ein Zertifikat hochladen:',
'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:',
'upload ca certificate' => 'CA-Zertifikat hochladen',
-'upload dh key' => 'Diffie-Hellman-Parameter hochladen',
'upload file' => 'Datei zum Hochladen',
'upload new ruleset' => 'Neuen Regelsatz hochladen',
'upload p12 file' => 'PKCS12-Datei hochladen',
'device' => 'Device',
'devices on blue' => 'Devices on BLUE',
'dh' => 'Diffie-Hellman parameters',
-'dh key move failed' => 'Diffie-Hellman parameters move failed.',
-'dh key warn' => 'Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.',
-'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.',
-'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".',
'dh parameter' => 'Diffie-Hellman parameters',
'dhcp advopt add' => 'Add a DHCP option',
'dhcp advopt added' => 'DHCP option added',
'g.lite' => 'TO BE REMOVED',
'gateway' => 'Gateway',
'gateway ip' => 'Gateway IP',
-'gen dh' => 'Generate new Diffie-Hellman parameters',
'gen static key' => 'Generate a static key',
'generate' => 'Generate root/host zertifikate',
'generate a certificate' => 'Generate a certificate:',
-'generate dh key' => 'Generate Diffie-Hellman parameters',
'generate iso' => 'Generate ISO',
'generate ptr' => 'Generate PTR',
'generate root/host certificates' => 'Generate root/host certificates',
'nonetworkname' => 'No Network Name entered',
'noservicename' => 'No Service Name entered',
'not a valid ca certificate' => 'Not a valid CA certificate.',
-'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 2048, 3072 or 4096 bits and the PKCS#3 format.',
'not affected' => 'Not Affected',
'not enough disk space' => 'Not enough disk space',
'not present' => '<b>Not</b> present',
'ovpn connection name' => 'Connection Name',
'ovpn crypt options' => 'Cryptographic options',
'ovpn device' => 'OpenVPN device:',
-'ovpn dh' => 'Diffie-Hellman parameters length',
-'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
-'ovpn dh parameters' => 'Diffie-Hellman parameters options',
-'ovpn dh upload' => 'Upload new Diffie-Hellman parameters',
'ovpn dl' => 'OVPN-Config Download',
'ovpn engines' => 'Crypto engine',
'ovpn errmsg green already pushed' => 'Route for green network is always set',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
-'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
'ovpn ha' => 'Hash algorithm',
'upload a certificate' => 'Upload a certificate:',
'upload a certificate request' => 'Upload a certificate request:',
'upload ca certificate' => 'Upload CA certificate',
-'upload dh key' => 'Upload Diffie-Hellman parameters',
'upload fcdsl.o' => 'TO BE REMOVED',
'upload file' => 'Upload file',
'upload new ruleset' => 'Upload new ruleset',