$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
-# Perform crypto and configration test
-&pkiconfigcheck;
# Add CCD files if not already presant
unless (-e $routes_push_file) {
}
}
+ # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC is in usage
+ if (-f "${General::swroot}/ovpn/server.conf") {
+ my $oldciphers = "${General::swroot}/ovpn/server.conf";
+ open(FH, $oldciphers);
+ while(my $cipherstring = <FH>) {
+ if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+ my @tempcipherstring = split(" ", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+ goto CRYPTO_WARNING;
+ }
+ }
+ close(FH);
+ }
+
+ # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers or HMAC is in usage
+ if (-f "${General::swroot}/ovpn/ovpnconfig") {
+ my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
+ open(FH, $oldciphers);
+ while(my $cipherstring = <FH>) {
+ if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC/) {
+ my @tempcipherstring = split(",", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+ goto CRYPTO_WARNING;
+ }
+ if ($cipherstring =~ /SHA1/) {
+ my @tempcipherstring = split(",", $cipherstring);
+ $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
+ goto CRYPTO_WARNING;
+ }
+ }
+ }
+
+
CRYPTO_WARNING:
}
my @status = <FILE>;
close(FILE);
+ # Perform crypto and configration test
+ &pkiconfigcheck;
+
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
my $ipaddr = <IPADDR>;
'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>',
+'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
+'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung',
'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_fragment' => 'Fragmentgrösse',
'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>',
+'ovpn warning algorithm' => 'The following algorithm was configured',
+'ovpn warning algorithm n2n' => 'For the Net-to-Net connection',
'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn_fastio' => 'Fast-IO',
'ovpn_mssfix' => 'MSSFIX Size',
projects / people / ummeegge / ipfire-2.x.git / commitdiff
